Data Processing Addendum (DPA).

The DPA governs how RetailNorthstar processes personal data on behalf of our customers. It applies whenever the customer is the controller and RetailNorthstar is the processor under applicable data-protection law.

This page summarizes the major sections of the DPA. The executable copy — including the sub-processor annex and Standard Contractual Clauses — is provided alongside the master service agreement. This page is informational; the executed DPA is the binding instrument.

Nine sections covering controller-processor obligations.

Roles and scope

Under the DPA, the customer is the data controller for personal data they upload to or process through RetailNorthstar, and RetailNorthstar acts as the data processor on the customer's behalf. The DPA applies whenever RetailNorthstar processes personal data subject to applicable data-protection law in connection with the service contracted under the customer's order form or master agreement.

Processing activities

RetailNorthstar processes personal data only as necessary to deliver the service — including authentication, audit logging, support, security operations, and the merchandising-planning workflow itself. We do not use customer personal data to train shared machine-learning models, do not sell it to third parties, and do not use it for any purpose outside the service.

Sub-processors

A current list of sub-processors is maintained as an annex to the DPA. Sub-processors include cloud infrastructure providers, monitoring and observability services, identity providers, and customer-support tooling. We notify customers of material sub-processor changes consistent with the contractual notice period.

International transfers

For transfers of personal data from the EU/EEA, UK, or Switzerland to jurisdictions without an adequacy decision, we rely on the European Commission's Standard Contractual Clauses (SCCs) and, where applicable, the UK International Data Transfer Addendum and Swiss-equivalent transfer mechanisms. EU-resident data residency is available on Enterprise plans.

Security and confidentiality

RetailNorthstar maintains technical and organizational measures appropriate to the risk of processing — including encryption in transit and at rest, access controls, secure development practices, vulnerability management, incident response, and personnel confidentiality. The full set of controls is documented on the Security page; our controls are aligned to the SOC 2 Trust Services Criteria with a formal Type II audit in progress.

Data subject rights

RetailNorthstar provides reasonable assistance to enable customers to fulfill data subject requests under applicable law — including access, rectification, erasure, restriction, portability, and objection. Customer admins can use the in-product tools for most requests; we support escalations through customer support within statutory windows.

Breach notification

In the event of a personal data breach affecting customer data, RetailNorthstar will notify the affected customer without undue delay after becoming aware, with information sufficient to support the customer's own notification obligations. Notification details are provided through the customer's designated contacts and security team if specified.

Audit rights

Customers may exercise audit rights through our control documentation, security questionnaire responses, and — once available — SOC 2 Type II attestations, on at least an annual basis. For specific regulatory needs not addressed by available documentation, we work with customers in good faith to support reasonable additional inquiries, subject to mutual confidentiality and reasonable scope.

Return or deletion of data

On termination of the service, customer data is returned in a portable format on request and deleted from production systems within 30 days; backups age out per the documented retention window (typically 90 days). A signed data-deletion attestation is available on request.

Common questions about the DPA

How do we sign the DPA?

The DPA is signed alongside or as an addendum to the master service agreement. Customers on standard order forms receive the DPA pre-attached; customers using their own paper can review and counter-sign the standalone DPA. Email contact@retailnorthstar.ai or your account contact to request the executable copy.

Where do I see the current sub-processor list?

The sub-processor list is provided as an annex to the executed DPA and updated as the list evolves. Material changes are communicated through the contractual notice channel before they take effect, giving customers an opportunity to object as provided in the DPA terms.

Do you offer EU data residency?

Yes — EU-resident data hosting is available on Enterprise plans for customers with localization requirements. Data residency selection is made at provisioning time and applies to the primary data store and backups. Talk to your sales contact to confirm region availability for your contract.

What is the legal entity that signs the DPA?

RetailNorthstar Inc., the same legal entity named in the master service agreement, signs the DPA. For contracts with EU customers requiring an EU representative, our designated representative under GDPR Article 27 is identified in the DPA annex.

DPA, SCCs, and sub-processor list — at the procurement table.

Talk to your sales contact to receive the executable DPA, current sub-processor annex, and any region-specific transfer mechanism documentation.