Data Processing Agreement

1. Introduction

This Data Processing Agreement ("DPA") supplements the eshopOS Terms of Service and Privacy Policy. eshopOS is operated by Osarian Solutions. This DPA applies when eshopOS processes personal data on your behalf as a data processor.

This DPA is incorporated by reference into your agreement with eshopOS and governs eshopOS's processing of personal data in connection with the services.

2. Roles and Responsibilities

Under applicable data protection laws:

• Data Controller: You determine the purposes and means of processing personal data
• Data Processor: eshopOS processes personal data only on your documented instructions
• Sub-processor: Third parties engaged by eshopOS to assist with data processing

This DPA governs eshopOS's role as data processor. You remain responsible for your compliance with data protection laws.

3. Data Processing Details

3.1 Subject Matter

Processing relates to your use of eshopOS e-commerce platform services.

3.2 Duration

Processing occurs during your subscription term and for data retention periods.

3.3 Nature and Purpose

Providing, maintaining, and improving e-commerce platform services as instructed.

When you connect an external commerce platform, eshopOS processes the connected data only for the authorized connection, migration, synchronization, reporting, and store-operation purposes shown in the product flow.

3.4 Types of Personal Data

• Customer contact information (names, emails, addresses, phone numbers)
• Order and transaction data
• Payment information (processed by third-party payment processors)
• Customer service communications
• Marketing preference data
• Connected-platform catalog, inventory, location, and media data authorized by the merchant

The first public Shopify connector release does not request Shopify customer data. If customer-data import is enabled later, it will require separate disclosure, merchant authorization, and applicable platform approval before use.

3.5 Categories of Data Subjects

• Your customers and prospects
• Individuals mentioned in customer communications

4. Data Subject Rights

eshopOS will:

• Timely notify you of data subject requests received by eshopOS
• Provide reasonable assistance to help you respond to requests
• Forward requests to you without undue delay where appropriate
• Maintain records of processing activities as required

You remain responsible for responding to data subject requests concerning your processing.

5. Security Measures

eshopOS implements appropriate technical and organizational measures:

• Encryption in transit between clients and platform endpoints
• Store-scoped access controls and permission checks
• Authenticator verification for sensitive key, webhook, and payout actions
• API key, OAuth app, and webhook secret rotation flows
• Audit logging for authenticator, webhook, and developer credential actions
• Webhook delivery records and test-event tooling for operational review

Security controls evolve as product capabilities and operating requirements change.

6. Sub-processors

eshopOS uses external service operators where needed to deliver platform functionality:

• List of current sub-processors available at Infrastructure Annex
• The annex includes core providers and optional integrations referenced by product code
• The annex is updated as integrations are added, removed, or materially changed
• Merchants should review the annex periodically for the current external-service footprint

eshopOS remains responsible for the external service relationships it configures as part of the platform.

7. Data Transfers

Data may be transferred to countries with adequate protection:

• Processing occurs in Kenya and cloud provider facilities globally
• Standard contractual clauses applied for international transfers
• Appropriate safeguards implemented for data protection
• Transfers only occur as necessary for service provision

8. Data Breach Notification

eshopOS will:

• Notify you without undue delay of personal data breaches
• Provide details of breach within 48 hours of discovery
• Include nature of data, categories of individuals affected
• Recommend mitigation measures to reduce adverse effects
• Document breaches for regulatory compliance purposes

9. Data Retention and Deletion

eshopOS will:

• Delete or return personal data upon request or account termination
• Retain data as required by law or legitimate business needs
• Provide certification of deletion when technically feasible
• Maintain backups for disaster recovery during retention period

You may request data deletion through your account settings or support.

10. Assistance with Compliance

eshopOS will provide reasonable assistance with:

• Data protection impact assessments
• Regulatory authority consultations
• Data subject rights fulfillment
• Security and compliance documentation

Assistance and any audits requested by the Merchant are provided at the Merchant's sole cost and expense.

11. Term and Termination

This DPA:

• Effective upon acceptance of eshopOS Terms of Service
• Continues for the duration of your subscription
• Survives termination for data retention periods
• Superseded by updated versions upon notice

12. Liability and Indemnification

Liability for data processing:

• Subject to the overall limitation of liability in the eshopOS Terms of Service
• eshopOS liable for sub-processor compliance failures
• Merchant agrees to indemnify eshopOS for any regulatory fines or legal costs arising from Merchant's breach of instructions or data protection laws
• Total aggregate liability under this DPA shall not exceed the fees paid by Merchant in the 12 months preceding the claim