Customer GDPR Data Processing Agreement

Effective Date: [insert date]

If you have any questions about this DPA, contact [email protected].

This Data Processing Agreement ("DPA") is an addendum to the Customer Terms of Service (the "Agreement") between Shopfiles Ltd ("Shopfiles", "we", "us", or "our") and the customer ("Customer", "you"). It reflects requirements under the EU/EEA/UK data protection laws, including the GDPR. Capitalized terms not defined here have the meanings in the Agreement.

1. Definitions

  1. Affiliate: an entity that Controls, is Controlled by, or is under common Control with a party; "Control" means ownership or control of >50% of voting interests.
  2. Authorized Affiliate: any Customer Affiliate permitted to use the Services under the Agreement.
  3. Controller: the entity that determines purposes and means of processing Personal Data.
  4. Customer Data: any data that we process on behalf of Customer via the Services.
  5. Data Protection Laws: all applicable privacy/data protection laws governing processing under this DPA (e.g., GDPR, ePrivacy, UK GDPR).
  6. Personal Data: Customer Data relating to an identified or identifiable natural person, as protected under Data Protection Laws.
  7. Processor: an entity processing Personal Data on behalf of a Controller.
  8. Processing: as defined by the GDPR; related terms are construed accordingly.
  9. Security Incident: unauthorized or unlawful breach of security leading to accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of or access to Personal Data.
  10. Services: products/services we provide under the Agreement.
  11. Sub‑processor: any Processor engaged by Shopfiles to assist with processing under this DPA.

2. Scope and Role of the Parties

  2.1. Applicability. This DPA applies only where, and to the extent that, we process Personal Data on your behalf and such data is subject to EU/EEA, UK, or Swiss Data Protection Laws.
  2.2. Roles. As between the parties, you are the Controller of Personal Data and Shopfiles acts as Processor. Nothing in this DPA restricts Shopfiles from processing data as an independent Controller where we determine purposes and means (e.g., billing, account management, security telemetry, anti‑abuse).
  2.3. Customer responsibilities. You are solely responsible for: (a) the lawfulness of Personal Data and your instructions; (b) providing all required notices and obtaining all rights/consents; (c) configuring and securing your environments; and (d) determining whether your use involves special categories of data and meeting all prerequisites. You must not use the Services to process special categories unless strictly necessary and lawful.
  2.4. Processor obligations. We process Personal Data only: (a) to provide and maintain the Services under the Agreement; (b) to perform steps necessary to deliver the Services; and (c) per your documented, lawful instructions consistent with the Agreement. We are not obliged to follow instructions that are unlawful, infeasible, or would impose a disproportionate burden or security risk.
  2.5. Nature and purpose. Typical activities include storage, transmission, and limited operations necessary to provide the Services, support, and security; and disclosures required by law. We do not monitor customer content and have no obligation to obtain or maintain data we do not possess or control.

3. Sub‑processing

  3.1. You authorize our use of Sub‑processors. We will impose data protection terms no less protective than this DPA and remain responsible for our Sub‑processors’ performance as set out herein.
  3.2. We may update Sub‑processors and will provide reasonable notice (email suffices) where required. You may object on reasonable data‑protection grounds; if no resolution is possible, either party may terminate only the affected Services.

4. Security

  4.1. We implement appropriate technical and organizational measures designed to protect Personal Data, taking into account the state of the art, costs, and risks. A summary of controls is set out in Annex B.
  4.2. Personnel and Sub‑processors authorized to process Personal Data are bound by confidentiality obligations.
  4.3. Upon becoming aware of a Security Incident impacting Personal Data we host, we will notify you without undue delay and provide information reasonably available to help you meet your obligations. Notification is not an admission of fault or liability.
  4.4. We may update security measures to reflect technical progress provided overall protection is not materially reduced.

5. Reports and Audit

Upon written request and subject to confidentiality, we may provide available third‑party attestations or summaries reasonably necessary to demonstrate compliance with this DPA. On‑site audits are not required unless mandated by law and then limited to scope, frequency, and safeguards that protect the security and confidentiality of our environments; your audit costs are your responsibility.

6. International Transfers

Personal Data is primarily processed within the EU/EEA. If a transfer outside the EU/EEA/UK is required, we will rely on an approved transfer mechanism (e.g., Standard Contractual Clauses) where applicable. You acknowledge that we may use Sub‑processors subject to such mechanisms.

7. Return and Deletion

Following deactivation of the applicable Services, we will delete or anonymize Personal Data within our standard retention windows, unless retention is required by law. Data on backups will be isolated from routine processing and deleted per lifecycle schedules. You are solely responsible for exporting data prior to termination.

8. Cooperation

  8.1. Where you cannot reasonably access relevant Personal Data, we will, taking into account the nature of processing and at your expense, provide reasonable assistance with data subject requests required by law.
  8.2. To the extent required, and at your expense, we will provide available information necessary for you to conduct data protection impact assessments or consultations with supervisory authorities concerning our processing under this DPA.

9. Warranty Disclaimer; Limitation of Liability

THE SERVICES AND ANY ASSISTANCE UNDER THIS DPA ARE PROVIDED "AS IS" AND "AS AVAILABLE" WITHOUT WARRANTIES OF ANY KIND (EXPRESS, IMPLIED, OR STATUTORY), INCLUDING WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON‑INFRINGEMENT. TO THE MAXIMUM EXTENT PERMITTED BY LAW, SHOPFILES LTD AND ITS AFFILIATES SHALL NOT BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, EXEMPLARY, OR PUNITIVE DAMAGES, OR FOR LOSS OF PROFITS, REVENUE, DATA, OR GOODWILL, ARISING OUT OF OR RELATED TO THIS DPA OR THE SERVICES, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. TO THE MAXIMUM EXTENT PERMITTED BY LAW, OUR AGGREGATE LIABILITY RELATING TO THIS DPA SHALL NOT EXCEED THE FEES PAID BY YOU FOR THE RELEVANT SERVICE IN THE THREE (3) MONTHS PRECEDING THE EVENT GIVING RISE TO LIABILITY. NOTHING IN THIS DPA SEEKS TO LIMIT LIABILITY WHERE SUCH LIMITATION IS PROHIBITED BY LAW.

10. Miscellaneous

  10.1. Order of precedence: In case of conflict between this DPA and the Agreement, this DPA controls solely with respect to processing of Personal Data.
  10.2. Governing law and venue: as set forth in the Agreement, unless required otherwise by Data Protection Laws.
  10.3. This DPA binds the parties and their permitted successors and assigns.

Annex A – Sub‑processors

Current Sub‑processors (if any) are available upon request at [email protected]. You consent to our engagement of these Sub‑processors under Section 3.

Annex B – Summary of Security Measures

  • Network isolation and access controls; least‑privilege and MFA for administrative access.
  • Encryption in transit; encryption at rest where supported by the underlying platform.
  • Change management, vulnerability management, and security monitoring.
  • Incident response procedures with notification as required by law.
  • Personnel confidentiality obligations and security awareness practices.

Contact: [email protected]