HomeSolutionsAboutDocumentation

Data Processing Addendum

Last updated: May 26, 2026

Effective: May 26, 2026

This Data Processing Addendum (“DPA”) forms part of the Zapstra Terms of Service, any applicable order form, statement of work, Shopify app installation, subscription, service agreement, or other written agreement governing Customer’s use of Zapstra Services (collectively, the “Agreement”).

This DPA applies when Zapstra LLC (“Zapstra,” “we,” “us,” or “our”) Processes Customer Personal Data on behalf of a customer, merchant, business, or organization (“Customer,” “you,” or “your”) in connection with the Services.

By using the Services, installing a Zapstra app, approving Shopify app permissions, accepting an Order Form, or otherwise agreeing to the Agreement, Customer agrees to this DPA.

1. Scope and Relationship to Agreement

This DPA applies only to Zapstra’s Processing of Customer Personal Data on behalf of Customer in connection with the Services.

This DPA supplements the Agreement. If there is a conflict between this DPA and the Agreement regarding Processing of Customer Personal Data, this DPA controls only for that conflict. If there is a conflict between this DPA and the Standard Contractual Clauses, the Standard Contractual Clauses control for the applicable restricted transfer.

Except as expressly modified by this DPA, the Agreement remains in full force and effect.

This DPA does not apply to information that Zapstra Processes as an independent controller or business for its own purposes, including account administration, billing, business operations, security monitoring, legal compliance, fraud prevention, analytics, marketing, product administration, or communications, except where Applicable Data Protection Laws require otherwise. Zapstra’s Processing of such information is described in Zapstra’s Privacy Policy.

2. Definitions

For purposes of this DPA:

Agreement” means the Zapstra Terms of Service, any applicable Order Form, statement of work, Shopify app installation, subscription, service agreement, beta terms, design partner terms, or other written agreement governing use of the Services.

Applicable Data Protection Laws” means all privacy, data protection, data security, breach notification, consumer privacy, and similar laws applicable to Zapstra’s Processing of Customer Personal Data under the Agreement, including where applicable the GDPR, UK GDPR, Swiss FADP, CCPA, and other U.S. State Privacy Laws.

CCPA” means the California Consumer Privacy Act, as amended by the California Privacy Rights Act, and its implementing regulations.

Controller,” “Processor,” “Data Subject,” “Personal Data,” “Personal Data Breach,” “Process,” “Processing,” and “Supervisory Authority” have the meanings given to them under the GDPR or other Applicable Data Protection Laws.

Customer Data” means data, content, files, records, Shopify store data, product data, inventory data, order data, fulfillment data, supplier data, customer data, support data, logs, screenshots, exports, or other information submitted to, uploaded to, transmitted through, or made available to Zapstra by or on behalf of Customer.

Customer Personal Data” means Customer Data that constitutes Personal Data and that Zapstra Processes on behalf of Customer as a Processor, service provider, contractor, or similar role under Applicable Data Protection Laws.

Customer Organization” means the Zapstra organization, workspace, account, billing account, or administrative grouping under which Customer may operate one or more Shops, users, apps, modules, or Services.

De-Identified Data” means data that does not identify and cannot reasonably be used to identify Customer, a Shop, a Data Subject, household, device, or individual, taking into account reasonably available means.

Documented Instructions” means Customer’s instructions to Zapstra for Processing Customer Personal Data, including the Agreement, this DPA, Order Forms, app configurations, Shopify permissions, API calls, support requests, product settings, written instructions from authorized users, and Customer’s use of the Services.

GDPR” means Regulation (EU) 2016/679.

Order Form” means any online checkout, Shopify billing approval, invoice, quote, statement of work, subscription selection, email confirmation, or other written agreement identifying paid Services, scope, fees, or commercial terms.

Restricted Transfer” means a transfer of Personal Data from the European Economic Area, United Kingdom, or Switzerland to a country or recipient that does not provide an adequate level of protection under Applicable Data Protection Laws.

Security Incident” means a breach of Zapstra’s security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data Processed by Zapstra. Security Incident does not include unsuccessful attempts or activities that do not compromise Customer Personal Data, such as unsuccessful login attempts, pings, port scans, denial-of-service attacks, or similar events.

Services” means Zapstra’s websites, software, Shopify apps, APIs, integrations, automations, beta products, early-access products, support, consulting, custom-development services, design partner programs, documentation, and related offerings.

Shop” means a Shopify store, Shopify shop, storefront, merchant account, or other store-level account connected to or Processed through the Services.

Standard Contractual Clauses” or “SCCs” means the standard contractual clauses adopted by the European Commission under Commission Implementing Decision (EU) 2021/914, as updated, amended, replaced, or superseded from time to time.

Subprocessor” means a third party engaged by Zapstra to Process Customer Personal Data on behalf of Customer in connection with the Services.

UK Addendum” means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner’s Office, as updated, amended, replaced, or superseded from time to time.

UK GDPR” means the GDPR as incorporated into the laws of the United Kingdom.

U.S. State Privacy Laws” means U.S. state privacy laws applicable to Processing under this DPA, including where applicable the CCPA, Colorado Privacy Act, Connecticut Data Privacy Act, Virginia Consumer Data Protection Act, Utah Consumer Privacy Act, Texas Data Privacy and Security Act, Oregon Consumer Privacy Act, and similar state consumer privacy laws.

3. Roles of the Parties

For Customer Personal Data Processed by Zapstra on behalf of Customer, Customer is the Controller, business, or equivalent entity under Applicable Data Protection Laws, and Zapstra is the Processor, service provider, contractor, or equivalent entity.

