Data Processing Addendum
This Shoprocket Data Processing Addendum ("Addendum") modifies the Shoprocket Terms & Conditions ("Agreement") between you ("You") and Shoprocket LTD (company no. 12656598, registered in England & Wales at 20-22 Wenlock Road, London, NG 17U). If you have a separate SLA with Shoprocket, references to the Agreement mean that SLA. This Addendum is subject to and incorporated into the Agreement. Any capitalized term not defined here has the meaning given in the Agreement.
Definitions
Account Settings: Configurations for your Shoprocket Account (including security) that let you manage how Shoprocket processes Personal Data.
Business Purposes: The Services defined in the Agreement.
Client Account Data: Personal Data about your relationship with Shoprocket (e.g. authorized contacts, billing details), plus info Shoprocket collects for account management, identity checks, or legal requirements.
Client Usage Data: Usage data processed by Shoprocket in connection with your use of the Services (e.g. logs, performance metrics, abuse prevention data).
Data Protection Legislation: Includes the CCPA, EU GDPR, Swiss Federal Act on Data Protection, UK GDPR, DPA 2018, and PECR 2003, each as updated. Terms (e.g. "Data Controller," "Data Processor") follow the EU GDPR.
EEA: European Economic Area.
EU SCCs: The Standard Contractual Clauses per Commission Decision 2021/914.
Ex-EEA Transfer: A transfer of Personal Data (under EU GDPR) outside the EEA without an adequacy decision under Article 45 EU GDPR.
Ex-UK Transfer: A transfer of Personal Data (under UK GDPR) outside the UK without an adequacy decision by the UK Secretary of State.
Service Provider: As defined in the CCPA.
Services: Shoprocket's tools for creating/managing online stores ("Shoprocket Store"), handling products, payments, shipping, marketing, and any tool or service Shoprocket may offer.
Shoprocket Account: Your account giving access to the Services, including Account Settings, at https://www.shoprocket.io.
Shoprocket Privacy Policy: The notice at https://shoprocket.io/privacy, as updated.
Shoprocket Store: Your ecommerce site hosted or facilitated by Shoprocket.
Special Category Data: As defined in Articles 4(13), 4(14), 4(15), and 9 of EU/UK GDPR (as applicable).
Standard Contractual Clauses (SCCs): The EU SCCs and UK SCCs, as relevant.
UK SCCs: The EU SCCs as amended by the UK ICO's IDTA Addendum.
We/Us/Our: Shoprocket LTD (including "Shoprocket" and "Shoprocket.io").
You/Your: The contractual party named in the Agreement.
Customer Instructions
This Addendum and the Agreement (including instructions in your Account Settings) form the Documented Instructions for how Shoprocket processes Personal Data. Shoprocket will only process Personal Data as instructed. Additional instructions outside these terms require prior written agreement (and may entail extra fees).
Shoprocket may terminate this Addendum and the Agreement if your instructions contravene Data Protection Legislation or deviate from agreed instructions. Given the nature of processing, Shoprocket generally cannot judge if your instructions infringe the law; if it does form such an opinion, it will inform you, and you may modify or withdraw the instructions.
Data Processing
Shoprocket's Processing
Data Processor/Service Provider: Except for Client Account Data and Client Usage Data, Shoprocket processes Personal Data (under EU/UK GDPR) or personal information (under CCPA) on your behalf.
Independent Data Controller: Shoprocket is a Data Controller for Personal Data collected directly from Store customers and for Client Account Data or Client Usage Data.
Storage
Personal Data is stored on:
AWS servers in Ireland (or other EEA regions),
Hetzner servers in Nuremberg/Falkenstein (Germany).
Scope and Purpose
Shoprocket only processes Personal Data as necessary for the Business Purposes you specify (consistent with the purchased Services) and in compliance with Data Protection Legislation.
If required by law to process differently, Shoprocket will notify you unless prohibited by law.
Shoprocket promptly follows your written instructions to amend, transfer, or delete Personal Data, or to stop unauthorized processing.
Shoprocket keeps Personal Data confidential unless disclosure is authorized or legally required.
Shoprocket assists with your compliance obligations (e.g., data subject requests, DPIAs) at no extra cost.
