Data Processing Agreement

Effective date: June 5, 2026  ·  Last updated: June 5, 2026

This Data Processing Agreement (“DPA”) forms part of the Terms of Service between you (“Merchant”, “Controller”) and PAC Door Order, operated by Phill Anton Consulting LLC (“PAC”, “Processor”). It governs PAC’s processing of personal data on the Merchant’s behalf. Capitalized terms not defined here have the meaning given in the Terms of Service.

1. Roles of the parties

For personal data that the Merchant’s end customers submit through the embedded door builder (such as names, contact details, and order information), the Merchant is the Controller and PAC is the Processor. For limited account and usage data that PAC collects about the Merchant’s own users to operate and secure the Service, PAC acts as an independent Controller as described in the Privacy Policy.

2. Subject matter and details of processing

3. PAC’s obligations

4. Sub-processors

The Merchant authorizes PAC to engage the sub-processors listed in the Privacy Policy (including hosting, database, email, and integration providers) to support delivery of the Service. PAC imposes data-protection obligations on each sub-processor that are no less protective than those in this DPA, and remains responsible for their performance. PAC will give the Merchant a reasonable means of learning of intended additions or replacements of sub-processors so the Merchant can object on reasonable data-protection grounds.

5. Security measures

PAC maintains measures appropriate to the risk, including encryption of data in transit, access controls and least-privilege roles, tenant isolation enforced at the database level, encryption of sensitive stored secrets, audit logging, and regular backups. These measures are described further in the Privacy Policy and may be updated as the Service evolves, provided protection is not materially reduced.

6. Data-subject requests

Taking into account the nature of the processing, PAC will assist the Merchant by appropriate measures, insofar as possible, to fulfill the Merchant’s obligation to respond to requests to exercise data-subject rights (access, correction, deletion, restriction, portability, and objection). If PAC receives such a request directly from a Merchant’s end customer, it will refer the request to the Merchant.

7. Personal data breach notification

PAC will notify the Merchant without undue delay after becoming aware of a personal data breach affecting the Merchant’s data, and will provide information reasonably available to it to help the Merchant meet its own notification obligations.

8. Return and deletion

On termination of the Merchant’s account, PAC will, at the Merchant’s choice, delete or make available for export the personal data it processes on the Merchant’s behalf, within the windows described in the Terms and Privacy Policy, except where retention is required by law.

9. Audits and information

PAC will make available to the Merchant information reasonably necessary to demonstrate compliance with this DPA and will allow for and contribute to reasonable audits, including by providing relevant documentation, subject to confidentiality and to reasonable limits on frequency and scope.

10. International transfers

Where personal data is transferred across borders, PAC and its sub-processors rely on lawful transfer mechanisms appropriate to the data and the jurisdictions involved.

11. Precedence and liability

In the event of a conflict between this DPA and the Terms of Service regarding the processing of personal data, this DPA controls. Each party’s liability under this DPA is subject to the limitations of liability set out in the Terms of Service.

12. Contact

Questions about this DPA, or to request a countersigned copy, can be sent to support@pac-os.app.