This Data Processing Agreement ("DPA") forms part of the Terms of Service between [YOUR LEGAL ENTITY NAME] ("Processor", "MerchantWatch") and the customer ("Controller") and governs the processing of personal data on behalf of the Controller in connection with the use of the MerchantWatch Service.
1. Subject and duration
The Processor processes personal data on behalf of the Controller for the purpose of providing the MerchantWatch service as described in the Terms of Service and Privacy Policy. The DPA remains in force for as long as the Processor processes personal data on the Controller's behalf.
2. Nature and purpose of processing
The Processor processes personal data submitted by the Controller (e.g. account information, watchlist data, notes) and generated by the Controller's use of the Service (e.g. usage logs). The purpose is to deliver the Service contracted for: database access, saved searches, alerts, exports, and integrations.
3. Categories of data subjects and personal data
Data subjects: the Controller's authorised users (employees, contractors with login access).
Categories of personal data:
- Identification data (name, email, organisation)
- Authentication data (password hashes, session tokens)
- Billing data (billing address, VAT-ID, payment metadata)
- Usage data (IP, browser, actions taken in the Service)
- Content data created by users (saved searches, notes, tags, watchlist composition)
Important: the Service's product database contains company data and public signals about Shopify storefronts — not personal data about identified or identifiable individuals. The Processor does not process decision-maker contact data on behalf of the Controller.
4. Obligations of the Processor
The Processor undertakes to:
- Process personal data only on documented instructions from the Controller (Art. 28(3)(a) GDPR), including for transfers to third countries
- Ensure that personnel authorised to process personal data are subject to confidentiality obligations
- Implement appropriate technical and organisational measures to ensure data security (Art. 32 GDPR) — see Annex 1
- Engage sub-processors only with the Controller's prior authorisation; current sub-processors are listed in Annex 2
- Assist the Controller in responding to data-subject rights requests (Art. 12–22 GDPR)
- Notify the Controller without undue delay of any personal data breach
- On termination, delete or return all personal data, unless retention is required by Union or Member State law
5. Sub-processors
The Controller authorises the Processor to engage sub-processors listed in Annex 2. The Processor will notify the Controller of any intended changes (addition, replacement) at least 30 days in advance, and the Controller may object on reasonable grounds.
6. International transfers
Where personal data is transferred outside the European Economic Area, the Processor relies on Standard Contractual Clauses (SCCs) approved by the European Commission and applies supplementary measures as required by EU case law (Schrems II).
7. Audits
The Processor will make available to the Controller, upon reasonable request, all information necessary to demonstrate compliance with this DPA, including third-party audit reports (e.g. SOC 2, ISO 27001) where applicable. On-site audits may be arranged at the Controller's reasonable expense and with reasonable notice.
8. Liability
Liability of the parties is governed by the Terms of Service and applicable law (in particular Art. 82 GDPR for damages caused by non-compliant processing).
9. Term and termination
This DPA is concluded for the duration of the Terms of Service and terminates automatically upon termination of the underlying contract.
10. Governing law
This DPA is governed by the laws of the Federal Republic of Germany. Place of jurisdiction is [CITY OF YOUR REGISTERED OFFICE], Germany.
Annex 1 — Technical and organisational measures (Art. 32 GDPR)
Confidentiality
- Access control: SSO/MFA on all production systems
- Role-based access with least-privilege principle
- Encrypted communication (TLS 1.2+) and data at rest (AES-256)
- Confidentiality obligations on all personnel
Integrity
- Audit logging on all production systems
- Code review on all production changes
- Backup with point-in-time recovery
Availability and resilience
- Production hosting on [HOSTING PROVIDER — Vercel + Supabase EU region] with redundancy
- Monitoring and incident response procedures
Procedures for evaluation and review
- Periodic review of access rights
- Annual review of technical and organisational measures
Annex 2 — Sub-processors
The Processor uses the following sub-processors to deliver the Service. All are bound by Data Processing Agreements as required under Art. 28(4) GDPR.
- Supabase, Inc. — auth, database, file storage (EU region)
- Vercel, Inc. — web hosting (EU region where configured)
- Stripe Payments Europe Ltd. — payment processing (Ireland / USA, SCCs)
- [TRANSACTIONAL EMAIL — Postmark / Resend] — transactional email delivery
- [ANALYTICS PROVIDER] — privacy-friendly product analytics
For an up-to-date list, contact privacy@merchantwatch.app.