Data Processing Agreement

Effective April 28, 2026. Last updated April 28, 2026.

1. Background

This Data Processing Agreement (“DPA”) supplements the Terms of Service entered into between DigitalQuotient solutions LLC (“Helmsly”, “Processor”) and the Shopify merchant (“Merchant”, “Controller”) who installs and uses the Helmsly app (the “Service”). It governs the Processing of Personal Data carried out by Helmsly on behalf of the Merchant in connection with the Service.

This DPA is incorporated into the Terms of Service by reference and applies automatically to every Merchant from the moment the Helmsly app is installed. No signature is required for the DPA to be effective; installation of the Service constitutes acceptance.

2. Definitions

Capitalised terms used and not otherwise defined in this DPA have the meanings given to them in the EU/UK General Data Protection Regulation (“GDPR”) or in the Terms of Service. In particular:

  • Personal Data means any information relating to an identified or identifiable natural person, as defined under applicable data-protection law.
  • Processing means any operation performed on Personal Data (collection, recording, storage, retrieval, use, disclosure, erasure, etc.).
  • Controller and Processor have the meanings given to them in Article 4 of the GDPR.
  • Data Subject means an identified or identifiable natural person whose Personal Data is Processed.
  • Sub-processor means any third party engaged by Helmsly to Process Personal Data on Helmsly's behalf in connection with the Service.
  • Standard Contractual Clauses (or “SCCs”) means the standard contractual clauses approved by Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679, as supplemented for transfers from the United Kingdom by the UK International Data Transfer Addendum to the EU SCCs issued by the UK Information Commissioner's Office.

3. Scope and roles

With respect to the Personal Data of the Merchant's customers (end-shoppers) that flows through the Service, the Merchant is the Controller and Helmsly is the Processor. Helmsly Processes such Personal Data only on the documented instructions of the Merchant, including with regard to transfers of Personal Data to a third country, unless required to do so by applicable law (in which case Helmsly will inform the Merchant of that legal requirement before Processing, unless the law prohibits such notice on important grounds of public interest).

For Personal Data relating to the Merchant's own account (e.g., the merchant's contact email, billing state), Helmsly acts as a Controller in its own right and the Privacy Policy at helmsly.io/privacy applies.

4. Subject matter and details of Processing

4.1 Subject matter

The provision of the Service as described in the Terms of Service: an AI-powered customer-support agent that connects to the Merchant's Shopify store and answers customer inquiries.

4.2 Duration

For the duration that the Helmsly app is installed on the Merchant's Shopify store, plus the data-deletion periods specified in Section 12.

4.3 Nature and purpose

Storing, organising, structuring, retrieving, transmitting, and erasing Personal Data so that Helmsly can answer customer inquiries and execute Merchant-authorised support actions (refunds, returns, cancellations, discount codes).

4.4 Categories of Personal Data

  • Contact data: customer name (first/last), email address, locale, Shopify customer ID.
  • Address data: shipping and billing addresses associated with orders.
  • Order data: order ID, status, fulfillment status, tracking numbers, line items, totals, timestamps.
  • Communications: the content of customer messages received via the chat widget or email channel, and the AI's responses.
  • Usage metadata: conversation timestamps, escalation status, AI confidence scores, model usage metrics.

Helmsly does not Process customer phone numbers, payment cards, bank account details, government identifiers, or any special-category Personal Data (Article 9 GDPR) unless the Merchant or its customers voluntarily include such information in conversation messages, in which case it is Processed only as part of the conversation record.

4.5 Categories of Data Subjects

End-shoppers who interact with the Merchant's store (whether or not they make a purchase), and Merchant personnel who use the Helmsly admin dashboard.

5. Helmsly's obligations as Processor

Helmsly will:

  • Process Personal Data only on the documented instructions of the Merchant. The Terms of Service, this DPA, and the Merchant's use of the Service's configurable policies (refund caps, automation toggles, escalation email, etc.) collectively constitute the Merchant's documented instructions.
  • Ensure that personnel authorised to Process Personal Data are bound by appropriate confidentiality obligations.
  • Implement and maintain the technical and organisational security measures described in Section 6 (consistent with Article 32 GDPR).
  • Not engage any Sub-processor without prior general authorisation under Section 7.
  • Taking into account the nature of the Processing, assist the Merchant by appropriate technical and organisational measures, insofar as possible, in fulfilling the Merchant's obligation to respond to Data Subject rights requests under Chapter III GDPR (see Section 9).
  • Assist the Merchant in ensuring compliance with the Merchant's obligations under Articles 32 to 36 GDPR (security, breach notification, DPIA, prior consultation), taking into account the nature of Processing and the information available to Helmsly.
  • At the Merchant's choice, return or delete all Personal Data after the end of the provision of the Service relating to Processing, and delete existing copies unless retention is required by applicable law (see Section 12).
  • Make available to the Merchant all information necessary to demonstrate compliance with Article 28 GDPR and allow for and contribute to audits as set out in Section 10.

