Data Processing Agreement (DPA)

DATA PROCESSING AGREEMENT

Between:

Client Shopify store (“Controller”)

And:

iPacky AS (“Processor”) Fossveien 72, 1405 Langhus, Norway

Effective Date: 01.01.2021


1. DEFINITIONS

1.1 “Personal Data” means any information relating to an identified or identifiable natural person as defined in Article 4(1) GDPR.

1.2 “Processing” means any operation performed on Personal Data, including collection, recording, organization, storage, adaptation, retrieval, consultation, use, disclosure, erasure, or destruction.

1.3 “Data Subject” means the identified or identifiable natural person to whom Personal Data relates.

1.4 “Sub-processor” means any third party engaged by the Processor to process Personal Data on behalf of the Controller.

1.5 “Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.

1.6 “GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council.

1.7 “Services” means the iPacky app for Shopify.


2. SCOPE AND PURPOSE OF PROCESSING

2.1 Nature of Processing: The Processor shall process Personal Data solely for the purpose of providing the Services as described in the main service agreement between the parties.

2.2 Types of Personal Data: The Personal Data processed under this Agreement includes:

  • Contact information of Controller
  • Account credentials of Controller
  • Usage data and analytics of actions performed in iPacky

2.3 Categories of Data Subjects: The Data Subjects include:

  • Controller’s employees
  • Controller’s customers: not applicable, as the Controller’s customer data is NOT stored in the Processor’s system

2.4 Duration: Processing shall continue for the duration of the Services agreement, unless terminated earlier in accordance with this Agreement.


3. PROCESSOR OBLIGATIONS

3.1 Instructions: The Processor shall:

  • Process Personal Data only on documented instructions from the Controller
  • Immediately inform the Controller if an instruction infringes GDPR or other data protection law
  • Not process Personal Data for any purpose other than providing the Services

3.2 Confidentiality: The Processor shall ensure that persons authorized to process Personal Data:

  • Have committed to confidentiality or are under an appropriate statutory obligation of confidentiality
  • Process Personal Data only on instructions from the Controller

3.3 Security Measures: The Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

  • Encryption of Personal Data in transit and at rest
  • Ability to ensure ongoing confidentiality, integrity, availability, and resilience of processing systems
  • Ability to restore availability and access to Personal Data in a timely manner following an incident
  • Regular testing and evaluation of security measures

3.4 Sub-processing: The Processor shall:

  • Not engage another processor without prior specific or general written authorization from the Controller
  • Where general authorization is given, inform the Controller of any intended changes concerning the addition or replacement of sub-processors, giving the Controller opportunity to object
  • Ensure any sub-processor is bound by the same data protection obligations as set out in this Agreement
  • Remain fully liable for the performance of sub-processor obligations

3.5 Data Subject Rights: The Processor shall assist the Controller in responding to requests from Data Subjects exercising their rights under GDPR, including:

  • Right of access (Article 15)
  • Right to rectification (Article 16)
  • Right to erasure (Article 17)
  • Right to restriction (Article 18)
  • Right to data portability (Article 20)
  • Right to object (Article 21)

3.6 Data Breach Notification: The Processor shall:

  • Notify the Controller without undue delay, and in any event within 48 hours, after becoming aware of a Data Breach
  • Provide sufficient information to enable the Controller to meet its obligations under Articles 33 and 34 GDPR
  • Assist the Controller in investigating, mitigating, and remediating the Data Breach

3.7 Data Protection Impact Assessments: The Processor shall assist the Controller with data protection impact assessments and prior consultations with supervisory authorities where required.

3.8 Audit Rights: The Processor shall:

  • Make available to the Controller all information necessary to demonstrate compliance with Article 28 GDPR
  • Allow for and contribute to audits and inspections conducted by the Controller or an auditor mandated by the Controller
  • Provide audit reports from recognized third-party auditors (e.g., SOC 2, ISO 27001) as an alternative to on-site audits where appropriate

4. CONTROLLER OBLIGATIONS

4.1 The Controller warrants that:

  • It has a lawful basis for processing the Personal Data
  • It has provided appropriate notices to Data Subjects
  • It has obtained any necessary consents
  • Its instructions to the Processor comply with applicable data protection law

4.2 The Controller shall:

  • Provide the Processor with all information necessary for the Processor to perform its obligations
  • Respond promptly to any queries from the Processor regarding processing instructions

5. INTERNATIONAL DATA TRANSFERS

5.1 The Processor shall not transfer Personal Data to any country outside the European Economic Area (EEA) unless:

  • The destination country has an adequacy decision from the European Commission; or
  • Appropriate safeguards are in place as specified in Article 46 GDPR; or
  • A derogation under Article 49 GDPR applies

5.2 Where transfers are made to sub-processors outside the EEA, the Processor shall ensure Standard Contractual Clauses (SCCs) or equivalent safeguards are in place.

5.3 Current transfer mechanisms in use: None


6. SUB-PROCESSORS

6.1 The Controller provides general authorization for the Processor to engage sub-processors.

6.2 Current sub-processors: The Processor currently uses the following sub-processors:

Sub-processor | Purpose       | Location
------------- | ------------- | ----------------------
Azure         | Cloud hosting | North Europe (Ireland)

6.3 The Processor shall maintain an up-to-date list of sub-processors at https://ipacky.com/dpa and notify the Controller of any changes 30 days before engaging a new sub-processor. This notice requirement does not apply to a change of a sub-processor’s location within the EEA.

6.4 The Controller may object to a new sub-processor within 15 days of notification. If a reasonable objection cannot be resolved, either party may terminate the affected Services.


7. DATA RETENTION AND DELETION

7.1 Upon termination of the Services or upon request from the Controller, the Processor shall:

  • Return all Personal Data to the Controller in a commonly used, machine-readable format; or
  • Delete all Personal Data and certify such deletion in writing

7.2 The Processor may retain Personal Data only where required by applicable law, and shall inform the Controller of such requirement.

7.3 Retention period: Personal Data shall be retained for the duration of the Services agreement plus 90 days, unless otherwise instructed by the Controller.


8. LIABILITY AND INDEMNIFICATION

8.1 Each party shall be liable for damages caused by processing that infringes GDPR or this Agreement, in accordance with Article 82 GDPR.

8.2 The Processor shall indemnify the Controller against any claims, damages, or losses arising from the Processor’s breach of this Agreement or GDPR.

8.3 The total liability of the Processor under this Agreement shall not exceed 1000 USD.


9. TERM AND TERMINATION

9.1 This Agreement shall remain in effect for the duration of the Services agreement between the parties.

9.2 Either party may terminate this Agreement:

  • Upon termination of the Services agreement
  • Upon material breach by the other party that remains uncured for 30 days after written notice
  • If required to do so by applicable law or regulatory order

9.3 Sections 7 (Data Retention and Deletion), 8 (Liability), and any provisions that by their nature should survive, shall survive termination.


10. GENERAL PROVISIONS

10.1 Governing Law: This Agreement shall be governed by the laws of Norway.

10.2 Dispute Resolution: Any disputes shall be resolved through Follo og Nordre Østfold Tingrett (Follo district court).

10.3 Amendments: This Agreement may only be amended in writing signed by both parties.

10.4 Entire Agreement: This Agreement constitutes the entire agreement between the parties regarding data processing and supersedes all prior agreements on this subject.

10.5 Severability: If any provision is found invalid, the remaining provisions shall continue in full force.