Effective date: 2026-05-04
Version: 1.0
This Data Processing Addendum ("DPA") forms part of the Dovera.ai Terms of Service or Master Services Agreement (the "Agreement") between Dovera.ai ("Processor") and the customer entity that has accepted the Agreement ("Controller", together with Processor the "Parties").
It applies whenever Processor processes personal data on Controller's behalf in the course of providing the Dovera.ai service (the "Service"), including but not limited to data accessed via the Shopify Admin API, Google API services, or any other integration the Controller has authorized.
Capitalized terms have the meaning given in the EU General Data Protection Regulation 2016/679 ("GDPR"), the UK Data Protection Act 2018, the California Consumer Privacy Act as amended ("CCPA/CPRA"), and any other applicable data protection law (collectively, "Data Protection Laws"), unless otherwise defined here.
Processor processes Personal Data only as a processor on Controller's documented instructions, including those given through the configuration of the Service and through this DPA. Controller is responsible for the lawful basis of processing, including obtaining any required consent from Data Subjects and providing required notices.
Processor ensures that personnel authorized to process Personal Data are bound by appropriate confidentiality obligations.
Processor implements appropriate technical and organizational measures to protect Personal Data, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, consistent with Article 32 GDPR. Current measures include:
A current summary of security measures is available on request.
Controller authorizes Processor to engage the Sub-processors listed in Section 5 of Processor's Privacy Policy (or as otherwise notified to Controller).
Processor:
Processor will, taking the nature of the processing into account, assist Controller in fulfilling its obligation to respond to Data Subject requests under Data Protection Laws (rights of access, rectification, erasure, restriction, portability, objection). Where a Data Subject contacts Processor directly, Processor will refer the Data Subject to Controller and notify Controller without undue delay.
Where the Service is connected to Shopify and Processor receives a customers/data_request, customers/redact, or shop/redact webhook from Shopify, Processor will action the webhook on Controller's behalf within the timeframes Shopify mandates.
Where Personal Data is transferred outside the European Economic Area, the United Kingdom, or Switzerland to a country not deemed to provide an adequate level of protection, the Parties rely on the European Commission's Standard Contractual Clauses (Module Two — Controller to Processor; Module Three — Processor to Sub-processor) incorporated by reference and the UK International Data Transfer Addendum where applicable. Processor implements supplementary measures consistent with the recommendations of the European Data Protection Board.
Processor will, at Controller's choice, delete or return all Personal Data after the end of the provision of services relating to processing, and delete existing copies, unless retention is required by applicable law.
Default retention windows:
customers/redact and equivalent): acted on immediately upon receipt.
Processor will notify Controller without undue delay, and in any case within 72 hours, after becoming aware of a Personal Data Breach affecting Controller's Personal Data. The notification will include, to the extent then known: the nature of the breach, the categories and approximate number of Data Subjects and records concerned, the likely consequences, and the measures taken or proposed.
Notifications will be sent to the email address Controller has provided for security communications. Controller is responsible for maintaining a current contact.
On Controller's reasonable written request, Processor will make available to Controller information necessary to demonstrate compliance with this DPA. Audits may take the form of (a) Sub-processor or third-party audit reports (e.g. SOC 2 reports of Sub-processors), or (b) a written questionnaire response. On-site audits are limited to once per year, at Controller's expense, on at least 30 days' notice, and during business hours, except where required by a competent supervisory authority.
Where Personal Data is subject to the CCPA/CPRA, Processor acts as a "Service Provider" or "Contractor". Processor will not (a) sell or share Personal Data, (b) retain, use, or disclose Personal Data for any purpose other than performing the services described in the Agreement, or (c) combine Personal Data received from or on behalf of Controller with Personal Data Processor receives from or on behalf of another person, except as permitted by Data Protection Laws.
This DPA forms part of the Agreement. In the event of conflict between this DPA and the Agreement, this DPA prevails for matters of data protection. Liability is limited as set out in the Agreement.
Processor may update this DPA from time to time as required by changes in Data Protection Laws or Sub-processors. Material changes will be notified at least 30 days before they take effect.
This DPA is governed by the law of the Agreement, except where Data Protection Laws require otherwise.
For questions about this DPA, contact us at: [email protected]
To execute: by accepting the Agreement and continuing to use the Service, Controller is deemed to have entered into this DPA. A signed counterpart is available on request.
Dovera.ai is committed to processing personal data lawfully, fairly, and transparently on behalf of every customer.