Data Processing Agreement (DPA)
This Data Processing Agreement (“DPA”) forms part of the Terms and Conditions between you (“Controller”, “Customer”, “you”) and HoppaYou (“Processor”, “we”, “us”) for the use of Import Export Suite (“Service”).
This DPA is entered into pursuant to the General Data Protection Regulation (EU) 2016/679 (“GDPR”), UK GDPR, and other applicable data protection laws.
## 1. Definitions
For the purposes of this DPA:
– **“Controller”** means the entity that determines the purposes and means of processing Personal Data (you, the Shopify store owner)
– **“Processor”** means the entity that processes Personal Data on behalf of the Controller (HoppaYou)
– **“Personal Data”** means any information relating to an identified or identifiable natural person as defined in GDPR
– **“Data Subject”** means an identified or identifiable natural person whose Personal Data is processed
– **“Processing”** means any operation performed on Personal Data, including collection, storage, modification, transfer, or deletion
– **“Sub-processor”** means any third party engaged by the Processor to process Personal Data
– **“Data Protection Laws”** means GDPR, UK GDPR, CCPA, and any other applicable data protection legislation
– **“Security Incident”** means any breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data
## 2. Scope and Applicability
2.1. **Application**
This DPA applies to all Processing of Personal Data performed by HoppaYou as Processor on behalf of the Controller in connection with the Service.
2.2. **Relationship to Terms and Conditions**
This DPA supplements and forms an integral part of the Terms and Conditions. In case of conflict between this DPA and the Terms and Conditions, this DPA prevails with respect to Personal Data Processing.
2.3. **Hierarchy of Documents**
In case of conflict between documents, the following order of precedence applies:
1. Standard Contractual Clauses (if applicable)
2. This Data Processing Agreement
3. Terms and Conditions
4. Privacy Policy
## 3. Roles and Responsibilities
3.1. **Controller Responsibilities**
As Controller, you shall:
– Comply with all applicable Data Protection Laws
– Ensure you have a lawful basis for Processing Personal Data
– Obtain necessary consents from Data Subjects
– Provide Data Subjects with required privacy notices
– Respond to Data Subject requests within legal timeframes
– Notify us of any restrictions or changes to Processing instructions
– Ensure data provided to us is accurate and lawful to process
3.2. **Processor Responsibilities**
As Processor, we shall:
– Process Personal Data only according to your documented instructions
– Ensure persons authorized to process Personal Data are bound by confidentiality
– Implement appropriate technical and organizational security measures
– Engage Sub-processors only with your consent
– Assist you in responding to Data Subject requests
– Notify you of Security Incidents without undue delay
– Delete or return Personal Data upon termination
– Make available information necessary to demonstrate compliance
## 4. Details of Processing
### 4.1. Subject Matter
Processing of Personal Data through the Import Export Suite application for bulk import, export, update, and management of Shopify store data.
### 4.2. Duration
The duration of Processing is the term of your subscription to the Service, plus any retention period required by law or requested by you.
### 4.3. Nature and Purpose
The nature and purpose of Processing is to:
– Import data from files (CSV, XLSX, JSON, XML) into your Shopify store
– Export data from your Shopify store to downloadable files
– Update existing data in your Shopify store
– Schedule automated imports and exports
– Validate and transform data for compatibility
– Provide analytics and reporting features
### 4.4. Types of Personal Data
Personal Data processed may include:
**Customer Data:**
– Names and contact information (email, phone, address)
– Order history and purchase behavior
– Customer preferences and settings
– Customer tags and notes
– Marketing preferences
**Product Data:**
– Vendor information (if individuals)
**Order Data:**
– Shipping addresses
– Billing addresses
– Customer notes
– Transaction information
**Metafield Data:**
– Any custom fields that may contain Personal Data
**Admin User Data:**
– Store owner/admin email addresses
– User activity logs
### 4.5. Categories of Data Subjects
Data Subjects may include:
– Your customers (end consumers)
– Your suppliers or vendors (if individuals)
– Your store administrators and staff
– Any other individuals whose data you process through the Service
## 5. Processing Instructions
5.1. **Documented Instructions**
We will process Personal Data only based on your documented instructions, which are:
– Your use of the Service through the application interface
– Your configuration of import/export settings
– Your upload of data files for processing
– Your API calls and automated workflows
– Support requests and communications with us
5.2. **Instruction Changes**
You may modify instructions by:
– Changing settings in the application
– Contacting support@iesuite.com for special requests
– Updating your subscription plan
5.3. **Unlawful Instructions**
If we believe your instructions violate Data Protection Laws, we will:
– Immediately inform you of our concerns
– Suspend Processing until the matter is resolved
– Document the suspension and rationale
## 6. Security Measures
6.1. **Technical Measures**
We implement the following technical security measures:
– **Encryption:**
  – Data in transit: TLS 1.2+ encryption for all data transfers
  – Data at rest: AES-256 encryption for stored files
– **Access Control:**
  – Role-based access control (RBAC) for staff
  – Multi-factor authentication (MFA) for administrative access
  – Principle of least privilege
– **Network Security:**
  – Firewall protection
  – Intrusion detection systems
  – Regular security scanning
– **Data Isolation:**
  – Logical separation of customer data
  – Dedicated database schemas per customer
6.2. **Organizational Measures**
We implement the following organizational security measures:
– **Staff Training:**
  – Regular security awareness training
  – GDPR compliance training
  – Confidentiality agreements for all staff
– **Access Management:**
  – Background checks for personnel with data access
  – Regular access reviews and revocations
  – Logging of all access to Personal Data
– **Incident Response:**
  – Documented incident response procedures
  – 24/7 monitoring and alerting
  – Regular incident response drills
– **Policies and Procedures:**
  – Information security policy
  – Data retention policy
  – Acceptable use policy
  – Change management procedures
6.3. **Security Testing**
– Regular vulnerability assessments
– Annual penetration testing by third parties
– Code security reviews
– Dependency scanning for vulnerabilities
6.4. **Certifications**
We are working towards achieving:
– SOC 2 Type II certification (planned 2025)
– ISO 27001 certification (planned 2026)
## 7. Sub-processors
7.1. **Authorization**
By accepting this DPA, you provide general authorization for us to engage Sub-processors.