6. Security measures (Article 32 GDPR)

Helmsly implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including:

  • Encryption at rest: Shopify access tokens and refresh tokens are encrypted with AES-256-GCM before being written to the database; the encryption key is derived from a server-side secret and is not shared with any third party.
  • Encryption in transit: all traffic to and from helmsly.io uses TLS 1.3; all traffic between Helmsly and Sub-processors uses TLS.
  • Webhook integrity: every incoming Shopify webhook is verified via HMAC-SHA256 before any side-effect runs; replays are deduplicated through an idempotency table.
  • Access control: access to production systems is restricted to authorised personnel via identity-based authentication; no shared credentials.
  • Tenant isolation: every database query is scoped by Shop ID at the application layer, and each Sub-processor call passes only the requesting shop's data.
  • Token rotation: the Shopify offline access tokens issued to Helmsly are short-lived (approximately one hour) and are renewed through a refresh token valid for 90 days, limiting the blast radius of any single compromised credential.
  • No payment data: Helmsly never sees payment cards or bank-account details; Shopify processes billing directly.
  • Audit logs: a tamper-evident record of every state-changing action, retained for as long as needed for security investigation and dispute resolution and deleted with the rest of the shop's data on receipt of a shop/redact webhook.
  • Backups: our database provider (Neon) maintains up to 24 hours of point-in-time history on the current plan, with the same encryption and access controls as production. Backup retention may extend as Helmsly upgrades to higher database tiers.
  • Incident response: defined procedure for detecting, containing, notifying, and remediating security incidents.

7. Sub-processors

7.1 General authorisation

The Merchant grants Helmsly general authorisation to engage the Sub-processors listed below, all of which have entered into written agreements with Helmsly that impose data-protection obligations no less protective than those in this DPA.

Sub-processor      | Purpose                                 | Region
-------------------|-----------------------------------------|--------------
Vercel, Inc.       | Application hosting and edge functions  | United States
Neon, Inc.         | Managed PostgreSQL database             | United States
Anthropic, PBC     | LLM inference (primary)                 | United States
OpenAI, L.L.C.     | Embeddings; LLM fallback                | United States
Resend, Inc.       | Transactional and inbound email         | United States

7.2 Notice of changes

Helmsly will give the Merchant at least thirty (30) days prior notice of any intended addition or replacement of a Sub-processor by posting an updated list at helmsly.io/dpa and, where the Merchant has provided an email contact, by email. The Merchant may object to such changes on reasonable data-protection grounds within thirty (30) days. If the parties cannot resolve the objection in good faith, the Merchant may terminate the affected Service by uninstalling the Helmsly app, with no liability to either party.

7.3 Liability for Sub-processors

Helmsly remains fully liable to the Merchant for the performance of each Sub-processor's obligations.

8. International data transfers

Helmsly Processes Personal Data primarily in the United States. Where the Merchant or its customers are located in the European Economic Area, the United Kingdom, or Switzerland, Personal Data is transferred to the United States on the basis of the Standard Contractual Clauses approved by Commission Implementing Decision (EU) 2021/914 of 4 June 2021 and, for transfers from the United Kingdom, the UK International Data Transfer Addendum to the EU SCCs issued by the UK Information Commissioner's Office. The parties incorporate the SCCs and the UK Addendum into this DPA by reference, with Helmsly as the data importer and the Merchant as the data exporter.

For transfers from the EEA, the parties agree that Module Two of the EU SCCs (transfer from controller to processor) applies. Clause 7 (docking) is deemed not selected. For Clause 11 (redress), the parties have not opted into the independent-dispute-resolution body option. For Clause 17 (governing law), the laws of Ireland apply. For Clause 18 (forum and jurisdiction), the courts of Ireland have jurisdiction.

9. Data Subject rights

The Merchant is responsible for responding to Data Subject rights requests (access, rectification, erasure, restriction, portability, objection). Helmsly will assist the Merchant by:

  • Honouring the Shopify customers/data_request webhook by exporting all Personal Data Helmsly holds for the requested customer to the Merchant within 30 days.
  • Honouring the Shopify customers/redact webhook by deleting all Personal Data Helmsly holds for the requested customer within 30 days.
  • Responding to ad-hoc Merchant requests for export or deletion of customer data within reasonable timeframes.

If a Data Subject contacts Helmsly directly with a rights request, Helmsly will, unless prohibited by law, promptly forward the request to the Merchant and not respond substantively unless instructed by the Merchant.

