# Data Processing Addendum (DPA)

**Effective date:** Jul 28, 2025

***

### 1) Roles, Scope, and Instructions

1.1 Controller appoints Processor to **process Personal Data solely on Controller’s documented instructions** and only to provide, maintain, secure, and support the FlexCon Service (rental flows, deposits/pricing logic, schedules, notifications, order lifecycle, analytics/monitoring).\
1.2 Processor will **minimize** Personal Data and **limit** processing to the stated purposes. Any additional use requires Controller’s further documented instructions unless required by law (in which case Processor will inform Controller unless legally prohibited).

### 2) Definitions

Terms **Personal Data**, **Controller**, **Processor**, **Processing**, and **Data Subject** follow applicable data protection laws (e.g., GDPR/UK GDPR, Vietnam PDPD, U.S. state privacy laws). “**Protected customer data**” means Shopify API data related to a customer (e.g., Customers, Orders, Checkouts, and related webhooks/metafields).

### 3) Shopify-Specific Compliance

3.1 **Mandatory privacy webhooks.** Processor will subscribe to and act on [Shopify’s privacy/compliance webhooks](https://shopify.dev/docs/apps/build/compliance/privacy-law-compliance), including `customers/data_request`, `customers/redact`, and `shop/redact`, acknowledging and [completing required actions](https://shopify.dev/docs/apps/launch/protected-customer-data) within Shopify’s timelines.\
3.2 **Consent & opt-outs.** Where provided by Shopify, Processor will respect customer consent preferences and **do-not-sell/share** choices and will not sell or share Personal Data for cross-context behavioral advertising.\
3.3 **Purpose limitation.** Processor will process Protected customer data only to operate the Service and as permitted by these Terms/DPA.

### 4) Nature, Purpose, Duration, and Data Types

* **Subject matter & purpose.** Operation and improvement of the Service (rental selection, pricing/deposits, scheduling, notifications, inventory, order lifecycle, fraud/abuse prevention, diagnostics).
* **Duration.** For the Agreement term and until deletion/return per §9.
* **Data Subjects.** Controller’s customers and authorized staff.
* **Personal Data.** Identifiers/contact (name, email, phone), addresses, order/rental details (dates, SKUs, prices, deposits), device/usage (IP, logs), communications metadata. *(No special category data is intended.)*

### 5) Security

Processor maintains **appropriate technical and organizational measures** including: encryption in transit and at rest (including encrypted backups); least-privilege and role-based access; MFA/SSO for privileged access; environment separation (test vs. production); secret management; secure software development and vulnerability management; monitoring/audit logs for access to Protected customer data; data loss prevention controls; documented incident response; backups and disaster recovery with tested restores. See **Annex II**.

### 6) Confidentiality & Personnel

Processor ensures personnel authorized to process Personal Data are **bound by confidentiality** and trained in privacy/security appropriate to their roles.

### 7) Sub-processors

Processor may use sub-processors for hosting, messaging, analytics, and support as listed in **Annex III**. Processor will impose **no-less-protective** obligations and remains **liable** for sub-processor acts/omissions. Processor will notify Controller of changes and allow reasonable objections.

### 8) Assistance & Data Subject Rights

Taking into account the nature of processing and information available, Processor will **assist** Controller in responding to Data Subject requests (access, deletion, portability, objection), in security obligations, and in DPIAs/consultations. Processor will also support requests flowing through Shopify’s compliance webhooks.

### 9) Retention, Return, and Deletion

9.1 Processor will not retain Personal Data **longer than necessary** for the stated purposes.\
9.2 Upon termination/uninstall or upon Controller’s written request, Processor will **delete or return** Personal Data (at Controller’s option) and delete existing copies **within 30 days**, subject to legal retention requirements and standard backup overwrites. Backups are overwritten on a rolling schedule not exceeding **90 days**. Processor will cascade deletions to sub-processors and maintain deletion/audit logs.

### 10) Cross-Border Data Transfers

Where Personal Data is transferred from the EEA/UK to countries without adequate protection (e.g., Vietnam, U.S.), the parties **incorporate by reference**:

* the **EU Standard Contractual Clauses (2021/914)** — Module Two (Controller→Processor); and
* the **UK International Data Transfer Addendum** (where UK GDPR applies).

Details/elections are set in **Annex IV**. If a new lawful mechanism replaces the foregoing, the parties will cooperate in good faith to implement it.

### 11) Breach Notification

Processor will notify Controller **without undue delay** after becoming aware of a Personal Data Breach affecting Personal Data and provide information reasonably required for Controller’s compliance obligations.