If Customer is itself acting as a Processor on behalf of a third-party Controller, Customer represents and warrants that Customer has authority to appoint Zapstra as a Subprocessor and to provide Documented Instructions to Zapstra.

Customer is responsible for:

  1. determining the purposes and means of Processing Customer Personal Data;
  2. providing legally required notices to Data Subjects;
  3. obtaining legally required consents;
  4. establishing and documenting a lawful basis for Processing;
  5. ensuring Customer Personal Data may lawfully be provided to Zapstra;
  6. configuring Shopify permissions, app scopes, user access, API keys, integrations, and settings appropriately;
  7. responding to Data Subject requests except to the extent Zapstra is required to assist under this DPA;
  8. ensuring Customer’s use of the Services complies with Applicable Data Protection Laws; and
  9. ensuring Customer’s instructions to Zapstra are lawful.

Zapstra will Process Customer Personal Data only as described in this DPA, the Agreement, and Customer’s Documented Instructions, unless required otherwise by applicable law. If Zapstra is required by law to Process Customer Personal Data other than according to Customer’s Documented Instructions, Zapstra will inform Customer before such Processing unless legally prohibited from doing so.

4. Details of Processing

The subject matter, duration, nature, purpose, categories of Personal Data, and categories of Data Subjects are described in Schedule 1 — Details of Processing.

Customer acknowledges that the specific categories of Customer Personal Data Processed by Zapstra depend on:

  1. the Services Customer uses;
  2. the Shopify permissions or app scopes Customer approves;
  3. the data Customer uploads, submits, imports, or makes available;
  4. the integrations Customer enables;
  5. the workflows Customer configures;
  6. Customer’s support requests;
  7. Customer’s use of beta, design partner, API, or custom services; and
  8. the information available through Shopify or other connected platforms.

5. Customer Instructions

Customer instructs Zapstra to Process Customer Personal Data as necessary to:

  1. provide, operate, maintain, secure, and support the Services;
  2. provide Shopify apps, APIs, webhooks, integrations, automations, analytics, forecasts, recommendations, and workflows;
  3. process orders, inventory, products, fulfillments, draft orders, purchase orders, supplier records, shipping information, and related ecommerce operations;
  4. provide onboarding, implementation, support, debugging, troubleshooting, and training;
  5. provide beta, early-access, design partner, consulting, and custom-development services;
  6. monitor performance, reliability, usage, errors, and security;
  7. prevent, detect, and investigate fraud, abuse, errors, policy violations, and security incidents;
  8. comply with Shopify platform requirements and other third-party platform requirements;
  9. comply with applicable law;
  10. create Aggregated Data or De-Identified Data; and
  11. perform other activities described in the Agreement, this DPA, or Customer’s Documented Instructions.

Zapstra may refuse or suspend Processing instructions that Zapstra reasonably believes violate applicable law, third-party platform requirements, security obligations, or the Agreement.

6. Confidentiality

Zapstra will ensure that personnel authorized to Process Customer Personal Data are subject to confidentiality obligations or are otherwise bound by professional or contractual obligations of confidentiality.

Zapstra will limit access to Customer Personal Data to personnel and Subprocessors who need access for purposes authorized by this DPA and the Agreement.

7. Security Measures

Zapstra will maintain reasonable technical and organizational measures designed to protect Customer Personal Data from unauthorized access, disclosure, alteration, and destruction, as further described in Schedule 2 — Technical and Organizational Security Measures.

Customer acknowledges that security measures may evolve over time. Zapstra may update or modify its security measures provided that such updates or modifications do not materially reduce the overall level of protection for Customer Personal Data.

Customer is responsible for securing its own accounts, devices, Shopify permissions, third-party integrations, API keys, credentials, exports, local copies of data, and user access.

8. Subprocessors

Customer provides general authorization for Zapstra to engage Subprocessors to Process Customer Personal Data in connection with the Services.

Zapstra’s current Subprocessors and relevant customer-directed platforms are listed in Schedule 3 — Subprocessors and Third-Party Processing.

Zapstra will enter into written agreements with Subprocessors that impose data protection obligations materially similar to those imposed on Zapstra under this DPA, to the extent applicable to the nature of the services provided by the Subprocessor.

Zapstra remains responsible for Subprocessors’ performance of their data protection obligations to the extent required by Applicable Data Protection Laws.

Zapstra may add, replace, or remove Subprocessors from time to time. Where reasonably practicable, Zapstra will provide at least 30 days’ advance notice before authorizing a new Subprocessor to Process Customer Personal Data, either by email, account notice, in-app notice, website notice, subprocessor page, or other reasonable method.

If urgent replacement or addition of a Subprocessor is necessary for security, availability, compliance, continuity, legal, platform, or operational reasons, Zapstra may provide notice as soon as reasonably practicable.

Customer may object to a new Subprocessor on reasonable data protection grounds by providing written notice within 15 days after Zapstra’s notice. The objection must explain the specific data protection concern. Zapstra will use commercially reasonable efforts to address the concern.

If Zapstra cannot reasonably address Customer’s objection, Customer may terminate only the affected Services, subject to the Agreement. Customer is not entitled to a refund, credit, or penalty waiver unless expressly required by the Agreement or applicable law.

9. Customer-Directed Third-Party Platforms

The Services may connect with Shopify or other third-party platforms selected, authorized, or used by Customer.

Customer acknowledges that Shopify and other Customer-directed platforms may process Customer Personal Data under their own terms, policies, and agreements with Customer. Such platforms are not Subprocessors of Zapstra solely because Customer connects them to the Services, unless Zapstra separately engages them to Process Customer Personal Data on Zapstra’s behalf.

