Data Processing Addendum

Introduction

This Data Processing Addendum (“Addendum”) forms part of the agreement between Refactor Plus Systems and Software LLC (the “Company”) and you, the merchant (the “Customer”), and applies to the extent the Company processes any personal data on your behalf in the course of providing our Apps and Services. This Addendum is designed to meet the requirements of Article 28 of the GDPR and equivalent provisions of other data protection laws. In case of any conflict between this Addendum and any other agreement (such as our Terms of Use or Privacy Policy) regarding the processing of personal data, the terms of this Addendum shall prevail.

1. Definitions

1.1. “Agreement” means the Company’s Terms of Use and Privacy Policy governing Customer’s use of the Company’s Apps and Services.

1.2. “Customer Data” means any personal data that the Company processes on behalf of the Customer as a processor in providing the Services. Customer Data includes personal data submitted into the Company’s Apps or otherwise made available by the Customer (or by Shopify on the Customer’s behalf) in connection with the Services..

1.3. “Data Protection Laws” means all data protection and privacy laws and regulations applicable to the respective party’s processing of personal data under the Agreement, including, where applicable, GDPR; the UK Data Protection Act 2018 and UK GDPR; the Swiss Federal Data Protection Act; the CCPA (as amended by the CPRA); Canada’s PIPEDA; Brazil’s LGPD; and any other applicable privacy laws.

1.4. “GDPR” means the General Data Protection Regulation (EU) 2016/679. References to GDPR also include the UK GDPR.

1.5. “Europe” means the member states of the European Economic Area (EEA), plus the UK and Switzerland.

1.6. The terms “personal data”, “Data Subject”, “Controller”, “Processor”, “processing”, “Supervisory Authority”, and any other terms defined in Data Protection Laws shall have the meaning given to them under the applicable law.

1.7. “Sensitive Data” (or “special categories of data”) means personal data that is subject to additional protection under certain Data Protection Laws, such as data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic or biometric data (for ID purposes), health information, or data concerning a person’s sex life or sexual orientation. For purposes of this Addendum, Sensitive Data also includes any data regarding criminal convictions or financial account information to the extent considered sensitive under applicable law.

1.8. “Sub-processor” means any third-party Processor (including any affiliate of the Company) engaged by the Company to process Customer Data on behalf of the Company in providing the Services. Sub-processors do not include the Company’s own personnel.

1.9. “Security Incident” means a confirmed breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Data on systems managed by the Company. “Security Incident” does not include unsuccessful attempts or activities that do not compromise the security of Customer Data (e.g., failed login attempts, network scans, etc.).

Interpretation: “personal data” in this Addendum shall be interpreted to include “personal information” under the CCPA and similar terms under other laws. Other capitalized terms not defined in this Addendum have the meanings given in the Data Protection Laws.

2. Roles and Scope of Processing

2.1. Controller and processor roles. As between the parties, the Customer is the Controller of the personal data it provides to the Company, and the Company is acting as a Processor (on behalf of the Customer. This Addendum applies only when the Company is processing Customer Data as a Processor. When the Company processes its own data (e.g., the Customer’s account contact info) as a controller, that processing is subject to the Company’s Privacy Policy, not this Addendum.

2.2. Customer’s instructions. The Company will process Customer Data only in accordance with the Customer’s instructions. The Agreement (including this Addendum), together with the Customer’s actual use of the App and any written instructions, constitute the Customer’s full and final instructions. If the Company believes an instruction violates Data Protection Laws, it will promptly inform the Customer (unless legally prohibited). By using our Apps and providing Customer Data, the Customer instructs the Company to process that data to provide the Services. The Company will not “sell” Customer Data or process it for purposes outside those specified in this Addendum and the Agreement, except where required by law. The Company will not combine Customer Data with data from other customers except as needed for legitimate technical operations.

2.3. Limitations on use. The Company will not use Customer Data for its own purposes or disclose it to third parties except as required to provide the Services and as permitted by this Addendum. If Data Protection Laws require processing outside the scope of the Customer’s instructions, the Company will inform the Customer before any such processing (unless legally prohibited).