### 12) Audit & Documentation

Upon reasonable prior notice, Processor will make available **relevant information** to demonstrate compliance and allow **audits/inspections** by Controller or its mandated auditor, subject to confidentiality, reasonable frequency, and operational safeguards. Processor maintains records of processing and access logs for Protected customer data.

### 13) Service Provider / No Sale of Personal Data

Processor acts as Controller’s **service provider/processor**, **does not sell** Personal Data, and will not use Personal Data for targeted advertising or for any purpose other than providing the Service, analytics, and improvements in accordance with this DPA (with aggregation/de-identification where applicable).

### 14) Vietnam-Specific Compliance (PDPD — Decree 13/2023)

Processor is established in Vietnam and will comply with Vietnam’s personal data protection law (PDPD). Where cross-border transfers occur, Processor will prepare and maintain a **Data Processing Impact Assessment (DPIA)** and a **Cross-Border Transfer Impact Assessment (TIA)**, **submit an original copy to the Ministry of Public Security (Department A05) within 60 days** of the start of processing/first transfer, keep such documents available for inspection, and **update within 10 days** of material changes. Processor will implement appropriate security measures and facilitate Data Subject rights consistent with PDPD requirements. If any **data localization** or related obligations become applicable under Vietnam law, Processor will comply and notify Controller.

### 15) Liability; Governing Law; Order of Precedence

Liability and governing law follow the Agreement. If there is a conflict between this DPA and the Agreement, **this DPA controls** for Personal Data processing and Shopify privacy compliance.

***

### Annex I — Description of Processing

* **Service operations.** Collection, storage, structuring, transmission, retrieval, analysis, and deletion necessary to provide the Service and secure it.
* **Personal Data / Systems.** Shopify Protected customer data objects (Customers, Orders, Checkouts and relevant webhooks/metafields), support tickets/communications as needed.
* **Hosting locations.** Primary hosting: **AWS us-east-2 (Ohio, USA)**; backups within the same or equivalent regions. \[Update if you add EU/Asia regions.]
* **Retention.** Operational data retained only as needed; uninstall or deletion requests handled per §9; backups overwritten ≤ **90 days**.
* **Contacts.** Controller privacy contact: \[ ]; Processor privacy contact: <support@flexconversion.com>.

### Annex II — Security Measures (Minimum)

1. **Encryption:** TLS in transit; encryption at rest; encrypted backups.
2. **Access control:** RBAC/least privilege; SSO/MFA for admins; strong passwords; periodic access reviews; IP allow-listing for consoles.
3. **Network & infrastructure:** VPC isolation; security groups/firewalls; keys/secrets in managed vault; hardened build/patching.
4. **Application security:** secure SDLC, code review, dependency scanning, vulnerability management; change control; logging and monitoring.
5. **Environment separation:** strict segregation of development/test from production and scrubbed test data.
6. **Monitoring & logs:** audit trails for admin access to Protected customer data; anomaly detection and alerting.
7. **Data management:** backups with tested restores; secure deletion; least-copy principle; DLP rules to detect and block bulk exfiltration.
8. **Incident response:** documented runbooks; breach notification workflow; post-incident review and corrective actions.
9. **Business continuity:** DR plan; RPO/RTO objectives aligned to Service criticality; periodic drills.
10. **Personnel & training:** confidentiality agreements; security/privacy training; joiner/mover/leaver controls.

### Annex III — Sub-processors

List your current sub-processors, purpose, and region (example):

* **Amazon Web Services, Inc. (AWS)** — hosting & storage — **Region:** us-east-2 (Ohio, USA)
* **Amazon Web Services, Inc. (AWS) - Amazon Simple Email Service** — transactional emails/notifications — **Region:** us-east-2 (Ohio, USA)

### Annex IV — Cross-Border Transfer Mechanisms

* **EU SCCs (2021/914, Module Two — C→P)**: incorporated by reference.
  * **Data exporter**: Controller; **Data importer**: Processor.
  * **Governing law for SCCs (Clause 17)**: **Ireland**; **Competent supervisory authority (Clause 18)**: **Irish Data Protection Commission** (or the EEA authority of the Controller).
  * **Annexes**: map to Annexes I–III of this DPA.
* **UK Addendum**: incorporated where UK GDPR applies; Tables 1–4 populated by Annexes I–III and this Annex; governing law/jurisdiction: **England & Wales** (unless the Controller specifies otherwise).