Zapstra is not responsible for third-party platforms’ privacy, security, availability, processing, policies, API changes, platform requirements, or acts or omissions.

10. Data Subject Requests

Zapstra will, taking into account the nature of the Processing and to the extent Customer cannot reasonably fulfill the request without Zapstra’s assistance, provide reasonable assistance to Customer in responding to requests from Data Subjects to exercise rights under Applicable Data Protection Laws.

If Zapstra receives a Data Subject request relating to Customer Personal Data, Zapstra may refer the request to Customer unless Zapstra is legally required to respond directly.

Customer is responsible for verifying the identity and authority of the requester and for determining whether and how to respond to a Data Subject request.

Zapstra may charge reasonable fees for assistance with Data Subject requests that are excessive, repetitive, technically complex, outside standard functionality, or not required by Applicable Data Protection Laws.

11. Shopify Privacy Webhooks and Shop-Scoped Redaction

Where required for Shopify apps, Zapstra may receive and respond to Shopify privacy and compliance webhooks, including customers/data_request, customers/redact, and shop/redact.

Customer acknowledges that Zapstra’s data model may support multiple Services, apps, modules, and Shops under a shared Customer Organization.

Zapstra will treat Shopify shop/redact requests as Shop-scoped redaction instructions unless applicable law, Shopify requirements, Customer’s written instructions, or the Agreement require broader deletion.

Customer Data for a Shop will be deleted, redacted, or de-identified within 30 days after Zapstra receives Shopify’s valid shop/redact webhook for that Shop, except to the extent retention is permitted or required under this DPA, the Agreement, applicable law, security obligations, audit obligations, backup practices, fraud-prevention obligations, dispute-resolution needs, or compliance requirements.

Where Customer operates multiple Shops under a single Customer Organization, deletion or redaction will be performed per Shop. A redaction request for one Shop does not require Zapstra to delete, redact, or disable Customer Data for other active Shops, apps, modules, Services, or Customer Organization records unless required by applicable law or Customer’s valid written instruction.

Zapstra may delete or de-identify Customer Organization-level records when there are no remaining active Shops, apps, modules, Services, billing obligations, legal retention requirements, security retention requirements, support obligations, or other legitimate retention needs associated with that Customer Organization.

12. Return and Deletion of Customer Personal Data

Upon termination of the Agreement, expiration of the applicable Services, valid written deletion request, or receipt of a valid platform deletion instruction, Zapstra will delete, redact, return, or de-identify Customer Personal Data in accordance with this DPA, the Agreement, Customer’s Documented Instructions, and applicable law.

Unless otherwise required by applicable law or the Agreement, Zapstra will delete or de-identify Customer Personal Data within 30 days after the applicable deletion trigger, subject to the retention exceptions in this Section.

Zapstra may retain Customer Personal Data to the extent necessary for:

  1. legal, tax, accounting, audit, or regulatory obligations;
  2. security, fraud prevention, abuse prevention, or incident investigation;
  3. dispute resolution or enforcement of the Agreement;
  4. backup, archival, or disaster recovery systems;
  5. compliance with Shopify or other platform requirements;
  6. records of deletion, redaction, consent, access, or compliance activity;
  7. support records and communications;
  8. billing and transaction records; or
  9. other legitimate business purposes permitted by Applicable Data Protection Laws.

Backup, audit, and security copies may be retained for up to 90 days, or longer where required by law, legal hold, security investigation, dispute, or compliance obligation, and will be deleted or overwritten in the ordinary course.

Zapstra may retain Aggregated Data and De-Identified Data indefinitely.

13. Security Incidents and Personal Data Breaches

Zapstra will notify Customer without undue delay and, where feasible, within 72 hours after confirming a Personal Data Breach affecting Customer Personal Data.

Zapstra’s notice will include information reasonably available to Zapstra, which may include:

  1. the nature of the Personal Data Breach;
  2. categories of Customer Personal Data affected;
  3. categories of Data Subjects affected;
  4. likely consequences, if known;
  5. measures taken or proposed to address the Personal Data Breach;
  6. measures recommended for Customer to mitigate potential adverse effects; and
  7. a contact point for follow-up.

Zapstra may provide information in phases as it becomes available.

Zapstra’s notice of or response to a Security Incident is not an admission of fault, liability, or violation of law.

Customer is responsible for determining whether a Security Incident requires notification to Data Subjects, Supervisory Authorities, regulators, customers, merchants, Shopify, or other third parties, except where Zapstra has a direct legal obligation.

14. Assistance with Compliance

Taking into account the nature of Processing and the information available to Zapstra, Zapstra will provide reasonable assistance to Customer, to the extent required by Applicable Data Protection Laws and where Customer cannot reasonably fulfill the obligation without Zapstra’s assistance, with:

  1. Data Subject requests;
  2. security obligations;
  3. Personal Data Breach notifications;
  4. data protection impact assessments;
  5. prior consultations with Supervisory Authorities;
  6. deletion, redaction, access, and export requests;
  7. Shopify privacy compliance workflows; and
  8. other obligations required by Applicable Data Protection Laws.

Zapstra may charge reasonable fees for assistance that is excessive, repetitive, outside standard functionality, requires custom engineering, requires legal analysis specific to Customer, or is not required by Applicable Data Protection Laws.

15. Audits and Compliance Information

Zapstra will make available information reasonably necessary to demonstrate compliance with this DPA, subject to confidentiality, security, and operational restrictions.

