
Data Processing Addendum

Effective 11 June 2026 · Version 1.0

This Data Processing Addendum ("DPA") forms part of the Terms of Service between BeyondReviews, operated by Simon Folmann, Denmark ("we", the "Processor") and the merchant using the BeyondReviews app for Shopify (the "Merchant", the "Controller"). It applies whenever we process personal data of the Merchant's customers on the Merchant's behalf and is automatically accepted when the Merchant installs the App. Terms like "personal data", "processing", and "data subject" have the meanings given in the GDPR (Regulation (EU) 2016/679).

1. Roles and scope

The Merchant is the controller of its customers' personal data; we are its processor. Where US state privacy laws such as the CCPA/CPRA apply, we act as the Merchant's "service provider", and we do not sell or share the personal data, retain it except as permitted, or combine it with data from other sources except as permitted for service providers. The subject matter, duration, nature, purpose, data categories, and data subjects of the processing are set out in the Annex.

2. Instructions and controller obligations

We process personal data only on the Merchant's documented instructions, which consist of the Terms, this DPA, the Merchant's configuration of the App, and the privacy webhooks Shopify sends on the Merchant's behalf. We will inform the Merchant if, in our opinion, an instruction infringes data protection law, and we may then suspend the instruction until it is resolved. If a law requires us to process otherwise, we will tell the Merchant before processing unless that law forbids it.

As controller, the Merchant is responsible for the lawfulness of the processing it instructs: it warrants that it has a valid legal basis, and where required consent, for the collection of the data and for the review request emails we send on its behalf; that it has informed its customers about the processing in its own privacy notice, including naming us as a processor; and that its instructions comply with the data protection laws that apply to it (see also Terms B3). The Merchant retains all controller rights under this DPA, including the rights to instruct, object to subprocessors (section 5), audit (section 11), and demand deletion (section 9).

3. Confidentiality

Every person we authorise to process the data is bound by a contractual or statutory duty of confidentiality, and access is limited to what each person needs to operate the service.

4. Security

We implement and maintain appropriate technical and organisational measures under Article 32 GDPR, including: encryption of data in transit (TLS 1.2+) and at rest, including backups; separation of test and production environments, with no production personal data used in testing; role-based access controls with logging of access to production data; strong authentication for staff access; a data loss prevention and backup strategy; and a documented security incident response process. We review these measures regularly and will not materially reduce the protection they provide during the term.

5. Subprocessors

The Merchant gives general authorisation for the subprocessors listed at beyondreviews.app/subprocessors, which states each subprocessor's purpose and location. We will update that page at least 14 days before adding or replacing a subprocessor; merchants can subscribe to updates on that page. If the Merchant objects on reasonable data protection grounds within those 14 days and we cannot offer a workaround, the Merchant may terminate by uninstalling the App, with a pro-rata refund of prepaid fees for the unused period. We impose data protection obligations on every subprocessor equivalent to those in this DPA and remain liable for their performance.

6. Data subject requests

Taking the nature of the processing into account, we assist the Merchant with appropriate technical and organisational measures to fulfil data subject requests (access, rectification, erasure, restriction, portability, objection). Requests arriving via Shopify's customers/data_request and customers/redact webhooks are fulfilled automatically within 30 days. If a data subject contacts us directly, we will forward the request to the Merchant without undue delay, and the Merchant authorises us to fulfil erasure requests directly where the data subject's identity is verified.

7. Personal data breach

We notify the Merchant without undue delay, and in any event within 48 hours, after becoming aware of a personal data breach affecting the Merchant's data. The notice describes the nature of the breach, the likely consequences, the measures taken or proposed, and a contact point, and we keep a register of breaches. We provide reasonable assistance with the Merchant's obligations under Articles 33 and 34 GDPR.

8. DPIAs and consultations

We provide reasonable assistance with data protection impact assessments and prior consultations under Articles 35 and 36 GDPR, insofar as they relate to our processing.

9. Return and deletion at the end of the contract

When the Merchant uninstalls the App, Shopify issues its shop/redact instruction to us 48 hours later. We treat that instruction, or the Merchant's earlier written request, as the Merchant's documented deletion instruction, and delete the personal data processed under this DPA within 30 days of receiving it; encrypted backups are purged within 90 days. Before uninstalling, the Merchant may export its reviews from the App or request a machine-readable export. On request, we provide written confirmation of deletion. We may retain data a law requires us to retain, for as long as it requires, protected by this DPA's safeguards.

10. Data location and international transfers

Personal data processed under this DPA is stored and processed in the European Union, on Google Cloud infrastructure, encrypted at rest and in transit. The one exception is email delivery: our email provider (Resend) receives only the recipient's email address, and that transfer, like any other transfer of EU/EEA personal data to a country without an adequacy decision, is protected by the European Commission's Standard Contractual Clauses (module two or three, as applicable) incorporated into our agreement with the subprocessor, or by the EU-U.S. Data Privacy Framework where the recipient is certified. The locations of processing are listed on the Subprocessors page.

11. Audit

We make available the information reasonably necessary to demonstrate compliance with Article 28 GDPR, including summaries of our security measures and subprocessor agreements. The Merchant may audit compliance at most once per 12 months, on 30 days' written notice, during business hours, without disrupting the service, by written questionnaire in the first instance; the Merchant bears its own costs.

12. Liability and order of precedence

Liability under this DPA is subject to the limitations in the Terms, except where the GDPR does not permit limitation. If this DPA conflicts with the Terms, this DPA prevails for the processing of personal data.

Annex · Description of the processing

Subject matter: Collection, verification, moderation, and display of product and store reviews on the Merchant's storefront; review request emails sent to the Merchant's customers on the Merchant's behalf; AI-drafted reply suggestions.

Duration: For as long as the App is installed on the Merchant's store, plus the deletion windows in section 9.

Nature and purpose: Hosting, storage, transmission, display, and erasure of the data, for three purposes: (1) review request sending: timing and delivering review request emails after an order is fulfilled; (2) verified-purchase attribution: matching a submitted review to a real order so it can carry the verified badge; (3) opt-out enforcement: honouring customers' marketing opt-outs and consent decisions so that no review request is sent to a customer who has declined. Reviewer technical data is additionally analysed for fraud and spam prevention.

Categories of data subjects: The Merchant's customers (shoppers), including storefront visitors who submit reviews; the Merchant's staff who use the App.

Types of personal data: Customer email address, first and last name; order data: line items, fulfillment status, financial status, and order history for the last 60 days; review content (display name, email address, rating, text, photos or videos); reviewer IP address, approximate location, browser and operating system (fraud prevention only); store staff name and contact details; storefront locale.

Special categories: None intended. The Merchant must not submit special category data, and free-text fields must not be used for it (Terms B3).

© MMXXVI BeyondReviews · Operated from Denmark · [email protected]
