Data Processing Agreement
Last updated: May 24, 2026
This Data Processing Agreement supplements the eshopOS Terms of Service and Privacy Policy. It applies when eshopOS processes personal data on behalf of a merchant as a data processor.
Key points
- eshopOS processes merchant customer data only as instructed by the merchant and as needed to provide the service.
- Merchants remain responsible for their own data-controller obligations.
- eshopOS uses technical and organizational security measures for platform data.
- eshopOS assists with data subject requests and breach response where required.
- Current external service operators are listed in the Infrastructure Annex.
1. Roles
Under applicable data protection laws:
- The merchant is generally the data controller for customer and store data it submits to eshopOS.
- eshopOS is generally the data processor for that merchant customer data.
- External providers engaged by eshopOS may be subprocessors where they process personal data for service delivery.
2. Processing details
Processing relates to the merchant's use of eshopOS commerce platform services.
The nature and purpose of processing include providing, maintaining, securing, supporting, and improving commerce platform services as instructed.
When a merchant connects an external commerce platform, eshopOS processes the connected data only for the authorized connection, migration, synchronization, reporting, and store-operation purposes shown in the product flow.
3. Types of personal data
Data may include:
- Customer contact information such as names, emails, addresses, and phone numbers.
- Order and transaction data.
- Payment information processed by third-party payment processors.
- Customer service communications.
- Marketing preference data.
- Connected-platform catalog, inventory, location, and media data authorized by the merchant.
The first public Shopify connector release does not request Shopify customer data. If customer-data import is enabled later, it will require separate disclosure, merchant authorization, and applicable platform approval before use.
4. Data subject rights
eshopOS will provide reasonable assistance to help merchants respond to data subject requests. Merchants remain responsible for responding to requests concerning their own processing.
Where eshopOS receives a relevant request directly, it may notify the merchant or forward the request to the merchant where appropriate.
5. Security measures
eshopOS implements appropriate technical and organizational measures, including:
- Encryption in transit between clients and platform endpoints.
- Store-scoped access controls and permission checks.
- Authenticator verification for sensitive key, webhook, and payout actions where applicable.
- API key, OAuth app, and webhook secret rotation flows.
- Audit logging for authenticator, webhook, and developer credential actions.
- Webhook delivery records and test-event tooling for operational review.
Security controls evolve as product capabilities and operating requirements change.
6. Subprocessors
eshopOS uses external service operators where needed to deliver platform functionality. The current public list is available in the Infrastructure Annex.
The annex includes core providers and optional integrations referenced by product code or merchant/operator configuration.
7. Data transfers
Data may be transferred to jurisdictions where our providers operate. eshopOS applies appropriate safeguards, contractual protections, and security controls required by applicable law.
8. Personal data breach notification
If eshopOS identifies a personal data breach affecting merchant data, it will notify the merchant without undue delay as required by law and contract.
Notice may include the nature of the breach, categories of data affected, mitigation steps, and available information needed for compliance assessment.
9. Retention and deletion
eshopOS deletes or returns personal data upon request or account termination where technically feasible and legally permitted.
Data may be retained where required for legal obligations, provider requirements, dispute handling, security, backups, or legitimate operational needs.
10. Assistance and audits
eshopOS will provide reasonable assistance with data protection impact assessments, regulatory consultations, rights fulfillment, and security documentation where required.
Assistance and audits requested by a merchant may be provided at the merchant's cost unless a separate written agreement says otherwise.
11. Liability
Liability under this DPA is subject to the limitation of liability in the Terms of Service or applicable order form.
Merchants agree to indemnify eshopOS for claims arising from merchant breach of instructions, law, or data-controller obligations.