Data Processing Agreement (DPA)

Effective Date: March 5, 2026 Version: 1.0

1. Definitions

Controller: The Shopify merchant who installs and uses the Aserta app and determines the purposes and means of processing personal data.

Processor: Aserta Ltd, which processes personal data on the Controller's behalf in accordance with instructions.

Personal Data: Any information relating to an identified or identifiable natural person (e.g., customer names, email addresses in product descriptions).

Processing: Any operation performed on personal data, including collection, storage, use, transmission, or deletion.

Data Subject: Any person whose personal data is processed (e.g., end customers of the Controller's Shopify store).

Sub-processor: Any third party engaged by Aserta to process personal data on behalf of the Controller (e.g., cloud hosting providers).

2. Scope and Purpose

2.1 Scope of Processing

This DPA applies to the processing of personal data contained in:

• Product descriptions, titles, and ingredient lists in the Controller's Shopify store
• Product tags and metafields used for compliance auditing
• Any personal data incidentally included in product content (e.g., customer testimonials with names)

2.2 Purpose of Processing

Aserta processes personal data solely for the following purposes:

• Performing automated compliance audits and ingredient identification
• Applying text formatting to product descriptions
• Generating compliance reports and audit trails
• Maintaining the security and integrity of the Service
• Complying with legal obligations

2.3 Prohibited Uses

Aserta will NOT:

• Process personal data for marketing, advertising, or profiling purposes
• Share personal data with third parties for their own purposes
• Use personal data to build consumer databases or customer lists
• Combine personal data from multiple Stores for analytics or insights
• Process personal data for any purpose beyond those outlined in Section 2.2

3. Nature of Processing

Processing Activity	Description	Legal Basis
Collection	Aserta receives product data via Shopify API when the app is installed	Contract (Service provision)
Storage	Personal data is stored in encrypted databases hosted on Render	Contract (Service provision)
Analysis	Automated scanning of product descriptions for regulatory keywords	Contract (Service provision)
Modification	Text formatting and metadata updates applied to product descriptions	Contract (with Controller's instructions)
Deletion	Data deleted upon app uninstall or at Controller's request	Contract & GDPR (right to erasure)

4. Controller Instructions

4.1 Lawful Basis

The Controller warrants that they have obtained all necessary lawful bases and consents to process personal data through the Aserta Service. Aserta relies on the Controller's representations regarding:

• Lawfulness of data collection and use
• Disclosure to end customers that their data will be processed by Aserta
• Compliance with privacy laws in their jurisdiction

4.2 Limitations on Processing

Aserta will only process personal data in accordance with:

• The Controller's explicit written instructions
• The terms of this DPA and the Privacy Policy
• Applicable data protection laws

Any processing beyond these scopes is prohibited. If Aserta receives conflicting instructions, Aserta may decline to process until clarification is received.

5. Data Processor Responsibilities

5.1 Security Measures

Aserta implements technical and organizational measures to protect personal data, including:

• Encryption: AES-256 encryption for data at rest; TLS 1.2+ for data in transit
• Access Control: Role-based access control (RBAC) with authentication required for all personnel
• Monitoring: Continuous security monitoring and intrusion detection systems
• Backups: Encrypted backups stored separately from production systems
• Firewalls: Web Application Firewall (WAF) and DDoS protection via Render
• Regular Audits: Annual penetration testing and security assessments

5.2 Sub-processors

Aserta may engage sub-processors for the following functions:

• Cloud Hosting: Render (database storage, application hosting)
• API Integration: Shopify (for store data access and webhook delivery)

A complete list of sub-processors is available at: https://getaserta.com/subprocessors

The Controller will be notified of any new sub-processors at least 30 days before they begin processing personal data. The Controller has the right to object to the use of new sub-processors.

5.3 International Data Transfers

Personal data is processed on servers located in the United States (Render infrastructure). Aserta relies on Standard Contractual Clauses (SCCs) and Shopify's Data Transfer Addendum to authorize these transfers in compliance with GDPR Article 44-49.

6. Data Subject Rights

6.1 Right to Access

Data subjects have the right to request access to their personal data. Upon receiving a request from the Controller or directly from a data subject (via Shopify webhooks), Aserta will:

• Acknowledge the request within 24 hours
• Provide a copy of the personal data within 30 days
• Include information about processing purposes and categories of recipients

6.2 Right to Rectification

Aserta will correct inaccurate personal data upon the Controller's written request. The Controller is responsible for ensuring the accuracy of data in their Shopify store.