Shoprocket notifies you of legal changes that might affect the Agreement or this Addendum.
Shoprocket as Independent Data Controller
For Client Account Data and Client Usage Data, Shoprocket is not a joint controller but processes that data for managing its relationship with you, preventing fraud/security incidents, meeting legal obligations, etc., in accordance with the Shoprocket Privacy Policy.
CCPA
Except for Client Account Data and Client Usage Data, Shoprocket is your Service Provider under the CCPA; it won't "sell" such personal information and only uses it to perform the Services or as otherwise permitted by law.
Add-ons
You may integrate third-party add-ons ("Add-Ons") under separate EULAs with each publisher. Shoprocket transfers necessary Personal Data to the Add-On Publisher, but is not responsible for their processing. Current Add-Ons marketed by Shoprocket include:
Amazon, eBay, Facebook Marketplace, Google Shopping, Instagram Shopping: Multi-channel fulfillment and syncing.
Affirm, Afterpay, Alipay, Apple Pay, Click to Pay, GrabPay, GooglePay, iDEAL, Klarna, Microsoft Pay, PayPal, P24, Sofort, Stripe, WeChat Pay: Payment integrations supporting various methods/currencies.
Zapier: Automates data transfers/workflows between Shoprocket and other applications.
If Shoprocket and you have SCCs, your instruction to integrate Add-Ons is consent to transfer Personal Data to those Add-On Publishers if required by the SCCs.
Your Responsibilities
You are the Data Controller for any Personal Data collected or processed by Shoprocket on your behalf.
You are responsible for meeting notices/consents requirements and ensuring compliance with Data Protection Legislation.
Personal Data Types and Processing Purposes
Subject Matter: Personal Data you upload to the Services, including your Shoprocket Account or Store.
Duration: Determined by you (until you suspend/terminate your Shoprocket subscription or relevant integrations).
Purpose: To provide the Services at your instruction (e.g., operating your Shoprocket Store/Account).
Nature of Processing: Shoprocket's ecommerce platform (and any Sub-processors/Add-On Publishers) may store or process Personal Data.
Types of Personal Data: Data you upload (e.g. contact info, customer details, transaction records).
Data Subjects: You, your customers, employees, contractors, agents, suppliers, or vendors.
Security of Data Processing
Shoprocket will maintain appropriate technical and organizational measures to protect Personal Data against unauthorized or unlawful processing, accidental loss, or destruction, aligned with Article 32 of the EU/UK GDPR. Measures include (as appropriate):
Pseudonymization/encryption of data;
Ensuring confidentiality, integrity, availability, and resilience of systems;
Restoring data availability in a timely manner after incidents;
Regularly testing, assessing, and evaluating these measures.
Shoprocket's Employees
Shoprocket ensures employees, contractors, and agents handling Personal Data are trained, bound by confidentiality, and fully aware of their data protection obligations.
Security (Restated)
Shoprocket continuously updates technical/organizational safeguards to prevent unauthorized processing, including encryption, system resilience, recoverability, and effectiveness testing.
Personal Data Breach
Notification
Shoprocket notifies you within 72 hours (and without undue delay) if it becomes aware of:
Loss/damage of Personal Data;
Any accidental, unauthorized, or unlawful processing;
A Personal Data Breach.
Information
Shoprocket provides a description of the incident, affected data categories/numbers, and measures taken or proposed to mitigate impact.
Cooperation
Shoprocket coordinates with you on the investigation and won't inform third parties without your written consent unless legally required.
Costs
Shoprocket covers reasonable expenses for these obligations unless the incident arises from your instructions, negligence, or breach, in which case you cover Shoprocket's reasonable expenses (including professional advisers).
