Data Processing Agreement
How we process personal data on behalf of our customers.
1. Introduction
1.1 This Data Processing Agreement ("DPA") supplements the main agreement between Customer and SHOPLAB Sweden AB ("Supplier"), hereinafter referred to as the "Main Agreement", and governs the handling of personal data. The Customer serves as the primary contact point, even when data involves affiliated entities. Customer responsibilities include coordinating instructions and sharing information with relevant parties.
1.2 This DPA takes precedence over the Main Agreement regarding personal data matters. It complies with the requirements of GDPR for written controller-processor agreements and runs concurrently with the Main Agreement, terminating upon its conclusion.
2. Definitions
- Customer: The contracting entity defined in the Main Agreement, including group companies.
- Controller: The party determining purposes and means of personal data processing.
- Data Breach: A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to, personal data transmitted, stored or otherwise processed.
- Data Protection Laws: Applicable privacy legislation, including national laws and GDPR (EU 2016/679).
- Data Subject: An identified or identifiable natural person.
- Instructions: Written directives for personal data processing, detailed in this agreement and updated via written modifications.
- Personal Data: Information referring to identified or identifiable natural persons.
- Processing: Any operation performed on personal data, whether automated or manual.
- Processor: A party processing personal data on the Controller's behalf.
- Subcontractor: A third party engaged by the Supplier that processes personal data in order to fulfil the Supplier's obligations as Processor.
- Transfer: Movement of personal data to a recipient outside the European Economic Area (EEA).
3. Processing of Personal Data
3.1 The nature, purpose, types of data, and categories of data subjects are specified in Appendix 1.
3.2 The Customer acts as Controller and is responsible for legal collection and data accuracy.
3.3 The Supplier and its Subcontractors process data solely per Customer instructions and this agreement. The Supplier ensures Subcontractors comply with this DPA and applicable laws.
3.4 The Customer provides clear processing directives. The Supplier notifies the Customer if instructions may violate data protection laws. The Supplier may decline instructions risking data breaches but conducts no independent legal research.
3.5 The Supplier may charge time-and-materials fees for work resulting from amended instructions or other additional tasks.
4. Supplier's Personnel
4.1 The Supplier ensures personnel maintain secrecy, receive adequate training, and maintain binding non-disclosure undertakings. Confidentiality obligations persist after agreement termination.
4.2 Only personnel requiring access for fulfilling Main Agreement obligations may access personal data.
5. Protection of Personal Data
5.1 The Supplier implements technically and organizationally appropriate protections proportionate to data sensitivity, existing risks, and implementation costs. Data remains protected from unauthorized changes, destruction, access, and dissemination per GDPR Article 32.
5.2 The Supplier notifies the Customer promptly of data subject requests regarding access, correction, or deletion. The Supplier does not respond independently except to acknowledge receipt and forward requests. The Supplier assists the Customer in managing inquiries unless legally prevented.
5.3 The Supplier aids the Customer in fulfilling controller duties per GDPR Article 28(3)(a)-(h).
5.4 The Supplier notifies the Customer promptly of government authority inquiries unless legally prohibited. The Supplier provides reasonable assistance but cannot respond on the Customer's behalf.
5.5 The Supplier receives time-and-materials compensation for data protection-related assistance unless Data Protection Laws specify otherwise.
6. Subcontractors
6.1 The Supplier may engage Subcontractors for specified purposes as outlined in Appendix 1. Current Subcontractors appear in Appendix 1.
6.2 The Supplier ensures written Subcontractor agreements mirror this DPA's requirements.
6.3 The Supplier may terminate or engage new Subcontractors, providing written notice fourteen (14) days before engagement when possible. The Customer may object within ten (10) days of notice.
6.4 In case of dispute, parties discuss resolution within thirty (30) days. If unresolved, either party may terminate the Main Agreement and DPA. The Customer acknowledges objections may impact service availability; the Supplier holds no advance payment refund obligations.
6.5 The Supplier bears full responsibility for Subcontractor personal data processing.
6.6 The Supplier maintains a Subcontractor list and provides copies upon request.
7. Audits
7.1 The Supplier provides the Customer and independent auditors reasonable access to information and premises for DPA and Data Protection Laws compliance verification.
7.2 Customers provide thirty (30) days' written notice unless authorities require otherwise. Auditors execute confidentiality undertakings and follow Supplier security protocols. Audits minimize business disruption and information security risks for other customers. Customers prioritize existing audit reports and limit audits to once yearly unless Data Protection Laws require otherwise. Audits exclude trade secrets and proprietary information unless legally required.
7.3 The Supplier promptly corrects non-compliance identified through audits.
7.4 The Supplier reserves time-and-materials charges for audit assistance, provided Data Protection Laws obligations remain unaffected.
8. Incidents and Data Breaches
8.1 Per quality management procedures, the Supplier evaluates suspected unauthorized access or processing events. Risks of unplanned or illegal deletion, loss, alteration, or unauthorized release trigger prompt Customer notification with relevant incident information. The Supplier develops mitigation steps and cooperates with Customer in protecting personal data and restoring confidentiality, privacy, and availability.
8.2 The Supplier notifies the Customer without undue delay after becoming aware of a Data Breach, as required by GDPR Article 33(2). The Supplier investigates, implements damage reduction measures, identifies root causes, and prevents recurrence. The Supplier keeps the Customer updated on investigation progress and cooperates in reducing damage and protecting data subjects.
9. Return and Deletion of Personal Data
9.1 Within thirty (30) days of Main Agreement expiration, the Supplier deletes all processed personal data, including backups. Alternatively, if the Customer so requests in writing without delay after expiration, the Supplier returns all personal data to the Customer before deleting it.
10. Liability and Limitation of Liability
10.1 The Supplier bears responsibility only when the Supplier or Subcontractors breach DPA or Data Protection Laws obligations, causing data subject or third-party claims, damages, or authority penalties. The Customer indemnifies the Supplier for claims caused by the Customer.
10.2 The Supplier's aggregate DPA liability shall never exceed fifty (50) percent of remuneration received under the Main Agreement during the preceding six-month period.
11. Transfer of Personal Data
11.1 Processing activities, including storage, occur as specified in Appendix 1. The Supplier or Subcontractors may perform services outside the European Economic Area (EEA) directly or via onward transfer.
11.2 The Customer grants explicit written consent, authorization, and instruction to the Supplier for extra-EEA personal data transfers under the following conditions:
- Adequacy Determination: The destination country, territory or sector is covered by a European Commission adequacy decision under GDPR Article 45, or the recipient is certified under a framework covered by such a decision.
- Appropriate Safeguards: The Supplier or Subcontractor implements GDPR Article 46 safeguards.
- Binding Corporate Rules: GDPR Article 47 approved Binding Corporate Rules safeguard transfers and data subject rights.
- Standard Contractual Clauses: Transfers rely on the European Commission's Standard Contractual Clauses, supplemented where necessary with additional measures in line with European Data Protection Board guidance on supplementary measures.
Appendix 1 - Processing Details
Data Subjects
Categories of data subjects include: the Customer's customers, members and suppliers (Customer Data), persons placing orders (Order Data), Authorized System Users, and other individuals registered in the System.
Categories of Personal Data
- Customer Data: Name, surname, address details, postal code, region, country, telephone, email, birth date, identification number, gender, IP address, purchase history, activities, and other stored information.
- Order Data: Products, quantities, prices, order values, shipping options.
- Authorized Users: Name, surname, email, IP address, password, activities.
- Product Data: Images, video.
Sensitive Data Restriction: Article 9 GDPR sensitive personal data cannot be processed in the System unless parties explicitly amend instructions in writing.
Uploaded Images/Video
Uploaded images and videos in which a natural person can be identified constitute personal data under GDPR. The regulation defines personal data broadly and covers indirect identifiers such as photographs and video footage, since image processing technologies enable identification of individuals, especially when combined with additional information. The same GDPR principles and requirements therefore apply to uploaded images as to other personal data, including establishing a lawful basis for processing (such as clear informed consent) and respecting the rights of access, rectification, erasure, and restriction of processing.
Processing Nature and Purpose
Personal data is typically supplied by the Customer as Controller, imported from external sources, or in some cases received from external service providers. The Customer determines the purpose of Personal Data Processing. The Supplier's Processing purposes remain limited to:
- Providing agreed services including software provision, support, and other Main Agreement services
- Implementing, managing, and monitoring supporting infrastructure and fulfilling technical and organizational data protection requirements
- Communicating with Customer and personnel
- Implementing Customer instructions per Section 3.4
- Managing service problems, incidents, and data breaches
Processing Duration
Personal data is processed throughout the Main Agreement term. The data controller establishes specific retention periods for different personal data categories.
Security Measures
The Supplier implements technically and organizationally appropriate protections proportionate to data sensitivity, particular risks, technical capabilities, and implementation costs. Personal data protection prevents unauthorized changes, destruction, access, and dissemination. The Supplier implements GDPR Article 32 measures:
- Personal data pseudonymization and encryption
- Ensuring ongoing processing system and service confidentiality, integrity, availability, and resilience
- Timely availability and access restoration following physical or technical incidents
- Regular technical and organizational security measure testing, assessment, and evaluation
Technical Security Measures
- Data Separation: Customer data uses logical separation, identifiers, and tagging, restricting access to authorized customers only.
- Encryption: Data in transit is protected using current, established encryption practices. Stored data is encrypted where feasible, with disk-level encryption as the minimum.
- Testing: Regular independent vulnerability and penetration testing plus routine security updates and patches.
- API Protection: Public API endpoints require a secret API key, so that unauthenticated requests are rejected before any data is accessed.
- Access Control: Private administration interfaces (Console, Web GUI) are protected by an identity and access management (IAM) service.
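The Data Separation and API Protection measures above describe a common pattern: every stored record is tagged with the customer (tenant) it belongs to, the API key presented on a request is bound to exactly one tenant, and the tenant used to filter data is derived from the authenticated key rather than from anything the caller supplies. The following is an added illustration of that pattern, written for this page; it is not SHOPLAB's code, and the key table, the in-memory record store and the sample records are constructed for the example.

```python
import hashlib
import hmac
import secrets
from typing import List, Optional

# Constructed sample data: two tenants sharing one logical store.
# Every record carries the identifier of the tenant it belongs to.
RECORDS = [
    {"tenant": "acme", "id": 1, "email": "anna@example.com"},
    {"tenant": "acme", "id": 2, "email": "bo@example.com"},
    {"tenant": "globex", "id": 3, "email": "cara@example.com"},
]


def hash_key(key: str) -> str:
    """Only a digest of the API key is stored; the key itself is never persisted."""
    return hashlib.sha256(key.encode("utf-8")).hexdigest()


def issue_key(key_id: str) -> str:
    """Generate a new API key of the form '<key id>.<random secret>'."""
    return f"{key_id}.{secrets.token_urlsafe(32)}"


# Hypothetical key table: key id -> (tenant the key is bound to, digest of the full key).
# Fixed values are used here so the example is reproducible; real keys come from issue_key().
API_KEYS = {
    "k1": ("acme", hash_key("k1.acme-secret-value")),
    "k2": ("globex", hash_key("k2.globex-secret-value")),
}


class Unauthorized(Exception):
    pass


def authenticate(api_key: str) -> str:
    """Return the tenant bound to api_key, or raise Unauthorized."""
    key_id, _, _ = api_key.partition(".")
    entry = API_KEYS.get(key_id)
    # Compare against a dummy digest when the key id is unknown so that the
    # response time does not reveal which key ids exist.
    expected = entry[1] if entry is not None else hash_key("")
    matches = hmac.compare_digest(expected, hash_key(api_key))
    if entry is None or not matches:
        raise Unauthorized("invalid API key")
    return entry[0]


def list_records(api_key: str, requested_tenant: Optional[str] = None) -> List[dict]:
    """Return the records visible to the caller.

    The tenant is taken from the authenticated key, never from the request.
    A caller may name a tenant explicitly, but only its own tenant is accepted.
    """
    tenant = authenticate(api_key)
    if requested_tenant is not None and requested_tenant != tenant:
        raise Unauthorized("key is not authorized for the requested tenant")
    return [r for r in RECORDS if r["tenant"] == tenant]


if __name__ == "__main__":
    print(list_records("k1.acme-secret-value"))
    print(list_records("k2.globex-secret-value"))
```

The two points worth noting are that the key lookup uses a constant-time comparison on stored digests, so a database disclosure does not hand out usable keys, and that the tenant filter cannot be overridden by the caller: presenting a valid key for one customer while asking for another customer's data is rejected rather than silently served.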
Organizational Measures
- Change Control: SHOPLAB maintains structured change management, reviewing and testing changes before production deployment, with rollback capabilities.
- Secure Testing: SHOPLAB maintains separate production and testing environments.
- Risk Management: SHOPLAB maintains documented risk handling processes and routines, periodically assessing information system, processing, storage, and transmission risks.
Physical Access Control
System and personal data access is restricted to personnel requiring access on a need-to-know basis. User authentication protects data processing system access.
Subcontractors
SHOPLAB primarily employs Amazon Web Services (AWS) as hosting provider for personal data processing and storage.
| Subcontractor | Country of Jurisdiction | Processing Jurisdiction(s) | Processing Description |
|---|---|---|---|
| Sendinblue GmbH | Germany | Belgium, France | Marketing and status updates to system users |
| BunnyWay d.o.o. | Slovenia | EU | Image content delivery network, storage, streaming |
| Cloudflare | USA | EU | Content delivery network and web application firewall |
| Amazon Web Services EMEA SARL | Luxembourg | Austria, Denmark, England, Finland, France, Germany, Ireland, Italy, Poland, Spain, Sweden | Processing, sending, receiving, storing both short and long-term in databases and file storage |
Contact Information
If you have any questions regarding this DPA you can contact us through the details below:
Email: legal@shoplab.se
Telephone: +46 10-200 77 62