
Data Processing Agreement

pursuant to Article 28 GDPR (Auftragsverarbeitungsvertrag) · for the use of Flow Trigger Extensions

Parties

This Data Processing Agreement (“DPA”) is concluded between

the Controller (the customer named below)
The Controller's details are taken from the identification form and inserted into your personalised copy.

and

the Processor:
Code Creation Labs GmbH
Friedensstr. 1, 47647 Kerken, Germany
represented by Yann Faulhaber
Commercial register: Amtsgericht Kleve, HRB 20472 · VAT ID: DE451671933
support@codecreationlabs.com

1. Subject matter and instructions

The Processor processes personal data on behalf of the Controller exclusively to provide the Flow Trigger Extensions service: Providing additional Shopify Flow trigger types, including detection of changes to customer and order data (for example 'Customer Email Changed' or 'Address Changed').

The Processor processes the data only on documented instructions from the Controller, including with regard to transfers of personal data to a third country, unless required to do so by Union or Member State law. This DPA, together with the Controller's use of the app and its configuration, constitutes such documented instructions.

The Processor informs the Controller immediately if it considers that an instruction infringes the GDPR or other data protection provisions.

2. Duration

This DPA applies for as long as the Processor processes personal data on behalf of the Controller, i.e. for the duration of the Controller's use of the app, and ends with the deletion or return of the data in accordance with Section 9.

3. Nature and purpose of processing; data and data subjects

Nature and purpose of the processing: Providing additional Shopify Flow trigger types, including detection of changes to customer and order data (for example 'Customer Email Changed' or 'Address Changed').

Categories of personal data: Customer personal data read from the Shopify store to detect changes - in particular first and last name, billing and shipping address, and email address - together with related order, product and metafield data.

Categories of data subjects: The merchant's customers; the merchant's own staff who use the app.

Further detail is set out in Annex 1.

4. Confidentiality

The Processor ensures that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality, and that access is limited to what is necessary to provide the service.

5. Security of processing (Art. 32 GDPR)

Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk to the rights and freedoms of natural persons, the Processor implements appropriate technical and organisational measures (TOMs) to ensure a level of security appropriate to the risk. The current measures are described in Annex 2.

6. Sub-processors

The Controller grants the Processor general written authorisation to engage the sub-processors listed in Annex 3 to provide the service. The Processor imposes data protection obligations on each sub-processor by contract that are equivalent to those set out in this DPA.

The Processor informs the Controller of any intended changes concerning the addition or replacement of sub-processors at least 30 days in advance, thereby giving the Controller the opportunity to object to such changes before they take effect.

7. Assistance to the Controller

Taking into account the nature of the processing, the Processor assists the Controller by appropriate technical and organisational measures, insofar as this is possible, in fulfilling the Controller's obligation to respond to requests for exercising the data subject's rights under Chapter III GDPR.

The Processor assists the Controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 GDPR (security, breach notification, data protection impact assessment and prior consultation), taking into account the nature of processing and the information available to the Processor.

8. Personal data breach

The Processor notifies the Controller without undue delay after becoming aware of a personal data breach, and provides the information reasonably required to enable the Controller to meet its notification obligations under Articles 33 and 34 GDPR.

9. Deletion or return of data

At the choice of the Controller, the Processor deletes or returns all personal data processed on behalf of the Controller after the end of the provision of services, and deletes existing copies, within 30 days of termination (for example, uninstallation of the app), unless Union or Member State law requires storage of the personal data.

The Processor additionally honours Shopify's mandatory data-redaction webhooks (customers/redact and shop/redact) within the timelines Shopify specifies.

10. Audits and information

The Processor makes available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 GDPR and allows for and contributes to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller, subject to reasonable notice and confidentiality.

11. International transfers

The Processor's processing infrastructure (Google Cloud) is located in the European Union, and the sub-processors used for this service are listed in Annex 3. Should personal data be transferred to a third country, the transfer is safeguarded by appropriate measures pursuant to Chapter V GDPR, in particular the EU Standard Contractual Clauses and, where applicable, the EU-U.S. Data Privacy Framework.

12. Liability and final provisions

Liability is governed by Article 82 GDPR and the agreement between the parties for the use of the app. This DPA is governed by the law of the Federal Republic of Germany. Should individual provisions be invalid, the validity of the remaining provisions remains unaffected. Amendments must be made in text form.

In the event of any conflict between this DPA and other agreements between the parties, the provisions of this DPA prevail with regard to data protection.

13. Conclusion of this Agreement

This Data Processing Agreement is provided on the Processor's website (and, where applicable, in the Controller's customer account). It is concluded when the Controller, before conclusion, takes note of its content and actively ticks the acceptance checkbox (for example 'I accept the Data Processing Agreement').

A handwritten signature by the Controller is therefore not required; the Controller's acceptance is recorded electronically with the date of acceptance, and the Processor's signature is affixed below.

Annex 1 - Details of the processing

Subject matter and purpose: Providing additional Shopify Flow trigger types, including detection of changes to customer and order data (for example 'Customer Email Changed' or 'Address Changed').

Type of personal data: Customer personal data read from the Shopify store to detect changes - in particular first and last name, billing and shipping address, and email address - together with related order, product and metafield data.

Categories of data subjects: The merchant's customers; the merchant's own staff who use the app.

Duration: for the term of the Controller's use of the app (see Section 2).

Annex 2 - Technical and organisational measures (Art. 32 GDPR)

The Processor implements the following technical and organisational measures:

  • Confidentiality - physical access control: hosting in Google Cloud's certified EU data centres (ISO 27001 / SOC 2); the Processor operates no server rooms of its own.
  • Confidentiality - system access control: authenticated access to all systems, multi-factor authentication (MFA) for administrative access, use of a company password manager, least-privilege administrative accounts, and no shared logins.
  • Confidentiality - data access control: role-based access restrictions, access logging, and encryption of data at rest.
  • Confidentiality - separation control: logical separation of each merchant's data (multi-tenant isolation) and separate production and staging environments.
  • Integrity - transfer control: TLS/HTTPS for all data in transit; all processing within the European Union.
  • Integrity - input control: audit logging of relevant changes (who, what, when).
  • Availability and resilience: redundant EU cloud infrastructure, monitoring and alerting, regular fully encrypted backups, and documented recovery procedures.
  • Procedures for regular review: data-protection management, an incident-response and breach-notification process, privacy by design and by default, and sub-processor control under Art. 28(2) and (4) GDPR.
  • Personal data (PII) fields are encrypted at field level using Google Cloud KMS. Customer personal data and secrets (such as credentials and tokens) are encrypted with separate Google Cloud KMS keys.
  • In addition to the encrypted value, a one-way hash of each monitored PII field is stored to compare values between events and detect changes; only hashes are compared.

Annex 3 - Approved sub-processors

The Controller authorises the following sub-processors:

  • Google Cloud (Google Ireland Limited) - Compute, storage and Cloud KMS key management - EU region (eu-west-1) - DPA: https://cloud.google.com/terms/data-processing-addendum
  • Amazon Web Services EMEA SARL (Amazon SES) - Delivery of the app's operational notification emails - EU (Frankfurt), eu-central-1 - DPA: https://d1.awsstatic.com/legal/aws-gdpr/AWS_GDPR_DPA.pdf

Generate your signed copy

Enter your company details below and complete the anti-spam check. Your personalised Data Processing Agreement is generated on our servers, already signed by Code Creation Labs, and downloads as a ready-to-keep PDF.


© Code Creation Labs GmbH. All rights reserved.