7.2. **Current Sub-processors**
We currently use the following Sub-processors:
| Sub-processor | Service Provided | Location | Data Processed |
|---|---|---|---|
| Amazon Web Services (AWS) | Cloud hosting and storage | EU (Frankfurt), US | All data processed by the Service |
| Shopify Inc. | E-commerce platform | Canada, US | Store data as per Shopify’s infrastructure |
| Vercel Inc. | Application hosting | US, EU | Application code and temporary processing data |
| PostgreSQL (self-hosted) | Database | EU (Germany) | Structured data storage |
| Redis (self-hosted) | Caching and queuing | EU (Germany) | Temporary data for job processing |
7.3. **Sub-processor Obligations**
We ensure that Sub-processors:
– Are bound by data protection obligations equivalent to this DPA
– Implement appropriate technical and organizational measures
– Allow us to audit their compliance
– Process data only according to our instructions
7.4. **Changes to Sub-processors**
– We will notify you at least 30 days before adding or changing Sub-processors
– Notifications will be sent via email to your registered address
– Current list is maintained at: https://iesuite.com/subprocessors/
– You may object to new Sub-processors within 30 days of notification
– If you object, we will either not use the Sub-processor or allow you to terminate the Service
## 8. Data Subject Rights
8.1. **Assistance with Requests**
We will assist you in responding to Data Subject requests, including:
– Right of access
– Right to rectification
– Right to erasure (“right to be forgotten”)
– Right to restriction of processing
– Right to data portability
– Right to object
– Rights related to automated decision-making
8.2. **Request Handling**
– Data Subject requests received by us will be forwarded to you within 24 hours
– We will provide you with access to necessary data within 7 days
– You remain responsible for responding to Data Subjects within legal timeframes
8.3. **Tools Provided**
The Service provides the following tools to help you comply with Data Subject rights:
– Export functionality to provide data copies
– Delete functionality to erase data
– Search and filter capabilities to locate specific data
## 9. Data Breaches
9.1. **Notification to Controller**
In the event of a Security Incident, we will:
– Notify you without undue delay and within 24 hours of becoming aware
– Provide sufficient information to enable you to meet notification obligations
– Notify you via email to your registered address
9.2. **Information Provided**
Breach notifications will include:
– Description of the nature of the breach
– Categories and approximate number of Data Subjects affected
– Categories and approximate number of Personal Data records affected
– Likely consequences of the breach
– Measures taken or proposed to address the breach
– Contact point for further information
9.3. **Investigation and Remediation**
We will:
– Investigate the cause and extent of the breach
– Take immediate steps to mitigate the breach
– Document all breaches and remediation actions
– Cooperate with you in any breach investigations
9.4. **Your Responsibilities**
You remain responsible for:
– Determining whether to notify supervisory authorities
– Determining whether to notify affected Data Subjects
– Fulfilling legal notification obligations under GDPR
## 10. Data Retention and Deletion
10.1. **Retention Periods**
| Data Type | Retention Period | Reason |
|---|---|---|
| Import/Export files | 30 days | Operational purposes |
| Job logs | 90 days | Troubleshooting and support |
| Error logs | 90 days | Technical debugging |
| Admin activity logs | 1 year | Security and compliance |
| Customer support data | 3 years | Legal obligations |
10.2. **Data Deletion**
Upon termination of the Service, we will:
– Delete all Personal Data within 30 days, unless:
  – You request a different timeframe
  – Legal obligations require longer retention
– Provide confirmation of deletion upon request
– Ensure Sub-processors also delete the data
10.3. **Data Return**
Instead of deletion, you may request return of your data:
– Data will be provided in a commonly used machine-readable format
– Export functionality in the Service allows you to retrieve data
– Request data return via support@iesuite.com before termination
10.4. **Backup Retention**
– Backup copies may persist for up to 90 days after deletion
– Backup data is subject to the same security measures
– Backup data is isolated and inaccessible for operational purposes
## 11. Audits and Compliance
11.1. **Right to Audit**
You have the right to audit our compliance with this DPA, subject to:
– Reasonable advance notice (at least 30 days)
– No more than one audit per year
– Signing a confidentiality agreement
– Scheduling during business hours
– Not disrupting our operations
11.2. **Information and Documentation**
We will make available to you:
– Documentation of our security measures
– Compliance certifications (SOC 2, ISO 27001 when available)
– Results of third-party audits and penetration tests (summary form)
– Policies and procedures relevant to Personal Data Processing
11.3. **Third-Party Audits**
You may use a qualified independent third-party auditor to conduct audits on your behalf, at your expense.