Zapstra may satisfy audit obligations by providing documentation, written responses, security summaries, subprocessor information, compliance questionnaires, policies, technical descriptions, or third-party reports if available.

Customer may request such information no more than once per calendar year unless a Security Incident affecting Customer Personal Data or a legally binding request requires additional review.

Onsite audits, penetration tests, source code reviews, vulnerability scans, infrastructure access, employee interviews, or inspections of Zapstra systems are not permitted unless legally required or separately agreed in writing.

If an onsite audit is legally required or separately agreed:

  1. Customer must provide at least 30 days’ written notice;
  2. the audit must occur during normal business hours;
  3. the audit must be limited to the scope required by Applicable Data Protection Laws;
  4. the audit must not unreasonably disrupt Zapstra’s operations;
  5. the audit must not compromise security, confidentiality, trade secrets, or other customers’ data;
  6. Customer must use an independent auditor reasonably acceptable to Zapstra;
  7. all auditors must sign confidentiality obligations acceptable to Zapstra;
  8. Customer is responsible for all costs and expenses; and
  9. Zapstra may object to audit activities that create security, confidentiality, legal, operational, or technical risk.

16. International Transfers

Customer authorizes Zapstra and its Subprocessors to Process Customer Personal Data in the United States and other countries where Zapstra or its Subprocessors operate, subject to this DPA and Applicable Data Protection Laws.

For Restricted Transfers from the European Economic Area, United Kingdom, or Switzerland, the terms in Schedule 4 — International Data Transfers apply.

Where the Standard Contractual Clauses apply, the parties agree that:

  1. Customer is the data exporter;
  2. Zapstra is the data importer;
  3. Module Two applies where Customer is a Controller and Zapstra is a Processor;
  4. Module Three applies where Customer is a Processor and Zapstra is a Subprocessor;
  5. the details of Processing are described in Schedule 1;
  6. the security measures are described in Schedule 2; and
  7. the Subprocessors are described in Schedule 3.

17. U.S. State Privacy Laws

For Customer Personal Data subject to U.S. State Privacy Laws, the terms in Schedule 5 — U.S. State Privacy Addendum apply.

Without limiting Schedule 5, Zapstra will not sell or share Customer Personal Data, retain, use, or disclose Customer Personal Data outside the business purposes described in the Agreement and this DPA, or combine Customer Personal Data with personal information from other sources except as permitted by Applicable Data Protection Laws.

18. AI-Assisted Processing

Customer acknowledges that Zapstra may use AI-assisted tools and AI-related Subprocessors to provide, support, troubleshoot, analyze, parse, summarize, develop, test, secure, or improve the Services.

Zapstra will not intentionally use Customer Personal Data to train general-purpose AI models unless Customer has provided separate authorization or Zapstra has provided additional notice where required by Applicable Data Protection Laws.

Zapstra will use reasonable measures to limit Customer Personal Data submitted to AI-assisted tools to what is reasonably necessary for the applicable Service, support request, document parsing, troubleshooting activity, product function, or Customer instruction.

Customer should not submit unnecessary sensitive personal information, payment card numbers, health information, government identifiers, authentication credentials, or other unnecessary confidential information through support channels, prompts, uploads, forms, documents, or integrations.

AI-assisted Subprocessors that Process Customer Personal Data are listed in Schedule 3 where applicable.

19. Sensitive Personal Data

Customer agrees not to submit sensitive personal data, special categories of personal data, protected health information, government identifiers, full payment card numbers, authentication credentials, children’s data, biometric data, or other highly sensitive information to the Services unless:

  1. the information is necessary for Customer’s use of the applicable Services;
  2. Customer has obtained all legally required rights, notices, consents, and authorizations;
  3. Customer’s submission complies with Applicable Data Protection Laws;
  4. the applicable Service is designed to Process that type of data; and
  5. Zapstra has agreed to such Processing where required.

Zapstra does not intentionally store full payment card numbers. Payment card processing, where applicable, is handled by third-party payment processors.

20. Aggregated and De-Identified Data

Zapstra may create, use, retain, disclose, and commercialize Aggregated Data and De-Identified Data for analytics, benchmarking, product development, operations, security, research, reporting, and business purposes.

Zapstra will not attempt to re-identify De-Identified Data except as permitted by Applicable Data Protection Laws, including for testing whether de-identification measures are effective.

21. Customer Warranties

Customer represents and warrants that:

  1. Customer has all rights, permissions, notices, consents, and legal bases necessary to provide Customer Personal Data to Zapstra;
  2. Customer’s Documented Instructions comply with Applicable Data Protection Laws;
  3. Customer’s use of the Services complies with Applicable Data Protection Laws;
  4. Customer has provided all required notices to Data Subjects;
  5. Customer has obtained all required consents and authorizations;
  6. Customer has authority to connect Shops, approve Shopify app permissions, authorize integrations, and submit Customer Personal Data;
  7. Customer will not submit prohibited or unnecessary sensitive data; and
  8. Customer will configure the Services, app scopes, integrations, automations, and user permissions appropriately.

22. Liability

Each party’s liability arising out of or relating to this DPA is subject to the exclusions and limitations of liability in the Agreement.

This DPA does not create any separate or additional liability cap, indemnity, warranty, representation, remedy, or cause of action except as expressly stated.

Nothing in this DPA limits liability to the extent such limitation is prohibited by Applicable Data Protection Laws.

23. Term

This DPA remains in effect for as long as Zapstra Processes Customer Personal Data on behalf of Customer.

Sections that by their nature should survive termination will survive, including provisions relating to deletion, confidentiality, security, audits, international transfers, liability, and U.S. State Privacy Laws.

