This Data Processing Agreement (“DPA”) forms part of the contract between Aserta Ltd (“Aserta”, “Processor”) and the Shopify merchant who installs the Aserta app (“Merchant”, “Controller”).
It governs processing where you are the controller and Aserta is your processor — principally product catalogue text accessed via the Shopify API for compliance audits.
Separate from this DPA: Aserta also processes merchant account data (shop domain, OAuth token, subscription state, etc.) as an independent controller. That processing is described in our Privacy Policy, not this DPA.
Related documents: Privacy Policy · Subprocessors · Terms of Service
Controller: The Merchant who installs and uses the Aserta app and determines the purposes and means of processing personal data relating to their business and product catalogue.
Processor: Aserta Ltd, which processes personal data on the Controller’s documented instructions solely to provide the compliance audit service described in this DPA.
Personal Data (under this DPA): Any personal data contained in product catalogue content that Aserta accesses, analyses, or modifies through the Shopify API in providing the Service — for example, a testimonial quote with a customer name in a product description. Product ingredients and titles are usually not personal data.
Processing: Any operation performed on personal data, including access, analysis, modification, transmission, storage, or deletion.
Data Subject: An identifiable natural person whose personal data appears in product content processed under this DPA. Aserta does not routinely process the Controller’s buyers’ order, account, or payment data.
Sub-processor: A third party engaged by Aserta to process personal data on the Controller’s behalf under this DPA (listed at getaserta.com/subprocessors).
Service: The Aserta Shopify application and related compliance audit features subscribed to by the Controller.
This DPA applies to personal data Aserta processes on your instructions when providing the Service, including personal data contained in:
aserta_app.compliance_audit);The following is not covered by this DPA because Aserta acts as an independent controller (see Privacy Policy):
Aserta processes personal data solely for the following purposes:
Aserta will NOT:
Aserta primarily accesses product data via the Shopify API, analyses it, and writes results back to your Shopify store (including metafields and, where you apply updates, description formatting). Full product descriptions are not routinely archived in Aserta’s database; persistent records on Aserta systems relating to the Service are limited mainly to shop connection metadata and monitored product identifiers (see Privacy Policy).
| Activity | Description |
|---|---|
| Access & analysis | Read product catalogue fields via Shopify API; run rule-based compliance checks |
| Modification | Write audit metafields and, when you use Apply Compliance Updates, apply formatting or warning blocks you request |
| Transient processing | Product text processed in memory during audits and webhook handling |
| Deletion | Cease processing on uninstall; delete Aserta-held connection records promptly; Shopify GDPR webhooks implemented (see Section 6) |
The Controller is responsible for ensuring it has a lawful basis to process personal data in its product catalogue and to instruct Aserta to process that data. Aserta processes personal data under this DPA only:
Aserta will only process personal data in accordance with:
Any processing beyond these scopes is prohibited. If Aserta receives conflicting instructions, Aserta may decline to process until clarification is received.
Aserta implements appropriate technical and organisational measures, including:
Encryption at rest and other hosting security features depend on our database/hosting tier; see Render’s documentation and our Subprocessors page.
Aserta uses sub-processors to host and operate the Service, including:
Current sub-processors, locations, and roles are published at https://getaserta.com/subprocessors.html.
We will give reasonable notice (aiming for at least 30 days) before a new sub-processor processes personal data under this DPA. You may object within that period by emailing dpo@getaserta.com.
Aserta’s application database is hosted in the United States (Render). Where personal data is transferred outside the UK, Aserta uses appropriate safeguards, which may include the UK International Data Transfer Agreement (IDTA) and/or UK Addendum to EU Standard Contractual Clauses with sub-processors, and Shopify’s contractual transfer mechanisms for data processed through the Shopify platform.
The Controller is responsible for responding to data subject requests relating to personal data in their store. Aserta will assist the Controller, where reasonable, with requests that relate to personal data processed under this DPA.
Aserta implements Shopify’s mandatory endpoints (customers/data_request, customers/redact, shop/redact). Because the Service focuses on product catalogue text and Aserta does not routinely store end-customer profile or order data, these webhooks typically require no additional deletion beyond confirming Aserta holds no relevant records. If personal data were present in our systems, Aserta would delete it within a reasonable period.
Upon the Controller’s written request relating to personal data processed under this DPA, Aserta will respond within one month, unless a longer period is permitted by law. Requests may include access, rectification, erasure, restriction, or portability where applicable and technically feasible.
If Aserta becomes aware of a personal data breach affecting personal data processed under this DPA, Aserta will notify the Controller without undue delay after becoming aware of the breach, and provide information reasonably available about the nature of the breach, likely consequences, and measures taken or proposed.
Aserta will investigate the breach, take reasonable steps to mitigate harm, and cooperate with the Controller regarding supervisory authority notifications where required.
Aserta will cooperate with data subjects' requests for access, correction, deletion, and other rights. The Controller may direct such requests to Aserta, and Aserta will respond within 30 days.
Aserta will cooperate with requests from the UK Information Commissioner's Office (ICO) and other data protection authorities. The Controller will be informed of such requests (unless legally prohibited).
Upon reasonable written request, Aserta will provide information necessary to demonstrate compliance with this DPA. The Controller may audit Aserta’s compliance no more than once per year on reasonable notice, unless required by a supervisory authority or following a material breach.
| Data | Retention |
|---|---|
| Product data processed under this DPA | Processed on demand via API while the app is installed; audit outputs remain in your Shopify store until you change or remove them |
| Monitored product IDs on Aserta systems | While the app is installed (see Privacy Policy for controller data) |
| Hosting backups | Up to 90 days after deletion, for disaster recovery only |
| Server/security logs | Limited operational period for security and troubleshooting |
When the Controller uninstalls the app, Aserta deletes active store connection records promptly (including OAuth credentials). A limited grace-period record may be retained until a prepaid period expires (see Privacy Policy). Processing of product data under this DPA ceases when the app is uninstalled or access is revoked.
To the maximum extent permitted by law, Aserta's liability under this DPA shall be limited to the fees paid by the Controller in the 12 months preceding the claim, or £50, whichever is greater. This limitation does not apply to:
Aserta ensures that all personnel with access to personal data are bound by confidentiality agreements. Personnel will not disclose personal data to third parties without authorization, except as required by law.
This DPA commences when the Controller installs the Aserta app and continues for the duration of the service agreement.
Upon termination of the Service (including app uninstall):
This DPA shall be governed by the laws of England and Wales and the UK GDPR. Any disputes arising from this DPA shall be resolved through the courts of England and Wales, in accordance with the dispute resolution procedures outlined in our Terms of Service.
For questions about this DPA or data protection compliance, please contact:
Data Protection Officer (DPO):
Email: dpo@getaserta.com
Postal Address: Aserta Ltd, Eldridge Gardens, Romsey, Hampshire, United Kingdom
Aserta may update this DPA to comply with changes in data protection laws. Material changes will be communicated to the Controller with 30 days' notice. Continued use of the Service constitutes acceptance of updated terms.
By installing the Aserta app, the Controller accepts this DPA as part of the agreement to use the Service. If you require a countersigned copy, contact dpo@getaserta.com.
Aserta Ltd
Eldridge Gardens, Romsey, Hampshire, United Kingdom
Effective date: 16 June 2026 · Version 1.1