Data Processing Agreement
This Data Processing Agreement (the “DPA”) supplements and forms part of the Terms of Service (the “Agreement”) between Provenance SCS Inc., a California corporation doing business as “ShipEasy” (“we”, “us”, “Processor”), and the merchant identified by the Shopify store on which the ShipEasy Shopify app (the “App”) is installed (“you”, “Controller”).
1. Definitions
Capitalised terms used but not defined here have the meaning given in the Agreement or, where applicable, in the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and the UK GDPR.
- Personal Data — information that identifies or could identify a natural person, transmitted to us through the App.
- Processing — any operation performed on Personal Data.
- Sub-processor — any third party we engage to process Personal Data on your behalf (see Schedule 2).
- Data Subject — the natural person to whom the Personal Data relates.
2. Roles and scope
For merchant-account data (shop domain, operator emails, OAuth tokens), we are an independent Controller and Business. For end-customer data flowing through orders (shipping addresses, names, phone numbers, emails attached to Shopify orders), you are the Controller / Business and we are your Processor / Service Provider. This DPA governs the latter processing.
Purpose: generate quotes and Bills of Lading via the connected carrier APIs; book shipments and write tracking information back to your Shopify order; respond to data-subject requests; and maintain anonymized financial records for the periods required by U.S. tax-retention law and FMCSA broker recordkeeping rules (see § 7).
Duration: for as long as the App is installed on your Shopify store, plus the retention windows in § 7.
3. Your instructions
We will process Personal Data only on your documented instructions, which include the Agreement, this DPA, the Acceptable Use Policy, your configuration of the App, each Shopify order you select for shipment generation, and Shopify’s GDPR webhooks (customers/data_request, customers/redact, shop/redact) which we treat as your instructions to export or anonymize data.
4. Confidentiality
We ensure that personnel authorised to process Personal Data are bound by appropriate confidentiality obligations and are trained on data-protection requirements. We operate a least-privilege access model for our production database and admin console.
5. Security
We implement appropriate technical and organisational measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access (GDPR Art. 32). See Schedule 3 below. Highlights:
- TLS 1.2+ for all data in transit;
- Encryption-at-rest with industry-standard authenticated encryption for OAuth tokens, session identifiers, and PII-bearing JSON payloads (customer addresses, quote inputs, billing intent metadata);
- Per-environment encryption keys managed in our infrastructure provider’s secret-store with audit-logged access;
- Least-privilege internal operator access via SSO + email allowlist + short-lived signed session cookies;
- Automated daily Postgres backups (Render managed, 7-day rolling retention).
6. Sub-processors
You authorise us to engage the sub-processors listed in Schedule 2. We will notify you by in-app notice or email at least 30 days before adding or replacing a sub-processor; you may object during that window and, if we cannot accommodate, terminate for convenience. Each sub-processor is bound by a written contract imposing data-protection obligations no less protective than those in this DPA. We remain liable for each sub-processor’s performance to the same extent we would be liable for our own acts.
7. Retention and deletion
In-life processing: we retain Personal Data only as long as needed to perform the services and as described in Privacy Policy § 8.
On uninstall — two-stage retention model:
- Within 48 hours of Shopify’s shop/redact webhook (or 30 days after uninstall if that webhook never arrives), we anonymize all identifying merchant- and customer-level fields tied to your shop.
- The anonymized financial skeleton is kept for seven (7) years to satisfy tax-retention obligations (26 U.S.C. § 6001 / IRS Pub. 583) and FMCSA broker recordkeeping (49 C.F.R. Part 371), on the legal basis of GDPR Art. 17(3)(b) read with Art. 4(1) and Article 29 Working Party Opinion 05/2014 on Anonymisation Techniques.
- After seven years, the anonymized rows are permanently deleted.
Self-service export window: you retain the ability to perform a self-service CSV export of all Merchant Data and Order Data for 30 days following termination. We send the export link to the email on file in your Shopify admin at the time of uninstall.
Backups: Personal Data in Render automated snapshots is overwritten as snapshots age out of their 7-day retention. We do not run targeted redaction against backups.
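The two-stage model above, as an added illustration that is not ShipEasy’s code: it verifies a Shopify webhook signature (Shopify’s documented scheme, base64 of an HMAC-SHA256 over the raw request body keyed with the app secret, delivered in the X-Shopify-Hmac-Sha256 header) before treating the webhook as an instruction under § 3, dispatches the three GDPR topics, strips a live order down to an allow-listed financial skeleton, and runs the 30-day uninstall fallback and the seven-year purge as a cron step. The field names, in-memory store, sample orders and payload shapes are constructed assumptions for the example.

```python
# Added example (not ShipEasy's code) of the § 7 two-stage retention model.
# Assumptions: field names, the in-memory Store, and the sample orders are
# constructed; the webhook signature scheme is Shopify's documented one.
import base64
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

# Allow-list of non-identifying fields kept as the financial skeleton. Every
# other field (name, address, phone, email, shop_domain, ...) is dropped, so a
# column added later cannot leak by omission from a deny-list.
SKELETON_FIELDS = ("amount_charged", "currency", "created_at", "carrier")
SKELETON_RETENTION = timedelta(days=365 * 7 + 2)  # seven years, leap days included
UNINSTALL_GRACE = timedelta(days=30)             # fallback if shop/redact never arrives


def utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)


def plus_days(t, n):
    return t + timedelta(days=n)


def sign_body(raw_body: bytes, app_secret: str) -> str:
    """X-Shopify-Hmac-Sha256 value: base64(HMAC-SHA256(app_secret, raw body))."""
    mac = hmac.new(app_secret.encode(), raw_body, hashlib.sha256).digest()
    return base64.b64encode(mac).decode()


def verify_shopify_hmac(raw_body: bytes, header_value: str, app_secret: str) -> bool:
    """Constant-time comparison; an unsigned webhook is not an instruction (§ 3)."""
    return hmac.compare_digest(sign_body(raw_body, app_secret), header_value)


def anonymize(order: dict, now: datetime) -> dict:
    """Return only the allow-listed skeleton plus timestamps; nothing else is copied."""
    skeleton = {k: order[k] for k in SKELETON_FIELDS if k in order}
    skeleton["anonymized_at"] = now.isoformat()
    skeleton["purge_after"] = (now + SKELETON_RETENTION).isoformat()
    return skeleton


class Store:
    """In-memory stand-in for the production tables (constructed)."""

    def __init__(self):
        self.orders = []          # live rows carrying PII and shop_domain
        self.skeletons = []       # anonymized rows, no shop key
        self.uninstalled_at = {}  # shop_domain -> uninstall time, redact not yet seen

    def _redact(self, match, now) -> int:
        keep, n = [], 0
        for o in self.orders:
            if match(o):
                self.skeletons.append(anonymize(o, now))
                n += 1
            else:
                keep.append(o)
        self.orders = keep
        return n

    def redact_shop(self, shop, now) -> int:
        self.uninstalled_at.pop(shop, None)
        return self._redact(lambda o: o["shop_domain"] == shop, now)

    def redact_customer(self, shop, email, now) -> int:
        return self._redact(lambda o: o["shop_domain"] == shop and o["email"] == email, now)

    def export_customer(self, shop, email) -> list:
        return [dict(o) for o in self.orders if o["shop_domain"] == shop and o["email"] == email]


def handle_webhook(store, topic, raw_body, header_hmac, app_secret, now) -> str:
    """Verify first, then dispatch the three GDPR topics; unknown topics are ignored."""
    if not verify_shopify_hmac(raw_body, header_hmac, app_secret):
        return "rejected"
    p = json.loads(raw_body)
    shop = p["shop_domain"]
    if topic == "shop/redact":
        return f"anonymized {store.redact_shop(shop, now)}"
    if topic == "customers/redact":
        return f"anonymized {store.redact_customer(shop, p['customer']['email'], now)}"
    if topic == "customers/data_request":
        return f"exported {len(store.export_customer(shop, p['customer']['email']))}"
    return "ignored"


def run_retention_cron(store, now):
    """Stage 1 fallback (uninstall + 30 days, no webhook seen) and stage 2 purge
    of skeletons past purge_after. Returns (orders anonymized, skeletons deleted)."""
    anonymized = 0
    for shop, t in list(store.uninstalled_at.items()):
        if now - t >= UNINSTALL_GRACE:
            anonymized += store.redact_shop(shop, now)
    before = len(store.skeletons)
    store.skeletons = [s for s in store.skeletons
                       if datetime.fromisoformat(s["purge_after"]) > now]
    return anonymized, before - len(store.skeletons)


def sample_store() -> Store:
    """Two constructed orders from two shops (sample data, not real records)."""
    s = Store()
    s.orders.append({"shop_domain": "alpha.myshopify.com", "name": "A. Recipient",
                     "address1": "1 Main St", "phone": "555-0100", "email": "a@example.com",
                     "amount_charged": 123.45, "currency": "USD", "carrier": "ltl",
                     "created_at": "2024-01-02"})
    s.orders.append({"shop_domain": "beta.myshopify.com", "name": "B. Recipient",
                     "address1": "2 Side St", "phone": "555-0101", "email": "b@example.com",
                     "amount_charged": 67.80, "currency": "USD", "carrier": "ltl",
                     "created_at": "2024-01-03"})
    return s
```

The skeleton is built from an allow-list rather than by deleting known PII columns, so the retained rows carry no shop key at all; a keyed hash of the shop domain would make them pseudonymous rather than anonymous, which is why none is kept here.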
8. Assistance to you
We provide reasonable assistance with data-subject requests (Chapter III GDPR; California Civil Code §§ 1798.100 et seq.), security obligations (GDPR Arts. 32–36), and breach notification. We will notify you without undue delay, and in any event within 72 hours, of becoming aware of a personal-data breach affecting your end-customer Personal Data.
9. International data transfers
Our production database and application servers are located in the United States (Render, Oregon region, US West). For Restricted Transfers from the EEA, UK, or Switzerland to the United States, the parties incorporate the EU Commission’s Standard Contractual Clauses (Module Two: Controller-to-Processor) per Commission Implementing Decision (EU) 2021/914, together with the UK ICO IDTA or Swiss FDPIC mirror clauses where applicable. Annex references map to Schedules 1–3 below.
10. Audits
We will make available all information reasonably necessary to demonstrate compliance, and allow for audits (including inspections) by you or your mandated auditor, subject to 30 days’ notice, reasonable confidentiality undertakings, and no more than once every 12 months unless required by a regulator or following a breach. We may satisfy this obligation by providing third-party certification or audit reports (SOC 2, ISO 27001) where reasonably accepted.
11. Liability
The liability provisions in the Agreement apply to this DPA.
12. Termination
This DPA terminates automatically when the Agreement terminates, subject to the retention windows in § 7.
13. Governing law and precedence
This DPA is governed by California law (the law identified in the Agreement). Where this DPA and the Agreement conflict on a data-protection matter, this DPA prevails. Where this DPA and the SCCs incorporated under § 9 conflict, the SCCs prevail.
Schedule 1 — Details of processing
| Item | Description |
|---|---|
| Subject matter | Generation of freight Bills of Lading and shipment bookings for Shopify orders selected by you. |
| Duration | Until termination of the Agreement, plus the retention windows in § 7. |
| Nature and purpose | Receiving order data from Shopify, transmitting addresses + dimensions to carrier APIs, returning tracking, charging via Shopify App Billing including reweigh / reclassification adjustments. |
| Categories of Data Subjects | Your end customers (shipping recipients); your operator staff who use the App. |
| Categories of Personal Data | Shipping recipient: name, company, postal address, country, phone, email. Operator staff: Shopify user ID, email. App billing: amount charged (no payment-instrument data). |
| Special categories | None. The App is not designed to process Art. 9 GDPR special-category data. |
| Frequency | Continuous for the duration of the Agreement, transactional per BOL you generate. |
Schedule 2 — Sub-processors
| Sub-processor | Service | Location | Personal data accessed |
|---|---|---|---|
| Shopify, Inc. | App platform, OAuth, App Billing, webhook delivery | Global (CDN) / Canada | OAuth tokens, webhook payloads |
| TAI Software, LLC | TMS API for quote + shipment booking | US | Origin and destination addresses, package dimensions |
| CEVA / Alliance / AIT | Carriers fulfilling the physical shipment | US (HQ) | Shipping addresses and shipment details, received via TAI |
| Render Services, Inc. | Hosting + Postgres database + backups | US, Oregon | All Personal Data at rest (encrypted with our keys) |
| Functional Software, Inc. (Sentry) | Error monitoring | US | Error event payloads; shop domain tag |
| Slack Technologies, LLC | Internal incident-response alerts | US | Error event summaries keyed by shop domain |
Schedule 3 — Technical and organisational measures
Pseudonymisation and encryption (Art. 32(1)(a))
- TLS 1.2+ for all data in transit.
- Encryption-at-rest with industry-standard authenticated encryption for OAuth tokens, session identifiers, and PII-bearing JSON payloads (customer addresses, quote inputs, billing intent metadata).
- Per-environment encryption keys managed in our infrastructure provider’s secret-store, with backup in an enterprise password manager under least-privilege access.
Confidentiality, integrity, availability, resilience (Art. 32(1)(b))
- Multi-instance autoscaled production web service with redundancy to survive single-node failure.
- Daily automated database backups (7-day rolling retention).
- Cron-driven retention and hard-delete pipelines (§ 7).
Restoration of availability (Art. 32(1)(c))
Quarterly verification that recent backups can be restored.
Process for testing and evaluating (Art. 32(1)(d))
- Sentry error monitoring + Slack alert mirror for incident detection.
- Quarterly re-test of GDPR webhook handlers end-to-end.
- Comprehensive automated test coverage of the data-handling code paths, including the PII scrub pipeline.
Access controls
Internal operator console gated by SSO + an explicit email allowlist + short-lived signed session cookies. Database credentials managed via the infrastructure provider’s secret-store, never committed to source control.
Incident response
Documented in our internal runbook. 72-hour breach-notification commitment (§ 8).
How to execute this DPA
Installing the App constitutes acceptance of this DPA as supplementing the Agreement. If your procurement process requires a counter-signed copy, email privacy@shipeasyco.com and we will send a PDF you can sign.