Data Processing Agreement
This Data Processing Agreement ("DPA") forms part of the Terms of Service between you ("Merchant", the controller) and Oddly Even Group Pte. Ltd. ("oddly", the processor). It governs oddly's processing of personal data on the Merchant's behalf.
1. Definitions
- Controller, Processor, Sub-processor, Personal Data, and Data Subject have the meanings set out in the GDPR and the Singapore PDPA.
- Services means the oddly platform as described in the Terms of Service.
- Connected Accounts means the store, ad-platform, CRM, and analytics accounts the Merchant authorises oddly to access.
2. Subject matter and duration
oddly processes Personal Data only to provide the Services and only for the duration of the Merchant's subscription, plus any retention period set out in the Privacy Policy (audit logs up to 12 months; account data deleted within 30 days of termination).
3. Categories of Data Subjects and data
- Merchant team members. Email, name, role, login audit trail.
- Aggregate store data. Order counts, revenue, conversion rate, inventory state. We do not process individual end-customer PII.
- Aggregate ad performance. Campaign metrics, search terms, creative metadata, conversion configuration. We do not process advertiser audience PII.
4. Sub-processors
oddly relies on a small number of sub-processors to deliver the Service: edge infrastructure (compute, database, object storage, CDN), payments (billing identifier and tax-relevant fields only), email delivery (transactional sends), and identity (OAuth verification only). The current list is published in the Privacy Policy. oddly will give the Merchant 30 days' notice before adding or replacing a sub-processor; the Merchant may terminate without penalty if it reasonably objects.
5. Security measures
- TLS 1.2+ in transit. Encryption at rest on all storage layers.
- Tenant isolation via row-level scoping; every database query is bound to a client identifier.
- Passwordless authentication. Session tokens are cryptographically random and stored as SHA-256 hashes.
- Audit logging on every data access, login, and action.
- Least-privilege OAuth scopes on connected platforms; credentials never stored in plaintext.
6. Confidentiality
oddly personnel with access to Personal Data are bound by written confidentiality obligations. Access is granted on a need-to-know basis and is logged.
7. Data subject rights
oddly will assist the Merchant in responding to access, correction, deletion, and portability requests within 30 days. Requests may be sent to [email protected] and will be acknowledged within 5 business days.
8. Personal data breach notification
If oddly becomes aware of a Personal Data breach affecting Merchant data, oddly will notify the Merchant within 72 hours and provide the information reasonably required for the Merchant to comply with its own breach notification obligations.
9. Audits
The Merchant may, no more than once per 12 months and on 30 days' notice, request information demonstrating oddly's compliance with this DPA. oddly will respond with relevant security documentation. On-site audits are at the Merchant's expense and require commercial coordination.
10. International transfers
The Service runs on globally distributed edge infrastructure. Personal Data may be processed in any region where the underlying infrastructure operates. Where the GDPR or PDPA require a transfer mechanism, oddly relies on Standard Contractual Clauses or equivalent safeguards.
11. Return and deletion
On termination, oddly will delete or return all Personal Data within 30 days, except for backups in the normal retention cycle and audit logs retained for security review (maximum 12 months), after which they are deleted.
Contact
DPA questions and breach reports: [email protected].