This Data Processing Agreement (“DPA”) applies where [COMPANY LEGAL NAME] processes personal data on your behalf in connection with the optional managed onboarding/support service. For the self-hosted plugin running on your server, you are the controller and processor of shopper data; this DPA covers only data we handle for you.
1. Roles
You are the data controller. We act as processor for personal data we process while delivering onboarding/support (e.g., access to your store during setup).
2. Scope & instructions
We process personal data only on your documented instructions and only as needed to provide the agreed services.
3. Confidentiality & security
Personnel are bound by confidentiality. We apply appropriate technical and organisational measures (access control, encryption in transit, least privilege, time-boxed access during onboarding).
4. Sub-processors
Current sub-processors: hosting [HOSTING], scheduling [SCHEDULING], email [EMAIL]. Any AI provider is selected and controlled by you and is not our sub-processor.
5. International transfers
Where applicable, transfers outside the EEA/your jurisdiction rely on Standard Contractual Clauses or an adequacy decision.
6. Assistance & breach
We assist you with data-subject requests and security/DPIA obligations, and notify you without undue delay after becoming aware of a personal-data breach affecting data we process for you.
7. Deletion & audit
On termination we delete or return personal data we hold for you, save where retention is legally required. We make available information reasonably necessary to demonstrate compliance.
Template only, not legal advice — have counsel adapt before signing.