Data Processing Agreement (DPA)

Merchant (Shopify store owner): Data Controller

ApisDom: Data Processor

Processing occurs ONLY under Article 28 GDPR

We process data only as instructed by the Merchant

No secondary purposes

• Amazon (Chronos-2 engine). Standard Contractual Clauses
• Google (Firestore). Data Processing Amendment

The Merchant handles data subject access requests

ApisDom will assist the Merchant within 10 business days, passing on associated technical costs if the request requires significant development or manual intervention

• Encryption at rest and in transit
• Access controls, audit logs
• Regular security assessments

ApisDom will notify the Merchant without undue delay after confirming a security breach, preferably within 24-48 hours

The Merchant handles GDPR notifications

On uninstall, data deleted within a maximum of 7 business days upon receiving the Shopify notification

Proof of deletion available upon request

The right of audit shall preferably be exercised by providing existing security reports. Any on-site audit shall be at the Merchant's sole expense

Security reports available upon request

Effective while the app is installed

Survives termination for 30 days (deletion period)