Data Processing Agreement

February 19, 2023 2023-02-25 10:57

Data Processing Agreement

This DPA is deemed incorporated into any agreement that has as scope the services provided by MINSTEIN, a company representing a Shopify partner (hereinafter called the “Company“) and the Company is acting as a data processor. By contracting our services, the client agrees to be legally bound by this DPA.


  1. The Company is a Shopify Partner and the Shopify Merchant using Minstein Services is hereinafter called the Client.
  2. According to the terms and conditions of the Merchant Agreement(Main Agreement), the Client agrees to buy and the Company agrees to provide access to its own Shopify apps (Services). For the purpose of providing the Services to the Client, the Company may have access to information and personal data (“Client Data”)
  3. The Client authorizes the Company to purchase or use related services through search engines, social networks, technology providers, publisher websites or automated or similar exchange platforms, cloud providers, including those operated by companies such as Amazon, Google, Facebook or others (collectively or separately referred to as the “Platforms”), these platforms may process the Client’s data and / or the Client may be subject to certain obligations in accordance with the standard terms and conditions of the platforms (collectively, the “Platform Agreements” ).


Applicable Law

means, as applicable and binding for the Client, the Company, and/or Services:

(a) any law, statute, regulation, or subordinate legislation in force from time to time to which a party is subject and/or in any jurisdiction that the Services are provided or in connection with;

(b) the common law and laws of equity applicable to the parties from time to time;

(c) any binding court order, judgment, decree; or

(d) any applicable regulation, policy, rule, or order that is binding on a Party and that is issued or given by a regulatory body that has jurisdiction over a Party or any assets, resources, or business of that Party;

Client data

means personal data received from or processed in any way on behalf of the Client, directly or indirectly, by the Company or a sub-Processor, in connection with or as part of the provision of the Services under the Main Agreement;

Data path

means the description of the intention (purpose) of the use, processing, and transfer paths of the Client Data during the provision of Services according to the Company’s directions

Personal data protection laws

means as applicable and binding for the Client, Company, and/or Services:

(a) in the member states of the European Union: GDPR and all relevant laws or regulations of the member states that implement or correspond to one of them;

(b) any provisions on data protection in the Applicable Law; or

(c) any applicable law of any country that may apply to the provision of the Services which are sent in writing by the Client to the Company in advance

Losses in relation to personal data processing

refers to all liabilities:

(a) costs (including legal costs), claims, actions, settlements, interest, taxes, proceedings, expenses, losses, and damages (in relation to physical damages); and

(b) to the extent permitted by applicable law:

  (i) administrative fines, penalties, sanctions, debts, or other remedies imposed by a supervisory authority;

  (ii) compensation that is ordered by a supervisory authority to be paid to a data subject; and

  (iii) the reasonable costs of complying with investigations by a supervisory authority;

but excluding: any current or anticipated loss of income or profits; loss of contracts; loss of customers or reputation; moral damage; any direct or indirect loss or damage, regardless of its origin and whether caused by tort (including negligence), breach of contract or otherwise, regardless of whether such loss or damage is foreseeable, foreseen or known;

Data subject request

means a request made by a data subject to exercise any rights belonging to the data subject in accordance with personal data protection laws;


refers to the general data protection regulation (EU) 2016/679;

Data breach

relates to any breach of data security resulting in the destruction, loss, alteration, unauthorized disclosure, or access of any Client Data or any other unlawful processing of Client Data;

Confidentiality statements

means the information and consents obtained in a legally correct manner, from the data subjects, regarding the processing of their personal data by the parties and by any Processor, sub-processor, or Controller for the provision of the Services, including in accordance with any data path;

Processing instructions

has the meaning given in clause 2.1.1


means another processor contracted by the Company to carry out the processing activities of the Client data on behalf of the Client

Supervisory authority

means any local, national, or multinational public authority, regulatory or supervisory authority, or other body responsible for approving and managing data protection laws


means any third party involved in the processing of Client Data in connection with the Services which does not include the Client and the Company

Personal Data, Controller, Processor, Data Subject, Processing

have the meaning given to such terms in Personal data protection laws

1. Data Controller and Data Processor

1.1 The parties agree that, for the Client’s data, the Client will be the Data Controller and the Company will be the Data Processor, including situations where the Client’s data originates from a third party, like a Platform operator and that platform will act as joint controller with the Client with respect to such Client Data. In all cases, the status of the parties will be interpreted in accordance with the Personal data protection laws, but it is acknowledged and agreed that, if processing the Client’s data under this Processing   Agreement, the Company will always act as a Data Processor.