24. Changes to this DPA

Zapstra may update this DPA from time to time.

If Zapstra makes material changes, Zapstra may provide notice by posting the updated DPA, emailing Customer, providing in-app notice, updating a legal page, or using another reasonable method.

Continued use of the Services after the effective date of an updated DPA constitutes acceptance of the updated DPA, except where Applicable Data Protection Laws require a different process.

25. Contact

Questions about this DPA may be sent to:

Zapstra LLC
500 East McBee Ave, Suite 100, #1173
Greenville, SC 29601
Email: support@zapstra.com
Subject line for privacy requests: “Privacy Request” or “GDPR Request”

Schedule 1 — Details of Processing

1. Subject Matter

Zapstra Processes Customer Personal Data to provide the Services, including Shopify apps, ecommerce operations software, inventory tools, purchasing tools, supplier workflows, purchase order tools, product and catalog workflows, APIs, webhooks, automations, analytics, support, custom services, beta products, early-access products, and design partner programs.

2. Duration

Zapstra Processes Customer Personal Data for the duration of the Agreement and for any additional period permitted or required by this DPA, the Agreement, applicable law, Shopify platform requirements, backup retention, security obligations, fraud-prevention needs, audit obligations, dispute-resolution needs, or compliance obligations.

3. Nature of Processing

Processing may include collection, receipt, access, hosting, storage, retrieval, organization, structuring, consultation, analysis, parsing, transformation, transmission, synchronization, disclosure to Subprocessors, restriction, redaction, deletion, de-identification, aggregation, and other Processing necessary to provide the Services.

4. Purposes of Processing

Zapstra Processes Customer Personal Data for purposes including:

  1. providing Shopify apps and related functionality;
  2. connecting to Shopify Admin APIs, webhooks, billing, and app functionality;
  3. processing products, variants, inventory, locations, orders, fulfillments, draft orders, returns, discounts, bundles, components, suppliers, purchase orders, and related operational records;
  4. providing inventory, purchasing, replenishment, forecasting, planning, supplier, cost, workflow, API, webhook, and analytics functionality;
  5. parsing purchase orders, supplier documents, and uploaded files;
  6. providing support, troubleshooting, debugging, onboarding, implementation, and training;
  7. analyzing support tickets and customer-submitted support information;
  8. sending transactional emails and service communications;
  9. processing payments, subscriptions, billing, invoices, and account administration;
  10. monitoring usage, performance, errors, reliability, and security;
  11. maintaining logs, audit records, and compliance records;
  12. responding to Shopify privacy webhooks and other deletion, access, or redaction workflows;
  13. preventing, detecting, and investigating fraud, abuse, errors, policy violations, and security incidents;
  14. providing beta, early-access, pilot, design partner, consulting, and custom-development services;
  15. improving, testing, developing, and securing the Services;
  16. creating Aggregated Data and De-Identified Data;
  17. complying with applicable law and platform requirements; and
  18. performing other purposes described in the Agreement, this DPA, Customer’s settings, Customer’s app configuration, or Customer’s Documented Instructions.

5. Categories of Data Subjects

Depending on the Services used, Customer Personal Data may relate to:

  1. Customer’s owners, administrators, staff, users, contractors, and representatives;
  2. Shopify merchants and merchant staff;
  3. Customer’s customers and prospective customers;
  4. order recipients and shipping contacts;
  5. suppliers, vendors, manufacturers, distributors, 3PL contacts, carriers, and fulfillment partners;
  6. business contacts;
  7. support contacts;
  8. beta users and design partner contacts;
  9. API users, developers, and technical contacts; and
  10. other individuals whose Personal Data is submitted to or Processed through the Services.

6. Categories of Customer Personal Data

Depending on the Services used, Customer Personal Data may include:

  1. names;
  2. email addresses;
  3. phone numbers;
  4. billing addresses;
  5. shipping addresses;
  6. company names;
  7. job titles and business contact information;
  8. Shopify store identifiers and shop URLs;
  9. user account information;
  10. authentication and authorization metadata;
  11. Shopify customer records;
  12. order records;
  13. draft order records;
  14. fulfillment records;
  15. return records;
  16. shipping and tracking data;
  17. product, variant, SKU, inventory, and location records;
  18. supplier and vendor contact information;
  19. purchase order records and uploaded purchase order documents;
  20. payment status, payout, dispute, account, and transaction metadata, but not full payment card numbers intentionally stored by Zapstra;
  21. gift card identifiers or related metadata where processed through approved Shopify scopes;
  22. marketing event data where processed through approved Shopify scopes;
  23. support communications;
  24. screenshots, logs, exports, CSVs, documents, files, or sample data submitted by Customer;
  25. app usage, feature usage, error, diagnostic, and security logs;
  26. IP addresses, device data, browser data, and technical metadata;
  27. API requests, webhook payloads, and integration metadata; and
  28. other information Customer submits or makes available through the Services.

7. Sensitive Data

The Services are not designed to intentionally Process sensitive personal data, special categories of personal data, protected health information, biometric data, government identifiers, full payment card numbers, or children’s data unless expressly agreed or necessary for a specific Service.

Customer should not submit such data unless permitted by the Agreement and Applicable Data Protection Laws.

8. Frequency of Processing

Processing may occur continuously, periodically, on demand, in real time, or as triggered by Customer’s use of the Services, Shopify webhooks, API calls, scheduled jobs, support requests, integrations, or Customer instructions.

9. Retention

Customer Personal Data is retained as described in the Agreement, this DPA, the Privacy Policy, and Customer’s settings.

