Data Processing Agreement
Last updated: January 2025
This Data Processing Agreement ("DPA") forms part of the Terms of Service between Laparaneza ("Processor," "we," "us," or "our") and the Merchant installing Social Proof Popup ("Controller," "you," or "your").
This DPA is designed to meet the requirements of Article 28 of the General Data Protection Regulation (GDPR) and applies to the processing of Personal Data by Processor on behalf of Controller in connection with the Social Proof Popup application.
1. Definitions
For the purposes of this DPA, the following definitions apply:
- "Controller" means the Merchant who determines the purposes and means of processing Personal Data (you).
- "Processor" means Laparaneza, which processes Personal Data on behalf of the Controller (us).
- "Sub-Processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
- "Personal Data" means any information relating to an identified or identifiable natural person.
- "Processing" means any operation performed on Personal Data, including collection, recording, storage, retrieval, use, disclosure, and erasure.
- "Data Subject" means an identifiable natural person whose Personal Data is processed.
- "GDPR" means Regulation (EU) 2016/679 (General Data Protection Regulation).
- "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.
2. Scope and Duration
This DPA applies to all processing of Personal Data by Processor on behalf of Controller in connection with the Social Proof Popup application ("the App").
This DPA shall remain in effect for the duration of the Controller's use of the App. Processing shall continue only for as long as Controller maintains an active installation of the App.
By installing and using the App, Controller agrees to be bound by this DPA.
3. Subject Matter of Processing
The Processor processes Personal Data to provide the Social Proof Popup service, which displays purchase notification popups on the Controller's online store. The processing involves:
- Receiving order data via Shopify webhooks
- Storing order data in our database
- Displaying purchase notifications on the Controller's storefront
- Providing analytics about popup performance
4. Nature and Purpose of Processing
Nature of Processing
- Collection (from Shopify order webhooks)
- Storage (in PostgreSQL database)
- Retrieval (to display popups)
- Disclosure (public display of city/country on storefront)
- Erasure (automatic deletion and upon termination)
Purpose of Processing
- Display recent purchase notifications (social proof) on Controller's storefront
- Show product purchase counters
- Provide analytics dashboard for Controller
- Maintain and improve the service
5. Types of Personal Data
The following categories of Personal Data are processed:
Data We Process
- Geographic location: City and country from shipping/billing address
- Purchase information: Product title, product image URL
- Transaction data: Order ID (internal reference), order timestamp
Data We Do NOT Process
- Customer names
- Email addresses
- Phone numbers
- Full street addresses
- Payment information
- IP addresses
- Special category data (Article 9 GDPR)
6. Categories of Data Subjects
Personal Data processed under this DPA relates to the following categories of Data Subjects:
- End-Customers: Individuals who make purchases on the Controller's online store
Note: Merchant (Controller) data is processed under a separate legal basis (contractual necessity) as described in our Privacy Policy.
7. Processor Obligations
The Processor agrees to:
7.1 Process Only on Documented Instructions
Process Personal Data only on documented instructions from the Controller, including with regard to transfers to third countries. The Controller's instructions are documented through the App's settings and this DPA.
7.2 Ensure Confidentiality
Ensure that persons authorized to process Personal Data have committed to confidentiality or are under an appropriate statutory obligation of confidentiality.
7.3 Implement Security Measures
Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as detailed in Section 10.
7.4 Use Only Approved Sub-Processors
Not engage another processor without prior general authorization from the Controller. Current Sub-Processors are listed in Section 8.
7.5 Assist with Data Subject Rights
Assist the Controller in responding to requests from Data Subjects exercising their rights under GDPR (access, rectification, erasure, portability, etc.).
7.6 Assist with Security and Breach Notification
Assist the Controller in ensuring compliance with security obligations and breach notification requirements under GDPR Articles 32-34.
7.7 Delete or Return Data on Termination
At the choice of the Controller, delete or return all Personal Data after the end of the provision of services. Upon uninstallation of the App, all data is automatically deleted.
7.8 Make Available Audit Information
Make available to the Controller all information necessary to demonstrate compliance with Article 28 obligations. This includes responding to reasonable written requests about our data processing practices.
