Data Processing Addendum
The terms governing Shopppio's processing of personal data on behalf of merchants.
1. Scope
This Data Processing Addendum ("DPA") forms part of the Terms when Shopppio processes Personal Data on behalf of the Customer as Processor.
2. Definitions
"Personal Data", "Processing", "Controller", "Processor" and "Data Subject" have the meanings given in applicable data protection law.
3. Processing details
Subject-matter, duration, nature, purpose, categories of data subjects and personal data are described in the Service Order.
4. Customer instructions
Shopppio processes Personal Data only on documented instructions of the Customer.
5. Confidentiality
People authorised to process Personal Data are bound by appropriate confidentiality obligations.
6. Security measures
Encryption in transit (TLS), encryption at rest via the hosting provider, least-privilege access, audit logging.
7. Sub-processors
Customer authorises the engagement of the sub-processors listed above. Shopppio will notify Customer of any addition or replacement (30-day objection right).
| Sub-processor | Service | Location |
|---|---|---|
| Google Cloud | Hosting, database, storage | Google Cloud regions |
| Stripe | Card processing | Razorpay (India / global) |
| Cloudflare | TBD — see updated list | |
| Sentry | marketing.legal.dpa.subprocessors.rows.3.service | marketing.legal.dpa.subprocessors.rows.3.location |
| Segment | marketing.legal.dpa.subprocessors.rows.4.service | marketing.legal.dpa.subprocessors.rows.4.location |
| Twilio | marketing.legal.dpa.subprocessors.rows.5.service | marketing.legal.dpa.subprocessors.rows.5.location |
| Postmark | marketing.legal.dpa.subprocessors.rows.6.service | marketing.legal.dpa.subprocessors.rows.6.location |
8. Data Subject rights
Shopppio will assist Customer in fulfilling requests by Data Subjects to exercise rights under applicable data protection law.
9. Personal Data Breach notification
Shopppio will notify Customer without undue delay of becoming aware of a Personal Data Breach.
10. International transfers
Transfers are governed by appropriate safeguards under applicable law.
11. Audits
Customer may audit Shopppio's compliance on reasonable notice, subject to standard confidentiality.
12. Return & deletion
On termination, Shopppio will delete or return Personal Data within 60 days unless retention is required by law.