Data Processing Agreement

Auftragsverarbeitungsvertrag gemäß Art. 28 DSGVO

Last updated: 19 May 2026

Preamble

This Data Processing Agreement (the "DPA") forms part of and is incorporated into the Terms of Service between:

Processor: A.B. Digital Solutions UG (haftungsbeschränkt), Hartweg 39, 72793 Pfullingen, Germany, registered with Amtsgericht Stuttgart under HRB 805052, represented by Alexander Bossert (the "Processor");

Controller: the Shopify merchant entity that installs the Covex CRO application on its Shopify store (the "Controller").

By installing or continuing to use the App, the Controller accepts this DPA on its own behalf and on behalf of its affiliates whose personal data is processed via the App.

1. Definitions

Terms used but not defined herein have the meaning given to them in the General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR"). "Processing" and "Personal Data" have the meaning given in Art. 4 GDPR. "Data Subject" means an identified or identifiable natural person to whom the Personal Data relates.

2. Subject matter, nature and purpose of processing

The Processor processes Personal Data on behalf of the Controller solely for the purpose of providing the Covex CRO Shopify application as described in the Terms of Service. Details of the processing are set out in Annex 1.

3. Duration

This DPA applies for as long as the Processor processes Personal Data on behalf of the Controller, i.e. from installation of the App until full deletion of the Controller's data following Shopify's shop/redact webhook.

4. Controller's instructions

The Processor processes Personal Data only on documented instructions of the Controller, including with regard to transfers of Personal Data to a third country or international organisation, unless required to do so by Union or Member State law to which the Processor is subject. The configuration of the App by the Controller in the Shopify admin and the Controller's use of the App constitute documented instructions for the purposes of this DPA.

The Processor will immediately inform the Controller if, in its opinion, an instruction infringes the GDPR or other applicable data protection provisions.

5. Confidentiality

The Processor ensures that persons authorised to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

6. Technical and organisational measures (TOMs)

The Processor implements appropriate technical and organisational measures pursuant to Art. 32 GDPR to ensure a level of security appropriate to the risk. The measures are set out in Annex 2 and may be updated by the Processor at any time, provided the overall level of protection is not reduced.

7. Sub-processors

The Controller grants the Processor a general authorisation to engage sub-processors. The Processor maintains the current list of sub-processors in Annex 3.

The Processor will inform the Controller of any intended changes concerning the addition or replacement of sub-processors at least thirty (30) days in advance, thereby giving the Controller the opportunity to object to such changes. Notification will be made by email to the address registered with the Controller's Shopify store and/or by updating this page. If the Controller objects on reasonable grounds related to data protection, the Controller may terminate the Terms with effect from the date the new sub-processor is engaged.

The Processor imposes on each sub-processor the same data protection obligations as set out in this DPA by way of a written contract.

8. International data transfers

Personal Data is processed within the European Union. Where a sub-processor is established in a third country (e.g. the corporate headquarters of Vercel Inc. and Supabase, Inc. in the United States), the transfer is governed by the Standard Contractual Clauses pursuant to Commission Implementing Decision (EU) 2021/914 and/or other appropriate safeguards within the meaning of Art. 46 GDPR included in the relevant sub-processor agreement.

9. Assistance with data subject rights

Taking into account the nature of the processing, the Processor assists the Controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Controller's obligation to respond to requests for exercising Data Subject rights under Chapter III of the GDPR (Art. 15 to 22). The mandatory Shopify GDPR webhooks implemented by the App (customers/data_request, customers/redact, shop/redact) form the primary mechanism for such assistance.

10. Assistance with security, breach notification and DPIA

The Processor assists the Controller in complying with its obligations under Art. 32 to 36 GDPR (security, breach notification, data protection impact assessment, prior consultation), taking into account the nature of the processing and the information available to the Processor.

The Processor notifies the Controller without undue delay, and in any event within seventy-two (72) hours after becoming aware, of any Personal Data breach affecting the Controller's Personal Data. The notification will include, to the extent available: a description of the nature of the breach, the categories and approximate number of Data Subjects and records concerned, the likely consequences, and the measures taken or proposed to address the breach.

11. Deletion or return of Personal Data

Upon termination of the Terms, the Processor deletes all Personal Data processed on behalf of the Controller within thirty (30) days, in practice within 48 hours of receiving Shopify's shop/redact webhook, unless Union or Member State law requires storage of the Personal Data. The same applies in respect of test and waste material.

12. Audit rights

The Processor makes available to the Controller all information necessary to demonstrate compliance with Art. 28 GDPR and allows for and contributes to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller.

Audits will be conducted at the Controller's expense, no more than once per calendar year (save where required by a supervisory authority or in the event of a substantiated Personal Data breach) and upon thirty (30) days' prior written notice, during normal business hours and in a manner that does not unreasonably disrupt the Processor's operations. Where appropriate, third-party audit reports and certifications (e.g. SOC 2 of sub-processors) shall be deemed sufficient.

