Data Processing Agreement

Standard contractual terms governing our processing of personal data on behalf of customers.

Subject matter and duration

Shopthru.ai (“Processor”) processes Personal Data on behalf of the customer (“Controller”) solely to provide the Service described in the order form. Processing lasts for the term of the subscription plus any wind-down period required for return or deletion of data.

Nature and purpose of processing

Storage, retrieval, analysis, and transformation of merchant and user data to generate visibility audits, agent outputs, recommendations, and operational reporting.

Categories of data

  • Account identifiers (name, work email, role).
  • Merchant catalog and content (products, pages, reviews).
  • Connected-platform metadata (Shopify, GSC, analytics).
  • Operational logs and agent execution traces.

We do not knowingly process special categories of data (Article 9 GDPR) and customers must not upload them.

Categories of data subjects

  • Customer employees and authorized users.
  • Merchant end-customers, only to the extent reflected in catalog content, reviews, or analytics aggregates.

Processor obligations

We will: process Personal Data only on documented instructions from the Controller; ensure persons authorized to process are bound by confidentiality; implement appropriate technical and organizational measures; and assist the Controller in meeting its own obligations under applicable law.

Sub-processors

The Controller authorizes the use of sub-processors listed in our current sub-processor register (available on request). We will provide notice of additions and bind each sub-processor to terms no less protective than those in this DPA.

Security

We maintain encryption in transit and at rest, role-based access controls, least-privilege production access, audit logging, and a documented incident response process. See the Security overview for current controls.

Audit rights

We will make available information necessary to demonstrate compliance with this DPA and, on reasonable notice and no more than once per year, allow audits conducted by the Controller or a mutually agreed independent auditor, subject to reasonable confidentiality and security constraints.

Data subject requests

Taking into account the nature of processing, we will assist the Controller by appropriate technical and organizational measures in responding to data subject requests. Requests received directly will be forwarded to the Controller.

Breach notification

We will notify the Controller without undue delay, and in any event within 72 hours, after becoming aware of a Personal Data breach, and will provide information reasonably required for the Controller to meet its own notification obligations.

Return or deletion

On termination, at the Controller’s election, we will return or delete Personal Data within a reasonable period, unless retention is required by law.

Contact

legal@shopthru.ai
