Data Processing Agreement

Last update:

This Data Processing Agreement ("DPA") forms part of the agreement between Layout, Inc. ("Layout") and the customer that accesses or integrates the Layout platform ("Integrator") under the Layout End User License Agreement or other applicable terms (the "Agreement"). This DPA governs the processing of personal data carried out through the Layout software, application programming interfaces, agentic ordering tools, connectors, and related services (the "Software"). By accessing or using the Software, the Integrator agrees to this DPA.

Who We Are

Layout, Inc. provides software that lets AI assistants and other applications place real orders and complete purchases at participating merchants. Layout is legally organized from Roseville, California. Contact us at legal@layout.link.

Definitions

For the purposes of this DPA, "personal data," "processing," "controller," "processor," "sub-processor," and "data subject" have the meanings given to them under applicable data protection law, including the EU General Data Protection Regulation and UK GDPR (together, "GDPR") and the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA"). "Applicable Data Protection Law" means all privacy and data protection laws that apply to the processing of personal data under this DPA.

Roles of the Parties

The parties acknowledge that Layout acts in two capacities depending on the type of processing.

For personal data that the Integrator submits or directs Layout to process in order to receive the Software, the Integrator is the controller and Layout is the processor. The Integrator determines the purposes and means of that processing and is responsible for having a lawful basis for it.

For a limited set of personal data for which Layout itself determines the purposes and means of processing, including account and authentication data, security and audit logs, fraud prevention data, and spending control records, Layout acts as a controller. Layout processes this data to operate, secure, and improve the Software.

Where the CCPA applies, Layout acts as a "service provider" with respect to personal data processed on the Integrator's behalf. Layout does not sell or share that personal data and does not retain, use, or disclose it for any purpose other than performing the Software or as permitted by the CCPA.

Scope and Purpose of Processing

Layout processes personal data only to provide, maintain, secure, and support the Software, in accordance with the Integrator's documented instructions, this DPA, and the Agreement. The Agreement and the Integrator's use of the Software constitute the Integrator's complete and documented instructions. Layout will inform the Integrator if it believes an instruction violates Applicable Data Protection Law, unless legally prohibited from doing so.

Categories of Data and Data Subjects

The personal data processed under this DPA may include the names, email addresses, and order or transaction details of the Integrator's customers and end users, and tokenized payment references. Layout does not receive, store, or log raw payment card data. The data subjects are the end users who place orders or initiate purchases through an interface powered by Layout.

Obligations of Layout

Layout will process personal data only on documented instructions from the Integrator, except where required by law. Layout will ensure that persons authorized to process personal data are bound by appropriate confidentiality obligations. Layout will implement appropriate technical and organizational measures to protect personal data as described in this DPA. Layout will assist the Integrator, taking into account the nature of the processing, in responding to data subject requests and in meeting the Integrator's security, breach notification, and impact assessment obligations to the extent applicable.

Obligations of the Integrator

The Integrator is responsible for the accuracy, quality, and legality of the personal data it submits and for having a valid lawful basis for the processing. The Integrator is responsible for providing all required privacy notices to its own customers and end users and for obtaining any necessary consents. The Integrator must not instruct Layout to process personal data in a way that violates Applicable Data Protection Law.

Sub-Processors

The Integrator authorizes Layout to engage sub-processors to support the Software. Layout's current sub-processors include Amazon Web Services for hosting and database infrastructure and Basis Theory for payment tokenization and virtual card generation. Layout will impose data protection obligations on each sub-processor that are no less protective than those in this DPA and remains responsible for its sub-processors' performance. Layout will give the Integrator advance notice of any new or replacement sub-processor and a reasonable opportunity to object on legitimate data protection grounds.

Security Measures

Layout maintains appropriate technical and organizational measures designed to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. These measures include encryption of data in transit and at rest where appropriate, access controls, network protection, and use of payment infrastructure that is PCI DSS Level 1 compliant. Raw payment card data is tokenized by Basis Theory and is not stored or logged by Layout.

Personal Data Breach

Layout will notify the Integrator without undue delay after becoming aware of a personal data breach affecting personal data processed on the Integrator's behalf. The notice will include the information reasonably available to Layout to help the Integrator meet its own breach notification obligations. Layout will take reasonable steps to mitigate the effects of the breach.

Data Subject Requests

To the extent the Integrator cannot address a data subject request itself through the Software, Layout will provide reasonable assistance to help the Integrator respond to requests from data subjects exercising their rights under Applicable Data Protection Law. If Layout receives such a request directly, it will, where permitted, direct the data subject to the Integrator.

International Data Transfers

Layout processes and stores personal data using infrastructure located in the United States. Where personal data is transferred from the European Economic Area, the United Kingdom, or Switzerland to a country that has not been deemed to provide an adequate level of protection, the parties agree that the transfer will be governed by an appropriate transfer mechanism, including the European Commission's Standard Contractual Clauses and the UK International Data Transfer Addendum, which are incorporated by reference where applicable.

Return and Deletion of Data

Upon termination or expiration of the Agreement, Layout will, at the Integrator's choice, delete or return the personal data processed on the Integrator's behalf, unless retention is required by law. Layout may retain data in routine backups for a limited period consistent with its standard backup practices, during which the data remains protected under this DPA.

Audits

Layout will make available to the Integrator information reasonably necessary to demonstrate compliance with this DPA. Where required by Applicable Data Protection Law, and subject to reasonable notice, confidentiality obligations, and limits on frequency and scope, Layout will allow for and contribute to audits conducted by the Integrator or an independent auditor it appoints.

Liability

Each party's liability under this DPA is subject to the limitations and exclusions set out in the Agreement.

Term

This DPA takes effect when the Integrator first accesses or uses the Software and continues for as long as Layout processes personal data on the Integrator's behalf. Provisions that by their nature should survive termination will survive.

Governing Law

This DPA is governed by the laws of the State of California, except where Applicable Data Protection Law requires otherwise. Any dispute will be brought exclusively in the state or federal courts located in California.

Contact Us

Layout, Inc. legal@layout.link