11.4. **Audit Reports**
We conduct regular third-party security audits and will provide:
– Executive summaries of audit results
– Confirmation of remediation of identified issues
– Updated certifications as they are obtained
## 12. International Data Transfers
12.1. **Transfer Mechanisms**
When Personal Data is transferred outside the European Economic Area (EEA), we ensure adequate protection through:
– **Standard Contractual Clauses (SCCs):**
  – We incorporate the EU Commission’s SCCs (2021 version)
  – SCCs are available upon request
– **Adequacy Decisions:**
  – We rely on EU Commission adequacy decisions where applicable
– **Additional Safeguards:**
  – Encryption of data in transit and at rest
  – Access controls limiting access to EEA data
  – Regular assessments of third-country data protection laws
12.2. **Data Localization**
– Primary data processing occurs in the EU (Germany)
– You may request EU-only data processing (additional fees may apply)
– Shopify processes data in accordance with their infrastructure (Canada, US)
12.3. **UK Data Transfers**
For transfers from the UK:
– We use the UK International Data Transfer Agreement (IDTA)
– UK Addendum to SCCs where appropriate
12.4. **Transfer Impact Assessment**
We have conducted Transfer Impact Assessments (TIAs) for all third-country transfers and will provide summaries upon request.
## 13. Liability and Indemnification
13.1. **Liability Allocation**
Each party’s liability under this DPA is subject to the liability provisions in the Terms and Conditions.
13.2. **GDPR Article 82**
Under GDPR Article 82:
– We are liable only for damages caused by Processing that violates GDPR
– We are not liable if we prove we are not responsible for the event causing damage
– You are responsible for demonstrating the damage suffered
13.3. **Indemnification**
We will indemnify you against claims from Data Subjects resulting from our breach of this DPA, except where you provided unlawful instructions.
## 14. Term and Termination
14.1. **Effective Date**
This DPA is effective from the date you accept the Terms and Conditions or begin using the Service, whichever is earlier.
14.2. **Duration**
This DPA remains in effect for as long as we Process Personal Data on your behalf.
14.3. **Termination**
This DPA terminates automatically upon:
– Termination of the Terms and Conditions
– Completion of all data deletion or return
– Your written notice of termination
14.4. **Survival**
The following provisions survive termination:
– Data deletion and return obligations
– Confidentiality obligations
– Audit rights (for reasonable period)
– Liability and indemnification
## 15. Governing Law and Jurisdiction
15.1. **Governing Law**
This DPA is governed by the laws of the Netherlands.
15.2. **Jurisdiction**
For EU/EEA Data Subjects, the competent supervisory authority is the Dutch Data Protection Authority (Autoriteit Persoonsgegevens).
15.3. **Dispute Resolution**
Disputes will be resolved through:
1. Good faith negotiations
2. Mediation (if negotiations fail)
3. Competent courts of the Netherlands
## 16. Changes to this DPA
16.1. **Modifications**
We may update this DPA to:
– Reflect changes in Data Protection Laws
– Reflect changes in our Processing activities
– Improve clarity or add detail
16.2. **Notice of Changes**
Material changes will be communicated:
– Via email at least 30 days in advance
– By posting updated DPA at https://iesuite.com/data-processing-agreement/
– With effective date clearly indicated
16.3. **Objection to Changes**
If you object to material changes:
– Notify us within 30 days
– You may terminate the Service without penalty
– Continued use constitutes acceptance
## 17. Contact Information
For questions regarding this DPA or to exercise your rights:
**Data Protection Contact:**
HoppaYou
Email: privacy@iesuite.com
Address: [Your Business Address]
**Data Protection Officer:**
Email: dpo@iesuite.com
## 18. Annexes
### Annex 1: Technical and Organizational Measures
Detailed in Section 6 of this DPA.
### Annex 3: Standard Contractual Clauses
Available upon request to privacy@iesuite.com
---
## Acceptance
By using Import Export Suite, you acknowledge that you have read, understood, and agree to be bound by this Data Processing Agreement.
This DPA was last updated on December 30, 2024 and is effective immediately.
**Controller (You):**
By using the Service, you accept this DPA on behalf of your organization.
**Processor (HoppaYou):**
This DPA is accepted by HoppaYou as of the date indicated above.