1.2 The Company will process the Client’s data in accordance with:

1.2.1 the obligations of the Data Processor under Personal data protection laws regarding the fulfilment of their obligations under this processing agreement; and

 1.2.2 the terms of this Data Processing Agreement

1.3 The Client must comply with:

1.3.1 all Personal data protection laws in relation to the processing of Client Data, the Services, and the exercise and enforcement of Client rights and obligations under this Data Processing Agreement and any platform agreements, including (without limitation) the retention of all records and notices of relevant regulation according to Personal data protection laws; and;

1.3.2 the terms of this Data Processing Agreement and any applicable Platform Agreements

1.4 The Client warrants and undertakes that:

1.4.1 all Client data must comply with Personal data protection laws in all respects, including their collection, storage, and processing (this also means that the Client will provide all correct information necessary for fair processing including obtaining consent necessary, from the Data Subjects), with Personal data protection laws;

 1.4.2 all Client data may be lawfully processed by the Company and any third party used to provide the Services and in accordance with any Data path

1.4.3 in respect of all Client Data:

(a) where the Client Data is provided directly by the Client, the Client shall implement and present appropriate mechanisms:

         (i) to ensure that notifications and confidentiality statements are provided and that they are obtained from the data subjects;

         (ii) through which the data subjects can request the modification of their personal data or can request the renunciation of the processing of their personal data;

         (iii) to exclude from its own database, the data of the data subjects who opted for the Client’s refusal to process their data, in accordance with point 1.4.3 (a)ii;

         (iv) to ensure that the Client does not issue Processing Instructions for the data subjects who have opted for the Client’s refusal to process their data, in accordance with point 1.4.3 (a) iii;

         (v) ensure that the Client Data is up-to-date and accurate and notify the Company of any changes to the Client Data; and

(b) where the Client Data is not provided directly by the Client, the Client has ensured that the data providers have complied with the Personal Data Protection Laws and that the data provided by the Client can be used by the Company for the provision of the Services

 1.4.4 Client Data shall not include:

      (a) Personal data belonging to underaged data subjects, as defined by any applicable law;

      (b) special categories of personal data; or

      (c) location data,

unless the legal basis for processing such data in accordance with Personal data protection laws as part of the Services was first established by the Client;


1.4.5 All instructions that the Client will give to the Company regarding personal data will always comply with the Personal data protection laws.

1.5 The Client shall not unreasonably withhold, delay or withhold consent to any change requested by the Company to ensure that the Services and the Company (and each Sub-Processor, including any Platforms) can comply with the Personal Data Protection Laws.

1.6 The Client agrees to the following:

   (a) Where, as part of the services it provides, the Company is required to:

      (i) to obtain directly from the data subjects personal data or Personal Data belonging to the Client; or

      (ii) obtain consent from any data subjects for any use, further use or use for any additional purpose,

   It is the Client’s responsibility to provide all necessary forms for any notices regarding privacy statements regarding the lawful acquisition/acquisition of such Client Data for use by the Company in the delivery of the Services (including but not limited to third-party cookies, tags pixels and other relevant tags used by the Company’s suppliers on the Client’s websites) and verify that the privacy notices and statements used by third parties to acquire any Client Data and for the Client are satisfactory to ensure compliance with all applicable Personal data protection laws of the Client’s personal data and their subsequent use by the Client, the Company or any third party; and

(b) The Company (including any Sub-Processor) shall not be liable for any loss, delay or damage of any kind caused to the Client, by the Client’s failure to fulfill its obligation to provide the Company with any notification or confidentiality statement, requested in due time.

1.7 The Client also agrees that, where as part of the Services provided to the Client, the Client directly accesses the Platforms by means of any authentication credentials, authentication information and/or any other means, technologies, or methods designed to access such Platforms (“Platform Login Credentials”) provided to Client by Company, whether such access is read-only or otherwise, Client warrants and agrees that access to and use of such Platforms must comply with this Processing Agreement, the available Platform policies, and applicable law. Without limiting the foregoing, Client shall not in any way misappropriate any part of a Platform or any part thereof or may not modify, disassemble, decompile, reprogram, copy, reproduce or create derivative works from or in connection with a Platform or any part thereof, including without limitation, for the purpose of re-identifying any user.

