Data Processing Addendum

Effective 2026-05-02. Forms part of the Terms of Service.

This Data Processing Addendum ("DPA") is entered into between you ("Controller") and Valiotti Data ("Processor") and applies to all Personal Data processed by Processor on behalf of Controller in connection with the ShopWhy service. Capitalized terms have the meanings given in the GDPR.

1. Subject matter and duration

Processor will process Personal Data only to provide the Service described in the Terms of Service, for the duration of the subscription, plus the retention windows defined in our Privacy Policy.

2. Nature, purpose and categories

  • Nature of processing: storage, structuring, aggregation, AI-assisted analysis, transmission to authorized subprocessors.
  • Purpose: deliver Shopify analytics features to Controller.
  • Data subjects: Controller's customers and store visitors.
  • Data categories: identifiers (customer id, email, name), commercial data (orders, products, refunds), technical data (timestamps, ids), and analytics-related telemetry.
  • Special categories: none.

3. Processor obligations

  • Process Personal Data only on documented instructions from Controller (the Terms and this DPA constitute such instructions).
  • Ensure persons authorized to process Personal Data are bound by confidentiality.
  • Implement technical and organizational measures listed in Annex A.
  • Engage subprocessors only under written contract with at least equivalent protections.
  • Assist Controller in responding to data subject requests.
  • Notify Controller of personal data breaches without undue delay (target: within 72 hours).
  • Delete or return all Personal Data on termination, except as required by law.

4. Subprocessors

Controller authorizes the subprocessors listed in our Privacy Policy (Section 4). Processor will provide at least 30 days' notice of new subprocessors and will accommodate reasonable objections.

5. International transfers

Where Personal Data is transferred outside the EEA / UK, the parties enter into the EU Standard Contractual Clauses (Module 2: controller-to-processor). The SCCs are incorporated by reference; a signed copy is available on request.

6. Audits

Once per year, Controller may request audit reports (e.g., SOC 2 Type II once available, ISO 27001 statements of applicability). On-site audits are available to enterprise customers under reasonable scope and notice.

Annex A — Security measures

  • TLS 1.2+ for all data in transit.
  • Encryption at rest (database storage layer).
  • AES-256-GCM encryption for all third-party access tokens (Shopify, ad platforms).
  • HMAC-verified webhooks; OAuth state and signature validation on every install.
  • Role-based access control inside the application; per-shop authorization on every API.
  • Centralized structured logging; Sentry error monitoring with PII scrubbing.
  • Daily encrypted database backups with 30-day rolling retention, restore-tested quarterly.
  • Principle of least privilege for staff access; MFA enforced on production systems.
  • Annual external penetration test.

Acceptance

This DPA is automatically accepted upon use of the Service by any business customer subject to GDPR. A counter-signed copy is available on request from privacy@shopwhy.valiotti.tech.