Data Processing Agreement (DPA)

Effective date: 16 June 2026 · Version: 1.1 · Previous version: 1.0 (5 March 2026)
About this agreement

This Data Processing Agreement (“DPA”) forms part of the contract between Aserta Ltd (“Aserta”, “Processor”) and the Shopify merchant who installs the Aserta app (“Merchant”, “Controller”).

It governs processing where you are the controller and Aserta is your processor — principally product catalogue text accessed via the Shopify API for compliance audits.

Separate from this DPA: Aserta also processes merchant account data (shop domain, OAuth token, subscription state, etc.) as an independent controller. That processing is described in our Privacy Policy, not this DPA.

Related documents: Privacy Policy · Subprocessors · Terms of Service

1. Definitions

Controller: The Merchant who installs and uses the Aserta app and determines the purposes and means of processing personal data relating to their business and product catalogue.

Processor: Aserta Ltd, which processes personal data on the Controller’s documented instructions solely to provide the compliance audit service described in this DPA.

Personal Data (under this DPA): Any personal data contained in product catalogue content that Aserta accesses, analyses, or modifies through the Shopify API in providing the Service — for example, a testimonial quote with a customer name in a product description. Product ingredients and titles are usually not personal data.

Processing: Any operation performed on personal data, including access, analysis, modification, transmission, storage, or deletion.

Data Subject: An identifiable natural person whose personal data appears in product content processed under this DPA. Aserta does not routinely process the Controller’s buyers’ order, account, or payment data.

Sub-processor: A third party engaged by Aserta to process personal data on the Controller’s behalf under this DPA (listed at getaserta.com/subprocessors).

Service: The Aserta Shopify application and related compliance audit features subscribed to by the Controller.

2. Scope and purpose

2.1 In scope (processor processing)

This DPA applies to personal data Aserta processes on your instructions when providing the Service, including personal data contained in:

2.2 Out of scope (Aserta as controller)

The following is not covered by this DPA because Aserta acts as an independent controller (see Privacy Policy):

2.3 Purpose of processing

Aserta processes personal data solely for the following purposes:

2.4 Prohibited uses

Aserta will NOT:

3. Nature of processing

Aserta primarily accesses product data via the Shopify API, analyses it, and writes results back to your Shopify store (including metafields and, where you apply updates, description formatting). Full product descriptions are not routinely archived in Aserta’s database; persistent records on Aserta systems relating to the Service are limited mainly to shop connection metadata and monitored product identifiers (see Privacy Policy).

Activity Description
Access & analysis Read product catalogue fields via Shopify API; run rule-based compliance checks
Modification Write audit metafields and, when you use Apply Compliance Updates, apply formatting or warning blocks you request
Transient processing Product text processed in memory during audits and webhook handling
Deletion Cease processing on uninstall; delete Aserta-held connection records promptly; Shopify GDPR webhooks implemented (see Section 6)

4. Controller Instructions

4.1 Lawful basis

The Controller is responsible for ensuring it has a lawful basis to process personal data in its product catalogue and to instruct Aserta to process that data. Aserta processes personal data under this DPA only:

4.2 Limitations on Processing

Aserta will only process personal data in accordance with:

Any processing beyond these scopes is prohibited. If Aserta receives conflicting instructions, Aserta may decline to process until clarification is received.

5. Data Processor Responsibilities

5.1 Security measures

Aserta implements appropriate technical and organisational measures, including:

Encryption at rest and other hosting security features depend on our database/hosting tier; see Render’s documentation and our Subprocessors page.

5.2 Sub-processors

Aserta uses sub-processors to host and operate the Service, including:

Current sub-processors, locations, and roles are published at https://getaserta.com/subprocessors.html.

We will give reasonable notice (aiming for at least 30 days) before a new sub-processor processes personal data under this DPA. You may object within that period by emailing dpo@getaserta.com.

5.3 International data transfers

Aserta’s application database is hosted in the United States (Render). Where personal data is transferred outside the UK, Aserta uses appropriate safeguards, which may include the UK International Data Transfer Agreement (IDTA) and/or UK Addendum to EU Standard Contractual Clauses with sub-processors, and Shopify’s contractual transfer mechanisms for data processed through the Shopify platform.