1.8 The Client undertakes, confirms and guarantees for the following aspects:

1.8.1 the personal data processing operations carried out by the Company and any Platforms, including any data path, are appropriate for the purposes for which the Client intends to use the Client’s Data;

1.8.2 The Company and any Platforms present sufficient guarantees, expertise and resources to perform the Services in accordance with the requirements of the Personal Data Protection Law.

1.9 It is agreed and acknowledged that the Client is aware of and fully understands the Company’s processing operations described in this Data Processing Agreement and any data path.

2. Instructions and details regarding data processing

2.1 For the situations when the Company processes the Client’s data on behalf of the Client, the Company:

 2.1.1 unless it is obliged to proceed differently by the applicable Law (and will take measures to ensure that each person acting under its authority will proceed in this way), it will process the Client’s data only and only in compliance with the Client’s instructions as set out in this clause 2 and Annex 1 (Data Processing Details).

 2.1.2 where applicable laws require it to process Client data other than in accordance with processing instructions must notify Client of any such requirement prior to processing Client data (unless applicable law prohibits this information for reasons of important public interest);

 2.1.3 informs the Client if the Company becomes aware of a Processing Instruction that, in the Company’s opinion, violates Personal data protection laws, noting that:

      (a) the provisions of points 1.3 and 1.4 apply accordingly;

      (b) to the maximum extent permitted by law, the Company shall have no liability, whether arising in contract or in tort (including negligence) or otherwise, for any losses, costs, expenses or liabilities (including losses of data protection) from or in connection with any processing of personal data carried out in accordance with the Client’s Processing Instructions;

 2.1.4 assumes no responsibility to determine the purposes for which and how the Client’s data is processed

3. Technical and organisational measures

3.1 The Company implements and maintains, at its cost and expenses, the technical and organizational measures:

3.1.1 regarding the processing of Client data by the Company, as provided in Annex 2 (Technical and organizational measures); and

3.1.2 taking into account the nature of the processing, to assist the Client as much as possible in fulfilling the Client’s obligations to respond to requests coming from the persons concerned, requests related to the Client’s Data.

3.2 Considering the state of the art and the cost of their implementation and maintenance, the Client and the Company agree that the “Technical and Organizational Measures” provided in Annex 2 are able to ensure a level of security corresponding and adequate to the risks represented by the processing provided for in annex 1 and the nature of the data to the client and any additional technical and organizational measures, will be subject to an additional written agreement between the Client and the Company and at the cost and expense of the Client.

4. Using personnel and other sub-processors

4.1. The Company will not employ any Sub-Processor to carry out any activities regarding the processing of the Client’s data without his authorization (the authorization must not be withheld, conditioned or delayed), taking into consideration that the Client hereby authorizes the appointment:

   (a) to all sub-processors identified in any data path; and

   (b) to any company acting as Sub-Processor for the purpose of delivering the Services.

With respect to this clause 4.1, the Client acknowledges and agrees that, given the specific mode of delivery of the Services, an exact list of such Sub-processors, data providers, subcontractors and website publishers used to provide the Services may be provided on the Company website/page and will be provided at the Client request.

4.2 If the Client wishes to object to the appointment of any Sub-Processor at any time, the Client shall notify the Company accordingly within 1 working day, and the Company, in the absence of such notification, may appoint that Sub-Processor. If the Parties, acting reasonably, will not agree to the appointment of the proposed Sub-processor, the Company has the right to unilaterally terminate or terminate the Main Agreement with immediate effect, insofar as it relates to the services that require the use of the proposed sub-processor.

