Data Processing Agreement
This Data Processing Agreement ("DPA") forms part of the Terms of Service between the Customer (the merchant using the Services, the "Controller") and Clevyre, Inc. (the "Processor"). It governs the Processing of Personal Data by Processor on behalf of Controller in connection with the Clevyre EU Withdrawal Button App and the Clevyre Accessibility Widget App, and is intended to satisfy the requirements of Article 28 of Regulation (EU) 2016/679 ("GDPR").
1. Definitions
Capitalised terms not otherwise defined here have the meaning assigned under the GDPR. For the purposes of this DPA:
- Controller means the Customer.
- Processor means Clevyre, Inc.
- Personal Data means any information relating to an identified or identifiable natural person.
- Processing means any operation performed on Personal Data, whether or not by automated means.
- Data Subject means an identified or identifiable natural person.
- Subprocessor means any third party engaged by Processor to process Personal Data on behalf of Controller.
- Personal Data Breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data.
2. Scope and duration
This DPA applies whenever Processor Processes Personal Data on behalf of Controller in connection with the Services. It remains effective for the duration of the Services and for as long as Processor Processes Personal Data on behalf of Controller.
3. Nature and purpose of Processing
Processor shall Process Personal Data solely for the purpose of providing the Services.
3.1 Clevyre EU Withdrawal Button App
- Receiving withdrawal requests submitted by consumers.
- Storing withdrawal requests and related information.
- Forwarding withdrawal requests to merchants.
- Managing withdrawal workflows.
- Providing customer support.
- Maintaining service functionality and security.
3.2 Clevyre Accessibility Widget App
- Delivering accessibility functionality.
- Maintaining widget settings and configurations.
- Monitoring service performance.
- Providing customer support.
- Ensuring security and operational reliability.
Processor shall not sell Personal Data and shall not use Personal Data for advertising or marketing purposes.
4. Categories of Personal Data
Depending on how Controller uses the Services, Processor may Process:
- Consumer data — first and last name, email address, telephone number, postal address, withdrawal request content, order number, and order information.
- Merchant data — merchant name, store information, billing information, and contact information.
- Technical data — IP address, browser information, device information, log data, usage information, and timestamps.
5. Categories of Data Subjects
- Customers of Controller
- Consumers submitting withdrawal requests
- Website visitors
- Merchant representatives
- Merchant employees
6. Controller responsibilities
Controller represents and warrants that it:
- has a lawful basis for the Processing of Personal Data;
- has provided all required privacy notices;
- has obtained any necessary consents; and
- complies with all applicable Data Protection Laws.
Controller remains solely responsible for determining the purposes and means of Processing Personal Data.
7. Processor obligations
7.1 Processing instructions
Processor shall Process Personal Data only on documented instructions from Controller unless otherwise required by applicable law.
7.2 Confidentiality
Processor shall ensure that persons authorised to Process Personal Data are bound by confidentiality obligations.
7.3 Security measures
Processor shall implement appropriate technical and organisational measures, including:
- Encryption of data in transit using TLS.
- Access controls and authentication mechanisms.
- Least-privilege access management.
- Security monitoring and logging.
- Backup and disaster recovery procedures.
- Incident response procedures.
- Infrastructure security controls.
8. Subprocessors
Controller authorises Processor to engage the following Subprocessors:
| Subprocessor | Purpose |
|---|---|
| Amazon Web Services (AWS) | Cloud hosting and infrastructure |
| PlanetScale | Database hosting and storage |
| Cloudflare | CDN, security, and network services |
| Resend | Transactional email delivery |
The current, detailed list — including each Subprocessor's processing location and transfer safeguards — is published at clevyre.com/subprocessors.
Processor may engage additional Subprocessors provided that appropriate data-protection obligations are imposed on them, and Processor remains responsible for their performance. Processor will give Controller at least 30 days' prior notice by email (and by updating the Subprocessor List) of the addition or replacement of a Subprocessor. Controller may reasonably object to a new Subprocessor on data-protection grounds within that period; if the parties cannot resolve the objection, Controller may terminate the affected Service.
9. International data transfers
Processor hosts the Services' core infrastructure and databases in the European Union (Ireland region), within the European Economic Area (EEA).
Where Personal Data is transferred outside the EEA — for example to a Subprocessor providing email or analytics services — Processor shall ensure such transfers are subject to appropriate safeguards, including adequacy decisions approved by the European Commission, the EU-US Data Privacy Framework, Standard Contractual Clauses (SCCs), or other legally recognised transfer mechanisms.
10. Assistance with Data Subject requests
Taking into account the nature of the Processing, Processor shall provide reasonable assistance to Controller in responding to requests from Data Subjects concerning the right of access, rectification, erasure, restriction of processing, data portability, and the right to object.
11. Personal Data Breach notification
Processor shall notify Controller without undue delay, and in any event within 72 hours, after becoming aware of a Personal Data Breach affecting Controller Personal Data. Such notification shall include, where available:
- the nature of the breach;
- the categories of affected Personal Data;
- the likely consequences of the breach; and
- the measures taken or proposed to address it.
12. Audits and compliance information
Processor shall make available information reasonably necessary to demonstrate compliance with this DPA. Where required by applicable law, Controller may conduct an audit no more than once annually upon reasonable prior written notice and subject to appropriate confidentiality obligations.
13. Data retention and deletion
Processor shall retain Personal Data only for as long as necessary to provide the Services and comply with applicable legal obligations. In practice:
- Merchant account and configuration data is deleted within 48 hours of uninstallation (Shopify shop/redact).
- Consumer and withdrawal-request data is deleted on a verified request or via Shopify customers/redact (within 30 days); withdrawal records may be kept up to 12 months to resolve disputes and meet record-keeping obligations.
- Technical and log data is retained up to 12 months.
Upon termination of the Services and upon Controller's request, Processor shall delete or return Personal Data to Controller. Processor may retain backup copies until overwritten in accordance with standard retention schedules.
14. Liability
Each party's liability arising under this DPA shall be subject to the limitations of liability set forth in the applicable Terms of Service, unless prohibited by applicable law.
15. Governing law
This DPA is governed by the laws of India, and the parties submit to the competent courts of Bengaluru, Karnataka, consistent with the governing law of the applicable Terms of Service, unless Controller's local consumer-protection or data-protection laws give Controller a non-waivable right to another forum.
Annex I — Processing description
Subject matter
Provision of the Clevyre EU Withdrawal Button App and the Clevyre Accessibility Widget App.
Duration
For the duration of the merchant's use of the Services.
Nature of Processing
Collection, storage, organisation, retrieval, transmission, deletion, and management of Personal Data.
Purpose of Processing
Providing app functionality, customer support, security, and service operations.
Categories of Data Subjects
Consumers, customers, website visitors, and merchant personnel.
Categories of Personal Data
Identity information, contact information, order information, technical information, and service usage data.
Annex II — Technical and organisational measures (TOMs)
Clevyre maintains appropriate technical and organisational measures, including:
Organisational measures
- Confidentiality obligations for personnel.
- Internal access control procedures.
- Security awareness and training practices.
- Incident response procedures.
Technical measures
- HTTPS/TLS encryption.
- Secure cloud infrastructure hosted on AWS (EU / Ireland region).
- Managed database security through PlanetScale.
- DDoS protection and network security via Cloudflare.
- Authentication and authorisation controls.
- Security logging and monitoring.
- Backup and recovery capabilities.
- Regular software updates and vulnerability management.