EUcomply
Home Privacy Terms Imprint Install on Shopify

Data Processing Agreement (DPA)

Version 1.0 • Last updated: 2026-05-08 • Effective: 2026-05-08

This Data Processing Agreement ("DPA") forms part of the agreement between you ("Customer", the Controller) and EUcomply UG (haftungsbeschränkt) ("EUcomply", the Processor) under which EUcomply provides the Service described in our Terms of Service. It governs the processing of Personal Data by EUcomply on behalf of the Customer in accordance with Article 28 of Regulation (EU) 2016/679 ("GDPR").

By installing, using or continuing to use the Service, the Customer enters into this DPA. The Customer is the Controller of the Personal Data processed in connection with the Service; EUcomply is the Processor. Where the Customer's end customers' data is processed, the Customer warrants it has obtained any necessary consent or established a lawful basis under Art. 6 GPDR.

1. Subject Matter and Duration

EUcomply processes Personal Data only on documented instructions from the Customer (this DPA, the Terms, and any reasonable in-product instructions submitted via the dashboard or email). The duration of the processing equals the duration of the underlying subscription, plus any retention obligations set out in our Privacy Policy.

2. Scope of Processing

The categories of data subjects, categories of Personal Data, nature and purpose of processing are defined in Annex I. EUcomply will not process Personal Data for any purpose other than performing the Service or complying with EU or member-state law (Art. 28(3)(a) GDPR); if compelled by law to process beyond Customer's instructions, EUcomply notifies Customer before processing unless that law prohibits notification.

3. Obligations of EUcomply (Processor)

  1. Documented instructions. Process Personal Data only on Customer's documented instructions, including transfers, unless required by EU or member-state law.
  2. Confidentiality. Ensure that personnel authorised to process Personal Data have committed to confidentiality or are under appropriate statutory confidentiality obligations.
  3. Security. Implement technical and organisational measures (TOMs) per Annex II to ensure a level of security appropriate to the risk under Art. 32 GDPR.
  4. Sub-processors. Engage sub-processors only under the conditions in Section 5 and impose equivalent data-protection obligations on each.
  5. Data-subject requests. Assist the Customer, taking into account the nature of the processing, in fulfilling its obligation to respond to requests under Chapter III GDPR (Art. 28(3)(e)).
  6. DPIA & consultations. Provide reasonable assistance with Data Protection Impact Assessments (Art. 35) and prior consultations with supervisory authorities (Art. 36).
  7. Breach notification. Notify Customer without undue delay and in any event within 72 hours of becoming aware of a Personal Data Breach (Art. 33(2)). The notification will include the information required by Art. 33(3) to the extent known.
  8. Deletion / return. On termination, at the Customer's choice, delete or return all Personal Data and delete existing copies, unless EU or member-state law requires storage (Art. 28(3)(g)). Compliance and bookkeeping records retained under tax law are not deleted before the legal retention period expires.
  9. Audit and information. Make available to the Customer all information necessary to demonstrate compliance with Art. 28 and allow for audits (see Section 7).

4. Obligations of the Customer (Controller)

  • The Customer warrants that it has a lawful basis under Art. 6 GDPR (and where applicable Art. 9) for the processing instructed.
  • The Customer is responsible for the accuracy, quality and legality of the Personal Data uploaded.
  • The Customer must notify its end customers (data subjects) about the processing where required, including in its own privacy notice.
  • The Customer's instructions must remain within the functional scope of the Service. Instructions exceeding that scope require written agreement and may incur additional fees.

5. Sub-processors

The Customer grants EUcomply general written authorisation to engage sub-processors, subject to the following safeguards (Art. 28(2) and (4)):

  • Each sub-processor is bound by a written contract imposing data-protection obligations equivalent to those in this DPA.
  • EUcomply remains liable to the Customer for the performance of each sub-processor's obligations.
  • EUcomply notifies the Customer at least 30 days before adding or replacing a sub-processor (the change list is posted on this page; you can subscribe to notifications).
  • The Customer may object to a new sub-processor on reasonable data-protection grounds within 30 days. The parties will discuss the objection in good faith; if not resolved, the Customer may terminate the affected portion of the Service for convenience and obtain a pro-rata refund.

Current sub-processors

Sub-processor Service Location of processing Transfer mechanism Sub-processor list
Stripe Payments Europe, Ltd. (1 Grand Canal Street Lower, Dublin, Ireland) Subscription billing, card processing, invoice generation Ireland (EU); onward to Stripe, Inc. (US) SCCs Module 3 + EU-US DPF stripe.com/legal/sub-processors
Sentry GmbH (Friedenstr. 91, 10249 Berlin, Germany) Error and exception monitoring Germany (EU); onward to Functional Software, Inc. (US) SCCs Module 3 sentry.io/legal/subprocessors
Shopify International Ltd. (2nd Floor, Victoria Buildings, 1-2 Haddington Road, Dublin 4, Ireland) OAuth handshake, source-of-record for product/order metadata Ireland (EU); onward to Shopify Inc. (Canada) EU adequacy (Canada PIPEDA) + SCCs as fallback shopify.com/legal/dpa
Resend, Inc. Transactional and lifecycle email delivery (welcome, onboarding, deadline reminder, payment failure, cancellation) EU region (Frankfurt); onward to US SCCs Module 3 + EU-US DPF resend.com/legal/sub-processors
Hetzner Online GmbH (Industriestr. 25, 91710 Gunzenhausen, Germany) IaaS — primary hosting, database, object storage Germany (Falkenstein / Nuremberg) Intra-EEA — no transfer mechanism required hetzner.com/legal/privacy-policy