10. Audits and information requests

Once per twelve-month period, the Merchant may submit a written request to Helmsly for information reasonably necessary to demonstrate Helmsly's compliance with this DPA (e.g., a security questionnaire, a description of Sub-processors, a copy of relevant policies). Helmsly will respond within thirty (30) days.

If the Merchant reasonably believes that the information provided is insufficient to demonstrate compliance, the Merchant may, on at least sixty (60) days' prior written notice and at the Merchant's expense, conduct or commission an audit of Helmsly's relevant policies and records, no more than once per twelve-month period. The audit is limited to documentary review and remote interviews with Helmsly personnel; on-site inspections require Helmsly's prior written consent and reasonable cause (such as a confirmed Personal Data Breach materially affecting the Merchant). Each audit must (a) be conducted during Helmsly's normal business hours, (b) not unreasonably disrupt Helmsly's operations, (c) respect the confidentiality of other Helmsly customers and any third parties, and (d) be performed by an independent third-party auditor who has executed a confidentiality agreement reasonably acceptable to Helmsly. Helmsly may object on reasonable grounds to a specific auditor (for example, where the proposed auditor is a direct competitor of Helmsly), in which case the Merchant will appoint another suitably qualified auditor. For-cause audits triggered by a confirmed Personal Data Breach materially affecting the Merchant do not count against the once-per-twelve-month limit.

11. Personal Data breach notification

Helmsly will notify the Merchant without undue delay after becoming aware of a Personal Data Breach affecting the Merchant's Personal Data, and will use commercially reasonable efforts to do so within seventy-two (72) hours of discovery. The notification will include, to the extent then known:

  • the nature of the breach, including the categories and approximate number of Data Subjects and records concerned;
  • the likely consequences of the breach;
  • the measures taken or proposed to address the breach and mitigate its possible adverse effects;
  • a contact point at Helmsly for further information.

Helmsly will provide updates as more information becomes available and will assist the Merchant in fulfilling its own breach-notification obligations to supervisory authorities and Data Subjects under Articles 33 and 34 GDPR.

In addition to the foregoing, Helmsly is contractually obligated under Section 9.14(2)(vi) of the Shopify Partner Program Agreement to notify Shopify of any actual or suspected breach of Merchant Data within twenty-four (24) hours of becoming aware of the occurrence. Helmsly will comply with this Shopify-specific notification timeline in addition to the Merchant-facing timeline above. The twenty-four-hour Shopify clock and the seventy-two-hour Merchant clock run in parallel from the same trigger.

12. Return or deletion of Personal Data

  • On uninstall: Shopify sends a shop/redact webhook 48 hours after the Merchant uninstalls the Helmsly app. Helmsly deletes all Personal Data associated with that shop within 30 days of receipt.
  • On Merchant request: the Merchant may at any time request immediate deletion or export of Personal Data Helmsly Processes on the Merchant's behalf. Helmsly will comply within 30 days.
  • Backups: Personal Data deleted from the primary database also ages out of the database provider's point-in-time history window (currently up to 24 hours) within that window after the original deletion.
  • Statutory retention: Helmsly may retain Personal Data only to the extent and for the period required by applicable law, in which case it remains subject to the security and confidentiality obligations of this DPA.

13. Liability

The liability provisions in the Terms of Service apply to this DPA. To the extent the SCCs require a direct contractual right of action by Data Subjects against Helmsly, that right is not affected by these limitations.

14. Term and termination

This DPA takes effect when the Merchant installs the Helmsly app and continues for as long as Helmsly Processes Personal Data on the Merchant's behalf. The obligations in Sections 5 (confidentiality), 6 (security), 11 (breach notification), and 12 (return or deletion) survive termination as long as Helmsly retains any Personal Data of the Merchant.

15. Conflicts and order of precedence

In the event of a conflict between this DPA and the Terms of Service, this DPA prevails to the extent of the conflict on any matter relating to the Processing of Personal Data. In the event of a conflict between this DPA and the SCCs, the SCCs prevail.

16. Governing law

This DPA is governed by the laws of the State of Texas, United States, except where the SCCs (which carry their own governing-law provisions) apply to a particular transfer.

Notwithstanding the foregoing, where applicable mandatory law (including but not limited to Article 79 GDPR) grants the Merchant or any Data Subject a non-waivable right to bring proceedings in the courts of their habitual residence, this Section 16 does not limit that right.

17. Contact us

DigitalQuotient solutions LLC
5511 Parkcrest Dr. Suite 103, Austin, TX 78731
Privacy / DPA inquiries: privacy@helmsly.io
Support inquiries: support@helmsly.io
Legal inquiries: legal@helmsly.io