Data Processing Addendum (DPA)
Updated: Sep 21, 2025
Effective date: Jul 28, 2025
1) Roles, Scope, and Instructions
1.1 Controller appoints Processor to process Personal Data solely on Controller’s documented instructions and only to provide, maintain, secure, and support the FlexCon Service (rental flows, deposits/pricing logic, schedules, notifications, order lifecycle, analytics/monitoring).
1.2 Processor will minimize Personal Data and limit processing to the stated purposes. Any additional use requires Controller’s further documented instructions unless required by law (in which case Processor will inform Controller unless legally prohibited).
2) Definitions
Terms Personal Data, Controller, Processor, Processing, and Data Subject follow applicable data protection laws (e.g., GDPR/UK GDPR, Vietnam PDPD, U.S. state privacy laws). “Protected customer data” means Shopify API data related to a customer (e.g., Customers, Orders, Checkouts, and related webhooks/metafields).
3) Shopify-Specific Compliance
3.1 Mandatory privacy webhooks. Processor will subscribe to and act on Shopify’s privacy/compliance webhooks, including customers/data_request, customers/redact, and shop/redact, acknowledging and completing required actions within Shopify’s timelines.
3.2 Consent & opt-outs. Where provided by Shopify, Processor will respect customer consent preferences and do-not-sell/share choices and will not sell or share Personal Data for cross-context behavioral advertising.
3.3 Purpose limitation. Processor will process Protected customer data only to operate the Service and as permitted by these Terms/DPA.
4) Nature, Purpose, Duration, and Data Types
Subject matter & purpose. Operation and improvement of the Service (rental selection, pricing/deposits, scheduling, notifications, inventory, order lifecycle, fraud/abuse prevention, diagnostics).
Duration. For the Agreement term and until deletion/return per §9.
Data Subjects. Controller’s customers and authorized staff.
Personal Data. Identifiers/contact (name, email, phone), addresses, order/rental details (dates, SKUs, prices, deposits), device/usage (IP, logs), communications metadata. (No special category data is intended.)
5) Security
Processor maintains appropriate technical and organizational measures including: encryption in transit and at rest (including encrypted backups); least-privilege and role-based access; MFA/SSO for privileged access; environment separation (test vs. production); secret management; secure software development and vulnerability management; monitoring/audit logs for access to Protected customer data; data loss prevention controls; documented incident response; backups and disaster recovery with tested restores. See Annex II.
6) Confidentiality & Personnel
Processor ensures personnel authorized to process Personal Data are bound by confidentiality and trained in privacy/security appropriate to their roles.
7) Sub-processors
Processor may use sub-processors for hosting, messaging, analytics, and support as listed in Annex III. Processor will impose no-less-protective obligations and remains liable for sub-processor acts/omissions. Processor will notify Controller of changes and allow reasonable objections.
8) Assistance & Data Subject Rights
Taking into account the nature of processing and information available, Processor will assist Controller in responding to Data Subject requests (access, deletion, portability, objection), in security obligations, and in DPIAs/consultations. Processor will also support requests flowing through Shopify’s compliance webhooks.
9) Retention, Return, and Deletion
9.1 Processor will not retain Personal Data longer than necessary for the stated purposes.
9.2 Upon termination/uninstall or upon Controller’s written request, Processor will delete or return Personal Data (at Controller’s option) and delete existing copies within 30 days, subject to legal retention requirements and standard backup overwrites. Backups are overwritten on a rolling schedule not exceeding 90 days. Processor will cascade deletions to sub-processors and maintain deletion/audit logs.
10) Cross-Border Data Transfers
Where Personal Data is transferred from the EEA/UK to countries without adequate protection (e.g., Vietnam, U.S.), the parties incorporate by reference:
the EU Standard Contractual Clauses (2021/914) — Module Two (Controller→Processor); and
the UK International Data Transfer Addendum (where UK GDPR applies).
Details/elections are set in Annex IV. If a new lawful mechanism replaces the foregoing, the parties will cooperate in good faith to implement it.
11) Breach Notification
Processor will notify Controller without undue delay after becoming aware of a Personal Data Breach affecting Personal Data and provide information reasonably required for Controller’s compliance obligations.
