
Data Processing Agreement — Catalogist

Last updated: [Effective Date]

Draft — remove this banner before publishing. Not legal advice. This DPA is written around how Catalogist actually processes data and follows GDPR Article 28. Have qualified counsel review it for your jurisdiction(s) before you rely on it, and replace every [bracketed] placeholder.

This Data Processing Agreement (“DPA”) forms part of, and is incorporated into, the Terms of Service between Iscovici Labs – by Ori Iscovici (“Catalogist,” “Processor,” “we”) and the merchant who installs the Catalogist – Bulk Product Editor app (“you,” “Controller”). It governs our processing of Personal Data on your behalf where the EU GDPR, UK GDPR, or a comparable law applies. By installing or using the App, you accept this DPA. Where it conflicts with the Terms on the subject of data processing, this DPA controls.

Capitalized terms not defined here have the meaning given in the GDPR.


1. Roles and scope

You are the Controller of the Personal Data we process to provide the App; Catalogist is the Processor. We process Personal Data only to provide and support the App, only on your documented instructions (including those given through your use of the App), and as required by law. If a law requires us to process beyond your instructions, we will inform you first unless that law prohibits it.

2. Details of processing (GDPR Art. 28(3))

  • Subject matter: providing a Shopify catalog-editing app with change history and undo.
  • Duration: for the term of your installation, plus the deletion window in §8.
  • Nature and purpose: reading and editing your products/inventory at your direction; recording edits and prior values to enable preview and undo; operating, securing, and supporting the App.
  • Types of Personal Data: your store’s .myshopify.com domain and plan; the Shopify offline access token issued to the App; and — to the extent it constitutes Personal Data (e.g. where you are a sole trader) — the edit history and operational metadata associated with your store. We do not process your end-customers’ personal data or your orders.
  • Categories of data subjects: you (the merchant) and your authorized staff.

3. Our obligations as Processor

We will: (a) process only on your instructions (§1); (b) ensure persons authorized to process are bound by confidentiality; (c) implement the technical and organizational security measures in Annex C; (d) respect the conditions for engaging sub-processors (§4); (e) assist you, taking into account the nature of processing, in responding to data-subject requests (§5); (f) assist you with security, breach notification, data protection impact assessments, and prior consultation (Arts. 32–36); (g) delete or return Personal Data on termination (§8); and (h) make available information necessary to demonstrate compliance and allow for audits (§9).

4. Sub-processors

You give general authorization for us to engage the sub-processors listed in Annex B. We impose data-protection obligations on each sub-processor that are no less protective than this DPA, and we remain responsible for their performance. We will give you at least 30 days’ notice (via the App or email) before adding or replacing a sub-processor; if you reasonably object on data-protection grounds, you may terminate by uninstalling the App before the change takes effect.

5. Data subject rights

Taking into account the nature of the processing, we will assist you with appropriate technical and organizational measures, insofar as possible, to fulfill your obligation to respond to requests to exercise data-subject rights (access, rectification, erasure, restriction, portability, objection). Because we hold only the limited data in §2, most requests can be met through Shopify’s compliance webhooks and our deletion process (§8). If a data subject contacts us directly, we will refer them to you unless legally required to act.

6. Personal data breach

We will notify you without undue delay and within 72 hours of becoming aware of a Personal Data Breach affecting data we process for you, with the information you reasonably need to meet your own obligations under Arts. 33–34. Notice goes to the email associated with your Shopify account.

7. International transfers

Where we transfer Personal Data out of the EEA or UK to a country without an adequacy decision, the transfer is governed by appropriate safeguards — the EU Standard Contractual Clauses (2021/914) and, for the UK, the UK International Data Transfer Agreement (IDTA) / Addendum — incorporated by reference, or by safeguards in our sub-processors’ DPAs. The relevant sub-processors and regions are in Annex B.

8. Return and deletion

On termination of your installation, we will delete the Personal Data we hold for you (including the access token, edit history, and undo snapshots) within [30] days, except to the extent retention is required by law, in which case we will isolate and protect it. We respond to Shopify’s shop/redact webhook on the same basis. On request, we will confirm deletion in writing.

9. Audits

We will make available information reasonably necessary to demonstrate compliance with Art. 28 and allow for and contribute to audits, including inspections, by you or an auditor you mandate — no more than once per 12 months, on reasonable notice, during business hours, subject to confidentiality, and at your cost — or by providing an up-to-date third-party report or our security documentation where available.

10. Liability and precedence

Each party’s liability under this DPA is subject to the limitations and exclusions in the Terms of Service. This DPA does not relieve us of obligations we have directly under the GDPR as a processor.


Annex A — Processing details

As described in §2 above.

Annex B — Sub-processors

Sub-processor | Purpose | Processing region(s) | Safeguard
Shopify | Platform the App runs on; OAuth, billing, compliance webhooks | Global | Shopify DPA
Neon | Managed PostgreSQL (store id, token, edit history, metadata) | [US / EU region] | SCCs in provider DPA
Cloudflare R2 | Object storage (undo snapshots) | [Region] | SCCs in Cloudflare DPA
PostHog | Product analytics (events keyed to store domain), when enabled | [EU Cloud / US] | Provider DPA / SCCs
[Hosting provider] | Runs the App server | [Region] | [SCCs / DPA]

Fill in the actual regions and the provider DPA links before publishing; never publish with a [bracketed] sub-processor row.

Annex C — Security measures

Encryption in transit (TLS 1.2+); encryption at rest provided by our database and storage providers; scoped, least-privilege credentials; access tokens treated as secrets and never logged; segregation of production access; logging and monitoring; and an incident-response process. [State application-level encryption of the access token here once implemented — see the hardening backlog; do not overstate until it is.]

© 2026 Iscovici Labs — by Ori Iscovici. Catalogist is not affiliated with Shopify Inc.