This Data Processing Agreement ("DPA") forms part of the Terms of Service between you ("Merchant," "Controller") and SOptim ("SOptim," "Processor") when SOptim processes personal data on behalf of the Merchant.
This DPA reflects requirements of the EU General Data Protection Regulation (Regulation 2016/679, "GDPR"), the UK GDPR, and applicable analogous laws (CCPA / CPRA, LGPD).
1. Definitions
- "Controller," "Processor," "Data Subject," "Personal Data," "Processing," "Sub-processor": as defined in GDPR Article 4.
- "Merchant": the Shopify merchant using the SOptim Service.
- "Customer Data": personal data of the Merchant's customers processed by SOptim on the Merchant's behalf.
- "Service": the SOptim Shopify app and related services.
2. Relationship of the parties
2.1 The Merchant is the Controller of Customer Data.
2.2 SOptim is the Processor, processing Customer Data on the Merchant's documented instructions.
2.3 For SOptim's own collection of Merchant account data (e.g. shop domain, billing), SOptim acts as Controller; that processing is governed by the Privacy Policy.
3. Scope and purpose of processing
3.1 Subject matter: provision of the SOptim Service to the Merchant.
3.2 Duration: for as long as the Merchant has the SOptim app installed, plus retention periods specified in Section 8.
3.3 Nature and purpose of processing:
- Storing and analyzing storefront traffic to detect bots and fraud
- Generating audit reports for the Merchant's store
- Blocking suspicious traffic or customer accounts as configured by the Merchant
- Aggregating anonymous patterns for cross-shop intelligence (Scale, Max plans)
- Providing the dispute evidence pack feature (Max plan)
3.4 Categories of Data Subjects: the Merchant's customers and prospective customers, visitors to the Merchant's Shopify storefront.
3.5 Categories of Personal Data:
- IP addresses (hashed)
- User agent strings
- Browser fingerprint hashes
- Behavioral signals (screen size, plugins, mouse patterns)
- Customer IDs and email addresses (only for blocking actions configured by Merchant)
- Order metadata for fraud analysis (Max plan only)
3.6 Special categories of data: SOptim does NOT intentionally process special categories of personal data (Article 9 GDPR — race, health, religion, etc.). The Merchant is responsible for not configuring SOptim to process such data.
3.7 Aggregate benchmarking (additional processing purpose):
SOptim processes shop performance data for an additional secondary purpose: producing aggregate anonymized benchmarks and industry research published as content for the Shopify ecosystem.
This processing:
- Operates on aggregated data only (minimum cohort size: 10 shops)
- Removes all identifying elements before aggregation
- Cannot be reverse-engineered to identify individual stores
- May be opted out of by the Controller via app Settings
- Legal basis: legitimate interest (GDPR Article 6(1)(f)) + statutory exemption for statistical purposes (GDPR Article 89)
Processing categories for aggregate purpose:
- Storefront performance scores (Lighthouse data)
- Theme usage patterns (which themes are used by which segment of merchants)
- App adoption patterns (which apps are used by which segment)
- Cost patterns (anonymized spending statistics by industry segment)
- Bot signal patterns (cross-shop intelligence, anonymized)
Aggregate processing does NOT include personal data of Customer Data subjects (Section 3.4 categories). Only shop-level operational metadata is aggregated.
4. Processor's obligations
SOptim shall:
4.1 Process Customer Data only on documented instructions from the Merchant, including with regard to transfers to third countries, unless required by applicable law (in which case SOptim shall inform the Merchant before processing, unless prohibited by law).
4.2 Ensure persons authorized to process Customer Data are under appropriate confidentiality obligations.
4.3 Implement appropriate technical and organizational measures as specified in Annex A.
4.4 Respect conditions for engaging Sub-processors per Section 7.
4.5 Taking into account the nature of processing, assist the Merchant in fulfilling its obligations to respond to Data Subject requests (Articles 12–23 GDPR), particularly access, rectification, erasure, restriction, portability, and objection.
4.6 Assist the Merchant in ensuring compliance with security obligations (Article 32), data breach notifications (Articles 33, 34), data protection impact assessments (Article 35), and prior consultations (Article 36).
4.7 At the Merchant's choice, delete or return all Customer Data after end of provision of Service, and delete existing copies (unless EU law requires storage).
4.8 Make available to the Merchant all information necessary to demonstrate compliance with this DPA, and allow audits per Section 9.
5. Controller's obligations
The Merchant shall:
5.1 Have a lawful basis for processing Customer Data through SOptim (consent, legitimate interest, contract, etc.).
5.2 Provide privacy notices to Data Subjects (typically in the Merchant's own privacy policy) disclosing use of SOptim and similar processors.
5.3 Ensure rules-based blocking configurations comply with anti-discrimination laws.
5.4 Notify SOptim promptly of any Data Subject request relating to Customer Data, where the Merchant requires SOptim's assistance.
6. Data breach notification
6.1 SOptim shall notify the Merchant without undue delay (and in any event within 72 hours) upon becoming aware of a Personal Data Breach.
6.2 Notification shall include:
- Nature of the breach
- Categories and approximate number of Data Subjects and records affected
- Likely consequences
- Measures taken or proposed
- Contact point for further information
6.3 SOptim shall cooperate with the Merchant's investigation and remediation efforts, including providing information necessary for the Merchant to notify supervisory authorities and Data Subjects.
