中文 EN 日本語

This Data Processing Addendum (“DPA”) applies when HCY Tech processes personal or business data on behalf of a customer while delivering overseas warehouse, Amazon SP-API order-coordination, fulfillment-integration, or governance services. It supplements the parties’ main agreement.

1. Roles

The customer typically determines the purpose and scope of processing and acts as controller or principal. HCY Tech processes data under documented customer instructions and acts as processor or service provider.

2. Processing activities

  • Public-page updates, multilingual content maintenance, and public documentation support;
  • Support for Amazon order, inventory, warehouse, fulfillment, and after-sales workflows;
  • Account access configuration, logging, support operations, and security maintenance.

3. Data subjects and data categories

Data subjects may include customer staff, merchant operators, recipients, customer-service contacts, creator collaboration contacts, and logistics-related contacts. Data categories may include business contact data, order and fulfillment data, product information, platform authorization details, system logs, and necessary personal data.

4. Customer obligations

  • Ensure there is a lawful basis for processing and that any required notices have been provided;
  • Provide data, content, and access rights only where the customer is authorized to do so;
  • Promptly notify HCY Tech of access revocations, restrictions, or compliance requirements.

5. HCY Tech commitments

  • Process data only as instructed and only for the agreed service scope;
  • Bind relevant personnel to confidentiality obligations;
  • Not sell customer data or use it for unrelated advertising or profiling.

6. Security measures

  • Role-based access, approval processes, and audit logging;
  • HTTPS/TLS, encryption, masking, or restricted handling where appropriate;
  • Backup rotation, vulnerability handling, monitoring, and incident response.

7. Subprocessors

Where infrastructure, communications, collaboration, or fulfillment-support vendors are engaged, HCY Tech will require them to operate under confidentiality and security obligations that are materially consistent with this DPA.

8. Cross-border processing

If project delivery involves cross-border transfers, the parties will rely on the safeguards appropriate to the deployment model, contract, and applicable law. Access and storage locations depend on the customer-selected operating model.

9. Assistance with requests

Upon customer instruction, HCY Tech will provide reasonable assistance with access, correction, deletion, export, restriction, or similar data-subject requests.

10. Security incidents

If HCY Tech becomes aware of an incident affecting entrusted data, we will use reasonable efforts to investigate, contain, remediate, and notify the customer as required by contract or applicable law.

11. Return and deletion

At the end of the service or upon valid request, HCY Tech will support return, export, deletion, or anonymization of data according to the parties’ agreement. Residual backup copies are removed through ordinary rotation unless law requires longer retention.

12. Audit evidence

Without exposing other customers, system security, or confidential methods, HCY Tech may provide reasonable evidence of its processing posture through questionnaires, process descriptions, screenshots, sample logs, or similar materials.

13. Revocation and deletion assistance

If a customer or end user revokes authorization, requests feature disablement, or submits a deletion request, HCY Tech will, under customer instruction and within a reasonable scope, support disablement, export, deletion, anonymization, or access restriction measures and may retain limited records necessary to document performance of the request.

14. Categories of subprocessors

Service delivery may rely on infrastructure, communications, development collaboration, ticketing, or fulfillment-support subprocessors. HCY Tech requires those subprocessors to operate under confidentiality and security obligations materially consistent with this DPA and can describe their categories and roles within a reasonable scope.

15. Response timeline

Unless law or contract requires otherwise, requests involving deletion, export, access restriction, or compliance materials are generally acknowledged within 7 business days and completed, fulfilled, or reasonably explained within 30 days.

16. Priority

If this DPA conflicts with the main agreement on data-protection matters, this DPA controls for those matters. Contact: support@hcytechsoft.com