8. Sub-Processors
8.1 Authorized Sub-Processors
The Controller provides general authorization for the Processor to engage the following Sub-Processors:
| Sub-Processor | Purpose | Location | Data Processed |
|---|---|---|---|
| Shopify Inc. | Platform, OAuth, Billing, Webhooks | Canada/USA | Order data (source) |
| Supabase Inc. (AWS) | Database hosting (PostgreSQL) | Singapore (ap-south-1) | All stored order data |
8.2 Notification of Changes
The Processor shall inform the Controller of any intended changes concerning the addition or replacement of Sub-Processors, thereby giving the Controller the opportunity to object to such changes. Notification will be provided by updating this DPA and notifying active users via email or in-app notice at least 30 days in advance.
8.3 Sub-Processor Obligations
Where the Processor engages a Sub-Processor, it shall impose the same data protection obligations as set out in this DPA on that Sub-Processor by way of a contract.
9. International Data Transfers
Personal Data may be transferred to and processed in countries outside the European Economic Area (EEA):
- Primary Storage: Singapore (AWS ap-south-1)
- Shopify: Canada and United States
Transfer Safeguards
For transfers to countries without an adequacy decision from the European Commission, we rely on:
- Standard Contractual Clauses (SCCs): Our Sub-Processors have implemented SCCs approved by the European Commission
- Supplementary Measures: Including encryption in transit and at rest
10. Security Measures
The Processor implements the following technical and organizational measures:
Technical Measures
- Encryption in Transit: All data transmitted via HTTPS/TLS 1.2+
- Encryption at Rest: Database encryption using industry-standard algorithms
- Access Controls: Role-based access with principle of least privilege
- Authentication: Secure OAuth 2.0 integration with Shopify
- Webhook Verification: HMAC signature verification for all incoming webhooks
- Regular Updates: Timely application of security patches
Organizational Measures
- Data Minimization: Collection limited to necessary data only
- Retention Limits: Automatic deletion (100 orders per shop maximum)
- Access Restrictions: Data access limited to authorized personnel
- Security Reviews: Regular review of security practices
11. Data Breach Notification
11.1 Notification to Controller
In the event of a Personal Data Breach, the Processor shall notify the Controller without undue delay and in any event within 48 hours of becoming aware of the breach. Notification shall include:
- Description of the nature of the breach
- Categories and approximate number of Data Subjects affected
- Categories and approximate number of Personal Data records affected
- Likely consequences of the breach
- Measures taken or proposed to address the breach
11.2 Assistance with Regulatory Notification
The Processor shall assist the Controller in complying with notification obligations to supervisory authorities and Data Subjects under GDPR Articles 33 and 34, where applicable.
12. Data Subject Requests
If the Processor receives a request from a Data Subject regarding their Personal Data, the Processor shall:
- Promptly notify the Controller of the request
- Not respond directly to the Data Subject unless authorized by the Controller or required by law
- Assist the Controller in responding to the request
The Processor shall assist the Controller in fulfilling Data Subject rights including:
- Right to access (Article 15)
- Right to rectification (Article 16)
- Right to erasure (Article 17)
- Right to restriction (Article 18)
- Right to data portability (Article 20)
- Right to object (Article 21)
Responses will be provided within the applicable regulatory timeframes (typically 30 days).
13. Term and Termination
13.1 Duration
This DPA shall remain in effect for the duration of the Controller's use of the App.
13.2 Effects of Termination
Upon termination (uninstallation of the App):
- All Personal Data shall be deleted immediately
- Deletion includes order data, settings, and access tokens
- Deletion is permanent and cannot be reversed
- The Processor shall confirm deletion upon request
13.3 Survival
The provisions of this DPA relating to confidentiality, liability, and any other provisions which by their nature should survive, shall remain in effect after termination.
14. Liability
Each party's liability under this DPA shall be subject to the limitations and exclusions of liability set forth in the Terms of Service.
Nothing in this DPA limits either party's liability for breaches of applicable data protection law to the extent such limitation is prohibited by law.
15. Governing Law
This DPA shall be governed by:
- Primary: The laws of the United Arab Emirates (Dubai), as specified in the Terms of Service
- GDPR Processing: For processing of Personal Data of EEA, UK, or Swiss residents, the provisions of GDPR shall apply
In case of conflict between this DPA and the Terms of Service regarding data protection matters, this DPA shall prevail.
Contact Information
For questions about this DPA or to exercise any rights, please contact:
Laparaneza
Email: support@laparaneza.com