Data Processing Addendum

Last Updated: January 13, 2026

This Data Processing Addendum ("DPA") forms part of the Terms of Service ("Agreement") between ShipStream, LLC ("ShipStream," "Processor," "we," or "us") and the customer ("Customer," "Controller," or "you") using the ShipStream Data Border service ("Service").

This DPA sets forth the parties' obligations with respect to the processing of Personal Data in connection with the Service.

1. Definitions

"Applicable Data Protection Law" means all laws and regulations applicable to the processing of Personal Data, including the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), and other applicable U.S. state privacy laws.

"Controller" means the entity that determines the purposes and means of processing Personal Data. For purposes of this DPA, Customer is the Controller of Customer Personal Data.

"Customer Personal Data" means any Personal Data that ShipStream processes on behalf of Customer in connection with the Service.

"Data Subject" means an identified or identifiable natural person whose Personal Data is processed.

"Personal Data" means any information relating to an identified or identifiable natural person, including information that constitutes "personal information" under the CCPA.

"Process" or "Processing" means any operation performed on Personal Data, including collection, storage, use, disclosure, or deletion.

"Processor" means the entity that processes Personal Data on behalf of the Controller. For purposes of this DPA, ShipStream is the Processor of Customer Personal Data.

"Security Incident" means any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data.

"Service Provider" has the meaning given under the CCPA and refers to ShipStream's role in processing Personal Data on behalf of Customer.

"Subprocessor" means any third party engaged by ShipStream to process Customer Personal Data.

2. Scope and Applicability

2.1 Scope

This DPA applies to the processing of Customer Personal Data by ShipStream in connection with providing the Service.

2.2 Relationship to Agreement

This DPA supplements and forms part of the Agreement. In the event of a conflict between this DPA and the Agreement, this DPA shall prevail with respect to the processing of Personal Data.

2.3 Customer as Controller

Customer is the Controller of Customer Personal Data and determines the purposes and means of processing. ShipStream processes Customer Personal Data only as a Processor on behalf of Customer.

3. Details of Processing

3.1 Categories of Data Subjects

Customer Personal Data may relate to the following categories of Data Subjects:

  • Recipients of shipments (Amazon order recipients)
  • Customer's employees and representatives
  • Customer's end clients (for SaaS Provider customers)

3.2 Categories of Personal Data

The following categories of Personal Data may be processed:

Category               Examples
Contact Information    Name, shipping address, phone number, email address
Order Information      Order identifiers, tracking numbers
Account Information    Customer contact name, email, phone, billing address
Usage Data             Label request logs, timestamps, IP addresses

3.3 Sensitive Personal Data

The Service is not designed to process sensitive personal data (such as health information, financial account numbers, or government identifiers). Customer shall not submit sensitive personal data to the Service.

3.4 Processing Purposes

ShipStream processes Customer Personal Data solely for the following purposes:

  • Retrieving and delivering shipping labels from Amazon's SP-API
  • Maintaining audit logs as required by Amazon's Data Protection Policy
  • Providing customer support
  • Billing and account management
  • Service improvement and analytics (using aggregated, anonymized data)

3.5 Duration of Processing

ShipStream will process Customer Personal Data for the duration of the Agreement, plus any retention periods specified in Section 6.

4. Obligations of ShipStream (Processor)

4.1 Processing Instructions

ShipStream shall:

  • Process Customer Personal Data only in accordance with Customer's documented instructions, unless required by law
  • Inform Customer if, in ShipStream's opinion, an instruction violates Applicable Data Protection Law
  • Not process Customer Personal Data for any purpose other than providing the Service

Customer's instructions are documented in this DPA, the Agreement, and any written instructions provided by Customer.

4.2 Confidentiality

ShipStream shall:

  • Ensure that personnel authorized to process Customer Personal Data are bound by confidentiality obligations
  • Limit access to Customer Personal Data to personnel who need access to perform the Service

4.3 Security Measures

ShipStream shall implement and maintain appropriate technical and organizational measures to protect Customer Personal Data, including:

Technical Measures:

  • Encryption of data in transit (TLS 1.2+)
  • Encryption of data at rest
  • Access controls and authentication
  • Logging and monitoring of access
  • Regular security assessments
  • Vulnerability management
  • Intrusion detection

Organizational Measures:

  • Security policies and procedures
  • Employee security training
  • Background checks for personnel with data access
  • Incident response procedures
  • Business continuity planning

4.4 Subprocessors

ShipStream may engage Subprocessors to process Customer Personal Data, subject to the following conditions:

  • ShipStream maintains an up-to-date list of Subprocessors (see Section 5)
  • ShipStream enters into written agreements with Subprocessors imposing data protection obligations no less protective than this DPA
  • ShipStream remains liable for the acts and omissions of its Subprocessors
  • Customer may object to new Subprocessors as described in Section 5.3

4.5 Data Subject Requests

ShipStream shall:

  • Promptly notify Customer of any request received directly from a Data Subject
  • Not respond to Data Subject requests directly, unless authorized by Customer
  • Provide reasonable assistance to Customer in responding to Data Subject requests, taking into account the nature of the processing

4.6 Assistance with Compliance

ShipStream shall provide reasonable assistance to Customer with:

  • Responding to Data Subject requests (access, deletion, correction)
  • Data protection impact assessments (if required)
  • Consultations with regulatory authorities (if required)
  • Demonstrating compliance with Applicable Data Protection Law

Assistance may be subject to reasonable fees for work beyond the normal scope of the Service.

5. Subprocessors

5.1 Authorized Subprocessors

Customer authorizes ShipStream to engage the following Subprocessors:

Subprocessor          Purpose               Location         Data Processed
Fly.io, Inc.          Application hosting   United States    All Service data
Tigris Data, Inc.     Object storage        United States    Shipping labels (temporary)
Stripe, Inc.          Payment processing    United States    Billing information
Resend, Inc.          Email delivery        United States    Email addresses, notifications

5.2 Subprocessor Obligations

ShipStream shall:

  • Enter into written agreements with each Subprocessor that impose data protection obligations consistent with this DPA
  • Ensure Subprocessors implement appropriate security measures
  • Remain liable for the acts and omissions of Subprocessors

5.3 Changes to Subprocessors

ShipStream shall:

  • Maintain an up-to-date list of Subprocessors at shipstream.io/legal/subprocessors
  • Notify Customer at least thirty (30) days before engaging a new Subprocessor
  • Provide Customer the opportunity to object to new Subprocessors on reasonable grounds

If Customer objects to a new Subprocessor and ShipStream cannot reasonably accommodate the objection:

  • Customer may terminate the affected portion of the Service
  • ShipStream will refund any prepaid fees for the terminated period
  • No other liability shall arise from such termination

6. Data Retention and Deletion

6.1 Retention Periods

ShipStream retains Customer Personal Data for the following periods:

Data Category          Retention Period                   Reason
Shipping Labels        30 days                            Operational (reprint, troubleshooting)
Audit Logs             3 years                            Amazon DPP compliance
Account Information    Duration of Agreement + 3 years    Legal compliance
Billing Records        7 years                            Tax and accounting requirements

6.2 Deletion Upon Termination

Upon termination of the Agreement:

  • ShipStream will delete or anonymize Customer Personal Data within thirty (30) days, except for data that must be retained for legal compliance
  • Customer may request a copy of Customer Personal Data before deletion (subject to technical feasibility)
  • ShipStream will provide written confirmation of deletion upon request

6.3 Return of Data

Upon Customer's written request prior to termination, ShipStream will provide Customer with a copy of Customer Personal Data in a commonly used, machine-readable format, to the extent technically feasible.

7. Security Incident Response

7.1 Notification

ShipStream shall notify Customer of any Security Incident without undue delay, and in no event later than seventy-two (72) hours after becoming aware of the incident.

7.2 Notification Contents

Security Incident notifications shall include, to the extent known:

  • Description of the nature of the incident
  • Categories and approximate number of Data Subjects affected
  • Categories and approximate number of records affected
  • Name and contact details of ShipStream's point of contact
  • Likely consequences of the incident
  • Measures taken or proposed to address the incident

7.3 Cooperation

ShipStream shall:

  • Cooperate with Customer in investigating and responding to Security Incidents
  • Preserve evidence related to the incident
  • Provide reasonable assistance with Customer's notifications to Data Subjects or regulators
  • Not notify Data Subjects or regulators directly without Customer's prior written consent (unless required by law)

7.4 Documentation

ShipStream shall document Security Incidents, including facts, effects, and remedial actions taken, and make this documentation available to Customer upon request.

8. Audits and Assessments

8.1 Audit Rights

Customer may audit ShipStream's compliance with this DPA, subject to the following conditions:

  • Audits shall be conducted no more than once per year, unless a Security Incident has occurred
  • Customer shall provide at least thirty (30) days' written notice
  • Audits shall be conducted during normal business hours
  • Customer shall bear the costs of any third-party auditors
  • Auditors must execute reasonable confidentiality agreements

8.2 Audit Alternatives

In lieu of an on-site audit, ShipStream may, at its discretion:

  • Provide Customer with relevant certifications (e.g., SOC 2 Type II report)
  • Provide responses to a reasonable security questionnaire
  • Provide documentation of security practices and controls

8.3 Confidentiality of Audit Results

Audit results and any information obtained during an audit shall be treated as ShipStream's confidential information and shall not be disclosed to third parties without ShipStream's prior written consent.