2.4. Compliance with laws. Each party is responsible for complying with applicable Data Protection Laws. The Customer, as Controller, is responsible for ensuring it has all necessary rights and consents to provide the Customer Data to the Company for processing. The Company will assist the Customer to the extent possible (and as provided in this Addendum) in fulfilling these obligations. The Customer warrants that its instructions for processing Customer Data will not cause the Company to violate any Data Protection Laws.

2.5. Sensitive Data. The Customer will not send any Sensitive Data to the Company unless explicitly agreed in writing. Our Services are generally not intended to process Sensitive Data. The Company has no liability for any Sensitive Data received without its consent; the Customer will indemnify the Company for any damages arising from such unauthorized processing.

2.6. Duration of processing. The Company will process Customer Data for the duration specified in the Agreement. Typically, this means while the Customer’s account is active and until deletion of all Customer Data as described in this Addendum (see Section 7). After termination or deletion, the Company will cease processing and delete the Customer Data as required below, unless law requires retention.

3. Sub-Processing

3.1. Authorised Sub-Processors. The Customer agrees that the Company may engage Sub-processors to assist in delivering the Services. Our current Sub-processors include:

• Shopify, Inc. (Canada) – Shopify provides the platform hosting our Apps and stores data such as customer metafields, and facilitates secure data transmission.
• Heroku (Salesforce, USA) – Heroku hosts our application backend and PostgreSQL database on AWS infrastructure.
• Mantle, Inc. (USA) – Provides system monitoring and performance analytics; we only use it for technical monitoring, and no customer-identifiable personal data is intentionally stored in Mantle.
• Sentry, Inc. (USA) – Used for error and exception tracking; it logs technical events and stack traces to help us debug issues in our app.

We may also use additional Sub-processors in the future. We will update our Sub-processor list and notify the Customer of any additions as described in Section 3.3.

3.2. Sub-Processor obligations. The Company enters into written agreements with each Sub-processor imposing data protection obligations no less protective than those in this Addendum or as may otherwise be required by applicable Data Protection Laws and regulations. These agreements ensure Sub-processors process Customer Data only for the limited and specified purposes and provide at least the same level of protection as required here. For example, Shopify, Heroku, Sentry, and Mantle each have strong security certifications (such as ISO 27001 and SOC 2) and offer standard Data Processing Agreements. The Company remains responsible to the Customer for the Sub-processor’s performance of its data protection obligations relating to Customer Data under this Addendum (i.e., the Company will be liable for acts and omissions of Sub-processors to the same extent as if they were done by the Company). The Company remains responsible to the Customer for the Sub-processor’s performance of its data protection obligations relating to Customer Data under this Addendum.”

3.3. Notification of new Sub-Processors. The Company will inform the Customer of any intended addition or replacement of Sub-processors by updating the Sub-processor list or sending notice to the Customer at least 30 days in advance. If the Customer has a reasonable basis to object (for example, security or compliance concerns about the new Sub-processor), the Customer must notify the Company in writing within that 30-day period. We will then discuss the concerns in good faith. If we cannot resolve the issue and the Customer’s objection is justified, the Customer may terminate the portion of the Services that would be affected by the Sub-processor change, and we will refund any prepaid fees for that portion.

3.4. Confidentiality of Sub-Processor agreements. The Customer agrees and acknowledges that some Sub-processor agreements may contain confidential terms. In such a case, the Company may be prevented from disclosing Sub-processor agreements to Customer. But upon request, the Company will provide the Customer with relevant summaries or evidence of the Sub-processors’ data protection measures to demonstrate that they meet the standards of this Addendum.

4. Security of Data

4.1. Security measures. The Company will implement and maintain appropriate technical and organisational measures to protect Customer Data against Security Incidents, ensuring confidentiality, integrity, and availability of the data. These measures include pseudonymization and encryption of data, securing data in transit and at rest, access controls, network security, and regular testing of the effectiveness of these measures. We take into account the state of the art and the risks involved in our processing of data. (See Annex B for more details.)

4.2. Confidentiality of personnel. The Company will ensure that any personnel authorised to process Customer Data (including its staff, agents, subcontractors, etc.) are under confidentiality obligations (via contract or law) and have been trained on data protection. Access to Customer Data is limited to those personnel who need it to perform our obligations under the Agreement.

