Data Processing Addendum
Last updated: April 12, 2026
This DPA forms part of the Terms of Service between MerchOps ("Processor") and the Shopify merchant ("Controller"). It is entered into pursuant to Article 28 of the GDPR, Regulation (EU) 2016/679.
1. Definitions
- "Controller" — the Shopify merchant who installs MerchOps apps.
- "Processor" — MerchOps, operated by a sole proprietor registered in Bulgaria.
- "Personal Data" — any data processed by the Processor on behalf of the Controller under GDPR.
- "Sub-processor" — a third party engaged by the Processor to process Personal Data.
2. Scope of processing
| Service | Data categories | Processing activities |
|---|---|---|
| MerchOps SEO | Shop domain, product data, image URLs | Image analysis for alt text. Images processed in memory only, never stored. |
| MerchOps Stock | Shop domain, product data, order line items, inventory levels | Sales velocity calculation, inventory monitoring, alert generation. |
3. Processor obligations
- Process Personal Data only on documented instructions from the Controller.
- Ensure authorized persons are bound by confidentiality.
- Implement appropriate technical and organizational security measures.
- Assist the Controller in responding to data subject rights requests.
- Notify the Controller without undue delay of any personal data breach.
- Delete or return all Personal Data within 30 days of termination.
- Make available all information to demonstrate Article 28 compliance.
4. Sub-processors
The Controller provides general authorization for the following sub-processors:
| Sub-processor | Purpose | Location |
|---|---|---|
| Anthropic, PBC | AI image analysis (Claude Vision) for SEO app | United States |
| Hetzner Online GmbH | Cloud hosting | Germany (EU) |
| Resend, Inc. | Transactional email | United States |
Changes to sub-processors will be communicated to the Controller with an opportunity to object.
5. International transfers
Transfers to the US (Anthropic, Resend) are protected by the EU-US Data Privacy Framework and/or Standard Contractual Clauses.
6. Security measures
- TLS 1.2+ encryption in transit.
- Encryption at rest for database contents.
- Access tokens stored securely, never in logs or UI.
- Product images never stored — in-memory processing only.
- Minimal OAuth scopes per app.
- Regular security patching.
7. Data deletion on termination
Upon uninstallation, all Personal Data is deleted within 30 days. Confirmation is available on request to merchopshelp@gmail.com.
8. Data breach notification
Notification is provided within 72 hours of awareness and includes: the nature of the breach, the affected data subjects, the likely consequences, and the measures taken.