Data Processing Agreement (DPA)

Last updated: March 2026

1. Preamble

This Data Processing Agreement ("DPA") is entered into between:

  • Data Controller: The merchant ("you", "Controller") who installs and uses the Shopilaw application on their Shopify store.
  • Data Processor: Tran Consulting UG (haftungsbeschränkt) ("we", "us", "Processor"), operator of Shopilaw.

This DPA supplements and forms part of the Shopilaw Terms of Service and is concluded in accordance with Article 28 of the General Data Protection Regulation (EU) 2016/679 ("GDPR"). It governs the processing of personal data by the Processor on behalf of the Controller when providing the Shopilaw service.

2. Subject and Duration

The Processor processes personal data on behalf of the Controller for the purpose of providing the Shopilaw withdrawal button service. The processing begins when the Controller installs the Shopilaw application and continues for the duration of the service agreement. Upon termination, the provisions of Section 11 (Deletion and Return of Data) apply.

3. Nature and Purpose of Processing

The Processor processes personal data to facilitate EU-compliant withdrawal requests on behalf of the Controller's Shopify store. This includes:

  • Receiving and storing withdrawal requests submitted by end customers
  • Sending confirmation emails to end customers upon withdrawal submission
  • Sending notification emails to the Controller about new withdrawal requests
  • Providing a merchant dashboard for managing and tracking withdrawal requests
  • Verifying order data to prevent fraudulent withdrawal requests
  • Generating export files (CSV/PDF) of withdrawal records

4. Types of Personal Data

The following categories of personal data are processed:

  • Customer name: First and last name of the end customer submitting a withdrawal
  • Customer email address: Used for confirmation emails and order verification
  • Order number: Shopify order reference for identifying the withdrawn order
  • Withdrawal reason: Optional reason provided by the end customer
  • IP address: Collected for fraud protection and rate limiting purposes
  • Timestamps: Date and time of withdrawal submission and confirmation

5. Categories of Data Subjects

The data subjects are end customers of the Controller's Shopify store who submit withdrawal requests through the Shopilaw withdrawal button.

6. Obligations of the Processor

The Processor shall:

  • Process on instructions only: Process personal data solely on the basis of documented instructions from the Controller, including with regard to transfers of personal data to a third country, unless required to do so by Union or Member State law.
  • Ensure confidentiality: Ensure that persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
  • Implement security measures: Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as described in Section 9.
  • Engage sub-processors responsibly: Not engage another processor without prior specific or general written authorization of the Controller, as described in Section 7.
  • Assist with data subject rights: Assist the Controller by appropriate technical and organizational measures, insofar as possible, for the fulfilment of the Controller's obligation to respond to requests for exercising data subject rights (access, rectification, erasure, restriction, portability, objection).
  • Assist with compliance obligations: Assist the Controller in ensuring compliance with obligations pursuant to Articles 32 to 36 GDPR, taking into account the nature of processing and the information available to the Processor.
  • Delete or return data: At the choice of the Controller, delete or return all personal data after the end of the provision of services, as described in Section 11.
  • Demonstrate compliance: Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 GDPR and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller.

7. Sub-processors

The Controller grants the Processor general authorization to engage sub-processors. The Processor shall inform the Controller of any intended changes concerning the addition or replacement of sub-processors, giving the Controller the opportunity to object to such changes.

The following sub-processors are currently engaged:

  • Neon Inc. — Database hosting (PostgreSQL). Data stored in EU region (eu-central-1).
  • Resend Inc. — Transactional email delivery for withdrawal confirmation and notification emails.
  • Vercel Inc. — Application hosting and content delivery.
  • Trigger.dev Ltd. — Background job processing for email sending and data cleanup tasks.
  • Sentry (Functional Software, Inc.) — Error monitoring and application performance tracking.

Each sub-processor is contractually bound to data protection obligations no less protective than those set out in this DPA.

8. Data Transfers

The Processor ensures that personal data is primarily processed within the European Economic Area (EEA). Where sub-processors are located outside the EEA, the Processor ensures that appropriate safeguards are in place, including:

  • Standard Contractual Clauses (SCCs) as adopted by the European Commission
  • Adequacy decisions by the European Commission where applicable
  • The EU-U.S. Data Privacy Framework where applicable

The database hosting (Neon) is located in the EU region (Frankfurt, eu-central-1) to ensure that withdrawal request data remains within the EEA.

9. Technical and Organizational Measures

The Processor implements the following technical and organizational measures to protect personal data:

  • Encryption in transit: All data is transmitted over TLS/HTTPS encrypted connections.
  • Encryption at rest: Database storage is encrypted at rest using industry-standard encryption.
  • Access controls: Access to personal data is restricted to authorized personnel on a need-to-know basis. Authentication is managed through Shopify OAuth.
  • HMAC validation: All app proxy requests are validated using HMAC-SHA256 signatures to prevent unauthorized access.
  • Rate limiting: IP-based rate limiting is implemented to prevent abuse and protect against denial-of-service attacks.
  • Regular security reviews: The Processor conducts regular security reviews and applies security updates promptly.
  • Incident response: The Processor maintains an incident response procedure to detect, report, and address security incidents promptly.

10. Data Breach Notification

In the event of a personal data breach, the Processor shall notify the Controller without undue delay and no later than 72 hours after becoming aware of the breach, in accordance with Article 33 GDPR. The notification shall include:

  • A description of the nature of the personal data breach
  • The categories and approximate number of data subjects concerned
  • The categories and approximate number of personal data records concerned
  • A description of the likely consequences of the breach
  • A description of the measures taken or proposed to address the breach

The Processor shall cooperate with the Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of the breach.

11. Deletion and Return of Data

Upon termination of the service agreement (including uninstallation of the Shopilaw app), the Processor shall:

  • Delete all personal data related to the Controller's withdrawal requests within 48 hours of receiving Shopify's shop/redact webhook, unless Union or Member State law requires further storage.
  • Upon request, provide the Controller with an export of their withdrawal data in a machine-readable format (CSV) before deletion.
  • Retain billing and audit records for 7 years as required by applicable tax and commercial law obligations.

12. Liability

Liability of each party under this DPA is subject to the limitations and exclusions set forth in the Shopilaw Terms of Service, except where such limitations are not permitted under GDPR Article 82. Each party shall be liable for damages caused by processing that infringes the GDPR in accordance with Article 82 GDPR.

13. Contact

For questions regarding this DPA or data processing matters, contact us at:

Email:

Tran Consulting UG (haftungsbeschränkt)