12) Audit & Documentation
Upon reasonable prior notice, Processor will make available relevant information to demonstrate compliance and allow audits/inspections by Controller or its mandated auditor, subject to confidentiality, reasonable frequency, and operational safeguards. Processor maintains records of processing and access logs for Protected customer data.
13) Service Provider / No Sale of Personal Data
Processor acts as Controller’s service provider/processor, does not sell Personal Data, and will not use Personal Data for targeted advertising or for any purpose other than providing the Service, analytics, and improvements in accordance with this DPA (with aggregation/de-identification where applicable).
14) Vietnam-Specific Compliance (PDPD — Decree 13/2023)
Processor is established in Vietnam and will comply with Vietnam’s personal data protection law (PDPD). Where cross-border transfers occur, Processor will prepare and maintain a Data Processing Impact Assessment (DPIA) and a Cross-Border Transfer Impact Assessment (TIA), submit an original copy to the Ministry of Public Security (Department A05) within 60 days of the start of processing/first transfer, keep such documents available for inspection, and update within 10 days of material changes. Processor will implement appropriate security measures and facilitate Data Subject rights consistent with PDPD requirements. If any data localization or related obligations become applicable under Vietnam law, Processor will comply and notify Controller.
15) Liability; Governing Law; Order of Precedence
Liability and governing law follow the Agreement. If there is a conflict between this DPA and the Agreement, this DPA controls for Personal Data processing and Shopify privacy compliance.
Annex I — Description of Processing
Service operations. Collection, storage, structuring, transmission, retrieval, analysis, and deletion necessary to provide the Service and secure it.
Personal Data / Systems. Shopify Protected customer data objects (Customers, Orders, Checkouts and relevant webhooks/metafields), support tickets/communications as needed.
Hosting locations. Primary hosting: AWS us-east-2 (Ohio, USA); backups within the same or equivalent regions. [Update if you add EU/Asia regions.]
Retention. Operational data retained only as needed; uninstall or deletion requests handled per §9; backups overwritten ≤ 90 days.
Contacts. Controller privacy contact: [ ]; Processor privacy contact: support@flexconversion.com.
Annex II — Security Measures (Minimum)
Encryption: TLS in transit; encryption at rest; encrypted backups.
Access control: RBAC/least privilege; SSO/MFA for admins; strong passwords; periodic access reviews; IP allow-listing for consoles.
Network & infrastructure: VPC isolation; security groups/firewalls; keys/secrets in managed vault; hardened build/patching.
Application security: secure SDLC, code review, dependency scanning, vulnerability management; change control; logging and monitoring.
Environment separation: strict segregation of development/test from production and scrubbed test data.
Monitoring & logs: audit trails for admin access to Protected customer data; anomaly detection and alerting.
Data management: backups with tested restores; secure deletion; least-copy principle; DLP rules to detect and block bulk exfiltration.
Incident response: documented runbooks; breach notification workflow; post-incident review and corrective actions.
Business continuity: DR plan; RPO/RTO objectives aligned to Service criticality; periodic drills.
Personnel & training: confidentiality agreements; security/privacy training; joiner/mover/leaver controls.
Annex III — Sub-processors
List your current sub-processors, purpose, and region (example):
Amazon Web Services, Inc. (AWS) — hosting & storage — Region: us-east-2 (Ohio, USA)
Amazon Web Services, Inc. (AWS) - Amazon Simple Email Service — transactional emails/notifications — Region: us-east-2 (Ohio, USA)
Annex IV — Cross-Border Transfer Mechanisms
EU SCCs (2021/914, Module Two — C→P): incorporated by reference.
Data exporter: Controller; Data importer: Processor.
Governing law for SCCs (Clause 17): Ireland; Competent supervisory authority (Clause 18): Irish Data Protection Commission (or the EEA authority of the Controller).
Annexes: map to Annexes I–III of this DPA.
UK Addendum: incorporated where UK GDPR applies; Tables 1–4 populated by Annexes I–III and this Annex; governing law/jurisdiction: England & Wales (unless the Controller specifies otherwise).