Subprocessors

Last updated: 16 June 2026 · Previous version: 5 March 2026

About this page

This page lists third parties Aserta Ltd uses to host and operate the Aserta Shopify app. It should be read with our Privacy Policy and Data Processing Agreement (DPA).

Controller and processor roles: Aserta acts as data controller for merchant account data (e.g. shop domain, OAuth credentials, subscription state). Aserta acts as data processor when auditing product catalogue text on your instructions. The parties listed below support both aspects of the service.

When we process product data as your processor, these parties are our sub-processors under the DPA. If you object to a new sub-processor, contact dpo@getaserta.com within 30 days of notification.

How we use subprocessors

We do not sell merchant data. We engage infrastructure and platform providers only to deliver the app. We require appropriate contractual safeguards, including data processing terms and transfer mechanisms where data is hosted outside the UK.

Current Subprocessors

Render

Function: Cloud Hosting Provider

Purpose: Render hosts the Aserta application, API, and PostgreSQL database in the United States.

Data processed: Merchant account data Aserta controls (shop domain, display name, OAuth token, subscription/trial fields, monitored product IDs) and product audit data Aserta processes on your instructions. Product descriptions are generally not personal data unless they identify an individual.

Aserta’s role: Render is Aserta’s infrastructure provider. When Aserta processes your product data as your processor, Render acts as Aserta’s sub-processor.

Location: United States

Security: TLS for data in transit; hosting security as described in Render’s documentation (including encryption at rest where enabled for our database tier).

Privacy policy: render.com/privacy

DPA: Render offers a Data Processing Addendum — contact dpo@getaserta.com if you need details of Aserta’s arrangements with Render.

Active since: 2025

Shopify

Function: API Integration & Data Access

Purpose: Shopify provides the commerce platform and Admin API through which you authorise Aserta to access your store. App billing for Aserta modules is handled through Shopify’s billing systems.

Data processed: Store and product data read or written via the Shopify API (e.g. product titles, descriptions, tags, metafields); OAuth authorisation; subscription status from Shopify; mandatory GDPR webhooks (customers/data_request, customers/redact, shop/redact).

Roles: You are the controller for your store and product data. Aserta is your processor for product compliance audits. Shopify is an independent controller for its own platform services (and handles payment data we do not receive). Aserta lists Shopify here because API access, billing, and webhooks run through Shopify’s systems.

Location: United States / Canada (Shopify infrastructure)

Privacy policy: shopify.com/legal/privacy

Transfers: Shopify’s contractual transfer mechanisms apply to data processed through the Shopify platform. See Shopify’s Data Processing Addendum and our DPA.

Active since: 2025

Planned subprocessors (not in use today)

We do not currently use the services below. We will update this page and our Privacy Policy before any of them process personal data:

Subprocessor Name	Function	Status	Expected Integration
SendGrid (Twilio)	Email notifications for compliance alerts and billing updates	Under Evaluation	Q3 2026
Sentry	Error logging and application monitoring	Under Evaluation	Q2 2026

Policy on subprocessor changes

Notification

Before engaging a new sub-processor that will process personal data on your behalf, we will provide reasonable notice by:

Updating this Subprocessors page;
Updating our Privacy Policy where material; and
Notifying merchants in the Aserta app or via Shopify partner communications where appropriate.

We aim to give at least 30 days’ notice before a new sub-processor begins processing personal data under the DPA.

Right to object

Under our DPA, you may object to a new sub-processor within 30 days of notification. Email dpo@getaserta.com with subject line Subprocessor Objection — [name]. We will consider objections in good faith and discuss alternatives where reasonable.

Standards we require

Sub-processors must provide appropriate contractual commitments, including:

Processing only on documented instructions (where acting as Aserta’s sub-processor);
UK GDPR–aligned data protection terms;
Encryption in transit (TLS);
Appropriate access controls; and
International transfer safeguards where data leaves the UK.

Your rights

As a merchant using Aserta, you can:

Review who supports our service on this page;
Object to new sub-processors under the DPA within the notification period;
Request information via dpo@getaserta.com; and
Terminate the app if you do not accept a material sub-processor change.

Questions

Contact our data protection contact:
dpo@getaserta.com
Aserta Ltd, Eldridge Gardens, Romsey, Hampshire, United Kingdom

Change Log

Date	Change	Details
2026-06-16	Controller/processor alignment	Aligned with Privacy Policy (16 June 2026): roles, Render/Shopify descriptions, notification process
2026-03-05	Page created	Initial list published: Render and Shopify