6.3 Right to Erasure (Right to be Forgotten)

Upon the Controller's request or receipt of a Shopify webhook requesting deletion, Aserta will:

• Delete all personal data within 30 days
• Confirm deletion to the Controller
• Maintain records of deletion for audit purposes

Exceptions: Aserta may retain data where required by law (tax, accounting, legal proceedings) or where the data no longer constitutes personal data (aggregated, anonymized data).

6.4 Right to Data Portability

Upon the Controller's request, Aserta will provide personal data in a structured, commonly-used, machine-readable format (CSV, JSON) within 30 days.

6.5 Right to Object

Data subjects may object to the processing of their personal data. Aserta will cease processing upon the Controller's instruction, except where processing is required by law.

7. Breach Notification

7.1 Notification Timeline

In the event of a personal data breach, Aserta will:

• Notify the Controller without undue delay, and no later than 72 hours after discovery
• Provide details about the nature of the breach and data affected
• Describe the likely consequences for data subjects
• Provide recommendations for mitigation

7.2 Investigation and Remediation

Aserta will:

• Conduct a prompt investigation into the cause of the breach
• Implement technical measures to prevent similar breaches
• Maintain detailed documentation of the breach and response
• Cooperate with supervisory authorities and the Controller's legal team

8. Cooperation and Audits

8.1 Cooperation with Data Subjects

Aserta will cooperate with data subjects' requests for access, correction, deletion, and other rights. The Controller may direct such requests to Aserta, and Aserta will respond within 30 days.

8.2 Cooperation with Supervisory Authorities

Aserta will cooperate with requests from the UK Information Commissioner's Office (ICO) and other data protection authorities. The Controller will be informed of such requests (unless legally prohibited).

8.3 Audits and Assessments

Aserta will:

• Conduct annual security audits and penetration testing
• Maintain documentation of processing activities
• Provide the Controller with audit reports and certificates of compliance upon request
• Allow the Controller (or their auditor) to conduct audits on reasonable notice

9. Data Retention and Deletion

9.1 Retention Schedule

Aserta retains personal data according to the following schedule:

Data Category	Retention Period	Justification
Active product data	Duration of app installation	Service provision
Backup copies	Up to 90 days after deletion	Disaster recovery
Audit logs	1 year	Legal compliance & dispute resolution
Transaction logs	6 years	Tax and accounting compliance (UK law)

9.2 Deletion Upon Request

Upon the Controller's request or app uninstallation, Aserta will delete all personal data within 30 days, except where retention is required by law.

10. Limitation of Liability

To the maximum extent permitted by law, Aserta's liability under this DPA shall be limited to the fees paid by the Controller in the 12 months preceding the claim, or £50, whichever is greater. This limitation does not apply to:

• Data breaches caused by Aserta's negligence or willful misconduct
• Violations of the Controller's explicit instructions
• Breach of confidentiality obligations

11. Confidentiality

Aserta ensures that all personnel with access to personal data are bound by confidentiality agreements. Personnel will not disclose personal data to third parties without authorization, except as required by law.

12. Term and Termination

12.1 Term

This DPA commences when the Controller installs the Aserta app and continues for the duration of the service agreement.

12.2 Termination

Upon termination or expiration of the service agreement:

• Aserta will delete all personal data within 30 days
• Aserta will cease all processing of personal data
• Aserta will provide a certificate of deletion upon request

13. Governing Law and Dispute Resolution

This DPA shall be governed by the laws of England and Wales and the UK GDPR. Any disputes arising from this DPA shall be resolved through the courts of England and Wales, in accordance with the dispute resolution procedures outlined in our Terms of Service.

14. Contact Information

For questions about this DPA or data protection compliance, please contact:

Data Protection Officer (DPO):
Email: dpo@getaserta.com
Postal Address: Aserta Ltd, Eldridge Gardens, Romsey, Hampshire, United Kingdom

15. Changes to This DPA

Aserta may update this DPA to comply with changes in data protection laws. Material changes will be communicated to the Controller with 30 days' notice. Continued use of the Service constitutes acceptance of updated terms.