Auftragsverarbeitungsvertrag gemäß Art. 28 DSGVO
Last updated: 19 May 2026
This Data Processing Agreement (the "DPA") forms part of and is incorporated into the Terms of Service between:
Processor: A.B. Digital Solutions UG (haftungsbeschränkt), Hartweg 39, 72793 Pfullingen, Germany, registered with Amtsgericht Stuttgart under HRB 805052, represented by Alexander Bossert (the "Processor");
Controller: the Shopify merchant entity that installs the Covex CRO application on its Shopify store (the "Controller").
By installing or continuing to use the App, the Controller accepts this DPA on its own behalf and on behalf of its affiliates whose personal data is processed via the App.
Terms used but not defined herein have the meaning given to them in the General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR"). "Processing" and "Personal Data" have the meaning given in Art. 4 GDPR. "Data Subject" means an identified or identifiable natural person to whom the Personal Data relates.
The Processor processes Personal Data on behalf of the Controller solely for the purpose of providing the Covex CRO Shopify application as described in the Terms of Service. Details of the processing are set out in Annex 1.
This DPA applies for as long as the Processor processes Personal Data on behalf of the Controller, i.e. from installation of the App until full deletion of the Controller's data following Shopify's shop/redact webhook.
The Processor processes Personal Data only on documented instructions of the Controller, including with regard to transfers of Personal Data to a third country or international organisation, unless required to do so by Union or Member State law to which the Processor is subject. The configuration of the App by the Controller in the Shopify admin and the Controller's use of the App constitute documented instructions for the purposes of this DPA.
The Processor will immediately inform the Controller if, in its opinion, an instruction infringes the GDPR or other applicable data protection provisions.
The Processor ensures that persons authorised to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
The Processor implements appropriate technical and organisational measures pursuant to Art. 32 GDPR to ensure a level of security appropriate to the risk. The measures are set out in Annex 2 and may be updated by the Processor at any time, provided the overall level of protection is not reduced.
The Controller grants the Processor a general authorisation to engage sub-processors. The Processor maintains the current list of sub-processors in Annex 3.
The Processor will inform the Controller of any intended changes concerning the addition or replacement of sub-processors at least thirty (30) days in advance, thereby giving the Controller the opportunity to object to such changes. Notification will be made by email to the address registered with the Controller's Shopify store and/or by updating this page. If the Controller objects on reasonable grounds related to data protection, the Controller may terminate the Terms with effect from the date the new sub-processor is engaged.
The Processor imposes on each sub-processor the same data protection obligations as set out in this DPA by way of a written contract.
Personal Data is processed within the European Union. Where a sub-processor is established in a third country (e.g. the corporate headquarters of Vercel Inc. and Supabase, Inc. in the United States), the transfer is governed by the Standard Contractual Clauses pursuant to Commission Implementing Decision (EU) 2021/914 and/or other appropriate safeguards within the meaning of Art. 46 GDPR included in the relevant sub-processor agreement.
Taking into account the nature of the processing, the Processor assists the Controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Controller's obligation to respond to requests for exercising Data Subject rights under Chapter III of the GDPR (Art. 15 to 22). The mandatory Shopify GDPR webhooks implemented by the App (customers/data_request, customers/redact, shop/redact) form the primary mechanism for such assistance.
The Processor assists the Controller in complying with its obligations under Art. 32 to 36 GDPR (security, breach notification, data protection impact assessment, prior consultation), taking into account the nature of the processing and the information available to the Processor.
The Processor notifies the Controller without undue delay, and in any event within seventy-two (72) hours after becoming aware, of any Personal Data breach affecting the Controller's Personal Data. The notification will include, to the extent available: a description of the nature of the breach, the categories and approximate number of Data Subjects and records concerned, the likely consequences, and the measures taken or proposed to address the breach.
Upon termination of the Terms, the Processor deletes all Personal Data processed on behalf of the Controller within thirty (30) days, in practice within 48 hours of receiving Shopify's shop/redact webhook, unless Union or Member State law requires storage of the Personal Data. The same applies in respect of test and waste material.
The Processor makes available to the Controller all information necessary to demonstrate compliance with Art. 28 GDPR and allows for and contributes to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller.
Audits will be conducted at the Controller's expense, no more than once per calendar year (save where required by a supervisory authority or in the event of a substantiated Personal Data breach) and upon thirty (30) days' prior written notice, during normal business hours and in a manner that does not unreasonably disrupt the Processor's operations. Where appropriate, third-party audit reports and certifications (e.g. SOC 2 of sub-processors) shall be deemed sufficient.
The liability of the parties under this DPA is governed by the limitation of liability set out in §11 of the Terms of Service, save where mandatory law (in particular Art. 82 GDPR) provides otherwise.
In the event of any conflict between this DPA and the Terms of Service, this DPA prevails with regard to matters of data protection. In the event of any conflict between this DPA and any Standard Contractual Clauses or other safeguards implemented in respect of international transfers, those clauses prevail to the extent of the conflict.
Subject matter of the processing
Provision of the Covex CRO Shopify application: storage of widget configuration, delivery of widget configuration to the Controller's Shopify storefront via Shopify-managed metafields, recording of pseudonymous widget interaction events and provision of merchant-facing analytics.
Duration
For the duration of the Controller's installation of the App, plus up to 48 hours thereafter (until Shopify's shop/redact webhook is delivered).
Nature and purpose
Storage, structured retrieval, transmission to the Controller's Shopify storefront, and aggregation for analytics — solely for the purpose of providing the App as agreed.
Types of Personal Data
Categories of Data Subjects
Confidentiality
dest claim and never from request headers.store_id; row-level security on the database tier where applicable.Integrity
SHOPIFY_API_SECRET.Availability and resilience
Procedures for regular review
Procedures relating to data subjects' rights
customers/data_request, customers/redact, shop/redact) with HMAC validation; requests are processed within thirty (30) days and, in practice, on receipt.As of the date set out at the top of this page, the following sub-processors are engaged:
| Sub-processor | Purpose | Location of processing | Transfer safeguard |
|---|---|---|---|
| Shopify International Ltd. (IE) / Shopify Inc. (CA) | Platform on which the App runs; delivery of widget configuration to merchant storefronts; webhook delivery. | EU / Canada (adequacy decision) | Adequacy decision for Canada (commercial activities) and SCCs as included in Shopify's DPA where applicable. |
| Vercel Inc. (US) | Hosting of the application backend, storefront tracking endpoint and admin UI. | EU (Frankfurt, fra1) — configured | Standard Contractual Clauses (EU 2021/914) within Vercel's DPA. |
| Supabase, Inc. (US) | Managed PostgreSQL database for merchant configuration and widget event data. | EU (eu-central-1, Frankfurt) — configured | Standard Contractual Clauses (EU 2021/914) within Supabase's DPA. |
The Processor will update this list and notify the Controller before engaging any new sub-processor in accordance with §7 of this DPA.
See also our Impressum, our Privacy Policy and our Terms of Service.