4.3. No assessment of Customer Data by Company. The Company does not independently review Customer Data to classify it (e.g., identifying “sensitive” data) — that is the Customer’s responsibility. The Company’s security measures apply uniformly to all data it processes.

4.4. Security incidents. In the event the Company becomes aware of a confirmed Security Incident affecting Customer Data, the Company will: (a) notify the Customer without undue delay (and no later than 48 hours after discovery); (b) take prompt steps to contain and investigate the incident; and (c) provide timely information to the Customer about the nature of the incident, categories and approximate volume of data affected, likely consequences, and measures taken to mitigate. The Company’s notification is not an admission of fault but is intended to help the Customer fulfil any legal or regulatory obligations.

4.5. Customer’s security responsibilities. The Customer is responsible for the secure use of the Services, including protecting its own account credentials (API keys, passwords) and configuring its store and infrastructure securely. The Customer should implement appropriate measures (e.g., encrypting sensitive data before entering it into our Apps if needed). The Customer is also responsible for maintaining reasonable security measures on its own systems and devices used to access the Services (for example, keeping systems updated and using appropriate endpoint security controls). The Company is not responsible for breaches resulting from customer misconfiguration or compromised credentials outside our systems.

5. Audits and Accountability

5.1. Audit right.: The Customer has the right to verify the Company’s compliance with this Addendum. The Company will make available to the Customer all information reasonably necessary to demonstrate compliance, including policies and procedures, or third-party audit reports. The Customer may also conduct audits or inspections of the Company’s systems relevant to the processing of Customer Data, subject to Section 5.2 below.

5.2. Audit process. If the Customer wishes to conduct an on-site or remote audit, it must give at least 30 days’ notice. The scope, timing, and duration of the audit shall be mutually agreed upon to minimise disruption. The Customer may not conduct more than one audit per year (unless required by law or in case of a substantiated breach). Any auditor must be independent, non-competitive with the Company, and bound by confidentiality obligations. The Company may charge a reasonable fee (depends on scope and timing, and may vary case by case) or require the Customer to cover costs if the audit exceeds standard scope or requires extraordinary resources.

5.3. Provision of reports. The Customer agrees that, in lieu of a full audit, the Company may provide compliance evidence in the form of third-party certifications or reports (e.g., SOC 2 Type II, ISO 27001) that cover relevant data protection controls. If the Customer is satisfied with these reports for the relevant scope, no further audit may be needed. If the Customer still requires more information, they can request a more limited audit as per Section 5.2. Any additional audit requests or supplemental information requests beyond the provision of standard reports may be subject to cost recovery as described in Section 5.2.

5.4. Audit confidentiality. Any information obtained by the Customer or its auditor during an audit (including findings and reports) must be kept confidential and used only for verifying compliance with this Addendum. The Customer must ensure that auditors sign a non-disclosure agreement acceptable to the Company before accessing any audit-related information or systems. The Customer will share the audit findings with the Company and allow the Company to address any issues uncovered.

6. International Data Transfers

6.1. Authorisation of international processing. The Customer authorises that the Company and its Sub-processors may transfer and process Customer Data in any country where they have facilities, subject to this Section’s safeguards. The Company will implement appropriate safeguards to protect data wherever it is processed.

6.2. Transfers from EEA/UK/Switzerland. If Customer Data originating in the EEA, UK, or Switzerland is transferred to a country that has not been recognised by the European Commission or other authority as providing adequate protection, the parties agree to comply with the Standard Contractual Clauses (SCCs) Module Two (Controller-to-Processor) or other valid transfer mechanism. The SCCs are hereby incorporated by reference and form an integral part of this Addendum. The Company shall at all times ensure that such transfers are made in compliance with the requirements of Data Protection Laws and this Addendum. For UK transfers, the UK Addendum to the SCCs is deemed appended; for Swiss transfers, the SCCs will be interpreted with Swiss modifications.