4.3. The Company appoints sub-processors in principle under agreements containing the same obligations as clauses 1-11 (inclusively), except for the situations acknowledged and agreed by the Client that some operators, agents or sub-agents appointed to provide the Services, including, most of the Platforms and certain multinational service providers will provide their services on non-negotiable terms (collectively called “Providers“), these terms being established, in the agreements published on the Platforms or in the general terms and conditions of data processing, (“Provider Terms” ). In such circumstances:

4.3.1 The Company will notify the Client of such providers;

4.3.2 in the absence of any objections from the Client, the Providers can be used to provide their Services;

4.3.3. Subject to the provisions of paragraph 4.3.2, the Providers and Provider Terms shall be deemed to be selected, approved, and authorized by the Client, and the Client is responsible, as the Data Controller, to determine and be aware of the Provider Terms at all times; and

 4.3.4. The Company will make reasonable efforts to assist the Client in understanding the Providers Terms

4.4 Without prejudice to clause 10.2, if the Services are provided in accordance with the Providers Terms, the Company will not be liable for any loss or damage generated by the processing of personal data, resulting from the actions, omissions or violations direct or indirect of such a provider and that exceed any limit of liability assumed by the Terms and conditions of the respective provider.

4.5 The Client acknowledges and agrees that these providers may appoint processors and Sub-processor in the delivery of the Services in accordance with the Providers Terms without notice and under obligations substantially different from those set forth in this Agreement and the Company shall have no obligations to the Client in respect to the processors and Sub-processors appointed by these providers.

4.6 The Company ensures that all Company personnel authorized to process the Client’s data are subject to a contractual obligation with the Company to maintain the confidentiality of the Client’s data (unless disclosure is required under applicable law, in which case the Company, if possible and not (is prohibited by applicable law, shall notify the Client of any such requirement, prior to such disclosure).

5. Assistance with regard to the support given in order for the Client to comply with the obligations imposed by the relevant legislation, including with regard to the rights of the data subjects

5.1 The Company sends the Client all the requests it receives from the data subjects within seven working days of receiving  the request.

5.2 The Company will provide the Client with the assistance that the Client reasonably requests (taking into account the  nature of the processing and the information available to the Company) to ensure compliance with the Client’s obligations under the Personal data protection laws regarding:

5.2.1 Data processing security;

5.2.2 data protection impact assessments (as defined in the Data Protection Act);

5.2.3 prior consultation with a supervisory authority regarding high-risk processing; and

5.2.4 notifications addressed to the Supervisory Authority and / or communications to the data subjects by the Client,

in response to any data breach, provided that the Company has the right to charge appropriate remuneration for such assistance in the event that such involvement would materially exceed what may reasonably be considered by the Company to be part of the services provided by the Company as a professional under the Main Agreement.

6. International data transfers

6.1 The Client agrees that the Company may transfer Client data to countries outside the European Economic Area (EEA) or any international organization (an International Recipient), provided that all Transfers by the Company of Client Data to an International Recipient) (in extent required by Personal data protection laws) to be carried out through appropriate security measures and in accordance with Personal data protection laws. The provisions of this Processing Agreement constitute the Client’s instructions regarding transfers in accordance with clause 2.1.

7. Records, information and auditing

7.1 The Company will keep, in accordance with Personal data protection laws binding on the Company, written records of all categories of processing activities carried out on behalf of the Client.

7.2 In accordance with the Personal data protection laws, the Company makes available to the Client the information it considers reasonably necessary to demonstrate the Company’s compliance with the obligations of the data processors, in accordance with the Personal data protection laws and to allow participation in audits (once a year at the most and subject to Company’s confidentiality undertakings), by Client (or other auditor mandated by the Client) for this purpose, subject to the guarantee of the Client who undertakes:

 7.2.1 To give the Company, in advance, a notification regarding the request for information, the audit and / or the inspection requested by the Client;

 7.2.2 Ensure that all information obtained or generated by the Client or its auditors in connection with requests, inspections, and audits of such information is strictly confidential (except as disclosed by the Supervisory Authority or in accordance with applicable law);

 7.2.3 Ensuring that this audit or inspection is carried out during normal business hours, with minimal disruption to the Company’s business, the Sub-processors’ business, and other Company’s clients; and

7.2.4 Pay the Company’s reasonable costs of assisting in the provision of information and in permitting and contributing to inspections and audits.

8. Notifications in case of data breaches

8.1 With regard to any security breach regarding the processing of the Client’s personal data, the Company will intervene, without delay:

 8.1.1 to notify the Client about data breaches regarding the processing of personal data; and

8.1.2 to provide the Client with details regarding the security data breach regarding the processing of personal data.