6. International Data Transfers

For transfers of Personal Data outside the EEA, EUcomply relies on:

  • The European Commission's Standard Contractual Clauses (SCCs) Module 2 (Controller–Processor) and Module 3 (Processor–Processor) under Decision (EU) 2021/914, populated by Annex III;
  • The EU-US Data Privacy Framework (Decision (EU) 2023/1795) where the recipient is certified;
  • Supplementary measures consistent with EDPB Recommendations 01/2020 (encryption in transit and at rest, key separation, audit logging, transparency reports).

The Customer instructs EUcomply to enter into the SCCs with sub-processors for the purposes described above on its behalf, and grants the necessary mandate to do so under the SCCs Docking Clause.

7. Audit Rights

EUcomply demonstrates compliance with this DPA primarily through:

  • Independent third-party reports (where available) and the published TOMs;
  • Written responses to data-protection questionnaires (e.g. CAIQ, VSAQ) within a reasonable timeframe;
  • An on-site or remote audit, no more than once per twelve-month period unless required by a supervisory authority or following a Personal Data Breach. The Customer bears its own costs and EUcomply's reasonable assistance costs at standard rates. Auditors must be independent, professionally bound to confidentiality, and not a competitor of EUcomply. Audits are scheduled at least 30 days in advance and conducted during business hours so as not to disrupt operations.

8. Liability and Indemnity

The liability provisions in the underlying Terms of Service apply to claims under or in connection with this DPA. Where a supervisory authority imposes an administrative fine under Art. 83 GDPR, each party bears the share attributable to its non-compliance. Joint liability is determined under Art. 82(4) GDPR.

9. Order of Precedence

In case of conflict between this DPA and the Terms of Service, this DPA prevails for matters of personal-data protection. In case of conflict between this DPA and the SCCs entered into between the parties, the SCCs prevail.

10. Modifications

EUcomply may update this DPA from time to time to reflect changes in law, sub-processors or the Service. Material changes are notified at least 30 days in advance. If the Customer cannot accept a material change for documented data-protection reasons, the Customer may terminate the Service for convenience for the affected portion.

11. Contact

Data Protection Officer (DPO)
EUcomply UG (haftungsbeschränkt)
DPO, c/o Friedrichstr. 1, 10117 Berlin, Germany
Email: dpo@eucomply.app

Annex I — Description of the Processing

A. List of parties

  • Data Exporter (Controller): the Customer named in the Service subscription.
  • Data Importer (Processor): EUcomply UG (haftungsbeschränkt), Friedrichstr. 1, 10117 Berlin, Germany.
  • Contact for data protection: dpo@eucomply.app.
  • Activities relevant to the data transferred: Software-as-a-Service for EU compliance (GPSR documentation, customs duty calculation, IOSS VAT aggregation, lifecycle email).
  • Role: Processor (Customer = Controller); for sub-processor onward transfers, sub-processors act as Sub-Processors of the Importer.

B. Description of processing

CategoryDetail
Categories of data subjects(i) Customer's authenticated users (merchant staff). (ii) Customer's GPSR Responsible Persons (legal entity contacts; may include a natural person's name and contact). (iii) Customer's end customers, indirectly via order metadata (no buyer name, postal address, IP, or payment data).
Categories of Personal DataAccount email and login data; OAuth token (encrypted); Shopify shop domain and scopes; product / SKU metadata; HS codes; manufacturer name and address; Responsible Person name, address and contact; order ID, destination country, line item HS code and intrinsic value, currency, ordered-at timestamp; usage logs (truncated IP, User-Agent, timestamps); Stripe customer ID + last 4 of card.
Special categories of dataNone expected. EUcomply does not solicit or store data revealing racial origin, political opinions, religion, trade union membership, genetic, biometric, health or sexual orientation data.
Frequency of transferContinuous (API + webhook traffic during subscription).
Nature of processingStorage, structuring, retrieval, computation (duty / VAT calculations), document generation (PDF), aggregation (IOSS monthly CSV), email dispatch, error monitoring, audit logging.
Purpose of processingPerformance of the Service: GPSR safety documentation under Regulation (EU) 2023/988; customs duty calculation under EU customs rules effective 2026-07-01; IOSS VAT aggregation under Council Directive 2006/112/EC; secure operation, billing, support.
RetentionSee Privacy Policy § 7 — account & identity through subscription + 30 days; bookkeeping & compliance records 7 years; GPSR technical files 10 years; access logs 90 days.

