Data Processing Agreement

Last updated: March 17, 2026

This Data Processing Agreement ("DPA") forms part of the agreement between the merchant ("Data Controller", "you") and AskOrigin ("Data Processor", "we", "us") governing the processing of personal data in connection with your use of the AskOrigin application. By installing or using AskOrigin, you agree to the terms of this DPA.

1. Definitions

  • "Personal Data" means any information relating to an identified or identifiable natural person processed by AskOrigin on behalf of the Data Controller.
  • "Processing" means any operation performed on Personal Data, including collection, storage, retrieval, use, and deletion.
  • "Sub-processor" means any third party engaged by AskOrigin to process Personal Data on behalf of the Data Controller.

2. Scope and Purpose of Processing

AskOrigin processes Personal Data solely to provide marketing attribution services to the Data Controller. The categories of data processed and purposes are described in our Privacy Policy, sections 3 and 4.

Processing includes:

  • Collecting click and page view data from the merchant's storefront
  • Receiving order data via Shopify webhooks
  • Hashing customer identifiers (email, phone) using SHA-256
  • Computing marketing attribution and customer journey analytics
  • Storing and presenting aggregated reports to the merchant

3. Obligations of the Data Processor

AskOrigin shall:

  • Process Personal Data only on documented instructions from the Data Controller and only for the purposes described in this DPA
  • Ensure that persons authorized to process Personal Data are bound by confidentiality obligations
  • Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including encryption at rest and in transit, access controls, and audit logging
  • Not engage a Sub-processor without prior written authorization from the Data Controller. Current sub-processors are listed in section 8 of this DPA
  • Assist the Data Controller in responding to data subject requests (access, rectification, erasure, portability, restriction, objection)
  • Assist the Data Controller in ensuring compliance with obligations related to security, breach notification, data protection impact assessments, and prior consultation
  • At the choice of the Data Controller, delete or return all Personal Data upon termination of the service, and delete existing copies unless applicable law requires storage
  • Make available all information necessary to demonstrate compliance with these obligations and allow for audits

4. Obligations of the Data Controller

The Data Controller shall:

  • Ensure that it has a lawful basis for processing Personal Data and for instructing AskOrigin to process it
  • Ensure that data subjects are informed about the processing through appropriate privacy notices on the merchant's store
  • Implement appropriate consent mechanisms where required (e.g., cookie consent banners for visitors in GDPR jurisdictions)
  • Notify AskOrigin promptly of any data subject requests that AskOrigin needs to assist with

5. Data Retention

Personal Data is retained for the duration of the merchant relationship. Upon termination (app uninstall or shop erasure request), all Personal Data associated with the Data Controller's store is permanently deleted from our systems. Individual customer data is deleted upon receipt of a customer erasure request via Shopify's GDPR webhooks.

6. Security Measures

AskOrigin implements the following technical and organizational security measures:

  • Encryption: All data is encrypted at rest (AES-256) and in transit (TLS 1.2+). Database backups are encrypted.
  • Access control: Database access is restricted via service-role credentials managed through environment variables. PostgreSQL Row-Level Security ensures tenant isolation. Staff access to personal data is limited to authorized personnel on a need-to-know basis.
  • Authentication: Strong password policies and multi-factor authentication are enforced for all infrastructure access.
  • Logging: Access to personal data is logged with timestamps and request metadata.
  • Environment separation: Production and development environments use separate databases, credentials, and infrastructure.
  • Data minimization: Email addresses and phone numbers are stored exclusively as irreversible SHA-256 hashes.
  • Data loss prevention: Automated database backups, point-in-time recovery, and infrastructure redundancy.

7. Data Breach Notification

In the event of a Personal Data breach, AskOrigin shall notify the Data Controller without undue delay and no later than 72 hours after becoming aware of the breach. The notification will include:

  • A description of the nature of the breach, including the categories and approximate number of data subjects and records concerned
  • The likely consequences of the breach
  • The measures taken or proposed to address the breach and mitigate its effects

8. Sub-processors

AskOrigin currently uses the following sub-processors:

Sub-processor | Purpose | Location
Supabase Inc. | Database hosting, edge functions, authentication | United States
Netlify Inc. | Application hosting and deployment | United States
Google LLC | Google Ads campaign cost import and server-side conversion upload (activated only when merchant connects their Google Ads account) | United States
Meta Platforms Inc. | Server-side conversion events via Meta Conversions API (activated only when merchant connects their Meta Business account) | United States

We will notify the Data Controller of any intended changes to sub-processors, giving the Data Controller the opportunity to object.

9. International Data Transfers

Personal Data may be transferred to and processed in the United States, where our sub-processors are located. Where such transfers occur, we ensure appropriate safeguards are in place, including standard contractual clauses approved by the European Commission, to protect Personal Data in accordance with GDPR requirements.

10. Term and Termination

This DPA is effective from the date the Data Controller installs AskOrigin and remains in effect for the duration of the service. Upon termination, AskOrigin will delete all Personal Data within 30 days unless applicable law requires continued storage. The Data Controller may also trigger immediate deletion by uninstalling the app, which initiates Shopify's shop erasure webhook.

11. Governing Law

This DPA shall be governed by the same laws that govern the agreement between the Data Controller and AskOrigin. For Data Controllers established in the European Economic Area, this DPA shall be governed by the laws of the Data Controller's jurisdiction to the extent required by GDPR.

12. Contact

For questions regarding this DPA or to exercise your rights, contact us at:

Email: [email protected]
Website: https://askorigin.com