Sub-processors
Shoprocket currently uses these Sub-processors for hosting/processing data, infrastructure/network services, or other service functions:
| Name | Description | Location |
|---|---|---|
| 200OK LLC (Profitwell) | Subscription reporting/analytics. | MA, USA |
| Amazon Web Services EMEA SARL | Cloud hosting, computing, storage. | Luxembourg, EU |
| Automattic, Inc. (Gravatar) | Allows users to upload profile images to Shoprocket accounts. | CA, USA |
| Cloudflare, Inc. | Network security and connectivity. | CA, USA |
| Crisp IM SAS | Live chat and customer messaging app for user support. | France, EU |
| Facebook Technologies Ireland | Facebook Pixels for conversions, ad optimization, audience building. | Ireland, EU |
| Google Ireland Limited | Google Analytics (behavior analytics), Adwords (ad placement/monetization). | Ireland, EU |
| Hetzner Online GmbH | Cloud hosting, computing, and storage. | Germany, EU |
| TPS Unlimited, Inc. (Taxjar) | Tax automation for EU VAT & US sales tax on Shoprocket Stores. | CA, USA |
| Twilio, Inc. (Sendgrid) | Multi-channel messaging (email, SMS, WhatsApp). | Ireland, EU |
| Twitter, Inc. | Twitter Pixel for conversion tracking and ad performance metrics. | CA, USA |
You authorize Shoprocket to use the above Sub-processors and give general authorization for Shoprocket to add others ("Authorised Subprocessors"). Shoprocket will provide at least 30 days' notice (via website, email, or Account notification) before using a new Sub-processor. You may object within 10 days of notice, in writing, for reasonable data-protection grounds. If an essential Sub-processor is involved and no alternative is found within 90 days, you may discontinue or terminate the relevant Services (still paying any fees due).
If you don't object within 10 days, the new Sub-processor is deemed approved. Where Shoprocket engages a Sub-processor, it:
Restricts access to only what's necessary for providing or improving the Services;
Imposes the same data-protection obligations on them;
Remains liable for their compliance.
If SCCs apply, your authorization counts as prior written consent under Clause 9(c) or relevant UK SCC clauses. Shoprocket may redact non-essential commercial details before sharing sub-processing contracts with you.
Transfers of Personal Data
Shoprocket may transfer Personal Data outside the EEA, UK, or Switzerland to provide the Services (e.g., some Add-On Publishers/Sub-processors in the US). Where no adequacy decision applies, Shoprocket will ensure appropriate safeguards per Data Protection Legislation.
Ex-EEA Transfers: Covered by the EU SCCs (Module One where Shoprocket acts as Controller, Module Two where Shoprocket acts as Processor). Certain clauses (e.g., the optional docking clause in Clause 7) do not apply; disputes are governed by Irish law and heard in Irish courts.
Ex-UK Transfers: Covered by the IDTA Addendum.
Transfers from Switzerland: Similar to EU SCCs, with modifications for Swiss FADP.
Supplementary Measures:
No formal government data-access requests exist as of this Addendum's date.
If compelled to disclose your data, Shoprocket will notify you (unless prohibited) and help you seek protective measures.
Shoprocket and you will regularly discuss whether laws in the importing country afford equivalent protection or require additional measures.
If any transfer mechanism ceases to be valid or a Supervisory Authority suspends it, Shoprocket may implement alternative arrangements or suspend transfers.
Where you approve a Sub-processor/Add-On outside the EEA, you also authorize Shoprocket to sign SCCs on your behalf.
Complaints, Data Subject Requests, and Third-Party Rights
Shoprocket will promptly give you any info or assistance you need to:
Fulfill Data Subject rights (access, rectification, erasure, portability, objections, etc.).
Address or comply with information/assessment notices from regulators.
Shoprocket notifies you immediately if it receives complaints or communications about the processing, and within 14 days if it gets a Data Subject request. Shoprocket assists in responding, and won't disclose Personal Data to third parties unless required by law or your instructions.
Term and Termination
This Addendum remains effective as long as the Agreement does, or Shoprocket retains any related Personal Data. Provisions that must survive for data protection remain in force. Any material breach of this DPA is a material breach of the Agreement, entitling you to terminate immediately without further liability.
If Data Protection Legislation changes prevent a party from fulfilling its obligations, the parties can suspend processing until compliance is achieved. If not resolved within 90 days, either party may terminate with immediate effect on notice.
Data Return and Destruction
Upon request, Shoprocket provides you (or a third party you nominate in writing) with copies or access to Personal Data in a format you specify (where reasonable).