Shop-scoped deletion and redaction are handled as described in Section 11 of this DPA and Schedule 6.

Backup, audit, security, fraud-prevention, compliance, and legal records may be retained as described in Section 12.

Aggregated Data and De-Identified Data may be retained indefinitely.

Schedule 2 — Technical and Organizational Security Measures

Zapstra maintains reasonable technical and organizational measures designed to protect Customer Personal Data. Measures may include the controls listed below, as applicable to the Services, infrastructure, data type, and risk.

1. Hosting and Infrastructure Security

  1. Services are hosted primarily on Google Cloud Platform infrastructure.
  2. Production services may use Cloud Run, Pub/Sub, Cloud Storage, Cloud Build, Cloud Tasks, Secret Manager, Cloud KMS, Cloud Monitoring, Cloud Logging, Firestore, BigQuery, Firebase, and related Google Cloud services.
  3. Services are deployed with regional separation where applicable, including U.S., EU, and Australia regional deployments.
  4. Cloud Run services are configured with service-specific service accounts and restricted access where applicable.
  5. Infrastructure access is limited based on business need.

2. Encryption

  1. Data in transit is protected using TLS where applicable.
  2. Data at rest is encrypted using cloud-provider encryption mechanisms.
  3. OAuth tokens and sensitive application secrets are protected using application-level encryption where applicable.
  4. Certain PII vault components use KMS-backed envelope encryption where applicable.
  5. Secrets are stored in Google Secret Manager or equivalent protected secret-management systems.

3. Access Controls

  1. Access to production systems is restricted to authorized personnel.
  2. Access is granted based on role and business need.
  3. Personnel access uses Google SSO and MFA where applicable.
  4. Service accounts are scoped based on least-privilege principles where feasible.
  5. Firestore security rules and access controls restrict access to sensitive paths where applicable.
  6. Access to PII vault functionality is restricted using appropriate authorization claims or equivalent access controls.

4. Logging, Monitoring, and Auditability

  1. Zapstra uses logging and monitoring tools to monitor system performance, errors, and security-relevant events.
  2. PII access or reveal events may be logged through dedicated audit channels where applicable.
  3. GDPR or privacy deletion/redaction activities may be recorded in audit collections or compliance logs.
  4. Logs are retained based on operational, security, compliance, and retention needs.
  5. Logs are access-controlled and used for support, security, debugging, compliance, and operational purposes.

5. Application and Development Security

  1. Code changes to protected branches are subject to code review and branch protection.
  2. Secrets are not intentionally stored in production code repositories.
  3. Zapstra uses secure development practices appropriate for its size, stage, risk profile, and Services.
  4. Zapstra may use automated build and deployment tools.
  5. Zapstra may update dependencies, infrastructure, and code to address security, reliability, or platform requirements.

6. Tenant and Data Separation

  1. Customer data is logically separated using organization, shop, tenant, account, or similar identifiers.
  2. Shared canonical systems may support multiple apps, Shops, or modules under a Customer Organization while maintaining logical scoping.
  3. Deletion and redaction may be scoped by Shop, app, organization, or other relevant data boundary depending on the applicable instruction and legal requirement.

7. Data Minimization and Privacy Controls

  1. Zapstra aims to Process Customer Personal Data only as reasonably necessary for the Services, Customer instructions, support, security, compliance, and legitimate business purposes.
  2. Shopify protected customer data is requested and Processed based on approved app scopes and Service functionality.
  3. Customer Personal Data may be redacted, deleted, or de-identified as required by Shopify compliance workflows, Customer instructions, and Applicable Data Protection Laws.
  4. Zapstra may create Aggregated Data and De-Identified Data for analytics, security, product improvement, and business purposes.

8. Incident Response

  1. Zapstra maintains processes to identify, investigate, and respond to suspected Security Incidents.
  2. Confirmed Personal Data Breaches affecting Customer Personal Data are handled according to Section 13 of this DPA.
  3. Zapstra may use logs, monitoring, support records, infrastructure records, and Subprocessor information to investigate incidents.

9. Business Continuity and Backups

  1. Zapstra uses cloud infrastructure designed to provide durability and reliability.
  2. Backup, restoration, and disaster-recovery practices may vary by Service, product stage, and infrastructure component.
  3. Zapstra does not commit to specific recovery point objectives, recovery time objectives, backup intervals, or disaster-recovery timelines unless expressly stated in a separate written agreement.

10. Personnel and Contractor Controls

  1. Personnel with access to Customer Personal Data are subject to confidentiality obligations.
  2. Contractor access is limited based on role and business need.
  3. Zapstra may revoke access when no longer needed.

11. Limitations

Zapstra does not represent that it currently maintains SOC 2 certification, ISO 27001 certification, a 24/7 monitored security operations center, a formal recurring penetration-testing program, fixed RPO/RTO commitments, or enterprise-level disaster recovery unless separately stated in writing.

Schedule 3 — Subprocessors and Third-Party Processing

Zapstra may use the following Subprocessors and customer-directed platforms to provide, support, secure, analyze, or improve the Services.

This schedule is intended to be broad enough to cover current and future Zapstra Services using the same categories of infrastructure and subprocessors.

