This DPA forms part of the Terms between the merchant (“Controller”) and Specably (“Processor”) and applies to processing of personal data under applicable laws (incl. GDPR/UK GDPR and US state privacy laws).
- Scope & roles. Processor processes Controller’s data solely to provide the App. The App accesses product/catalog and store-content data and does not access Shopify Protected Customer Data (orders/customers). Any personal data processed is limited to what a shopper may voluntarily include in a submitted question (discouraged) and any personal data the Controller places in store content.
- Instructions. Processor processes data only on the Controller’s documented instructions (including via App settings) and as needed to provide the service.
- Confidentiality. Personnel are bound by confidentiality.
- Security. Processor implements appropriate technical and organizational measures (encryption in transit/at rest, access controls, logging).
- Sub-processors. Controller authorizes the sub-processors listed on our Sub-processors page; Processor remains responsible for them and will give notice of material changes.
- Data-subject requests. Processor will assist Controller in responding to data-subject requests, including via Shopify’s customers/data_request, customers/redact, and shop/redact webhooks.
- International transfers. Where applicable, the parties rely on Standard Contractual Clauses or other valid mechanisms.
- Deletion. On uninstall/termination, Processor deletes Controller data within 30 days (subject to legal retention requirements).
- Breach notice. Processor will notify Controller without undue delay after becoming aware of a personal-data breach.
- Audits. Processor will make available information reasonably necessary to demonstrate compliance.