Data Processing Agreement

This Data Processing Agreement ("DPA") is entered into between:

You (the "Merchant" or "Controller"), the entity that has installed the My Product Cares application from the Shopify App Store and uses it to collect and manage data from your end customers;

and

Vital Iteration, a UK-based company operating under the brand Varify ("Processor", "We", or "Us"), the developer and provider of the My Product Cares application.

1. Background

1.1 The Controller uses My Product Cares (the "App") to manage product registrations, warranty claims, and related customer interactions.

1.2 In providing the App, the Processor may process personal data on behalf of the Controller. This includes data submitted by the Controller's end customers through forms configured within the App.

1.3 This DPA sets out the terms under which the Processor will process personal data on the Controller's behalf, in compliance with the UK GDPR, the EU GDPR, and applicable data protection legislation (collectively, "Data Protection Law").

1.4 This DPA is incorporated into and forms part of the Terms and Conditions governing the Controller's use of the App. In case of conflict, this DPA prevails with respect to data processing matters.

2. Definitions

2.1 "Personal Data" means any information relating to an identified or identifiable natural person processed by the Processor on behalf of the Controller through the App.

2.2 "Data Subject" means the identified or identifiable natural person to whom Personal Data relates (the Controller's end customers).

2.3 "Sub-Processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.

2.4 "Processing" has the meaning given in applicable Data Protection Law and includes collection, recording, organisation, structuring, storage, adaptation, retrieval, consultation, use, disclosure, alignment, restriction, erasure, or destruction of Personal Data.

2.5 Other capitalised terms have the meanings given in the Terms and Conditions or in applicable Data Protection Law.

3. Roles

3.1 The Controller determines the purposes and means of processing Personal Data. The Controller is responsible for:

• Deciding what Personal Data to collect (through form design and field configuration)

• Establishing the lawful basis for processing

• Providing a privacy notice to Data Subjects

• Responding to Data Subject requests

  3.2 The Processor processes Personal Data solely on the Controller's documented instructions and for the purpose of providing the App. The Processor does not:

• Determine the purposes or means of processing

• Sell, share, or use Personal Data for its own purposes

• Use Personal Data for any purpose other than providing the App

4. Details of Processing

4.1 Subject matter: Provision of the My Product Cares application.

4.2 Purpose: Processing data submitted through the Controller's forms and making that data available to the Controller for management within the App.

4.3 Duration: For the term of the Controller's subscription to the App.

4.4 Data Subjects: The Controller's end customers who submit data through the App's forms.

4.5 Types of Personal Data: As determined by the Controller through form configuration. May include (but is not limited to) name, email address, phone number, postal address, product information, serial numbers, custom form field responses, and uploaded files. Email address is the only mandatory field required for product registrations and warranty claims to enable customer communication; all other fields are at the Controller's discretion.

5. Processor Obligations

The Processor shall:

5.1 Process Personal Data only on the Controller's documented instructions.

5.2 Ensure persons authorised to process Personal Data are committed to confidentiality.

5.3 Implement appropriate technical and organisational measures as described in Annex A.

5.4 Assist the Controller in responding to Data Subject requests. The App provides tools for the Controller to access, edit, export, and delete Personal Data.

5.5 Notify the Controller without undue delay upon becoming aware of a Personal Data breach.

5.6 Assist the Controller with data protection impact assessments where required.

5.7 Delete or return all Personal Data to the Controller after the end of the provision of services.

5.8 Make information available to demonstrate compliance with this DPA and contribute to audits.

6. Sub-Processors

6.1 The Controller provides general authorisation for the Processor to engage Sub-Processors. The current list is in Annex B.

6.2 The Processor shall impose equivalent data protection obligations on Sub-Processors and remain liable for their performance.

6.3 The Processor shall inform the Controller of changes to Sub-Processors at least 14 days in advance. The Controller may object on reasonable data protection grounds. If the objection cannot be resolved, the Controller may terminate the subscription without penalty.

7. International Data Transfers

7.1 Personal Data is processed in Canada (primary), the United States, and the European Union.

7.2 Where transfers involve a country without an adequacy decision, the Processor shall ensure appropriate safeguards are in place, such as Standard Contractual Clauses. SCCs are available upon request.

8. Security

8.1 The Processor maintains technical and organisational measures as described in Annex A to protect Personal Data.

8.2 These measures are regularly reviewed and tested for effectiveness.

9. Data Breach Notification

9.1 The Processor shall notify the Controller without undue delay (within 48 hours) after becoming aware of a Personal Data breach.

9.2 The notification shall describe the nature of the breach, likely consequences, and measures taken or proposed.

9.3 The Processor shall cooperate with the Controller in meeting notification obligations to supervisory authorities and Data Subjects.

10. Data Retention, Deletion, and Return

10.1 Personal Data is retained for the duration of the Controller's subscription. The Controller owns all data collected through the App and may export it at any time using the built-in export feature in the App admin interface.

10.2 Upon app uninstallation, the Processor will anonymise shop and customer records and permanently delete all uploaded files.

10.3 Upon a valid Data Subject erasure request, the Processor will permanently delete the relevant data (via Shopify's GDPR compliance webhooks).

10.4 The Controller may also delete individual records at any time through the admin interface.

11. Audit Rights

11.1 The Controller may audit the Processor's compliance with this DPA up to once per calendar year, with at least 30 days' written notice, during normal business hours, and without unreasonable disruption.

11.2 The Controller may engage an independent auditor subject to confidentiality obligations.

11.3 The Controller bears the cost of audits unless a material breach is found.

11.4 As an alternative, the Processor may provide a security assessment summary or respond to a reasonable security questionnaire.

12. Liability

12.1 Each Party's liability under this DPA is subject to the limitations in the Terms and Conditions, except for liability that cannot be excluded or limited by law.

13. Term and Termination

13.1 This DPA commences when the Controller begins using the App and continues until all Personal Data is deleted or returned.

13.2 Clauses concerning confidentiality, breach notification, and audit rights survive termination.

14. Governing Law

14.1 This DPA is governed by the laws of England and Wales, and the parties submit to the exclusive jurisdiction of the courts of England and Wales.

By installing and continuing to use My Product Cares, you acknowledge and agree to this Data Processing Agreement.

Annex A — Technical and Organisational Security Measures

Access Control

• Access to production systems is restricted to authorised personnel using secure key-based authentication

• Application-level access is scoped by store, ensuring data isolation between different Controllers

• Admin access is authenticated through Shopify OAuth, ensuring only authorised store administrators can access their store's data

Data Transmission

• All data is encrypted in transit using HTTPS/TLS

• Email delivery uses encrypted connections

• Internal service communication uses secure channels

Data Storage

• Databases use encryption at rest

• Cloud file storage uses server-side encryption

• Sensitive configuration data (API keys, tokens) is never stored in code repositories

Availability and Resilience

• Multiple application servers across different data centres and providers

• Automatic failover between servers

• Managed database with standby failover node (99.95% uptime)

• Automated daily database backups with 7-day point-in-time recovery

• Zero-downtime deployments

Data Integrity

• Database integrity is enforced through schema constraints

• Input validation is performed at the application layer

• Automated testing on every production deployment

Data Separation

• Each Controller's data is logically separated, ensuring no cross-Controller data access

Incident Response

• Real-time error monitoring with automated alerts

• Infrastructure monitoring and log aggregation

• Automated health checks on all services

Secure Development

• Code changes go through automated testing pipelines

• Dependencies are regularly reviewed and updated

• Rate limiting and input sanitisation at the application layer

Annex B — Sub-Processors

For questions about this DPA, contact: info@varify.xyz. Last updated: May 2026