ProviderPurposeData ProcessedLocation / Region
Google Cloud PlatformApplication hosting, eventing, storage, build/deployment, tasks, secrets, KMS, monitoring, logging, infrastructureCustomer Data and Customer Personal Data as needed to provide the ServicesU.S., EU, Australia, and other configured regions
Google FirestoreOperational database and canonical data storeCustomer Data and Customer Personal DataU.S., EU, Australia, and other configured regions
Google BigQueryAnalytics, canonical event logs, operational analytics, reporting, diagnosticsCustomer Data and Customer Personal Data, depending on Service configurationU.S., EU, Australia, and other configured regions
Google FirebaseAuthentication, hosting, functions, website and app infrastructureAccount credentials, authentication data, website telemetry, app dataPrimarily U.S. or configured Google regions
Google Cloud Document AIPurchase order and document parsingUploaded documents, supplier information, PO details, line items, prices, and related document contentU.S. or configured Google regions
Google Cloud Vision APIOCR fallback and image/document analysisUploaded documents, images, supplier information, PO details, line items, and related document contentU.S. or configured Google regions
OpenAIAI-assisted document parsing, support-ticket analysis, workflow assistance, product copy assistance where enabled, and other AI-assisted Service functionalitySupplier PO documents, support ticket text, shop/order metadata, product copy, and other Customer-submitted content as needed for the applicable ServiceU.S. or regions made available by provider
StripePayment processing, billing, checkout, subscription, invoice, and payment-related servicesBilling contact information, payer information, payment metadata; Zapstra does not intentionally store full payment card numbersU.S. and other Stripe processing locations
SendGrid / Twilio SendGridTransactional email, service email, support email, marketing email where enabledMerchant email addresses, support correspondence, transactional email metadataU.S. and other provider locations
ShippoCarrier tracking lookups and shipping-related functionalityTracking numbers, carrier metadata, shipping metadataU.S. and other provider locations
Frankfurter / ECB-backed FX serviceForeign exchange rate lookupsGenerally no Customer Personal Data; public FX rate requestsEU
ShopifyCustomer-directed source platform, Admin API, webhooks, billing, app permissions, app installation, order/product/customer/inventory/fulfillment data flowsShopify store, merchant, customer, order, product, inventory, fulfillment, billing, and app data depending on approved scopes and Customer configurationShopify-controlled locations

Notes

  1. Shopify is generally a Customer-directed platform rather than a Zapstra Subprocessor, because Customer independently maintains its Shopify relationship and authorizes Zapstra to connect to Shopify. Shopify is included here for transparency.
  2. GitHub Copilot or similar developer tools may be used for internal development assistance, but Zapstra does not intentionally submit production Customer Personal Data to such tools.
  3. Zapstra may update this schedule or publish a subprocessor page from time to time.
  4. Zapstra may use additional subprocessors for a specific enterprise, custom, beta, or professional-services engagement if disclosed in the applicable Order Form, statement of work, or written notice.

Schedule 4 — International Data Transfers

1. EEA Transfers

For Restricted Transfers of Customer Personal Data from the European Economic Area to Zapstra in a country that does not provide an adequate level of protection under Applicable Data Protection Laws, the Standard Contractual Clauses are incorporated by reference and apply as follows:

  1. Module Two applies where Customer is a Controller and Zapstra is a Processor.
  2. Module Three applies where Customer is a Processor and Zapstra is a Subprocessor.
  3. Clause 7, the optional docking clause, applies.
  4. Clause 9, Option 2, general written authorization for Subprocessors, applies, with the notice period described in Section 8 of this DPA.
  5. Clause 11(a), optional independent dispute resolution language, does not apply unless required by law.
  6. Clause 17 governing law is the law of Ireland unless Customer is established in an EU Member State whose law permits third-party beneficiary rights, in which case the law of that Member State may apply where required.
  7. Clause 18 forum and jurisdiction are the courts of Ireland unless another EU Member State forum is required by the SCCs.
  8. Annex I is completed by Schedule 1 of this DPA.
  9. Annex II is completed by Schedule 2 of this DPA.
  10. Annex III is completed by Schedule 3 of this DPA.

2. UK Transfers

For Restricted Transfers of Customer Personal Data from the United Kingdom, the UK Addendum is incorporated by reference and applies to the Standard Contractual Clauses as modified by this Schedule.

The parties agree that:

  1. the information required by Table 1 of the UK Addendum is the party information in the Agreement and this DPA;
  2. the selected SCC modules are as described above;
  3. the information required by Table 3 of the UK Addendum is contained in Schedules 1, 2, and 3 of this DPA;
  4. either party may terminate the UK Addendum as permitted by its mandatory clauses; and
  5. the UK Addendum will be interpreted according to UK Data Protection Laws.

3. Swiss Transfers

For Restricted Transfers of Customer Personal Data from Switzerland, the Standard Contractual Clauses apply with the following modifications:

  1. references to the GDPR include the Swiss FADP to the extent applicable;
  2. references to EU Member States include Switzerland where appropriate;
  3. references to Supervisory Authorities include the Swiss Federal Data Protection and Information Commissioner;
  4. data subjects in Switzerland may enforce their rights under the SCCs as permitted by Swiss law; and
  5. the SCCs will be interpreted to provide an adequate level of protection for Swiss Personal Data.

4. Transfer Impact

Zapstra will implement reasonable safeguards designed to protect Customer Personal Data in connection with Restricted Transfers.

Customer acknowledges that Customer is responsible for determining whether its use of the Services complies with transfer requirements applicable to Customer, taking into account the Services selected, Customer’s configuration, Customer’s location, Data Subject locations, Subprocessors, and Customer’s own legal obligations.

Schedule 5 — U.S. State Privacy Addendum

This Schedule applies to Customer Personal Data subject to U.S. State Privacy Laws.

1. Roles

Customer is the business, controller, or equivalent entity.

Zapstra is the service provider, contractor, processor, or equivalent entity with respect to Customer Personal Data Processed on behalf of Customer.