6. Data subject rights and Shopify GDPR webhooks

6.1 Controller responsibilities

The Controller is responsible for responding to data subject requests relating to personal data in their store. Aserta will assist the Controller, where reasonable, with requests that relate to personal data processed under this DPA.

6.2 Shopify mandatory webhooks

Aserta implements Shopify’s mandatory endpoints (customers/data_request, customers/redact, shop/redact). Because the Service focuses on product catalogue text and Aserta does not routinely store end-customer profile or order data, these webhooks typically require no additional deletion beyond confirming Aserta holds no relevant records. If personal data were present in our systems, Aserta would delete it within a reasonable period.

6.3 Assistance

Upon the Controller’s written request relating to personal data processed under this DPA, Aserta will respond within one month, unless a longer period is permitted by law. Requests may include access, rectification, erasure, restriction, or portability where applicable and technically feasible.

7. Personal data breaches

7.1 Notification to Controller

If Aserta becomes aware of a personal data breach affecting personal data processed under this DPA, Aserta will notify the Controller without undue delay after becoming aware of the breach, and provide information reasonably available about the nature of the breach, likely consequences, and measures taken or proposed.

7.2 Investigation

Aserta will investigate the breach, take reasonable steps to mitigate harm, and cooperate with the Controller regarding supervisory authority notifications where required.

8. Cooperation and Audits

8.1 Cooperation with Data Subjects

Aserta will cooperate with data subjects' requests for access, correction, deletion, and other rights. The Controller may direct such requests to Aserta, and Aserta will respond within 30 days.

8.2 Cooperation with Supervisory Authorities

Aserta will cooperate with requests from the UK Information Commissioner's Office (ICO) and other data protection authorities. The Controller will be informed of such requests (unless legally prohibited).

8.3 Audits

Upon reasonable written request, Aserta will provide information necessary to demonstrate compliance with this DPA. The Controller may audit Aserta’s compliance no more than once per year on reasonable notice, unless required by a supervisory authority or following a material breach.

9. Data retention and deletion

9.1 Retention

Data Retention
Product data processed under this DPA Processed on demand via API while the app is installed; audit outputs remain in your Shopify store until you change or remove them
Monitored product IDs on Aserta systems While the app is installed (see Privacy Policy for controller data)
Hosting backups Up to 90 days after deletion, for disaster recovery only
Server/security logs Limited operational period for security and troubleshooting

9.2 Deletion on uninstall

When the Controller uninstalls the app, Aserta deletes active store connection records promptly (including OAuth credentials). A limited grace-period record may be retained until a prepaid period expires (see Privacy Policy). Processing of product data under this DPA ceases when the app is uninstalled or access is revoked.

10. Limitation of Liability

To the maximum extent permitted by law, Aserta's liability under this DPA shall be limited to the fees paid by the Controller in the 12 months preceding the claim, or £50, whichever is greater. This limitation does not apply to:

11. Confidentiality

Aserta ensures that all personnel with access to personal data are bound by confidentiality agreements. Personnel will not disclose personal data to third parties without authorization, except as required by law.

12. Term and Termination

12.1 Term

This DPA commences when the Controller installs the Aserta app and continues for the duration of the service agreement.

12.2 Termination

Upon termination of the Service (including app uninstall):

13. Governing Law and Dispute Resolution

This DPA shall be governed by the laws of England and Wales and the UK GDPR. Any disputes arising from this DPA shall be resolved through the courts of England and Wales, in accordance with the dispute resolution procedures outlined in our Terms of Service.

14. Contact Information

For questions about this DPA or data protection compliance, please contact:

Data Protection Officer (DPO):
Email: dpo@getaserta.com
Postal Address: Aserta Ltd, Eldridge Gardens, Romsey, Hampshire, United Kingdom

15. Changes to This DPA

Aserta may update this DPA to comply with changes in data protection laws. Material changes will be communicated to the Controller with 30 days' notice. Continued use of the Service constitutes acceptance of updated terms.

Acceptance

By installing the Aserta app, the Controller accepts this DPA as part of the agreement to use the Service. If you require a countersigned copy, contact dpo@getaserta.com.

Aserta Ltd
Eldridge Gardens, Romsey, Hampshire, United Kingdom
Effective date: 16 June 2026 · Version 1.1