On termination, Shoprocket returns or deletes Personal Data unless continued storage is legally required. If deletion is impracticable or illegal, Shoprocket blocks further processing and continues to protect the data.
SCC Certifications: If SCCs apply, Shoprocket will certify deletion under Clause 8.1(d) of the EU SCCs (or UK SCCs) upon your written request.
If any law/regulation requires Shoprocket to retain certain data, it will notify you of the basis, timeline, and then delete when no longer required.
Shoprocket certifies deletion within 30 days after completing it.
Records
Shoprocket keeps detailed, accurate, up-to-date records of all Personal Data processing (e.g., security measures, sub-processors, processing purposes, any international transfers). These records must let you verify Shoprocket's compliance. Copies are provided upon request.
Warranties
Shoprocket warrants that:
Its employees, subcontractors, or agents with access to Personal Data are reliable, trustworthy, and suitably trained.
It will process Personal Data in full compliance with Data Protection Legislation and related laws.
It has no reason to believe the law prevents providing the agreed Services.
Considering technology and costs, it will take appropriate measures to prevent unauthorized processing or accidental damage/loss, ensuring security proportional to the risk and data sensitivity.
Execution and Modifications
By signing the Agreement, you agree to and are bound by this Addendum. Shoprocket may update this Addendum on 30 days' written notice if needed for legal or regulatory reasons. If you object and no mutual solution is reached, you may terminate the affected Services by written notice within that period (owing any fees incurred). No further claims arise from such termination.
Annex A
Shoprocket Security Standards
(Capitalized terms not defined here have the meanings assigned in the Addendum.)
This Annex outlines Shoprocket's technical and organizational measures to:
Secure Personal Data against accidental or unlawful loss, access, or disclosure;
Identify foreseeable risks to security and prevent unauthorized access to the Services (including your Shoprocket account);
Minimize security risks via risk assessment and testing.
Shoprocket designates one or more employees to oversee these information security practices and respond to related inquiries.
1. Shared Responsibility Model
Shoprocket is a cloud-based, SaaS application hosted by:
Amazon Web Services (AWS) in the eu-west-1 region (Ireland)
Hetzner Online in Falkenstein, Germany
AWS runs the main Shoprocket platform, infrastructure, and data hosting. Hetzner Online provides additional dedicated server space for images, digital downloads, logs, and invoices. Under this model:
Shoprocket manages application-level security (e.g., user access, application patches).
AWS / Hetzner manage physical security and the underlying cloud environment.
For more details on AWS's and Hetzner's security, please see their respective documentation.
2. AWS and Hetzner Online Servers
AWS
Shoprocket selected AWS after careful review under Articles 28(3)(c) and 32 of the UK GDPR. AWS is certified under numerous standards (e.g., SOC 1/2/3, ISO 27001/27017/27018, PCI DSS, FedRAMP, HITRUST) and provides extensive compliance documentation. Shoprocket configures AWS to store Personal Data only in the EU/EEA.
Hetzner Online
Hetzner Online, certified under DIN ISO/IEC 27001, provides dedicated server space for certain data backups and logs. Hetzner Online's data centers in Nuremberg and Falkenstein are audited and certified by third parties, implementing an Information Security Management System (ISMS).
3. Design, Integrity, and Availability of the Shoprocket Application
Architecture: Built with a JavaScript framework, the Shoprocket application relies on Amazon's Relational Database Service (Amazon RDS) for MySQL.
High Performance and Redundancy: AWS automatically handles load balancing, and Shoprocket maintains daily backups on Amazon S3. Backups are stored in different AWS regions for resilience. Additionally, backups are stored on Hetzner Online's dedicated servers (with RAID-1 disk systems).
Security by Design: Shoprocket regularly checks for known web vulnerabilities (e.g., OWASP Top Ten) and implements XSS-protection and sanitization. A specialist third-party annually tests the code and infrastructure for vulnerabilities, supplemented by a third-party vulnerability scanning service.
4. Encryption
At Rest: Personal Data on AWS/Hetzner is encrypted using AES-256 or higher.
Key Management: AWS Key Management Service (KMS) ensures no one (including AWS staff) can access plaintext keys; keys rotate annually. Hetzner implements full-disk AES-256 encryption plus mandatory authentication.