2. Permitted Purposes

Zapstra will Process Customer Personal Data only for the business purposes described in the Agreement, this DPA, Customer’s Documented Instructions, and as otherwise permitted by U.S. State Privacy Laws.

Permitted purposes include:

  1. providing the Services;
  2. maintaining and improving the Services;
  3. providing support, troubleshooting, implementation, and security;
  4. processing Shopify app data and integrations;
  5. processing orders, products, inventory, fulfillments, suppliers, and related ecommerce operations;
  6. sending service communications;
  7. billing and payment support;
  8. detecting, preventing, and investigating security incidents, fraud, errors, and abuse;
  9. complying with law and platform requirements;
  10. creating Aggregated Data or De-Identified Data; and
  11. other purposes permitted for service providers, contractors, or processors under U.S. State Privacy Laws.

3. Prohibited Uses

Zapstra will not:

  1. sell Customer Personal Data;
  2. share Customer Personal Data for cross-context behavioral advertising;
  3. retain, use, or disclose Customer Personal Data for purposes other than the permitted purposes described in this DPA and the Agreement;
  4. retain, use, or disclose Customer Personal Data outside the direct business relationship between Zapstra and Customer except as permitted by U.S. State Privacy Laws;
  5. combine Customer Personal Data with personal information received from another source except as permitted by U.S. State Privacy Laws;
  6. use Customer Personal Data for targeted advertising except as instructed by Customer and permitted by law; or
  7. use Customer Personal Data to build or modify household or consumer profiles for Zapstra’s independent commercial purposes.

4. Same Level of Privacy Protection

Zapstra will provide the same level of privacy protection required of service providers, contractors, or processors under applicable U.S. State Privacy Laws.

Zapstra will notify Customer if Zapstra determines it can no longer meet its obligations under this Schedule.

Customer may take reasonable and appropriate steps to help ensure Zapstra uses Customer Personal Data consistently with Customer’s obligations under U.S. State Privacy Laws, including through the audit and compliance mechanisms described in this DPA.

5. Subprocessors

Zapstra may engage Subprocessors as described in this DPA.

Zapstra will require Subprocessors to comply with obligations materially similar to those imposed on Zapstra under this Schedule to the extent applicable to their Processing of Customer Personal Data.

6. Consumer Requests

Zapstra will provide reasonable assistance to Customer in responding to consumer privacy requests as described in Section 10 of this DPA.

Customer is responsible for verifying requests and determining whether and how to respond.

7. De-Identified Data

If Zapstra creates or receives De-Identified Data, Zapstra will:

  1. take reasonable measures to ensure the data cannot reasonably be associated with an individual, household, or device;
  2. publicly commit, through this DPA or another public statement, to maintain and use the data in de-identified form and not attempt to re-identify it except as permitted by law; and
  3. contractually require recipients of De-Identified Data to comply with applicable de-identification obligations where required by law.

Schedule 6 — Shopify Privacy Webhook and Shop-Scoped Deletion Terms

This Schedule applies where Customer uses Zapstra Services with Shopify.

1. Shopify Privacy Webhooks

Zapstra may receive and process Shopify privacy compliance webhooks, including:

  1. customers/data_request;
  2. customers/redact; and
  3. shop/redact.

Zapstra will use reasonable efforts to respond to valid Shopify privacy compliance webhooks in accordance with Shopify requirements, the Agreement, this DPA, and applicable law.

2. Customer Data Access Requests

For customers/data_request webhooks, Zapstra may generate or provide responsive records relating to the relevant customer, order, Shop, or Customer Organization, depending on available data and applicable scope.

Customer remains responsible for determining how to respond to Data Subjects unless Shopify or applicable law requires otherwise.

3. Customer Redaction Requests

For customers/redact webhooks, Zapstra will redact, delete, or de-identify relevant customer-level Personal Data from applicable records where required by Shopify requirements, applicable law, and available identifiers.

Customer acknowledges that some records may be retained in redacted, de-identified, aggregated, audit, backup, security, fraud-prevention, or legally required form.

4. Shop Redaction Requests

For shop/redact webhooks, Zapstra will delete, redact, or de-identify Customer Data for the relevant Shop within 30 days after receipt of a valid webhook, subject to retention exceptions described in the DPA.

Where Zapstra maintains a shared canonical base that supports multiple Shops, apps, modules, or Services under a Customer Organization, redaction is scoped to the relevant Shop.

A shop/redact webhook for one Shop does not require deletion of:

  1. other Shops under the same Customer Organization;
  2. data associated with other active apps, modules, or Services;
  3. Customer Organization-level records needed to support remaining active Shops or Services;
  4. billing, legal, tax, security, audit, fraud-prevention, or compliance records;
  5. Aggregated Data or De-Identified Data;
  6. records retained in backups until overwritten or deleted in the ordinary course; or
  7. records Zapstra is legally permitted or required to retain.

5. Organization-Level Deletion

Zapstra may perform Customer Organization-level deletion or de-identification when:

  1. all Shops under the Customer Organization have been redacted, deleted, disconnected, or terminated;
  2. all app relationships, Service relationships, and billing relationships have ended;
  3. no active Services remain;
  4. no legal, tax, accounting, security, fraud-prevention, audit, dispute-resolution, platform, or compliance reason requires retention; and
  5. Zapstra determines that organization-level records are no longer needed.

6. Reinstallation and Reactivation

If Customer reinstalls an app, reconnects a Shop, reactivates a Service, or creates a new Customer Organization after deletion or redaction, Zapstra may treat the reinstallation, reconnection, or reactivation as a new authorization to Process Customer Data for the applicable Shop or Services.