Royalty Reporting

Data Processing Addendum (DPA)

Summary version. Last updated: May 13, 2026

What this page is

When Royalty Reporting processes personal data on a customer's behalf (for example: licensee employee accounts, audit-log identities, statement recipients), RetailNorthstar, Inc. acts as a data processor and the customer acts as the data controller. This page summarizes the commitments we make as a processor. The full executable Data Processing Addendum ("DPA") is available on request and supplements our Terms of Service and any signed Service Agreement.

Scope

The DPA applies to processing of personal data subject to: the EU General Data Protection Regulation (GDPR), the UK GDPR and Data Protection Act 2018, the California Consumer Privacy Act as amended by the CPRA, and other applicable data-protection laws. It governs the processing performed by RetailNorthstar as a processor on the customer's instructions in delivering the Royalty Reporting Platform.

Our processor commitments

  • Process personal data only on the customer's documented instructions and for the purposes of providing the Service.
  • Ensure personnel with access to personal data are bound by confidentiality obligations.
  • Implement and maintain appropriate technical and organizational security measures (encryption in transit and at rest, role-based access controls, MFA for administrative access, tenant isolation, logging, regular security review).
  • Assist the customer in responding to data-subject rights requests (access, rectification, erasure, restriction, portability, objection).
  • Assist the customer with data-protection impact assessments and prior consultations with supervisory authorities where required.
  • Notify the customer without undue delay after becoming aware of a personal data breach affecting their data.
  • Delete or return personal data at the end of the Service, subject to legal retention requirements.
  • Make available all information necessary to demonstrate compliance and allow for audits, subject to reasonable confidentiality and scope limits.

Sub-processors

We use a limited set of sub-processors to deliver the Service. Current sub-processors include:

  • DigitalOcean, LLC — cloud infrastructure hosting (United States)
  • Google LLC — Google Analytics 4 for site analytics (United States; only after visitor cookie consent)
  • Microsoft Corporation — Microsoft Clarity for site interaction analytics (United States; only after visitor cookie consent)
  • Google LLC (Workspace) — transactional and notification email delivery (United States)

We will provide notice of changes to this list and an opportunity to object before any new sub-processor begins processing customer personal data, in accordance with the DPA.

International transfers

Our infrastructure operates in the United States. Where personal data originates in the EU, UK, or other jurisdictions with cross-border transfer rules, we rely on Standard Contractual Clauses (SCCs) and the EU-US Data Privacy Framework where applicable. The executed DPA includes the relevant SCCs as appendices.

Request an executed DPA

Customers and prospective customers can request an executed copy of the DPA through our legal contact form. We typically return a countersigned copy within five business days.
