Data Processing Addendum

Effective date: May 5, 2026

This Data Processing Addendum ("DPA") is incorporated into and forms part of the CORINTH Terms of Service. It applies wherever CORINTH processes Personal Data on your behalf in the course of delivering the platform. It is intended to satisfy the requirements of GDPR Article 28 and the CCPA "service provider" contractual obligations.

If there is any conflict between this DPA and the Terms of Service, this DPA controls with respect to data processing matters.

1. Definitions

  • Customer — the business that has agreed to the Terms of Service (the liquor store operator).
  • Personal Data — any information relating to an identified or identifiable natural person that Customer uploads or inputs into CORINTH. This includes employee names and contact details used to configure store accounts, and any end-customer data that may appear incidentally in POS exports.
  • Processing — any operation performed on Personal Data, including collection, storage, analysis, retrieval, use, and deletion.
  • Controller — Customer, who determines the purposes and means of Processing.
  • Processor — CORINTH, who processes Personal Data on Customer's behalf.
  • Sub-processor — a third-party infrastructure provider that CORINTH engages to assist in delivering the platform. See /legal/subprocessors for the current list.

2. Scope

This DPA applies to all Personal Data that Customer uploads to or generates within CORINTH — including POS CSV/Excel exports, inventory records, deal data entered via file upload or the browser extension, and any natural-language input submitted through the CORINTH AI chat interface.

CORINTH processes this data only to provide the platform features described in the Terms. CORINTH does not sell Personal Data or process it for its own commercial purposes independent of Customer's instructions.

3. Customer instructions

CORINTH processes Personal Data only on Customer's documented instructions. The Terms of Service constitute Customer's primary instructions. Customer may issue supplemental instructions (such as deletion requests) by emailing support@corinth.tech.

If CORINTH is required by applicable law to process Personal Data in a manner inconsistent with Customer's instructions, CORINTH will notify Customer before doing so unless prohibited by law.

4. Confidentiality

CORINTH personnel authorized to access Personal Data are bound by confidentiality obligations — either by contract or by applicable professional standards — and are permitted to access Personal Data only to the extent necessary to deliver the platform.

5. Security measures

CORINTH implements technical and organizational measures appropriate to the risk of accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data. These measures include:

  • Encryption in transit. All data is transmitted over HTTPS (TLS 1.2+).
  • Encryption at rest. Managed by Supabase, which encrypts all data at the storage layer using AES-256.
  • Row-level security. PostgreSQL RLS policies enforce tenant isolation — one store cannot access another store's data at the database layer.
  • Audit logging. Material actions (data uploads, deletions, AI queries, account changes) are recorded in an append-only audit log.
  • Access control. API keys and secrets are stored server-side only and are never exposed to the client.
  • Incident response. CORINTH maintains a documented incident response procedure. See Section 8 for breach notification terms.

6. Sub-processors

Customer authorizes CORINTH to engage the sub-processors listed at /legal/subprocessors. CORINTH ensures each sub-processor is bound by data processing obligations at least as protective as those in this DPA.

  • New sub-processors. CORINTH will give Customer at least 30 days' written notice (by email to the account address) before engaging a new sub-processor.
  • Objection. If Customer objects, it may notify CORINTH at support@corinth.tech. CORINTH will work in good faith to accommodate the objection; if it cannot, Customer may terminate the subscription without penalty within 30 days of the notice.

7. Data subject requests

When CORINTH receives a request directly from an individual (a "data subject") regarding their Personal Data — access, correction, deletion, restriction, or portability — CORINTH will promptly forward the request to Customer and, to the extent technically feasible, assist Customer in fulfilling it. Customer, as Controller, is responsible for responding to data subjects.

To submit a data subject request on behalf of your store, email support@corinth.tech with your account email and the nature of the request.

8. Personal Data breach notification

If CORINTH becomes aware of a confirmed breach of security that leads to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data, CORINTH will notify Customer without undue delay — targeting within 72 hours of confirmation.

The notification will include, to the extent known at the time:

  • A description of the nature of the breach
  • The categories and approximate number of records affected
  • The likely consequences of the breach
  • Measures taken or proposed to address the breach

Customer is responsible for any notifications it is required to make to regulators or affected individuals under applicable law.

9. Audits

Customer may audit CORINTH's data processing practices once per calendar year, with at least 30 days' written notice. Audits are conducted at Customer's expense and must not unreasonably disrupt CORINTH's operations.

If CORINTH obtains a SOC 2 Type II report or equivalent third-party audit certification in the future, Customer may request a copy of that report in lieu of a direct audit.

10. Return and deletion of Personal Data

Within 30 days of termination or expiration of the Terms of Service, CORINTH will delete all Personal Data processed on Customer's behalf, unless retention is required by applicable law. Customer may request deletion at any time via account settings or by emailing support@corinth.tech. The deletion pipeline runs a 30-day soft-delete window before permanent erasure, consistent with our Privacy Policy.

11. Liability

Each party's liability under this DPA is subject to the limitations set out in the Terms of Service. CORINTH's total aggregate liability for claims under this DPA is capped at the fees Customer paid to CORINTH in the 12 months preceding the event giving rise to the claim.

12. Effective date

This DPA takes effect on the date Customer accepts the Terms of Service and remains in force for as long as CORINTH processes Personal Data on Customer's behalf.

Contact

Questions about this DPA? Email support@corinth.tech.