9. Deletion or returning Client Data and copies

9.1 The Company:

 9.1.1 upon the Client’s written request, return all originals or provide the Client with a copy of all Client data in the form the Client requests;

 9.1.2 will delete all copies of the Client Data (unless applicable law requires the storage of any data, and if so the Company will inform the Client of any such requirements) except that the Company will not be obliged to delete the copies kept in backup systems used exclusively for disaster recovery systems, given the onerous nature of such deletion  exercises, within a reasonable time, at the earliest: after the provision of the relevant services related to the processing has ended; or once the Company’s processing of any Client data is no longer necessary for the Company’s fulfillment of its relevant obligations under this data processing agreement and / or Main Agreement and/ or applicale laws.

10. Liability, Indemnities and Claims

10.1. The Company shall be liable and indemnify the Client for losses arising from the breach of the provisions regarding the processing of Client Data (however caused, regardless of contract, tort (including negligence) or otherwise) under or in connection with this Data Processing Agreement:

 10.1.1. only to the extent that any loss is caused by the processing of Client data under this Processing Agreement and directly results from the Company’s breach of clauses 1-11 (inclusive); and

10.1.2. in no event to the extent that any losses arising from the breach of the Data processing provisions (or the circumstances giving rise to them) are caused by any breach of this Agreement by the Client (including in accordance with clause 2.1.3(b)).

10.2. The Company makes no statements or guarantees regarding its suppliers, providers or regarding the Personal Data processing activities by the suppliers and will not compensate the Client for any data processing activities carried out by the suppliers.

10.3. The Client shall be liable and shall indemnify the Company in respect of all losses arising from the breach of the provisions regarding the processing of personal data suffered by the Company and any Sub-processor in connection with the following:

 10.3.1. Non-compliance by the Client with the Personal data protection laws of this Contract or the Terms and Conditions of the Providers;

 10.3.2. processing carried out by the Company or a Sub-processor in accordance with any Processing Instruction in breach of any Personal data protection laws; or

10.3.3. violation of any Personal data protection laws or any contractual obligation by an Operator, Authorized or Sub-authorized third parties, approved by the Client for the delivery of services.

10.3.4. breach by the Client of any of its obligations in accordance with clauses 1-11 (inclusive), except where the Company is liable under clause 10.1.

10.4. If a party receives a claim for indemnification from an individual relating to the processing of Client Data, it will promptly provide the other party with full notice and particulars of such claim. The party leading the action must:

10.4.1. not to make any admission of liability and not to accept any settlement agreement or settlement of the such claim without the prior written consent of the other party (the answer shall not be unreasonably delayed); and

 10.4.2. to consult fully with the other party in connection with any such action, but the terms of any settlement or settlement of the claim shall be solely the decision of the party responsible for paying and supporting the compensation

10.5. The parties agree that the Client shall not be entitled to claim from the Company any part of any compensation paid by the Client in relation to such damages to the extent that the Client is obliged to indemnify the Company by clause 10.2.

10.6. This clause 10 envisages the sharing of responsibility for the losses generated by non-compliance with the provisions relating to data processing between the parties, including with regard to the compensation of the data subjects, without prejudice to the provisions of the Personal data protection laws, except:

 10.6.1. the situation in which it is not permitted by the applicable legislation (including Personal data protection laws) and

 10.6.2. the fact that it does not impact the liability of either party in front of the data subject

11. Survival of Personal Data Protection Provisions

11.1. Clauses 1-11 (inclusive) shall survive termination (for any reason) or expiration of this Data Processing

Agreement and shall continue:

 11.1.1. indefinitely in the case of clauses 9-11 (inclusive); and

 11.1.2. up to 12 months from the date before termination or expiry of this Data Processing Agreement in the case of clauses 1-8 (inclusive), provided that any termination or expiration of clauses 1-8 (inclusive) shall not affect either party’s rights and remedies under such clauses at the time of termination or expiration.

11.2. In the event of a conflict between the terms of this Data Processing Agreement and the Main Agreement or any other agreement governing the relationship between the parties, the terms of this Data Processing Agreement shall prevail.

12. Term and Termination of Services

12.1. This Data Processing Agreement expires at the latest on:

12.1.1. Termination or expiration of the Main Agreement or

12.1.2. Cessation of any processing of Client data by the Company on behalf of the Client in accordance with the provision of the Services.

12.2. The Client and the Company have the right to suspend and/or terminate this Data Processing Agreement at any time by giving three months’ notice to the other party.

