Data Processing Agreement (DPA)

Effective Date: [Date of Acceptance]
This DPA incorporates the EU Standard Contractual Clauses (SCCs) for international data transfers, ensuring GDPR compliance for transfers from the EEA to the United States.
This Data Processing Agreement (“DPA”) forms part of the agreement between:
  • Data Controller: The merchant/customer using Glood.AI services (“Customer” or “Controller”)
  • Data Processor: Glood.AI, operated by LoopClub Ltd (“Glood” or “Processor”)
(each a “Party” and collectively the “Parties”)

1. Definitions

In this DPA, the following terms shall have the meanings set out below:
  • “Data Protection Laws”: All applicable data protection laws including GDPR (EU 2016/679), CCPA, and any other applicable privacy regulations
  • “Personal Data”: Any information relating to an identified or identifiable natural person as defined under Data Protection Laws
  • “Processing”: Any operation performed on Personal Data, including collection, storage, use, disclosure, or deletion
  • “Data Subject”: The individual to whom Personal Data relates
  • “Sub-processor”: Any third party engaged by Processor to process Personal Data

2. Processing of Personal Data

2.1 Scope and Purpose

Purpose of Processing: Providing AI-powered personalization, product recommendations, and analytics services for e-commerce optimization on Shopify stores.
Categories of Data Subjects:
  • Website visitors
  • Customers of the Controller
  • Prospective customers
Types of Personal Data Processed:
  • Identifiers (name, email, IP address)
  • Shopping behavior (browsing history, product views, cart data)
  • Transaction data (purchase history, order details)
  • Device information (browser type, device type, screen resolution)
  • Cookie identifiers (rk_uid, rk.uid)
Duration of Processing: For the duration of the service agreement plus any retention period required by law or as specified in Section 5.

2.2 Processor’s Obligations

The Processor shall:
a) Process Personal Data only on documented instructions from the Controller, including transfers to third countries
b) Ensure that persons authorized to process Personal Data have committed to confidentiality
c) Implement appropriate technical and organizational measures to ensure security of processing
d) Not engage sub-processors without prior written consent of the Controller
e) Assist the Controller in responding to data subject requests
f) Assist the Controller in ensuring compliance with security, breach notification, and assessment obligations
g) Delete or return all Personal Data after the end of services, at the Controller’s choice
h) Make available all information necessary to demonstrate compliance and allow for audits

3. Controller’s Obligations

The Controller shall:
a) Ensure that it has all necessary lawful bases for the processing of Personal Data
b) Provide clear instructions regarding the processing of Personal Data
c) Ensure compliance with all applicable Data Protection Laws
d) Inform the Processor immediately of any changes to Data Protection Laws affecting processing
e) Handle all communications with data subjects and supervisory authorities unless otherwise agreed

4. Security Measures

4.1 Technical and Organizational Measures

The Processor implements and maintains the following security measures:
Technical Measures:
  • Encryption at rest and in transit (TLS 1.2+ for transit, AES-256 for storage)
  • Access controls and authentication systems
  • Regular security updates and patches
  • Firewall and intrusion detection systems
  • Regular automated backups
Organizational Measures:
  • Role-based access control (RBAC)
  • Confidentiality agreements with all personnel
  • Regular security training for staff
  • Audit logs of all data access
  • Incident response procedures

4.2 Security Compliance

The Processor maintains compliance with:
  • Shopify Partner Agreement requirements
  • Industry standard security practices
  • Regular security assessments

5. Data Retention and Deletion

5.1 Retention Periods

  • Real-time event data: 365 days from collection
  • Order/transaction data: Duration of the service agreement
  • Cookie data with consent: 1 year
  • Cookie data without consent: 24 hours

5.2 Data Deletion

Upon termination of services or upon Controller’s request:
  • All Personal Data will be deleted within 2 days
  • Deletion confirmation will be provided to Controller
  • Exception: Data required to be retained by law

6. Data Subject Rights

6.1 Assistance with Requests

The Processor shall assist the Controller in fulfilling data subject requests for:
  • Access to Personal Data
  • Rectification of Personal Data
  • Erasure of Personal Data
  • Restriction of processing
  • Data portability
  • Objection to processing

6.2 Automated Processing via Shopify

The Processor has implemented Shopify’s mandatory compliance webhooks:
  • customers/data_request - for access requests
  • customers/redact - for deletion requests
  • shop/redact - for shop data deletion

7. Sub-processors

7.1 Current Sub-processors

Glood.AI does not currently engage any sub-processors for processing Personal Data. All processing occurs within Glood’s own infrastructure.

7.2 Addition of Sub-processors

The Processor shall:
  • Notify the Controller of any intended addition or replacement of sub-processors
  • Provide the Controller with 30 days to object to such changes
  • Ensure sub-processors are bound by equivalent data protection obligations

8. International Data Transfers

8.1 Standard Contractual Clauses

For transfers of Personal Data from the European Economic Area (EEA), United Kingdom, or Switzerland to the United States, the Parties agree to be bound by the Standard Contractual Clauses (Module 2: Controller to Processor) pursuant to Commission Implementing Decision (EU) 2021/914 (“SCCs”).

