1. Definitions
This Data Processing Agreement (“DPA”) is between PingLane (“Processor”) and you, the Customer (“Controller”). It forms part of the Terms and Conditions for using PingLane and applies whenever PingLane processes personal data on your behalf in delivering the Service. PingLane is available as an app on the Shopify App Store. By installing PingLane on your Shopify store, you agree to this DPA.
- “Controller” means you, the Customer. You decide what personal data is collected and why.
- “Processor” means PingLane. We process personal data on your behalf.
- “Personal Data” means any information that identifies, or can reasonably identify, a living person, as defined under applicable Data Protection Laws.
- “Data Protection Laws” means all privacy and data-protection laws that apply to the processing under this DPA, including as applicable: (a) the EU GDPR (Regulation (EU) 2016/679); (b) the UK GDPR as defined in the UK Data Protection Act 2018; (c) the Swiss Federal Act on Data Protection (revFADP); (d) the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA); and (e) any other national, state, or provincial privacy legislation in force from time to time.
- “Processing” means any operation carried out on personal data, such as collecting, storing, using, sharing, or deleting it (consistent with GDPR Art. 4(2)).
- “Sub-processor” means any third party engaged by PingLane to process Personal Data as part of the Service.
- “Data Subject” means the individual whose personal data is processed. In PingLane’s case, this is primarily a push notification Subscriber.
- “SCCs” means the Standard Contractual Clauses approved by European Commission Decision (EU) 2021/914 of 4 June 2021, as amended from time to time.
- “UK Addendum” means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, issued by the UK Information Commissioner’s Office and in force from 21 March 2022.
- “Service” has the meaning given in the Terms and Conditions.
- “Shopify Protected Customer Data” has the meaning given in the Shopify Partner Program Agreement and Shopify’s API Terms.
2. Scope and Roles
2.1 This DPA covers how PingLane processes Personal Data belonging to your website’s Subscribers in order to deliver the Service.
2.2 You are the Data Controller. PingLane is the Data Processor. PingLane only processes Personal Data based on your documented instructions, as set out in this DPA and the Terms and Conditions.
2.3 Where PingLane processes Personal Data for its own purposes (for example, account management, billing, product analytics, or fraud prevention), PingLane acts as an independent Controller. In those cases, the Privacy Policy applies.
2.4 Where you are yourself a Processor acting on behalf of a further Controller, the Module Three SCCs (Processor-to-Processor) apply, and you represent and warrant that you have the authority of the upstream Controller to engage PingLane as Sub-processor.
3. Details of Processing (SCC Annex I.B)
| Element | Details |
|---|---|
| Subject matter | Provision of the Service (web push notification delivery and related analytics/automation). |
| Nature of processing | Collecting, storing, transmitting, displaying, segmenting, analysing, and deleting push subscription and behavioural data. |
| Purpose | Delivering web push notifications on your behalf; Subscriber segmentation; automation workflows; notification performance analytics. |
| Duration | The term of the Terms and Conditions and, as applicable, any deletion/return period described in Section 5.8. |
| Categories of Personal Data | Push subscription tokens; approximate location (country, state, city); device type; browser type; timezone; optional Customer identity values (email, phone, external ID); browsing and cart-session data; notification engagement metrics. |
| Categories of Data Subjects | End users (Subscribers) who have opted in to push notifications on the Customer’s website. |
| Special category data | None processed by PingLane. The Customer must not configure the Service to collect special category data (GDPR Art. 9) or sensitive personal information (CPRA §1798.140(ae)). |
| Frequency of the transfer | Continuous, as required by the Service. |
| Retention period | For the duration of the active Subscriber subscription, or as the Customer instructs (see Section 5.8). |
| Location of processing | United States (Virginia). |
4. Your Instructions to Us
4.1 PingLane will process Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to a third country, unless required to do so by applicable law. Configurations you make within the Service (automations, segments, templates, notification sends) constitute your documented instructions.
4.2 Out-of-band instructions (e.g., emails to support) become binding only when PingLane expressly accepts them in writing.
4.3 If PingLane is legally required to process data in a way that goes beyond your instructions, PingLane will inform you of that requirement before processing, unless that law prohibits notification on important grounds of public interest.
4.4 PingLane will, without undue delay, inform the Controller if, in its opinion, an instruction infringes applicable Data Protection Laws.
4.5 By using PingLane, you represent and warrant that:
- You have a lawful basis under applicable Data Protection Laws for collecting and processing your Subscribers’ Personal Data.
- You have informed your Subscribers in your own privacy notice about push notifications and the data processed.
- You have obtained valid opt-in consent from your Subscribers through the browser permission prompt and (where applicable) supplementary consent mechanisms.
- You have an active Shopify store and meet Shopify’s minimum age requirement (18 years).
- You will not use the Service to process special category or sensitive personal data.
5. What PingLane Commits To
5.1 Confidentiality. Any personnel authorised to process Personal Data are bound by written confidentiality obligations or appropriate statutory obligations of confidentiality.
5.2 Security. PingLane implements appropriate technical and organisational measures as described in Annex II of this DPA. These include: encryption in transit (TLS 1.2+) and at rest (AES-256); role-based access controls and least-privilege principles; logging, monitoring, and anomaly detection; secure software-development practices and regular vulnerability scanning; annual third-party penetration testing; documented incident response and business-continuity procedures; and personnel security training. These measures will be reviewed and updated periodically.
5.3 Sub-processors. PingLane engages Sub-processors only under written contracts imposing data-protection obligations substantially equivalent to those in this DPA (consistent with GDPR Art. 28(4)). Current Sub-processors are listed in Annex III. New or replacement Sub-processors follow the notice and objection process in Section 7.
5.4 Data Subject Rights. Taking into account the nature of the processing, PingLane will assist the Controller by appropriate technical and organisational measures, insofar as possible, to fulfil the Controller’s obligation to respond to requests from Data Subjects under Chapter III of the GDPR and comparable rights under other Data Protection Laws. If PingLane receives a request directly from a Subscriber, PingLane will forward it to the Controller without undue delay and will not respond substantively unless the Controller authorises it. Subscribers can withdraw consent at any time by revoking the push permission in their browser settings; PingLane processes the resulting unsubscription promptly.
5.5 Data Breach Notification. PingLane will notify the Controller without undue delay, and in any event within 72 hours of becoming aware of a confirmed personal data breach affecting the Controller’s Personal Data, consistent with GDPR Art. 33(2). The notification will include, to the extent known: (a) the nature of the breach, categories and approximate number of Data Subjects and records affected; (b) the likely consequences of the breach; (c) measures taken or proposed to address the breach and mitigate adverse effects; and (d) the name and contact details of a point of contact. PingLane will cooperate reasonably with the Controller’s own breach-notification obligations to supervisory authorities and Data Subjects.
5.6 Privacy Impact Assessments. PingLane will provide reasonable assistance (at the Controller’s cost where the assistance is non-trivial) with Data Protection Impact Assessments and prior consultations under GDPR Arts. 35 and 36.
5.7 Audits. PingLane will make available to the Controller all information reasonably necessary to demonstrate compliance with this DPA, consistent with GDPR Art. 28(3)(h). Once per calendar year, the Controller (or an independent auditor bound by confidentiality, mandated by the Controller, and reasonably acceptable to PingLane) may audit PingLane’s compliance, subject to at least 30 days’ prior written notice, during normal business hours, without disrupting PingLane’s operations, and at the Controller’s cost (unless the audit reveals a material breach, in which case PingLane bears its reasonable costs). PingLane may satisfy audit requests by providing current SOC 2 Type II, ISO 27001, or equivalent third-party audit reports where those reports reasonably address the scope of the Controller’s audit request.
5.8 Return or Deletion on Termination. Upon termination of the Service, or earlier upon the Controller’s written request, PingLane will, at the Controller’s choice, delete or return all Personal Data processed on the Controller’s behalf and delete all existing copies within 30 days, save that PingLane may retain Personal Data to the extent required by law (in which case the Personal Data will remain subject to the security and confidentiality obligations of this DPA). The Controller may export Subscriber data via the Service dashboard or API during the term and for 30 days after termination.
5.9 Records of Processing. PingLane maintains records of processing activities carried out on behalf of the Controller in accordance with GDPR Art. 30(2).
5.10 Shopify Protected Customer Data. PingLane complies with Shopify’s Protected Customer Data requirements, including Level 1 protection (and Level 2 where applicable), and has implemented the Shopify mandatory compliance webhooks (customers/data_request, customers/redact, shop/redact).
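The three compliance webhooks named in Section 5.10 are the technical hook through which Sections 5.4 and 5.8 get exercised: Shopify POSTs a JSON body to the app, signed with the app’s client secret as base64(HMAC-SHA256) in the `X-Shopify-Hmac-Sha256` header, and the app must answer 401 to anything whose signature does not verify and 200 to a valid request. The example below is added here to show the shape of such a handler; it is not PingLane’s code and does not come from this DPA. It assumes Python, an in-memory subscriber store constructed for illustration (`SUBSCRIBERS`), the documented Shopify payload fields (`shop_domain`, `customer.id`, `customer.email`), and a constructed client secret; the function and field names beyond those are hypothetical.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample data: stands in for PingLane's subscriber database.
# Keyed by shop domain; each row holds a push token plus the optional
# Customer identity values listed in Section 3 (email, external customer id).
SUBSCRIBERS = {
    "example-store.myshopify.com": [
        {"token": "tok_a1", "email": "ana@example.com", "customer_id": 101, "country": "DE"},
        {"token": "tok_b2", "email": "ben@example.com", "customer_id": 202, "country": "US"},
    ],
    "other-store.myshopify.com": [
        {"token": "tok_c3", "email": None, "customer_id": None, "country": "FR"},
    ],
}


def sign_body(raw_body: bytes, client_secret: str) -> str:
    """Compute the value Shopify places in X-Shopify-Hmac-Sha256 for raw_body."""
    digest = hmac.new(client_secret.encode("utf-8"), raw_body, hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


def verify_shopify_hmac(raw_body: bytes, hmac_header: str, client_secret: str) -> bool:
    """Verify over the raw request bytes (not a re-serialised JSON object) and
    compare in constant time. The body must not be parsed before this passes."""
    return hmac.compare_digest(sign_body(raw_body, client_secret), hmac_header or "")


def _matches(row: dict, customer: dict) -> bool:
    """Link a subscriber row to the Shopify customer in the payload by id or email."""
    cid = customer.get("id")
    email = (customer.get("email") or "").lower()
    if cid is not None and row.get("customer_id") == cid:
        return True
    return bool(email) and (row.get("email") or "").lower() == email


def handle_compliance_webhook(topic: str, raw_body: bytes, hmac_header: str,
                              client_secret: str, store: dict = SUBSCRIBERS):
    """Return (http_status, response_body) for one compliance webhook delivery."""
    if not verify_shopify_hmac(raw_body, hmac_header, client_secret):
        return 401, {"error": "invalid hmac"}
    payload = json.loads(raw_body)
    shop = payload.get("shop_domain")
    rows = store.get(shop, [])
    customer = payload.get("customer") or {}

    if topic == "customers/data_request":
        # Section 5.4: the Controller (merchant) answers the data subject; the
        # processor assembles what it holds for that person and hands it over.
        matched = [r for r in rows if _matches(r, customer)]
        return 200, {"shop_domain": shop, "records": matched}

    if topic == "customers/redact":
        keep = [r for r in rows if not _matches(r, customer)]
        store[shop] = keep
        return 200, {"shop_domain": shop, "deleted": len(rows) - len(keep)}

    if topic == "shop/redact":
        # Section 5.8: delete everything held for the store after uninstall.
        removed = len(store.pop(shop, []))
        return 200, {"shop_domain": shop, "deleted": removed}

    return 404, {"error": "unknown topic"}


def demo() -> dict:
    """Exercise all three topics plus a tampered body against a fresh store copy."""
    secret = "constructed-client-secret"
    store = {k: list(v) for k, v in SUBSCRIBERS.items()}
    out = {}
    req = json.dumps({"shop_domain": "example-store.myshopify.com",
                      "customer": {"id": 101, "email": "ana@example.com"}}).encode()
    sig = sign_body(req, secret)
    out["data_request"] = handle_compliance_webhook("customers/data_request", req, sig, secret, store)
    # One extra byte with the original signature: rejected before json.loads runs.
    out["tampered"] = handle_compliance_webhook("customers/redact", req + b" ", sig, secret, store)
    out["customer_redact"] = handle_compliance_webhook("customers/redact", req, sig, secret, store)
    shop_req = json.dumps({"shop_domain": "example-store.myshopify.com"}).encode()
    out["shop_redact"] = handle_compliance_webhook("shop/redact", shop_req, sign_body(shop_req, secret), secret, store)
    out["remaining_shops"] = sorted(store)
    return out


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The point a reviewer would check first is the order of operations: the signature is verified over the exact bytes received, with a constant-time comparison, and only then is the body decoded and the shop/customer looked up. Matching on customer id or email reflects the optional identity values in Section 3; a subscriber row with neither is still removed by `shop/redact`, which deletes everything held for the store.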
6. What You Commit To
As the Controller, you agree to:
- Use the Service in line with all applicable Data Protection Laws.
- Provide valid notice and, where required, obtain valid consent from Subscribers before their Personal Data is collected.
- Not instruct PingLane to process Personal Data in a way that would violate Data Protection Laws.
- Notify PingLane promptly if you believe any instruction is unlawful.
- Not upload or process special category data or sensitive personal information through the Service.
- Be solely responsible for the legal basis of any transfer of Subscriber Personal Data from the EEA/UK/Switzerland to the United States by virtue of your use of the Service.
7. Sub-processors
7.1 The Controller grants PingLane a general written authorisation to engage Sub-processors, subject to this Section.
7.2 PingLane’s current Sub-processors are listed in Annex III.
7.3 PingLane will notify the Controller of any intended addition or replacement of Sub-processors with at least 30 days’ prior written notice (by email or in-dashboard notice). The Controller may object in writing on reasonable data-protection grounds within the notice period. If the parties cannot resolve the objection in good faith, the Controller may terminate the affected part of the Service with pro-rata refund of any prepaid, unused fees.
7.4 PingLane remains liable to the Controller for the acts and omissions of its Sub-processors in relation to the processing of Personal Data.
8. International Data Transfers
8.1 PingLane stores and processes all data in the United States (Virginia), for every Customer and every Subscriber, regardless of location. PingLane does not offer data-residency options.
8.2 If you or any of your Subscribers are located in the EEA, United Kingdom, or Switzerland, Personal Data will be transferred to and stored in the United States. You are responsible for ensuring a valid legal basis for that transfer.
8.3 To support lawful transfers, the parties agree the following transfer mechanisms, which are incorporated into this DPA by reference:
- EEA transfers: The SCCs (EU Commission Decision (EU) 2021/914), Module Two (Controller-to-Processor) where PingLane receives Personal Data from a Controller; Module Three (Processor-to-Processor) where the Customer is itself a Processor. The optional clauses are selected as follows: Clause 7 (docking) - included; Clause 9(a) option 2 (general authorisation) - selected, with 30-day notice; Clause 11(a) independent dispute resolution - not selected; Clause 17 governing law - law of Ireland; Clause 18 forum and jurisdiction - courts of Ireland. Annexes I, II, and III are as set out in this DPA.
- UK transfers: The UK Addendum is incorporated and completed with Table 1 (parties) from Annex I.A; Table 2 selecting “the Approved EU SCCs … Modules in operation” as selected above; Table 3 mirroring Annexes I, II, and III; and Table 4 with neither party permitted to end the Addendum as set out in Section 19.
- Swiss transfers: The SCCs apply with the Swiss FDPIC’s amendments: references to “GDPR” include the revFADP; “supervisory authority” includes the FDPIC; “EU Member State” is not interpreted to exclude Data Subjects from invoking their rights in Switzerland.
8.4 Transfer Impact Assessment. PingLane will provide the Controller, on request, with information reasonably required to assess the risks associated with the transfer and the adequacy of supplementary measures, in line with the EDPB’s Recommendations 01/2020.
8.5 By accepting this DPA, the parties enter into the applicable SCCs (and, as appropriate, the UK Addendum and Swiss amendments) to the extent needed to legitimise any cross-border transfer. In the event of any conflict between the body of this DPA and the SCCs/UK Addendum, the SCCs/UK Addendum prevail.
9. GDPR / UK GDPR Specific Points
Where the GDPR or UK GDPR applies:
- PingLane acts as a “Processor” under Article 4(8).
- The Customer acts as a “Controller” under Article 4(7).
- PingLane processes Personal Data only on documented instructions, unless otherwise required by law.
- PingLane maintains records of processing activities under Article 30(2).
- Point of contact. For all data-protection matters, including inquiries under Article 27 of the GDPR/UK GDPR, PingLane can be contacted directly at [email protected].
10. CCPA / CPRA Specific Points
Where the CCPA/CPRA applies:
- PingLane is a “Service Provider” as defined under §1798.140(ag) of the CCPA.
- PingLane will not: (a) sell or share Personal Information; (b) retain, use, or disclose Personal Information outside the direct business relationship between the parties; (c) retain, use, or disclose Personal Information for any purpose other than for the specific purpose of performing the Services; or (d) combine Personal Information received from the Customer with Personal Information from other sources, except as permitted by §1798.140(ag)(1)(D).
- PingLane will notify the Customer if it determines it can no longer meet its obligations under the CCPA/CPRA.
- The Customer may take reasonable and appropriate steps to stop and remediate unauthorised use of Personal Information.
11. Liability
11.1 Each party’s liability under or in connection with this DPA is subject to the limitations and exclusions of liability set out in the Terms and Conditions.
11.2 Nothing in this Section limits either party’s statutory liability to Data Subjects under GDPR Art. 82, UK GDPR Art. 82, or equivalent law.
12. Term and Termination
This DPA remains in force for as long as PingLane processes Personal Data on behalf of the Controller. It terminates automatically when the Terms and Conditions terminate, save that any clauses which by their nature should survive termination (including Sections 5.1, 5.5, 5.8, 11 and this Section 12) will continue to apply.
13. Order of Precedence
If there is any conflict between this DPA and the Terms and Conditions, this DPA takes priority for anything related to data protection. If there is any conflict between this DPA and the SCCs / UK Addendum, the SCCs / UK Addendum take priority.
14. Contact
For data-protection questions or to exercise any rights under this DPA, please contact:
PingLane
Email: [email protected]
Support: [email protected]
Annex I - Description of Processing and Parties
I.A - List of Parties
- Data Exporter (Controller): The Customer as identified in the Shopify App Store installation (business name, address, contact per Shopify Partner record).
- Data Importer (Processor): PingLane (full legal entity name and address to be inserted on execution).
I.B - Description of Processing
See Section 3 of this DPA.
I.C - Competent Supervisory Authority
- For EEA transfers: the supervisory authority of Ireland (the Data Protection Commission).
- For UK transfers: the UK Information Commissioner’s Office.
- For Swiss transfers: the Federal Data Protection and Information Commissioner (FDPIC).
Annex II - Technical and Organisational Measures
Including as appropriate to the nature, scope, context, and purposes of the processing, and the risks to Data Subjects:
- Encryption. TLS 1.2+ for data in transit; AES-256 (or equivalent) for data at rest; key management through a managed cloud KMS.
- Access Controls. Role-based access with least-privilege defaults; MFA on all administrative access; quarterly access reviews; rapid de-provisioning on role change or termination.
- Network Security. Segmented VPC; restrictive security groups; bastion/jump-host access; DDoS protection at the cloud-provider edge; web application firewall.
- Application Security. Secure SDLC; code review; dependency scanning; static and dynamic analysis; annual third-party penetration test; bug-bounty or responsible-disclosure programme.
- Monitoring and Logging. Centralised logging; anomaly and intrusion detection; on-call incident response; tabletop exercises.
- Backup and Resilience. Encrypted, geo-redundant backups within the United States; tested restore procedures; documented RTO/RPO.
- Personnel. Background checks where permitted by law; confidentiality agreements; annual security and privacy training.
- Vendor Management. Due-diligence on Sub-processors; contractual data-protection commitments; periodic re-assessment.
- Pseudonymisation/Minimisation. Push tokens are opaque identifiers; raw IP addresses are not stored; geolocation is coarsened at the point of collection.
- Governance. Documented information-security policy; designated security owner; incident-response runbooks; annual policy review.
Annex III - Sub-processors
| Sub-processor | Purpose | Location | Transfer Mechanism |
|---|---|---|---|
| Cloud infrastructure provider (to be identified by name on request) | Database, compute, and application hosting | United States (Virginia) | US processor; SCCs apply for EEA/UK/Swiss transfers |
| Shopify Billing (Shopify Inc.) | Payment processing for subscription fees | Canada | UK/EEA adequacy (Canada - PIPEDA partial adequacy for commercial data) |
| Email delivery provider (to be identified by name on request) | Transactional emails (account notifications) | United States | SCCs apply for EEA/UK/Swiss transfers |
The list of current Sub-processors is available to the Customer upon request. PingLane will notify Customers of any changes to Sub-processors as set out in Section 7.
End of DPA.