6.3. Alternative transfer mechanisms. If the SCCs are deemed inadequate (for example, due to legal changes) or if a new valid mechanism becomes available (such as a different adequacy or certification framework), the Company and Customer will cooperate to implement that mechanism for transfers. The Customer also agrees that if the Company adopts any approved binding corporate rules or certifications, those may be used for lawful transfers.

6.4. Transfers to other regions. For data transferred from other jurisdictions (e.g., Canada or Brazil) to outside those regions, the Company will ensure appropriate legal safeguards. We will also honour any specific geographic restrictions the Customer may have requested in writing.

6.5. Government access requests. The Company has not received any indiscriminate government requests for personal data. If the Company receives a legal request from a government or law enforcement agency for Customer Data (like a subpoena or warrant), unless prohibited by law, the Company will (a) promptly notify the Customer of the request (providing a copy if permitted); (b) assert that the data requested belongs to the Customer and should be obtained directly from the Customer; and (c) disclose only the minimum data legally required after exhausting any protections. The Company will not voluntarily disclose Customer Data to any government or law enforcement agency without a legally binding order. These practices ensure that any government access is challenged and kept as limited as possible according to the principles of necessity and proportionality.

7. Deletion or Return of Data

7.1. Deletion on termination. Upon termination or expiration of the Agreement (or earlier, at the Customer’s request), the Company will delete or return to the Customer all Customer Data in its possession, except to the extent that applicable law requires retention. If the Customer requests return of data, the Company will provide it in a common format within a reasonable time, after which it will securely delete the data. The Company will also instruct its Sub-processors to delete the Customer Data from their systems in accordance with this section.

7.2. Shopify mandatory deletion webhooks. The Company honours Shopify’s mandatory privacy webhooks for data erasure. Specifically, when a merchant uninstalls our App or requests data erasure for a store or customer, Shopify sends our App a webhook (shop/redact, customers/redact, or customers/data_request) in accordance with Shopify’s schedule and policies. Upon receiving a shop/redact or customers/redact webhook, the Company will delete or anonymise the relevant Customer Data from our systems without undue delay, typically within minutes, and will confirm completion to Shopify. Shopify typically delivers the shop/redact webhook within 48 hours after uninstallation, but Shopify may delay delivery of the customers/redact webhook based on its internal grace period and chargeback rules. If a customers/data_request webhook is received, the Company will promptly provide the requested data (that the App has stored) to the merchant via the Shopify response, so the merchant can fulfil the data access request. The Company keeps logs of these deletions and provides confirmations to ensure accountability. If any data cannot be deleted due to a legal obligation, the Company will inform the Customer and ensure it is securely isolated from processing until lawful deletion is possible.

If any data cannot be deleted due to a legal obligation, the Company will inform the Customer and ensure it is securely isolated from processing until lawful deletion is possible.

7.3. Ongoing obligations. The Company may retain minimal Customer Data as necessary for ongoing obligations or to resolve disputes, but in each case, it will only retain what is legally required by applicable law(for example, invoice and billing records required for bookkeeping and audit purposes, etc). Any retained data will continue to be protected under this Addendum’s terms until deletion.

8. Data Subject Rights and Cooperation

8.1. Assistance with data subject requests. Taking into account the nature of processing and the information available, the Company will assist the Customer in fulfilling the Customer’s obligations to respond to Data Subject requests (such as access, deletion, and correction requests) under Data Protection Laws. If the Company receives a request directly from a Data Subject who is a customer of the merchant, the Company will promptly inform the Data Subject to contact the Customer (as primary Controller). The Company will not respond to the request on its own except as instructed by the Customer or as required by law. If a legal requirement forces the Company to respond directly (for example, a valid CCPA request to a Service Provider), the Company will notify the Customer and provide a copy of the request and any response, unless prohibited by law. The Company’s services (and Shopify’s features) allow the Customer to address many requests (for example, deleting a record or correcting data via Shopify admin), and the Company will provide additional assistance on request (such as retrieving or deleting specific data) to enable the Customer to respond within legal timeframes.

