Data Processing Addendum (DPA)

Effective Date: April 7, 2026 · Last Updated: April 7, 2026

This Data Processing Addendum (“DPA”) supplements the BarterSci Terms of Service and Privacy Policy between Amelix Solutions LLC, a California limited liability company (“Amelix,” “we,” or “us”) and the customer or organizational user identified in an executed agreement or that uses the BarterSci platform on behalf of an organization (“Customer”). It governs the Processing of Personal Data by Amelix on behalf of Customer in connection with the BarterSci platform, websites, applications, APIs, and related services (collectively, the “Service”).

This DPA applies to the extent Amelix Processes Personal Data on behalf of Customer and is subject to (i) the EU General Data Protection Regulation (Regulation (EU) 2016/679) (“EU GDPR”); (ii) the United Kingdom GDPR and Data Protection Act 2018 (“UK GDPR”); (iii) the California Consumer Privacy Act, as amended by the California Privacy Rights Act (“CCPA”); and (iv) other applicable data protection laws (collectively, “Data Protection Laws”). Capitalized terms used but not defined have the meanings given in the Data Protection Laws or the Terms of Service.

BarterSci is primarily a self-serve platform on which individual users act as independent controllers of the User Content they post. This DPA applies only where Amelix is engaged by Customer to Process Personal Data as a Processor on Customer’s behalf. For consumer use of the Service, the Privacy Policy governs.

1) Definitions

Controller, Processor, Data Subject, Personal Data, Processing, and Special Categories of Personal Data have the meanings given in the EU GDPR.
Sub-processor means any third party engaged by Amelix to Process Personal Data on Customer’s behalf.
Standard Contractual Clauses or SCCs means the standard contractual clauses approved by the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021, including the UK International Data Transfer Addendum where applicable.
Security Incident means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data Processed by Amelix on behalf of Customer.

2) Roles of the parties

Customer is the Controller of Personal Data Processed by Amelix on its behalf in connection with the Service. Amelix is the Processor of such Personal Data. With respect to the CCPA, Amelix acts as a “Service Provider” and not a “business” or “third party” with regard to that Personal Data. Each party will comply with the obligations applicable to it under the Data Protection Laws.

3) Subject matter, duration, nature, and purpose

Subject matter: Provision of the Service to Customer.
Duration: The term of Customer’s use of the Service plus any retention period required to fulfill obligations or comply with law.
Nature and purpose: Hosting, storing, transmitting, displaying, securing, supporting, and otherwise Processing Personal Data as necessary to provide and improve the Service.
Categories of Data Subjects: Customer’s authorized users and any individuals whose Personal Data is included in User Content submitted by Customer or its authorized users.
Categories of Personal Data: Account and profile information, marketplace content, messages, device and log data, behavior events, and other information described in the Privacy Policy.
Special Categories: The Service is not designed to Process Special Categories of Personal Data. Customer must not submit such data to the Service.

4) Customer instructions

Amelix will Process Personal Data only on Customer’s documented instructions, including with regard to international transfers, except where required by Applicable Law. Customer’s instructions are reflected in the Terms of Service, this DPA, and Customer’s use of the Service. Amelix will inform Customer if, in its opinion, an instruction infringes the Data Protection Laws.

5) Confidentiality

Amelix will ensure that personnel authorized to Process Personal Data are bound by written or statutory confidentiality obligations and have received appropriate training on their data protection responsibilities.

6) Security

Taking into account the state of the art, the costs of implementation, the nature, scope, context, and purposes of Processing, and the risks to Data Subjects, Amelix will implement and maintain appropriate technical and organizational measures designed to ensure a level of security appropriate to the risk, including:

Encryption of Personal Data in transit;
Logical access controls based on least privilege and identity verification (including MFA for administrative access);
Network protection and segmentation;
Database security rules restricting access to authorized callers and operations;
Regular backups and point-in-time recovery;
Logging, monitoring, and security event review;
Vulnerability management and patching;
Secure development practices and code review;
Vendor diligence and contractual safeguards for Sub-processors;
Personnel security training and confidentiality obligations;
Incident response procedures; and
Periodic review and improvement of the foregoing measures.

