This Data Processing Agreement (“DPA”) forms part of, and is incorporated by reference into, the Terms of Service between Dmytro Popov (“Provider”, “Processor”) and the Shopify merchant that installs or uses the Swishy application (“Merchant”, “Controller”). It governs the Processing of Personal Data carried out by the Provider on behalf of the Merchant in connection with the Application. Where there is a conflict between this DPA and the Terms of Service in respect of the Processing of Personal Data, this DPA prevails.
This DPA applies automatically from the date the Merchant installs or uses the Application. By installing or continuing to use the Application, the Merchant accepts this DPA on behalf of itself and, where applicable, its affiliates.
1. Definitions
“Personal Data”, “Processing”, “Controller”, “Processor”, “Data Subject”, “Personal Data Breach”, and “Supervisory Authority” have the meanings given to them in the EU General Data Protection Regulation (Regulation (EU) 2016/679, “GDPR”) and, where applicable, the UK GDPR and the Data Protection Act 2018. “Applicable Data Protection Law” means all laws and regulations relating to the Processing of Personal Data that apply to the parties, including the GDPR, the UK GDPR, and the California Consumer Privacy Act as amended (“CCPA”). “Customer Personal Data” means Personal Data relating to the Merchant’s customers, prospective customers, and store visitors that the Provider Processes on the Merchant’s behalf through the Application.
2. Roles of the Parties
In respect of Customer Personal Data, the Merchant is the Controller and the Provider is the Processor. The Provider Processes Customer Personal Data only on the documented instructions of the Merchant, including the instructions embodied in the Application’s configuration and the Terms of Service, unless required to do otherwise by law (in which case the Provider will inform the Merchant of that legal requirement before Processing, unless prohibited from doing so). For the purposes of the CCPA, the Provider acts as a “service provider” and does not “sell” or “share” Customer Personal Data, and does not retain, use, or disclose it for any purpose other than performing the services.
3. Subject Matter, Duration, Nature, and Purpose of Processing
The subject matter of the Processing is the provision of the Application to the Merchant. The Processing continues for the duration of the Merchant’s use of the Application and for any period thereafter required to comply with legal obligations or to complete deletion. The nature and purpose of the Processing is to provide the Application’s functionality, including AI-assisted storefront responses and, where enabled by the Merchant, customer-support functionality such as order tracking, order status, cancellations, refunds, and returns initiated at the request of the relevant end user.
4. Categories of Data Subjects and Types of Personal Data
Categories of Data Subjects: the Merchant’s customers, prospective customers, and store visitors who interact with the Application.
Types of Personal Data: session and device identifiers; technical storefront event data; messages voluntarily submitted by end users to the AI agent; and, where the support functionality is enabled, order-related data and the customer email address associated with an order, together with a non-reversible hash of a one-time verification code. The Application does not require or request special categories of Personal Data within the meaning of Article 9 GDPR.
5. Obligations of the Provider
The Provider shall:
- Process Customer Personal Data only on the Merchant’s documented instructions, including with regard to international transfers, unless required otherwise by law;
- ensure that persons authorised to Process Customer Personal Data are bound by appropriate confidentiality obligations;
- implement and maintain the technical and organisational security measures described in Annex A;
- respect the conditions in Section 6 for engaging Sub-processors;
- taking into account the nature of the Processing, assist the Merchant by appropriate technical and organisational measures, insofar as possible, in fulfilling the Merchant’s obligation to respond to Data Subject requests (Section 7);
- assist the Merchant in ensuring compliance with its obligations relating to security, breach notification, data protection impact assessments, and prior consultation, taking into account the nature of Processing and the information available to the Provider;
- at the Merchant’s choice, delete or return Customer Personal Data in accordance with Section 11; and
- make available to the Merchant information necessary to demonstrate compliance with this DPA and allow for and contribute to audits in accordance with Section 10.