In Transit: All external data transfers use TLS 1.2+. APIs and web interfaces require HTTPS (no unencrypted connections).
5. Restriction of Server Locations to the EEA/EU
Shoprocket stores data exclusively in the EEA (AWS in Ireland, Hetzner in Germany), minimizing risks tied to non-EEA data transfers (e.g., compliance with the Schrems II decision).
6. Availability Zones
Shoprocket's front-end/back-end systems are redundantly distributed across multiple availability zones (both AWS and Hetzner). Each zone has multiple ISPs, power sources, and high-speed links, ensuring high availability and optimal performance.
7. Intrusion Detection
Shoprocket uses an Intrusion Detection System (IDS) to monitor:
Log files for unusual entries,
File integrity changes,
Network traffic (spoofing, known exploits, rootkits),
Port changes, and
AWS account events (e.g., changes in configuration).
Critical anomalies trigger automatic preventive measures. The IDS also supports PCI DSS 3.0 requirements.
8. Logging / Audit Trail
Shoprocket logs:
System events,
Errors,
User activity,
Database logins/requests,
Other security-related events.
Using AWS CloudTrail, Shoprocket records all events in its cloud environments for transparency and forensics.
9. Monitoring
Shoprocket employs multiple monitoring tools to ensure availability and performance, tracking:
Availability: Application accessibility, backend/system health;
Resources: CPU, network interfaces, storage usage;
Performance: Application/database response times;
Security: IDS status, system updates, error/access logs.
Shoprocket staff also monitors security updates, vulnerability reports, and relevant security blogs (like OWASP).
10. Security Audits and Penetration Tests
Shoprocket conducts internal and external security tests periodically. External providers check for vulnerabilities, while internal audits assess technical and organizational measures for effectiveness.
11. Change Management
Shoprocket maintains version-controlled repositories for code changes, with a staging environment that mirrors production. Changes are tested prior to deployment, ensuring traceability of time/content.
12. Access Control
Need-to-Know Principle: Only employees whose roles require system access receive it.
IAM Systems: Access control uses AWS/Hetzner identity management.
Security: Backend systems are only accessible via secure, authenticated connections. A very limited number of personnel have direct access to data for diagnostic purposes; such access is logged and monitored.
Annex B
Cross-Border Transfers
PART 1 - ex-EEA Transfers
Annex I.A of the Standard Contractual Clauses (SCCs)
Data Exporter: You (per the Agreement).
Contact details: As in the Agreement.
Role: Data Controller.
Module One: Data Importer is a Data Controller (for Client Account Data & Client Usage Data).
Module Two: Data Importer is a Data Processor (for all other Personal Data).
Signature/Date: By entering the Agreement & DPA, the Data Exporter is deemed to have signed the SCCs as of the Effective Date.
Data Importer: Shoprocket.
Contact details: As in the Agreement.
Signature/Date: By entering the Agreement & DPA, the Data Importer is deemed to have signed the SCCs as of the Effective Date.
Annex I.B of the SCCs
Data Subjects: Described in Addendum clause 4.6.
Personal Data categories: Described in Addendum clause 4.5.
No Special Category Data intended for transfer.
Frequency: Continuous basis for the Agreement's duration.
Nature: See Addendum clause 4.4.
Purpose: See Addendum clause 4.3.
Retention: Duration of the Agreement unless otherwise stated.
Sub-processor transfers: Subject matter, nature, and duration per Addendum clause 9.
Annex I.C of the SCCs
Competent Supervisory Authority: As in clause 10(e) of the Addendum.
Shoprocket Security Standards (Annex A) fulfill Annex II SCC requirements.
Conflict
If any conflict between the SCCs and the DPA or Agreement arises, the SCCs prevail.
PART 2 - ex-UK Transfers
The IDTA Addendum applies to ex-UK Transfers, effective 21 March 2022.
Terms not defined in the Agreement or DPA follow the meaning in Part 2 of Annex 2 (Mandatory Clauses).
Part 1: Tables
Table 1 of the IDTA Addendum
Table 1
Data Exporter: You (per the Agreement).
Contact details: As in the Agreement.