8.2. Data Protection Impact Assessments (DPIAs). Upon the Customer’s request, and if required under Data Protection Laws, the Company will provide information to enable the Customer to conduct Data Protection Impact Assessments or consultations with authorities. This may include details of our processing activities, security measures, and Sub-processors. The Company can share existing documentation or answer questionnaires to help satisfy this obligation. Significant ad-hoc support beyond providing standard documentation may be subject to additional fees, which would be agreed in advance.

8.3. Government and law enforcement requests. As noted above, the Company will notify the Customer of any lawful government requests for Customer Data and will attempt to direct the request to the Customer. The Company will not voluntarily disclose Customer Data to any government authority unless compelled by law. The Company will resist overly broad requests and only disclose the specific data legally ordered. We will assist the Customer in challenging unlawful requests where possible and will ensure compliance with principles of necessity and proportionality.

8.4. CCPA cooperation. When subject to the CCPA, the Company (as a Service Provider) will assist the Customer in responding to verifiable consumer requests under California law. For example, the Company will provide the Customer with information about a consumer that it processes on the Customer’s behalf, or delete personal information upon the Customer’s instruction. The Company understands its restrictions under the CCPA (it will not retain or use personal information beyond providing the Services) and will comply with the Customer’s directives regarding CCPA requests.

9. General Provisions

9.1. Liability. The liability limitations agreed between the Customer and Company in the Agreement apply to this Addendum. If any regulatory penalties or claims arise due to the Company’s processing of Customer Data that result from the Customer’s failure to comply with this Addendum or applicable law, those liabilities shall count toward and reduce the Company’s liability under the Agreement as if they were claims by the Customer.

9.2. Term and termination. This Addendum remains in effect as long as the Company processes Customer Data under the Agreement. Termination or expiration of the Agreement automatically terminates this Addendum. The sections of this Addendum that by their nature should survive termination (such as confidentiality, sub-processor obligations, and cooperation) will remain in effect until the Company has deleted all Customer Data as described above.

9.3. Conflict. If there is any inconsistency between this Addendum and the Agreement, the provisions of this Addendum shall prevail for purposes of data protection obligations. If there is any conflict between this Addendum and the SCCs, the SCCs (including Annexes I and II of the SCCs) shall prevail to the extent required by law.

9.4. Governing law. This Addendum is governed by the same law and jurisdiction as the Agreement, unless otherwise required by Data Protection Laws.

9.5. Changes to this Addendum. Either party may propose updates to this Addendum if required by changes in Data Protection Laws or new standard contractual clauses. Material changes will be discussed and agreed in writing.

9.6. Severability. If any provision of this Addendum is held invalid or unenforceable, the remainder of this Addendum shall remain in full force, and the parties will negotiate a valid substitute.

9.7. Acceptance. By using our Services, you (the Customer) accept the terms of this Addendum. If this Addendum is presented via an online click-through or other digital acceptance, no separate signature is needed. If a physical signature is required by the Customer’s policies, the Customer may countersign and return a copy to the Company; acceptance of that signature will incorporate this Addendum.

Annex A – Details of Processing

• Subject Matter: The subject matter is the personal data provided by Customer that is processed through the Company’s Apps (for example, customer profiles, carts, orders, etc., from the merchant’s Shopify store).
• Duration: The duration is the term of the Agreement, until deletion of all Customer Data as per Section 7 above (typically upon uninstallation or request).
• Nature and Purpose: The Company will process personal data to provide and support the App’s functionality as agreed with the Customer. This includes reading, storing, and updating data via Shopify APIs to deliver features, providing customer support, and performing maintenance and improvements of the service. The Company will not use Customer Data for any purpose other than those permitted by the Customer.
• Categories of Data Subjects: The data subjects include: (a) end-customers of the merchant’s Shopify store whose personal data flows through the Apps; (b) the merchant’s own personnel or admin users who have accounts in the merchant’s store (e.g., staff names or emails used in the App’s configuration); and (c) other individuals whose data might be included if the merchant processes such data through Shopify (e.g., subscribers or leads).
• Categories of Personal Data: Customer Data may include (as determined by the Customer’s use of the App):
• Contact information (e.g., names, email addresses, shipping and billing addresses, phone numbers) of customers and other individuals.
• Account identifiers (e.g., Shopify customer IDs, cart IDs, order IDs) and contents (e.g., items in a cart, order details, product IDs, quantities).
• Transaction data (e.g., order history, purchase amounts, currency).
• Device and usage metadata (e.g., IP addresses, device types, browser metadata, timestamps) related to interactions with the App.
• Support communication content (e.g., information in customer support tickets) if processed through the App.
• Any other personal data fields that the merchant’s store processes in Shopify and that flow through the App.