13. Applicable Law

13.1. This Data Processing Agreement and any disputes or claims arising out of or in connection with it or its subject matter or formation (including non-contractual disputes or claims) shall be governed by and construed in accordance with the choice of law specified in the Main Agreement.

13.2. The parties irrevocably agree that the courts specified in the Main Agreement shall have exclusive jurisdiction to resolve any dispute or claim arising out of or in connection with this Data Processing Agreement or its subject matter or form (including non-contractual disputes or claims).


MInstein will process the Client Data as a Data Processor for the purpose of providing the Services in accordance with these documented instructions from the Client:

Scope of processing

Categories of Data Subjects

Categories of personal data

Processing operations

Render services and provide products related to Client’s Shopify store 

Customers and/or potential customers of the Client in relation to the Client’s Shopify store 

Personal data related to Customers and/or potential customers of the Client in relation to Client Shopify store such as name, surname, email address, location/postal address, IP , device, address, information regarding customers’ orders to Client, invoice, billing details and shipping details, data processed through cookies and local storage tools on the Client’s store in relation to Minstein Services

Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction


The data will be processed by the Company for the duration of the Services, the Main Agreement, and according to the requirements of the Applicable Law.

As the Client decides how the personal information of its customers will be used, the Client shall make sure its customers understand how the Client (and we on the Client’s behalf) collect and process their personal information, by, at a minimum, posting a privacy policy on Client store that describes the information merchants collect, how it is used and who is shared with, including without limitation details regarding cookies.

Client’s written requests should be sent to us through Shopify tools like the Privacy Portal. In the specific case of Shopify end customers’ data, GDPR compliance is honoured as enabled by virtue of the implementation of Shopify’s data protection mechanisms.


Information security policy

The Company will put in place a fully documented and internally approved information security policy based on best practices and international security standards (eg. ISO 27001, NIST, etc.), indicating management direction and support for information security. 

This information security policy will be reviewed and updated on a yearly basis.

Security of Personnel

Contractual agreements with employees and contractors will include their responsibilities for information security.

All employees, contractors, and third-party users are asked to agree to terms and conditions reflecting the organization’s policies for information security (e.g. confidentiality or non-disclosure agreements).

Management behaviour and policies drive, require, and encourage all employees, contractors, and 3rd party users to apply security in accordance with established policies and procedures.

All employees, contractors, and 3rd party users undergo regular security awareness training appropriate to their role and function within the organization.

A process is in place to ensure all employees and external users return the organization’s assets on termination of their employment, contract, or agreement.

Access Controls

The Company will ensure that only identified, authenticated and authorized users gain access to information, operational applications, Services, and information systems. Obsolete access rights are removed in the timeliest manner possible, in order to prevent unauthorized access and potential misuse. 

The Company will apply the ‘least privileges’ and ‘need-to-know’ principles and ensure where appropriate segregation of duties.

All user accounts will use 2-factor authentication (if supported by the platform). 

Infrastructure access will be provided only to specialized employees and restricted to read-only access granted via VPN connections and 2-factor authentication.

All exceptions (including service accounts or functional accounts) must be risk assessed, justified, and periodically reviewed.

Specific computerized authentication systems based on strong authentication techniques (jointly use at least two different authentication techniques) are implemented for Applications processing Traffic and Judicial Data. This must be applied to all personnel, including the technical staff (application manager, system administrators, network administrators, and database managers) irrespective of the specific access mode (local/remote) to the processing system in question.

The Access Control Policy is based on need-to-know, role-based access and segregation of duties principles.

An Appointed Responsible Manager formally approves access to Information Systems, including checks to verify identity, segregation of duties, and/or checks to verify sensitive access requirements have been addressed before granting access.

All user access-related requests will be logged for all merchant operations, assessed, approved, and implemented in accordance with defined user access management processes. The allocation and use of privileged access rights will be controlled and restricted to the minimum. 

Asset owners will review users’ access rights at regular intervals. The access rights of all employees and external party users to information and information processing facilities will be removed upon termination of their employment, contract, or agreement, or adjusted upon role change.

Operational security

Data will be backed up on a regular basis, protected from unauthorized access or modification during storage, and available to be recovered in a timely manner in the event of an incident or disaster.

