Data Processing Addendum
Last updated: July 1, 2026
This Data Processing Addendum ("DPA") forms part of the Terms & Conditions between Ecommerce Ops, Inc. ("Ecommerce Ops", "we") and the customer ("Merchant", "you") and applies whenever we process personal data on your behalf. You accept this DPA when you agree to the Terms. Where this DPA conflicts with the Terms, this DPA controls for matters of data protection.
1. Definitions
"Data Protection Laws" means all privacy and data-protection laws that apply to the processing, including the EU GDPR, UK GDPR, and U.S. state privacy laws such as the CCPA/CPRA. "Controller", "Processor", "Business", "Service Provider", "Personal Data", "Processing", and "Data Subject" have the meanings given in the applicable Data Protection Laws. "Merchant Personal Data" means personal data we process on your behalf under the Terms (described in Annex A).
2. Roles and scope
For Merchant Personal Data, you are the Controller (or "Business") and we are the Processor (or "Service Provider"). We process Merchant Personal Data only to provide the Service and only on your documented instructions, which are given through the Terms, the Service's configuration, and your use of the Service. We will tell you if, in our opinion, an instruction infringes Data Protection Laws.
3. Processing only on instructions
We will not process Merchant Personal Data for any purpose other than performing the Service and complying with law. We do not "sell" or "share" Merchant Personal Data, and we do not retain, use, or disclose it outside the direct business relationship or for any purpose other than performing the Service, as those terms are used under the CCPA/CPRA.
4. Confidentiality
We ensure that personnel authorized to process Merchant Personal Data are bound by appropriate confidentiality obligations and access it only as needed to provide the Service.
5. Security
We implement appropriate technical and organizational measures to protect Merchant Personal Data, as described in Annex B and consistent with Article 32 of the GDPR.
6. Sub-processors
You give us general authorization to engage sub-processors to provide the Service. Our current sub-processors are listed in Annex C. We impose data-protection obligations on each sub-processor no less protective than those in this DPA, and we remain responsible for their performance. We will give you reasonable prior notice of any new sub-processor (by updating Annex C or the Privacy Policy), and you may object on reasonable data-protection grounds.
7. Data subject requests
Taking into account the nature of the processing, we will assist you with appropriate technical and organizational measures, insofar as possible, to respond to requests from Data Subjects to exercise their rights. If we receive such a request directly, we will direct the individual to you, the Controller.
8. Personal data breaches
We will notify you without undue delay — and, where feasible, within 72 hours — after becoming aware of a personal data breach affecting Merchant Personal Data, and will provide information reasonably available to us to help you meet your notification obligations.
9. Impact assessments
We will provide reasonable assistance with data-protection impact assessments and prior consultations with supervisory authorities, taking into account the nature of the processing and the information available to us.
10. Return and deletion
On termination of the Service, we will, at your choice, return or delete Merchant Personal Data, and delete existing copies within a reasonable period (generally within 90 days), except where retention is required by law.
11. International transfers
We process Merchant Personal Data in the United States. If we transfer personal data subject to the EU or UK GDPR out of the EEA or UK, we will rely on an appropriate transfer mechanism, such as the Standard Contractual Clauses, which are incorporated by reference where applicable.
12. Audits
We will make available information reasonably necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections, conducted by you or an auditor you mandate, on reasonable prior notice, no more than once per year (unless required by a supervisory authority), subject to confidentiality and without compromising the security of other customers.
13. Liability
Each party's liability under this DPA is subject to the limitations and exclusions of liability set out in the Terms.
14. Term
This DPA takes effect when you accept the Terms and continues for as long as we process Merchant Personal Data on your behalf.
Annex A — Details of processing
- Subject matter: provision of the Ecommerce Ops order-management and fulfillment Service.
- Duration: the term of the Terms, plus the return/deletion period in Section 10.
- Nature and purpose: syncing orders from connected channels, running pick/pack/ship, returns, refunds, and pushing fulfillment updates back to the channel.
- Types of personal data: end-customer name, shipping/billing address, email, order and line-item details, and tracking information.
- Categories of data subjects: the Merchant's customers and order recipients.
Annex B — Security measures
- Encryption of data in transit (HTTPS) and encryption of sensitive credentials at rest.
- Passwords protected using strong, industry-standard cryptographic hashing.
- Logical per-tenant data isolation so one customer cannot access another's data.
- Role-based access controls and audit logging.
- Reasonable measures for availability, backup, and resilience.
- Confidentiality obligations for personnel with access to personal data.
Annex C — Sub-processors
- Stripe — subscription billing and payments.
- Cloudflare — CDN, DNS, security, and bot protection.
- Resend — delivery of transactional email.
- Microsoft 365 — business email and support correspondence.
- Self-hosted infrastructure — the Service currently runs on our own managed infrastructure rather than a third-party cloud host; if that changes, the new provider will be listed here.