The Company does not intentionally collect any special category (sensitive) data from the Customer; if any such data is included in Customer Data by the Customer’s systems, it is done without the Company’s intent, and the Customer remains responsible for its legality.

Annex B – Security Measures

The Company has implemented and maintains technical and organisational measures appropriate to the risk, including:

• Organisation of Security: The Company has appointed security and privacy personnel and has internal policies for data protection and incident response. Access to systems is role-based, and we employ the principle of least privilege.
• Physical and Infrastructure Security: We use reputable cloud infrastructure (Heroku/AWS) with robust physical security (24/7 monitoring, access controls, environmental safeguards). Our databases and servers are in private subnets, not exposed to the public internet. Any office environment is secured with controlled entry and visitor management.
• Access Control: Access to production systems and Customer Data is restricted. Engineering and admin accounts are provisioned on a need-to-know basis, require strong passwords, and use multi-factor authentication (MFA). We maintain access logs and regularly audit who has access. Deployment and administrative actions are logged and reviewed.
• Data Encryption: All data in transit is encrypted using TLS/SSL. Within our infrastructure, we encrypt sensitive data at rest using cloud provider encryption (e.g., AWS KMS with AES-256). Secrets, API keys, and tokens are stored in encrypted configuration variables. Databases (and automated backups) are encrypted at rest.
• Network Security: We use firewalls and network segmentation to isolate critical systems. We restrict incoming traffic to necessary ports only. We patch systems and applications promptly to address vulnerabilities. We employ intrusion detection/prevention systems and anti-malware where applicable.
• Application Security: Our code is developed with secure coding standards. We perform regular code reviews and use automated tools to scan for vulnerabilities. Third-party libraries are vetted and updated. OAuth and API calls to Shopify use secure, scoped tokens. We logically isolate each merchant’s data so that one merchant cannot access another’s.
• Logging and Monitoring: We keep logs of key actions (e.g., API requests, login attempts, configuration changes). These logs are monitored for anomalies. Alerts from monitoring tools notify our team of errors or suspicious activity. We retain logs long enough for troubleshooting and compliance.
• Incident Response: We have an incident response plan that defines roles, communication channels, and steps for handling breaches or outages. We perform incident response drills periodically. In case of a Security Incident, we will promptly implement mitigation steps, investigate, and notify affected parties as required.
• Backups and Business Continuity: We perform regular backups of our databases and critical systems. For example, daily backups of the PostgreSQL database are performed via Heroku. Backups are encrypted and stored securely. We test recovery procedures. Our services are built with redundancy to maintain availability.
• Physical Security (Developer Offices, if any): Any facilities where Customer Data might be accessible are secured physically (locked doors, badge access, visitor logs). Server administrators must use secure equipment to access systems.
• Human Resources Security: Employees and contractors with access to Customer Data are bound by confidentiality obligations and receive training on data protection and security practices. Where appropriate and legally permitted, the Company may verify the identity and suitability of personnel before granting access to production systems.
• Security Assessments: We periodically review and test our security measures to ensure their effectiveness. We may also rely on the security certifications and compliance controls of our cloud providers as part of our overall security programme.
• Data Minimisation and Anonymisation: We strive to minimise the personal data we collect, keeping only what is necessary for the Services. Where possible, we use pseudonymization (e.g., using customer IDs instead of names for internal logs). Any test or analytics data is handled in an anonymised or aggregated form.
• Government Access and Encryption (EEA Impact): Acknowledging the risk of data transfer to the U.S., we have deployed robust encryption so that data would be unintelligible to unauthorised parties without access to our keys. We also enforce legal process steps (Section 6.5) to limit any compelled disclosures.

This annex is a general description of our security posture. For specific questions about our security, the Customer may request more detailed information or documentation.