Overview
This Data Processing Agreement (“DPA”) forms part of Attravo’s Terms of Service and any Master Services Agreement (MSA) between Attravo and Customer. It governs the processing of personal data by Attravo on Customer’s behalf and applies to the Shopify apps, services engagements, and any related processing.
Definitions
- Customer — the Shopify merchant or business using Attravo’s apps or services. Acts as the Data Controller.
- Attravo — acts as the Data Processor on behalf of Customer.
- Personal data, processing, and related terms have the meanings given in the GDPR (EU Regulation 2016/679) and equivalent applicable laws.
- Sub-processor — a third party engaged by Attravo to process personal data on Customer’s behalf.
Roles and scope
Customer is the Controller of personal data processed through the Services. Attravo is the Processor. Attravo will only process personal data on documented instructions from Customer (typically expressed through the Services’ configuration, the MSA, or the relevant Statement of Work).
Categories of data subjects
- Customer’s end shoppers (store visitors and buyers).
- Customer’s staff using the Shopify admin or integrated tools.
Types of personal data
- Contact data: name, email, phone, address.
- Order data: order history, line items, discount codes used.
- Behavioral data: page views, quiz responses, bundle selections, device and browser data.
- Staff data: store owner contact, role data.
Attravo’s obligations
Attravo will process personal data only as necessary to provide the Services, in accordance with Customer’s documented instructions, and in compliance with applicable laws including GDPR, UK GDPR, CCPA / CPRA, and Shopify’s developer terms.
Confidentiality of personnel
Attravo ensures that all personnel authorized to process personal data are bound by confidentiality obligations and have received training on data protection.
Security measures
Attravo implements the following technical and organizational measures, consistent with standard industry protocols (ISO 27001-aligned, SOC 2-aligned):
- All data in transit is encrypted using TLS 1.3.
- All data at rest is encrypted using GCP-managed AES-256 encryption.
- Production infrastructure runs on Google Cloud Platform (GCP). Access is restricted by role, protected by SSO and multi-factor authentication, and audited.
- Logical isolation per Shopify shop. No cross-shop data leakage by design.
- Vulnerability management, dependency scanning, and patch cadence governed by internal policy.
- Incident response procedures with documented escalation paths.
- Backups encrypted at rest, retained for 30 days, and automatically rotated.
- Least-privilege access enforced across infrastructure, applications, and customer support tooling.
Shopify scope verification
All Shopify scopes requested by Attravo apps are reviewed and verified by Shopify before publication to the App Store. We request the minimum scopes necessary to deliver each app’s functionality, and we operate under Shopify’s Built for Shopify and Partner program requirements.
Sub-processors
Customer authorizes Attravo to engage the sub-processors listed below to process personal data in connection with the Services. Each sub-processor is bound by a written agreement requiring data protection terms no less protective than this DPA.
- Google Cloud Platform — application hosting, storage, and analytics infrastructure (US, EU, APAC regions).
- Shopify Inc. — app installation, OAuth, billing, and order webhooks (US, EU, Canada).
- Stripe, Inc. — payment processing for services invoices (US, EU).
- Resend / Postmark — transactional email (US, EU).
- Sentry / Datadog — application monitoring and error tracking (US, EU).
Attravo notifies Customer of any new or replaced sub-processor at least 30 days in advance. Customer may object on reasonable data protection grounds; if no workable resolution can be found, Customer may terminate the Service.
International data transfers
Where personal data is transferred outside the EU/UK, Attravo relies on Standard Contractual Clauses (SCCs) approved by the European Commission and the UK ICO, or other legally recognized transfer mechanisms. The relevant SCCs are incorporated by reference into this DPA.
Data subject rights
Attravo will, taking into account the nature of the processing, assist Customer by appropriate technical and organizational measures to respond to requests from data subjects exercising their rights under applicable law (access, rectification, erasure, restriction, portability, objection). If Attravo receives a request directly from a data subject, we will redirect them to Customer where appropriate.
Personal data breaches
Attravo will notify Customer without undue delay and in any event within 72 hours of becoming aware of a personal data breach affecting Customer’s data. The notification includes the nature of the breach, the categories and approximate number of data subjects and records affected, the likely consequences, and the measures taken or proposed.
Data deletion and return
When the Services end (uninstall of an app, expiry of an MSA, or Customer’s written request), Attravo will:
- Cease all processing of personal data.
- Delete all personal data from production systems within 48 hours of app uninstall, or within 30 days of MSA termination.
- Purge encrypted backups containing the data on the next backup rotation cycle (max 30 days).
- Provide written confirmation of deletion on Customer request.
Attravo honors Shopify’s mandatory GDPR webhooks (customers/data_request, customers/redact, shop/redact) for app data.
Audits and compliance
Attravo makes available to Customer all information necessary to demonstrate compliance with this DPA. Customer may request written summaries of Attravo’s security controls. Where Customer has a justified concern, Attravo will cooperate with reasonable, non-disruptive audits scoped and scheduled in advance.
Liability
The liability of each party under this DPA is subject to the limitations of liability set forth in the Terms of Service and the MSA. Nothing in this DPA limits any liability that cannot be limited under applicable law.
Term and termination
This DPA remains in force for as long as Attravo processes personal data on behalf of Customer. Termination follows the termination terms of the underlying Terms of Service or MSA.
Contact
For DPA-related questions, formal data protection inquiries, or sub-processor notifications, email team@attravo.com.