8.2 SCC Implementation

For purposes of the SCCs:
  • Data Exporter: The Controller (Merchant)
  • Data Importer: The Processor (Glood.AI)
  • Competent Supervisory Authority: The supervisory authority in the Data Exporter’s jurisdiction
  • Governing Law for SCCs: Laws of the Data Exporter’s jurisdiction

8.3 SCC Annexes

The following information supplements the SCCs:
Annex I - Transfer Details
  • Categories of data subjects: As specified in Section 2.1 of this DPA
  • Categories of personal data: As specified in Section 2.1 of this DPA
  • Processing purposes: Providing AI-powered personalization and recommendations for e-commerce
  • Retention period: As specified in Section 5 of this DPA
Annex II - Technical and Organizational Measures
  • Encryption at rest (AES-256) and in transit (TLS 1.2 or higher)
  • Role-based access controls with multi-factor authentication
  • Regular security updates and vulnerability patches
  • Audit logging of all data access
  • Incident response procedures
  • Regular backups with encryption

8.4 Supplementary Measures

In addition to the SCCs, the Processor implements these supplementary measures to ensure adequate protection:
  • Encryption: All Personal Data is encrypted using industry-standard encryption both at rest and in transit
  • Access Controls: Strict access limitations with logging and monitoring
  • Legal Protections: Commitment to challenge any unlawful government data requests
  • Transparency: Notification to Controller if legally compelled to disclose data (where permitted by law)

8.5 Transfer Impact Assessment

The Processor has assessed the laws and practices of the United States and confirms that, with the supplementary measures in place, they do not impinge on the effectiveness of the SCCs. This assessment is available upon request.

9. Data Breach Management

9.1 Breach Notification

In the event of a Personal Data breach, the Processor shall:
  • Notify the Controller without undue delay and within 48 hours of becoming aware
  • Provide details of the nature, scope, and impact of the breach
  • Describe measures taken to address the breach
  • Cooperate with the Controller in notifying supervisory authorities and data subjects

9.2 Breach Records

The Processor maintains records of all Personal Data breaches, including:
  • Facts relating to the breach
  • Effects and consequences
  • Remedial action taken

10. Compliance Verification

10.1 Demonstration of Compliance

To satisfy GDPR Article 28(3)(h) requirements, the Processor shall:
a) Provide Information: Make available to the Controller, upon reasonable written request:
  • Documentation of security measures and data protection practices
  • Confirmation of compliance with this DPA and applicable Data Protection Laws
  • Summary reports of data processing activities relevant to the Controller
b) Compliance Methods: The Controller may verify Processor’s compliance through:
  • Review of Processor’s security documentation and policies
  • Questionnaires or self-assessment forms provided by the Processor
  • Review of Shopify Partner Program compliance status
  • Third-party certifications or attestations obtained by the Processor (when available)

10.2 Limitations

  • Information requests shall be limited to once per twelve (12) month period unless required by Data Protection Laws
  • The Processor may redact confidential information not relevant to the Controller’s data processing
  • All information shared is subject to confidentiality obligations
  • The Controller shall provide at least 30 days written notice for any compliance verification request

10.3 Costs

  • The first annual compliance verification request shall be at no cost to the Controller
  • Additional requests may be subject to reasonable fees based on the Processor’s time and resources

11. Liability and Indemnification

11.1 Liability

Each Party’s liability under this DPA shall be subject to the limitations set forth in the main service agreement.

11.2 Indemnification

Each Party shall indemnify the other against losses arising from its breach of this DPA or applicable Data Protection Laws.

12. Term and Termination

12.1 Duration

This DPA shall remain in effect for the duration of the main service agreement.

12.2 Survival

Sections relating to confidentiality, data deletion, and liability shall survive termination.

13. Miscellaneous

13.1 Governing Law

This DPA shall be governed by the laws applicable to the main service agreement.

13.2 Amendments

Amendments to this DPA must be made in writing and agreed by both Parties.

13.3 Severability

If any provision is found invalid, the remaining provisions shall continue in effect.

13.4 Order of Precedence

In case of conflict between this DPA and the main agreement, this DPA shall prevail regarding data protection matters.

14. Contact Information

Data Processor Contact

Glood.AI - LoopClub Inc.
Data Protection Officer: Harshul Jain
Email: privacy@glood.ai
Support: support@glood.ai

Data Controller Contact

To be completed by the Customer:
Company Name: _______________________
Contact Person: _______________________
Email: _______________________
Address: _______________________

Signature

By accepting Glood.AI’s services or clicking “Accept” in the application, the Controller agrees to the terms of this Data Processing Agreement.

For Glood.AI (Data Processor)
Harshul Jain
Founder & Data Protection Officer
LoopClub Inc. / Glood.AI

For Customer (Data Controller)
Name: _______________________
Title: _______________________
Date: _______________________
This DPA is designed to comply with GDPR Article 28 requirements. For specific legal advice regarding your data processing activities, please consult with a qualified data protection attorney.
Questions about this DPA?
Contact our Data Protection Officer at privacy@glood.ai or our support team at support@glood.ai