All data at rest shall be protected by appropriate security mechanisms, including cryptographic and access controls (as appropriate).

Information about technical vulnerabilities of information systems will be obtained in a timely fashion, exposure to such vulnerabilities is evaluated on a daily basis and appropriate measures are taken to mitigate the associated risk.

Where the Services infrastructure is managed and/or hosted by Company, subject to the Agreement between the Client and Company: 

  • proper segregation of duties will be ensured to mitigate the risk of fraud. Regular review of the application of the segregation of duty controls will be applied. 
  • logs will be completed by Company for all systems accessing or storing the Client assets to include all alerts, maintenance, and intervention activity, such as:
    • User actions on Services infrastructure
    • Administrator and operator activities
    • Faults
    • Changes to security and system configuration parameters
    • Changes to application software
    • Use of privileged functions

Proper protection and availability of the logs will be ensured. Logs should be kept for a period of at least twelve (12) months or longer if legally required 

The development, test, and operational environment will be separated

Any data provided by the Client will be securely deleted after its agreed period of use or at any first written request of the Client 

The Company will implement proper procedures to anticipate capacity needs, back up all information, and protect the Services infrastructure against malicious code will be ensured.

Communication security

The Company will implement secure and reliable networks for accurate and prompt data transmission, to avoid communication disruptions, and to guarantee confidentiality and integrity as these could have a material adverse impact on the Client’s business and reputation.

Network architecture will be managed and controlled to protect the information in systems and applications against emerging security threats.

Appropriate security mechanisms (cryptographic and access controls) will be established and implemented to ensure the security of data in transit through private and public networks and the protection of IT Services from unauthorized access.

System Acquisition, Development, and Maintenance

The Company will ensure that information security is addressed within information systems across the entire lifecycle to reduce risks of vulnerabilities introduced during the system acquisition, development, and maintenance.

The Company will adopt secure coding standards when developing products and services.

Information security-related requirements will be embedded in the planning stage for new information systems or enhancements to existing information systems. 

The Company will protect the systems’ development environments and integrates efforts that cover the entire system development lifecycle.

Security rules for the development of software and systems will be established and applied to developments within the organization. If development is outsourced, the Company will obtain assurance that the external party complies with these rules.

Acceptance testing programs and related criteria will be established for new information systems, upgrades, and new versions. Test data will be carefully selected, protected, and controlled.

The code developed by Company will be free of malicious code and commonly recognized security defects. In addition, the Company will ensure its systems are tested for vulnerabilities before and after each major release.

Security Incident Management

The Company will ensure a consistent and effective approach to the management of information security incidents, including communication with the Client.

Management responsibilities and procedures will be established to ensure a quick, effective and orderly response to information security incidents 

Knowledge gained from analyzing and resolving information security incidents will be used to reduce the likelihood or impact of future incidents.

Business Continuity

The Company will develop and implement business continuity plans, disaster recovery plans, and a crisis management framework, based on international standards, to avoid an interruption of the Services exceeding an acceptable period of time, or where a specific Service Level has been defined, exceeding the relevant Service Levels.

The Company will maintain and update its plans and procedures on a regular basis (at least once a year).

The Company will define clear and understood procedures for activation, escalation, and control over its incident response.

Cloud-based services

In addition to the requirements above Company will: 

  • Inform the Client of the country and region that the Services are provided from and where databases are hosted and accessed from.
  • Make features available, to allow tracking of access to and usage of the cloud infrastructure, including fine-grain auditing of access to data within the databases and execution of administrative procedures.

Specific control measures

The business should ensure a formal methodology that defines its approach to system development.

The business should ensure that all requests for changes, system maintenance, and provider maintenance are documented. All implemented changes are traceable.

Implementation of identification, authentication, and authorization mechanisms to access systems and applications.

The business should establish procedures to ensure timely action relating to requesting, establishing, issuing, suspending, and closing of user accounts.

In the specific case of Shopify end customers’ data, GDPR compliance is honored as enabled by virtue of the implementation of Shopify’s data protection mechanisms.

The business should define and implement a problem management and escalation procedures system to ensure that all operational events which are not part of the standard operation (incidents, problems, and errors) are recorded, analysed, and resolved in a timely manner.

Physical and network security and related controls should contribute to security maintenance and availability of systems and applications.

Start your Free Trial Now

Get free insights for your shopify store.