Signature/Date: By entering the Agreement & Addendum, Exporter is deemed to have signed the IDTA Addendum as of the Effective Date.
Data Importer: Shoprocket.
Contact details: As in the Agreement.
Signature/Date: By entering the Agreement & DPA, Importer is deemed to have signed the IDTA Addendum as of the Effective Date.
Table 2 of the IDTA Addendum
Table 2
Approved EU SCCs: The clauses/modules from the Approved EU SCCs in effect for this Addendum.
Modules/clauses used:
Modules 1 and 2 are used. Clause 7 (docking clause) and the Clause 11 option do not apply. Clause 9(a) uses General Authorisation with a 30-day notice period (Addendum clause 9.2).
No combination of Personal Data from Importer with Exporter data.
Table 3 of the IDTA Addendum
Annex I.A
Data Exporter: You (controller).
Data Importer: Shoprocket (controller for Client Account/Usage Data; processor for other Personal Data).
Signature/Date: Deemed signed upon entering Agreement & DPA.
Annex I.B
Data subjects, data categories, absence of Special Category Data, continuous transfers, nature/purpose of processing, and retention match clauses 4.4, 4.3, 4.5, 4.6 of the Addendum.
Sub-processor info per Addendum clause 9.
Annex III (list of Sub-processors) does not apply, as Shoprocket uses general authorization.
Table 4 of the IDTA Addendum
The Importer may end this IDTA Addendum under its clause 26.
Part 2: Mandatory Clauses
Each Party is bound by these IDTA Addendum terms in exchange for the other Party's agreement, enabling data subjects to enforce rights as stated.
Entering this IDTA Addendum equals signing the Approved EU SCCs (including any required signature per Annex 1A/Clause 7).
Interpretation
Terms from the Approved EU SCCs carry their same meaning here; additional relevant terms (e.g., "Addendum EU SCCs," "Approved Addendum," "UK Data Protection Laws") are defined within this IDTA Addendum.
This IDTA Addendum must be interpreted consistently with UK Data Protection Laws and must meet "Appropriate Safeguards."
Any amendment to the Approved EU SCCs not permitted under them or the Approved Addendum is void. Conflicting provisions revert to the unamended SCC terms.
If there's a conflict with UK Data Protection Laws, the latter applies.
Any ambiguity is resolved to best align with UK Data Protection Laws.
References to legislation include any revised or consolidated versions.
Hierarchy
Clause 5 of the Approved EU SCCs states they prevail over other agreements, but for Restricted Transfers, the hierarchy in Section 17 below applies.
If inconsistent or conflicting with the Approved EU SCCs, the Approved Addendum overrides except where the SCCs provide greater protection to data subjects, in which case the SCC terms override.
Nothing here affects any SCCs the parties use for EU GDPR compliance.
Incorporation and Changes to the EU SCCs
The IDTA Addendum incorporates the Approved EU SCCs with necessary modifications so they function for UK-related transfers, override Clause 5's hierarchy, and ensure they are governed by English law/courts (unless otherwise chosen for Scotland or Northern Ireland).
If no specific alternative is agreed, Section 22 applies.
No further amendments to the Approved EU SCCs are allowed beyond what's needed in Section 19.
Amendments to the Addendum EU SCCs include clarifications regarding references to UK Data Protection Laws, replacing references to Regulation (EU) 2016/679 with "UK Data Protection Laws," removing references to Regulation (EU) 2018/1725, adjusting Clause 17/18 to English law/courts, etc. Footnotes do not form part of the IDTA except footnotes 8, 9, 10, 11.
Amendments to this IDTA
Parties may change Clauses 17 or 18 to refer to Scottish or Northern Irish courts.
Parties may also adjust Table formatting upon mutual written agreement, ensuring the same level of protection remains.
The ICO can issue a revised Approved Addendum from time to time, which automatically amends this IDTA Addendum from its effective date, possibly requiring a review by the parties.
If the ICO's changes substantially and disproportionately increase a party's costs or risk, and no reduction of those costs/risks is feasible, that party may end this IDTA on reasonable notice to the other before the revised Addendum takes effect.
No third party's consent is required for changes, but modifications must meet the terms of this IDTA Addendum.