7. Sub-processors
7.1 The Merchant grants SOptim general written authorization to engage Sub-processors, subject to this DPA.
7.2 Current list of Sub-processors:
| Sub-processor | Purpose | Location |
|---|---|---|
| Shopify Inc. | App platform integration | USA / Canada |
| DigitalOcean Inc. | Infrastructure hosting | USA (NYC) |
| Cloudflare Inc. | CDN, WAF, DDoS protection | Global (entry: USA) |
| Resend Inc. | Transactional email | USA |
| Sentry | Error monitoring | USA |
| PostHog | Product analytics (anonymized) | USA / EU |
| Better Stack | Uptime monitoring | EU (Czech Republic) |
| Anthropic PBC | AI-powered translations (no Customer Data sent) | USA |
7.3 SOptim shall:
- Impose written terms with each Sub-processor providing at least the same data protection obligations as in this DPA
- Remain liable for Sub-processor acts and omissions
- Notify the Merchant of any intended changes to Sub-processors at least 30 days in advance via email or in-app notice
7.4 If the Merchant has reasonable objections to a new Sub-processor on data protection grounds, the parties will work in good faith. If unresolved, the Merchant may terminate the Service.
8. Data retention and deletion
- Active shop data: retained during app installation
- Bot Shield events: 30 days (Free tier: 7 days)
- Audit data: 90 days
- Upon app uninstall: shop data is soft-deleted within 48 hours and permanently purged within 30 days
- Upon Merchant's explicit deletion request: data deleted within 30 days
- Customer redact webhook (Shopify): customer-specific data deleted within 30 days
- Backups: cleared within 90 days of deletion
9. Audits
9.1 SOptim shall make available to the Merchant information necessary to demonstrate compliance with this DPA.
9.2 The Merchant may request, no more than once per 12 months, a summary of SOptim's security and compliance posture (e.g. SOC 2 status, penetration test summary).
9.3 On-site audits by the Merchant or its auditors are not provided by default. If required by applicable law, the parties will negotiate audit terms in good faith, including reasonable notice (minimum 30 days), scope limitations, confidentiality, and reimbursement of SOptim's reasonable costs.
10. International data transfers
10.1 Personal Data may be transferred to and processed in the United States and other countries where Sub-processors operate.
10.2 For transfers from the EU / EEA / UK / Switzerland to third countries lacking an adequacy decision, the parties shall rely on:
- EU Standard Contractual Clauses (EU Commission Decision 2021/914) — incorporated by reference into this DPA
- UK International Data Transfer Addendum where applicable
- Swiss data protection law where applicable
10.3 SOptim represents that no Sub-processor is currently subject to laws that would prevent it from complying with the SCCs.
11. Liability
Each party's liability under this DPA is subject to the limitations of liability in the Terms of Service, except where prohibited by applicable law (e.g. GDPR Article 82 fines on Processors).
12. Term and termination
This DPA is effective upon installation of the SOptim app and continues until the Service is terminated. Provisions relating to data deletion, audit, and liability survive termination as needed.
13. Conflicts
In the event of any conflict between this DPA and the Terms of Service, this DPA prevails with respect to data protection matters.
14. Governing law
This DPA is governed by the same law as the Terms of Service (Singapore), except that mandatory provisions of GDPR or other applicable data protection law shall prevail where they grant Data Subjects greater protection.
15. Contact
Data Protection contact at SOptim:
Email: [email protected]
Mail: SOptim, Singapore
Annex A — Technical and organizational measures
SOptim implements the following measures to ensure security of Customer Data:
1. Encryption
- TLS 1.3 for all data in transit
- AES-256 for sensitive data at rest
- IP addresses hashed with SHA-256 + rotating salt (never stored in plaintext)
2. Access control
- Role-based access control (RBAC) for admin functions
- Two-factor authentication for all infrastructure access
- Principle of least privilege
- Audit logging of admin actions
3. Network security
- Cloudflare WAF + DDoS protection
- HTTPS-only with HSTS
- Rate limiting and bot detection on API endpoints
- Firewall rules restricting database access to application servers only
4. Application security
- HMAC verification for all Shopify webhooks
- Bearer token authentication for inter-service calls
- Input validation and sanitization
- Parameterized database queries (no SQL injection)
- Content Security Policy and security headers
5. Operational security
- Quarterly security reviews
- Regular dependency updates and vulnerability scanning
- Encrypted backups (daily, retained 30 days)
- Incident response plan with 72-hour breach notification commitment
- Logging and monitoring (Sentry for errors, Better Stack for uptime)
6. Personnel
- Confidentiality obligations on all personnel with data access
- Security training
- Background checks for personnel with elevated access
7. Sub-processor management
- Written DPAs with all Sub-processors
- Annual review of Sub-processor compliance
- Notification to Controller of Sub-processor changes
8. Data subject rights tooling
- Automated GDPR webhook handlers (data_request, customers/redact, shop/redact)
- Manual data export available on request via [email protected]
- 30-day SLA for data subject requests
Version history
- v1.1 (2026-05-17): Added section 3.7 — aggregate benchmarking as additional processing purpose (GDPR Art. 6(1)(f) + Art. 89).
- v1.0 (Initial release)