9. CCPA-Specific Provisions

9.1 Service Provider Certification

ShipStream certifies that it:

  • Understands and will comply with the CCPA requirements applicable to Service Providers
  • Will not sell Customer Personal Data
  • Will not retain, use, or disclose Customer Personal Data for any purpose other than providing the Service, as permitted under the CCPA
  • Will not retain, use, or disclose Customer Personal Data outside of the direct business relationship with Customer
  • Will not combine Customer Personal Data with personal information received from other sources, except as permitted by the CCPA

9.2 Assistance with CCPA Requests

ShipStream shall assist Customer in responding to CCPA requests from consumers, including requests to:

  • Know what personal information has been collected
  • Delete personal information
  • Correct inaccurate personal information
  • Opt out of the sale or sharing of personal information (not applicable, as ShipStream does not sell or share)

9.3 Notification of Inability to Comply

If ShipStream determines that it can no longer meet its obligations under the CCPA, ShipStream shall:

  • Promptly notify Customer
  • Take reasonable steps to remediate the non-compliance
  • Cease processing Customer Personal Data if remediation is not possible

10. Liability and Indemnification

10.1 Liability

Each party's liability under this DPA is subject to the limitations of liability set forth in the Agreement.

10.2 Customer Indemnification

Customer shall indemnify and hold harmless ShipStream from claims arising from:

  • Customer's violation of Applicable Data Protection Law
  • Customer's processing of Personal Data in violation of this DPA
  • Customer's instructions that violate Applicable Data Protection Law

10.3 ShipStream Indemnification

ShipStream shall indemnify and hold harmless Customer from claims arising from:

  • ShipStream's violation of Applicable Data Protection Law
  • ShipStream's processing of Personal Data in violation of this DPA
  • Security Incidents caused by ShipStream's failure to implement appropriate security measures

11. General Provisions

11.1 Governing Law

This DPA shall be governed by the laws of the State of Tennessee, United States, without regard to conflict of law principles.

11.2 Amendments

This DPA may be amended by ShipStream to reflect changes in Applicable Data Protection Law. Material amendments will be provided to Customer with at least thirty (30) days' notice.

11.3 Entire Agreement

This DPA, together with the Agreement, constitutes the entire agreement between the parties regarding the subject matter hereof.

11.4 Severability

If any provision of this DPA is found unenforceable, the remaining provisions shall remain in full force and effect.

11.5 No Third-Party Beneficiaries

This DPA is for the benefit of the parties only and does not create any third-party beneficiary rights, except that Data Subjects may enforce their rights under Applicable Data Protection Law.

12. Contact Information

For questions about this DPA or data protection matters:

ShipStream, LLC
Email: privacy@shipstream.io
Website: https://shipstream.io

For Security Incident notifications: Email: security@shipstream.io


Appendix A: Technical and Organizational Security Measures

The following describes the technical and organizational security measures implemented by ShipStream:

A.1 Access Control

  • Role-based access control (RBAC) for all systems
  • Multi-factor authentication (MFA) required for administrative access
  • Principle of least privilege applied to all access grants
  • Regular access reviews and prompt deprovisioning

A.2 Encryption

  • TLS 1.2 or higher for all data in transit
  • AES-256 encryption for data at rest
  • Encryption key management with regular rotation
  • Secure key storage using hardware security modules (HSMs) or equivalent

A.3 Network Security

  • Firewalls and network segmentation
  • Intrusion detection and prevention systems
  • DDoS protection
  • Regular vulnerability scanning

A.4 Application Security

  • Secure software development lifecycle (SDLC)
  • Code reviews and security testing
  • Dependency scanning and management
  • Regular penetration testing

A.5 Physical Security

  • Data center physical access controls
  • Environmental controls (fire suppression, climate control)
  • 24/7 monitoring and surveillance
  • Visitor management procedures

A.6 Operational Security

  • Logging and monitoring of all system access
  • Security information and event management (SIEM)
  • Incident response procedures
  • Regular security training for personnel

A.7 Business Continuity

  • Regular data backups
  • Disaster recovery planning and testing
  • Geographic redundancy
  • Documented recovery procedures

A.8 Vendor Management

  • Security assessment of third-party vendors
  • Contractual security requirements
  • Ongoing monitoring of vendor compliance