7) Sub-processing

Customer provides general written authorization for Amelix to engage Sub-processors, including the Sub-processors used to host and operate the Service (e.g., Google LLC / Google Cloud / Firebase). Amelix will impose data protection obligations on each Sub-processor that are no less protective than those in this DPA, and will remain liable for the acts and omissions of its Sub-processors. Amelix will provide notice (which may be by updating this DPA or a Sub-processor list available on request) of the addition or replacement of Sub-processors. Customer may object on reasonable data protection grounds within fifteen (15) days of notice; the parties will work in good faith to resolve the objection, and if no resolution is reached Customer may terminate the affected Service.

8) International transfers

The Service is hosted in the United States. To the extent Amelix Processes Personal Data of Data Subjects located in the EEA, UK, or Switzerland on Customer’s behalf, the parties incorporate the Standard Contractual Clauses, Module Two (Controller to Processor), with the following selections: Clause 7 (docking) applies; Clause 9(a) Option 2 (general written authorization) applies with the notice period in section 7 of this DPA; Clause 11(a) optional language does not apply; Clause 17 governing law is the law of the Republic of Ireland; Clause 18 forum is the courts of Ireland; Annex I, II, and III are deemed completed by reference to this DPA and the Privacy Policy. For UK transfers, the UK International Data Transfer Addendum (Version B1.0) is incorporated and the SCCs are amended accordingly.

9) Assistance to Customer

Taking into account the nature of Processing and the information available to it, Amelix will provide reasonable assistance to Customer in fulfilling its obligations under Articles 32–36 of the GDPR (security, breach notification, data protection impact assessments, prior consultation), and in responding to Data Subject requests (Articles 12–22 of the GDPR). Customer is responsible for responding to Data Subjects directly.

10) Security Incident notification

Amelix will notify Customer without undue delay after becoming aware of a Security Incident. The notification will include, to the extent reasonably available, the nature of the incident, the categories and approximate number of Data Subjects and records affected, the likely consequences, and the measures taken or proposed to address the incident and mitigate its effects. Amelix’s notification or response to a Security Incident is not an acknowledgement of fault or liability.

11) Audits

Amelix will make available to Customer information reasonably necessary to demonstrate compliance with this DPA. Where required by the Data Protection Laws and not satisfied by such information, Customer may, at Customer’s expense and no more than once per twelve-month period (except where required by a supervisory authority), conduct an audit of Amelix’s compliance, subject to (a) at least thirty (30) days’ written notice; (b) reasonable confidentiality obligations; (c) restrictions to protect Amelix’s other customers’ data and trade secrets; and (d) audit during normal business hours and in a manner that does not unreasonably interfere with operations.

12) Deletion or return of Personal Data

Upon termination or expiration of the Service, Amelix will, at Customer’s choice, delete or return all Personal Data Processed on Customer’s behalf, and delete existing copies, unless Applicable Law requires further storage. Where deletion is requested, Amelix may retain Personal Data in backups until the backups naturally expire, subject to ongoing confidentiality and security obligations.

13) CCPA service provider terms

With respect to Personal Information subject to the CCPA, Amelix (i) will Process such Personal Information solely for the limited and specified business purposes of providing the Service; (ii) will not retain, use, or disclose such Personal Information outside of the direct business relationship between the parties or for any commercial purpose other than providing the Service; (iii) will not “sell” or “share” such Personal Information; (iv) will not combine such Personal Information with Personal Information received from other sources except as permitted under 11 CCR § 7050(b); and (v) certifies that it understands and will comply with these restrictions.

14) Liability

Each party’s liability under this DPA is subject to the limitations and exclusions of liability set out in the Terms of Service. Nothing in this DPA limits either party’s liability to Data Subjects under the Standard Contractual Clauses or where such limitation is prohibited by Applicable Law.

15) Conflict and order of precedence

In the event of any conflict between this DPA and the Terms of Service, this DPA controls with respect to the Processing of Personal Data subject to the Data Protection Laws. In the event of any conflict between this DPA and the SCCs, the SCCs control.

16) Changes

We may update this DPA to reflect changes in Applicable Law, Sub-processors, or our security and Processing practices. Updates will be posted with a new “Last Updated” date. Material changes affecting Customer obligations will be communicated as required.

17) Contact

Amelix Solutions LLC
Attn: Privacy
[REGISTERED AGENT ADDRESS — Amelix Solutions LLC]
Email: legal@amelixllc.com