Data Processing Addendum

Last updated: 17 May 2026

This Data Processing Addendum ("DPA") forms part of the agreement between Supaforce and the customer ("you" or "Customer") under the Terms of Service. It applies wherever Supaforce processes personal data on your behalf under UK GDPR, EU GDPR, or equivalent data protection law. In the event of a conflict between this DPA and the main Terms, this DPA controls with respect to personal data.

You do not need to sign this DPA separately — it is incorporated automatically by installing the Supaforce app or accepting the Terms. If your procurement process requires a counter-signed copy, email legal@supaforce.app and we will provide one.

1. Definitions

Terms used in this DPA have the meanings given in UK GDPR and EU GDPR. "Customer Personal Data" means personal data that Supaforce processes on your behalf in connection with the Service. "Sub-processor" means a third party engaged by Supaforce to process Customer Personal Data.

2. Roles of the parties

You are the controller of Customer Personal Data (for example, your store's customer records and order data that flow into Supaforce through Shopify webhooks and the attribution Web Pixel). Supaforce acts as processor of that data.

Supaforce is the independent controller of personal data we collect about your account and contacts — for example, the name and email of the user who signs up. The handling of that data is described in our Privacy Policy.

3. Subject matter and instructions

The subject matter, nature, purpose, duration, types of personal data, and categories of data subjects are set out in Annex 1.

Supaforce will process Customer Personal Data only on your documented instructions, including those set out in the Service's configuration (for example, the connections you authorise and the features you enable). If Supaforce believes an instruction violates applicable law, we will notify you before complying.

4. Personnel and confidentiality

Supaforce will ensure that personnel authorised to process Customer Personal Data are bound by appropriate confidentiality obligations and receive privacy and security training.

5. Security measures

Supaforce will implement and maintain appropriate technical and organisational measures to protect Customer Personal Data, taking into account the state of the art, the cost of implementation, and the nature, scope, context, and purpose of processing. A description of the current measures is in Annex 2.

6. Sub-processors

You authorise Supaforce to engage sub-processors to deliver the Service. The current list of sub-processors is in the "Sub-processors" section of our Privacy Policy and is kept up to date.

Where we appoint a new sub-processor or replace an existing one, we will update the list at least 14 days before the change takes effect. If you object on reasonable data protection grounds within that period, you may terminate the affected portion of the Service for convenience. Supaforce remains liable for the acts and omissions of its sub-processors as if they were its own.

7. Data subject rights

Supaforce will assist you, by appropriate technical and organisational measures, to respond to requests from data subjects exercising their rights under data protection law (access, rectification, erasure, restriction, portability, objection). The Service includes tooling to fulfil most requests directly. For requests that require manual assistance from Supaforce, email privacy@supaforce.app.

Supaforce implements Shopify's mandatory privacy webhooks (customers/data_request, customers/redact, shop/redact) so that requests initiated through Shopify flow through automatically.

8. Personal data breach

If Supaforce becomes aware of a personal data breach affecting Customer Personal Data, we will notify you without undue delay — and in any event in time for you to meet your own regulatory notification obligations. The notification will include the information set out in Article 33(3) UK/EU GDPR, to the extent known.

9. International transfers

Supaforce is based in the United Kingdom. Where Customer Personal Data is transferred outside the UK or EEA to a country without an adequacy decision, the transfer is protected by the UK International Data Transfer Agreement (or the UK Addendum to the EU Standard Contractual Clauses, as applicable) and equivalent EU Standard Contractual Clauses for EU-origin data. By entering into this DPA you accept the relevant clauses on our behalf and on behalf of our sub-processors where required.

10. Audits

Supaforce will make available to you all information reasonably necessary to demonstrate compliance with this DPA, including documentation about our security measures, sub-processor list, and most recent independent assessments. If those documents are not sufficient, you (or an independent third-party auditor reasonably acceptable to both parties) may conduct an on-site audit no more than once every 12 months, on at least 30 days' notice, during business hours, and subject to confidentiality. You bear the cost of any on-site audit unless it reveals a material breach by Supaforce, in which case we bear reasonable costs.

11. Return and deletion of data

Within 30 days of the end of your subscription, Supaforce will delete or, at your written request, return all Customer Personal Data and copies, except where retention is required by law. The Privacy Policy describes typical retention windows for different categories.

12. Liability

Each party's liability under this DPA is subject to the limitations of liability set out in the Terms of Service.

13. Order of precedence

In the event of a conflict between this DPA and the main Terms, this DPA prevails with respect to data protection. Where the UK IDTA or EU SCCs apply and conflict with this DPA, the IDTA or SCCs prevail to that extent.

Annex 1 — Description of processing

Subject matter. Provision of the Supaforce Service to you under the Terms.

Duration. The term of your subscription, plus the deletion period in section 11.

Nature and purpose. Hosting, processing, and analysing data to operate the agents you have hired and the integrations you have authorised. Generating content, running ad campaigns, attributing orders, and producing reports.

Categories of data subjects.

  • Your customers (where Shopify or other connections forward end-user data).
  • Your prospects (where you upload or enrich prospect lists).
  • Your employees who use the Service.

Categories of personal data.

  • Identifiers (names, email addresses, hashed identifiers, IP addresses).
  • Order and transaction data (line items, value, currency, fulfilment status).
  • Pseudonymous session and click data from the attribution Web Pixel.
  • Professional contact data for sales prospects (where applicable).
  • Engagement and performance data from connected ad and analytics platforms.

Special categories of data. Not intended. You are responsible for not configuring the Service to process special categories of personal data.

Annex 2 — Technical and organisational measures

Supaforce applies the following measures, kept under review:

  • Encryption. TLS 1.2+ for data in transit. AES-256 (or equivalent) for data at rest, including at the managed-database layer. Sensitive credentials are additionally encrypted at the application layer before storage.
  • Access control. Role-based access control. Production access limited to authorised engineers. Single sign-on with mandatory multi-factor authentication for personnel.
  • Tenant isolation. Row-level security on shared tables to enforce organisation boundaries. Per-organisation encryption of stored secrets.
  • Network security. Cloud-hosted infrastructure with managed firewalls, private networking, and DDoS protection at the load-balancer layer.
  • Vulnerability management. Automated dependency scanning, regular base-image patching, and a defined process for triaging and remediating reported vulnerabilities.
  • Logging and monitoring. Audit logs for sensitive operations. Application-level error monitoring with alerting.
  • Backups. Encrypted database backups taken automatically by our managed database provider. Restoration tested periodically.
  • Personnel. Appropriate background checks during onboarding. Mandatory security and privacy training. Confidentiality obligations in employment terms.
  • Incident response. Documented runbooks. On-call rotation. 72-hour breach notification commitment under section 8.
  • Vendor management. Sub-processors are subject to data processing terms before access is granted.

We will keep this Annex up to date and notify you of material changes through the same channels used for other DPA updates.

Questions?

Email privacy@supaforce.app for data protection questions or legal@supaforce.app for contracting questions.