C. Competent supervisory authority

For EUcomply as the Processor: Berliner Beauftragte für Datenschutz und Informationsfreiheit, Friedrichstr. 219, 10969 Berlin, Germany — datenschutz-berlin.de. For onward Sub-Processor transfers, the supervisory authority is the one indicated by the Customer or, in default, the lead authority under GDPR Art. 56.

Annex II — Technical and Organisational Measures (TOMs)

The following measures are implemented under Art. 32 GDPR. They are reviewed at least annually and after any material change to the Service.

1. Pseudonymisation and encryption

  • TLS 1.2+ enforced for all external traffic; HSTS preload eligible.
  • AES-256 disk encryption on database and backup volumes.
  • Shopify access tokens encrypted with envelope encryption; data-encryption keys rotated every 90 days.
  • Stripe-tokenised payment data — full PAN never enters our systems.
  • JWT session cookies signed with HS256; 1-hour TTL; constant-time signature comparison.

2. Confidentiality

  • Role-based access control with least-privilege defaults; access reviewed quarterly.
  • Multi-factor authentication required for all administrative interfaces and code-repository access.
  • Personnel under written confidentiality obligations; data-protection awareness training on onboarding and annually thereafter.
  • Per-tenant isolation enforced at every authenticated route by tenant guard middleware (shopId derived from JWT/API key).

3. Integrity

  • HMAC-SHA256 verification on every Shopify and Stripe webhook with constant-time comparison.
  • Append-only audit log (7-year retention) for security-relevant actions.
  • Idempotent webhook handling via atomic INSERT OR IGNORE on event ID.
  • Foreign-key constraints and parameterised SQL throughout (no dynamic concatenation).

4. Availability and resilience

  • Daily automated database snapshots, retained 30 days; weekly off-site copy retained 1 year.
  • Quarterly restore drill into a staging environment.
  • Health and readiness endpoints (/health, /ready) for orchestrator-driven self-healing.
  • Per-IP rate limiting on auth and webhook endpoints; structured error responses.

5. Procedures for testing and assessing effectiveness

  • Continuous integration runs the full test suite on every change (unit, contract, integration, end-to-end).
  • Static-analysis and type-check gating (tsc --noEmit, eslint) on every pull request.
  • Annual third-party penetration test of the public attack surface; remediation tracked to closure.
  • Quarterly review of supplier sub-processor changes and Transfer Impact Assessments.

6. User identification and authorisation

  • Authentication via Shopify OAuth (merchant) or scoped API key (machine-to-machine on Scale plan).
  • API keys are stored hashed (SHA-256); only a prefix + last_used_at are visible to the merchant.
  • Tenant guard middleware rejects any request whose authenticated shopId does not match the resource's shop_id.

7. Protection of data during transmission and storage

  • TLS termination at the edge; private inter-service traffic on a VPC.
  • Backups encrypted with separate KMS keys and verified by checksum on restore.
  • Secrets stored in environment variables sourced from a managed secret store; never committed to source.

8. Physical security

  • Hetzner data centres in Falkenstein / Nuremberg, Germany — ISO 27001 certified, 24/7 surveillance, biometric access control.
  • No on-premise servers; merchant data never resides on personnel devices.

9. Personnel security

  • Background checks proportionate to the role and applicable law.
  • Termination workflow revokes access within 24 hours.

10. Data minimisation

  • OAuth scopes limited to read_products and read_orders by default.
  • Order webhook payloads are projected to the minimum fields needed for duty / IOSS computation; buyer name, address and IP are not stored.
  • Sentry runs with sendDefaultPii: false; logs truncate IP addresses and avoid free-text user content.

11. Incident response

  • On-call rotation with documented runbook (RUNBOOK.md).
  • Personal Data Breach: Customer notified within 72 hours of detection (Art. 33(2)); supervisory authority notification handled by the Controller with Processor support.
  • Post-incident review documented and shared with affected Customers.

Annex III — SCCs (where the Customer is established outside the EEA)

Where the Customer (Controller) is established outside the EEA and EUcomply (Processor) is in the EEA, or where Personal Data is otherwise transferred outside the EEA, the parties incorporate the European Commission's Standard Contractual Clauses (Decision (EU) 2021/914):

  • Module 2 for Controller-to-Processor transfers (Customer outside EEA, EUcomply in EEA acting as importer-Processor).
  • Module 3 for Processor-to-Processor transfers (EUcomply onward to a Sub-Processor outside the EEA).
  • Optional Docking Clause (Clause 7) is selected.
  • Optional Clause 11(a) (independent dispute resolution): the parties opt out of the optional independent dispute body.
  • Clause 17 (governing law): the law of Germany.
  • Clause 18 (forum and jurisdiction): the courts of Berlin, Germany.

Annex I to the SCCs: populated by Annex I of this DPA.

Annex II to the SCCs (TOMs): populated by Annex II of this DPA.

Annex III to the SCCs (List of Sub-Processors): the table in Section 5 of this DPA.

The full SCC text is published by the European Commission at commission.europa.eu — Standard Contractual Clauses. By using the Service, the Customer accepts the SCCs as completed by these Annexes.

© 2026 EUcomply. All rights reserved. • Privacy • Terms • DPA • Imprint • Status • Changelog • Trust