13. Liability

The liability of the parties under this DPA is governed by the limitation of liability set out in §11 of the Terms of Service, save where mandatory law (in particular Art. 82 GDPR) provides otherwise.

14. Order of precedence

In the event of any conflict between this DPA and the Terms of Service, this DPA prevails with regard to matters of data protection. In the event of any conflict between this DPA and any Standard Contractual Clauses or other safeguards implemented in respect of international transfers, those clauses prevail to the extent of the conflict.

Annex 1 — Description of the processing

Subject matter of the processing

Provision of the Covex CRO Shopify application: storage of widget configuration, delivery of widget configuration to the Controller's Shopify storefront via Shopify-managed metafields, recording of pseudonymous widget interaction events and provision of merchant-facing analytics.

Duration

For the duration of the Controller's installation of the App, plus up to 48 hours thereafter (until Shopify's shop/redact webhook is delivered).

Nature and purpose

Storage, structured retrieval, transmission to the Controller's Shopify storefront, and aggregation for analytics — solely for the purpose of providing the App as agreed.

Types of Personal Data

  • Controller account data: shop domain; encrypted Shopify Admin API access token; plan / billing status; contact email (where provided directly).
  • Storefront event data: pseudonymous session ID; widget event type; widget ID; URL of the page on which the event occurred; transient IP address used for rate-limiting only.
  • Widget configuration: may contain text, images and product references that the Controller chooses to display on its storefront and that may, depending on the Controller's choices, contain Personal Data (e.g. names in customer testimonials).

Categories of Data Subjects

  • Controller's staff and authorised representatives who use the App.
  • Visitors of the Controller's Shopify storefront (only as pseudonymous Data Subjects).
  • Any natural persons whose data the Controller chooses to include in widget content.

Annex 2 — Technical and organisational measures (Art. 32 GDPR)

Confidentiality

  • Access control: managed cloud infrastructure with provider-side physical access control (Vercel data centres, Supabase data centres); the Processor itself maintains no on-premise hardware.
  • Logical access control: administrator access protected by strong passwords, two-factor authentication and least-privilege IAM roles on all provider consoles (Shopify Partner Dashboard, Vercel, Supabase, source repository, email).
  • Authentication of merchants: Shopify App Bridge session-token (JWT) verification on every authenticated request; the shop is derived from the verified JWT's dest claim and never from request headers.
  • Encryption at rest: Shopify Admin API access tokens are encrypted using AES-256-GCM before being stored in the database; the database is encrypted at rest by the infrastructure provider.
  • Encryption in transit: TLS 1.2 or higher for all communication, including App Bridge, webhooks and the storefront tracking endpoint.
  • Separation: per-shop logical isolation by store_id; row-level security on the database tier where applicable.

Integrity

  • HMAC validation on all incoming Shopify webhooks, including the mandatory GDPR webhooks, using SHOPIFY_API_SECRET.
  • Origin / Referer validation and IP-based rate-limiting on the public storefront tracking endpoint.
  • Source-controlled deployment with peer review of code changes; no manual production-only changes.

Availability and resilience

  • Highly available managed hosting (Vercel) with automatic horizontal scaling.
  • Managed PostgreSQL on Supabase with point-in-time recovery backups retained per the provider's plan defaults.
  • Deployment pipeline allows rapid rollback to the previous release.

Procedures for regular review

  • Periodic review of access permissions and sub-processor contracts.
  • Dependency updates and security advisories monitored on an ongoing basis.
  • Documentation of processing activities maintained pursuant to Art. 30 GDPR.

Procedures relating to data subjects' rights

  • Implementation of the three mandatory Shopify privacy webhooks (customers/data_request, customers/redact, shop/redact) with HMAC validation; requests are processed within thirty (30) days and, in practice, on receipt.

Annex 3 — Approved sub-processors

As of the date set out at the top of this page, the following sub-processors are engaged:

Sub-processorPurposeLocation of processingTransfer safeguard
Shopify International Ltd. (IE) / Shopify Inc. (CA)Platform on which the App runs; delivery of widget configuration to merchant storefronts; webhook delivery.EU / Canada (adequacy decision)Adequacy decision for Canada (commercial activities) and SCCs as included in Shopify's DPA where applicable.
Vercel Inc. (US)Hosting of the application backend, storefront tracking endpoint and admin UI.EU (Frankfurt, fra1) — configuredStandard Contractual Clauses (EU 2021/914) within Vercel's DPA.
Supabase, Inc. (US)Managed PostgreSQL database for merchant configuration and widget event data.EU (eu-central-1, Frankfurt) — configuredStandard Contractual Clauses (EU 2021/914) within Supabase's DPA.

The Processor will update this list and notify the Controller before engaging any new sub-processor in accordance with §7 of this DPA.

See also our Impressum, our Privacy Policy and our Terms of Service.