6. Sub-processors
The Merchant grants the Provider general authorisation to engage Sub-processors to support the provision of the Application. The Provider imposes data protection obligations on each Sub-processor that are no less protective than those set out in this DPA, and remains liable to the Merchant for the performance of each Sub-processor’s obligations. A current list of Sub-processors is set out in Annex B. The Provider will inform the Merchant of any intended addition or replacement of a Sub-processor with a reasonable opportunity to object on reasonable data-protection grounds.
7. Data Subject Rights
Taking into account the nature of the Processing, the Provider shall assist the Merchant by appropriate technical and organisational measures, insofar as this is possible, in responding to requests by Data Subjects to exercise their rights under Applicable Data Protection Law, including rights of access, rectification, erasure, restriction, portability, and objection. Where the Provider receives a request directly from a Data Subject, it will, unless legally required to respond, refer the request to the Merchant.
8. Personal Data Breach Notification
The Provider shall notify the Merchant without undue delay, and in any event within seventy-two (72) hours, after becoming aware of a Personal Data Breach affecting Customer Personal Data. The notification shall, to the extent available, describe the nature of the breach, the categories and approximate number of Data Subjects and records concerned, the likely consequences, and the measures taken or proposed to address it. The Provider maintains a documented security incident response policy governing detection, escalation, and remediation.
9. International Data Transfers
Where the Provider transfers Customer Personal Data outside the European Economic Area or the United Kingdom to a country that is not subject to an adequacy decision, the transfer is governed by an appropriate transfer mechanism, including the European Commission’s Standard Contractual Clauses or the UK International Data Transfer Agreement (or Addendum), which are incorporated into this DPA by reference and completed in accordance with the parties’ roles set out in Section 2.
10. Audits
The Provider shall make available to the Merchant information reasonably necessary to demonstrate compliance with this DPA. On reasonable prior written notice, and no more than once per year unless required by a Supervisory Authority or following a Personal Data Breach, the Merchant may audit the Provider’s compliance, subject to reasonable confidentiality and security restrictions. The Provider may satisfy an audit request by providing relevant third-party certifications or reports where available.
11. Deletion or Return of Data
On termination of the Merchant’s use of the Application, or earlier at the Merchant’s written request, the Provider shall delete or return all Customer Personal Data and delete existing copies, unless retention is required by law. The Provider applies purpose-bound retention periods during the term, including the deletion of verification records shortly after the verification flow completes and the removal of customer email addresses from support records once the related support interaction has been closed for a defined period.
12. Liability and Governing Law
Each party’s liability under this DPA is subject to the limitations and exclusions of liability set out in the Terms of Service. This DPA is governed by the same law and subject to the same jurisdiction as the Terms of Service, except where Applicable Data Protection Law requires otherwise.
Annex A — Technical and Organisational Security Measures
- Encryption: Customer Personal Data is encrypted in transit using TLS and encrypted at rest by the Provider’s managed database and cloud infrastructure providers. Backups are encrypted by those providers.
- Pseudonymisation and minimisation: the Application is designed to Process the minimum Personal Data required; verification codes are stored only as non-reversible hashes; analytics data is processed without direct identifiers.
- Access control: access to production systems and Customer Personal Data is restricted to authorised personnel, authenticated through individual accounts with strong password requirements, and granted on a least-privilege basis.
- Environment separation: test and production data are maintained in separate environments and databases.
- Logging and monitoring: access to systems Processing Customer Personal Data is logged, and the Provider operates error and security monitoring.
- Resilience and recovery: the Provider relies on managed, redundant cloud infrastructure with automated backups to support availability and restoration.
- Incident response: the Provider maintains a documented security incident response policy with defined severity levels, roles, and escalation paths.
Annex B — Sub-processors
The Provider engages the following categories of Sub-processors to provide the Application: managed cloud infrastructure and serverless compute (including for hosting, storage, and content delivery); managed database services; artificial intelligence and large-language-model providers used to generate responses; and observability, error-monitoring, and product-analytics services. A current, itemised list of Sub-processors, including entity names and the country in which each Processes data, is available to Merchants on request.
For questions about this DPA or to exercise any right described above, please contact the Provider through the support channel listed in the Application or on this website.