Data Processing Addendum (DPA) — CRO Audit Pro
This Data Processing Addendum ("DPA") forms part of the Terms of Service between NeuroConversions LLC ("Processor", "we", "us") and the Shopify merchant who installs CRO Audit Pro ("Controller", "Merchant", "you"). It governs the processing of Personal Data on behalf of the Merchant. This DPA is deemed accepted on app installation and supersedes any prior data processing terms between the parties.
Legal notice: This is a template. Have it reviewed by a lawyer qualified in your jurisdiction before publishing. The template reflects the app's actual data handling and is suitable for a small app with minimal PII, but jurisdictional variations may require additional clauses.
1. Definitions
Terms used here have the meanings given in the GDPR unless otherwise specified.
- Applicable Data Protection Laws means the EU GDPR (Regulation (EU) 2016/679), the UK GDPR, the California Consumer Privacy Act (CCPA), and any other data protection law applicable to the Controller's processing.
- Personal Data means any information relating to an identified or identifiable natural person processed by us on behalf of you under this DPA.
- Data Subject means the individual to whom Personal Data relates — typically your customers or storefront visitors.
- Sub-processor means a third party we engage to process Personal Data on our behalf.
2. Roles
You are the Controller of Personal Data relating to your customers and storefront visitors. We are the Processor of that data. We process Personal Data solely on your documented instructions (as reflected in the app's functionality and this DPA) and for no other purpose.
3. Scope and subject-matter of processing
| Attribute | Description |
|---|---|
| Purpose of processing | Running conversion-rate-optimization experiments on your storefront, measuring the revenue lift they produce, and surfacing analytics to you. |
| Duration | For the lifetime of the app installation, plus any statutory retention period thereafter. Deletion occurs within 48 hours of the `shop/redact` Shopify webhook firing. |
| Nature of processing | Automated analysis of aggregate session counts, order totals, and experiment exposures. No manual inspection of individual records. |
| Personal Data categories | Aggregate session analytics (visit counts per landing page); order totals per experiment variant; pseudonymous visitor identifiers stored in a cookie in the shopper's browser; device category (mobile / desktop). We do not process names, email addresses, phone numbers, postal addresses, payment data, Shopify customer IDs, or order line-item detail. |
| Data-subject categories | Your customers and storefront visitors. |
4. Our obligations as Processor
We will:
- Process only on your instructions — the app's documented functionality constitutes your instructions. If we receive an instruction we believe breaches Applicable Data Protection Laws, we will notify you.
- Keep Personal Data confidential — access is restricted to staff who need it for their role and who are bound by confidentiality obligations.
- Implement appropriate technical and organisational measures — see §6.
- Assist you with data-subject requests — within 30 days of you forwarding a request.
- Assist you with DPIAs and regulator consultations — if your processing would require them under Applicable Data Protection Laws.
- Notify you of personal-data breaches — without undue delay and in any case within 72 hours of becoming aware, per our Incident Response Policy.
- Delete or return Personal Data at end of service — on your written request, or automatically within 48 hours of `shop/redact` firing.
5. Your obligations as Controller
You will:
- Have a valid legal basis for each purpose for which you direct us to process Personal Data (consent, contract, legitimate interest, etc.).
- Provide notice to your data subjects — typically via your own privacy policy, which should mention that you use CRO Audit Pro and the categories of data we process on your behalf.
- Obtain shopper consent where required — via a cookie banner or equivalent. Our web pixel and storefront engine respect `Shopify.customerPrivacy.analyticsProcessingAllowed()`, so consent you capture on the storefront flows through to our processing automatically.
- Respond to data subject requests directed to you — we will assist within 30 days.
- Not instruct us to process special-category data — processing of racial, political, health, sexual-orientation, or genetic data is out of scope of this DPA. CRO Audit Pro does not access such data.
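The consent flow-through described in this section is the one technical control a merchant cannot inspect from the admin, so the following is an added worked example of what such a gate looks like in a storefront script. It is illustrative code written for this page, not CRO Audit Pro's own storefront engine or web pixel. It assumes that the storefront exposes `window.Shopify.customerPrivacy.analyticsProcessingAllowed()` and dispatches a `visitorConsentCollected` event on `document` once the shopper answers the banner; the cookie name `cro_vid`, the `sendExposure()` callback, the `randomId()` generator and the `fakeDocument()` stand-in are hypothetical and exist only to make the example runnable outside a browser.

```javascript
// Added example, not CRO Audit Pro's own code: gate a storefront tracking
// script on Shopify's Customer Privacy API so that the visitor cookie is not
// written and no experiment exposure is sent until analytics consent exists.
// Assumed (not stated on the page): window.Shopify.customerPrivacy
// .analyticsProcessingAllowed() is available on the storefront and a
// "visitorConsentCollected" event is dispatched on document once the shopper
// answers the banner. The cookie name, sendExposure() and randomId() are
// hypothetical.

const VISITOR_COOKIE = "cro_vid"; // hypothetical name for the visitor id cookie

// True only when the Customer Privacy API is present and reports analytics
// consent. A missing API or a throwing call fails closed (no consent), never open.
function analyticsAllowed(win) {
  const cp = win && win.Shopify && win.Shopify.customerPrivacy;
  if (!cp || typeof cp.analyticsProcessingAllowed !== "function") return false;
  try {
    return cp.analyticsProcessingAllowed() === true;
  } catch (e) {
    return false;
  }
}

// Minimal cookie reader; returns null when the named cookie is absent.
function readCookie(doc, name) {
  const prefix = name + "=";
  for (const part of (doc.cookie || "").split(";")) {
    const p = part.trim();
    if (p.startsWith(prefix)) return decodeURIComponent(p.slice(prefix.length));
  }
  return null;
}

// Returns the existing visitor id or mints one. The id comes from randomId()
// and is not derived from any customer attribute. Only called after consent.
function getOrCreateVisitorId(doc, randomId) {
  let id = readCookie(doc, VISITOR_COOKIE);
  if (!id) {
    id = randomId();
    doc.cookie = VISITOR_COOKIE + "=" + encodeURIComponent(id) +
      "; Max-Age=31536000; Path=/; SameSite=Lax; Secure";
  }
  return id;
}

// Entry point for the storefront script. If consent is already present it
// starts immediately; otherwise it waits for the consent event and re-checks.
// Returns a small state object so the behaviour can be checked without a browser.
function initTracking(win, doc, variant, sendExposure, randomId) {
  const state = { started: false, visitorId: null };
  const start = () => {
    if (state.started || !analyticsAllowed(win)) return;
    state.started = true;
    state.visitorId = getOrCreateVisitorId(doc, randomId);
    sendExposure({ visitorId: state.visitorId, variant: variant });
  };
  start();
  if (!state.started && typeof doc.addEventListener === "function") {
    doc.addEventListener("visitorConsentCollected", start);
  }
  return state;
}

// Constructed stand-in for document, so the gate can be exercised outside a
// browser: cookie is a plain string, and fire() replays a dispatched event.
function fakeDocument() {
  const listeners = {};
  return {
    cookie: "",
    addEventListener(name, fn) { (listeners[name] = listeners[name] || []).push(fn); },
    fire(name) { (listeners[name] || []).forEach((fn) => fn()); },
  };
}

// Stand-alone run: consent arrives after page load, so the cookie and the
// exposure appear only once the event fires.
let consent = false;
const win = { Shopify: { customerPrivacy: { analyticsProcessingAllowed: () => consent } } };
const doc = fakeDocument();
const sent = [];
const state = initTracking(win, doc, "B", (e) => sent.push(e), () => "v-" + Math.random().toString(16).slice(2));
console.log("before consent:", state.started, doc.cookie === "", sent.length); // false true 0
consent = true;
doc.fire("visitorConsentCollected");
console.log("after consent:", state.started, readCookie(doc, VISITOR_COOKIE) === state.visitorId, sent.length); // true true 1
```

The design choice worth copying is the fail-closed default: when the Customer Privacy API is absent or throws, the script treats that as no consent rather than as implicit consent, and the visitor cookie (the pseudonymous identifier listed in §3) is only ever written after `analyticsProcessingAllowed()` has returned true.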
6. Security measures
We implement the following measures:
- TLS 1.2 or higher for all data in transit.
- Encryption at rest for the production database and its backups (managed Postgres).
- Environment separation between development, staging, and production.
- Role-based access control with least-privilege principles for staff.
- Strong password + multi-factor authentication on all admin interfaces (cloud console, GitHub, Shopify Partner Dashboard).
- Automated dependency vulnerability scanning.
- Documented incident response procedure.
These measures are kept under review and updated as the app and team evolve. We do not currently hold third-party security certifications (SOC 2, ISO 27001) and do not represent that we do.
7. Sub-processors
We engage sub-processors to help deliver the service. Current sub-processors:
| Sub-processor | Purpose | Data location |
|---|---|---|
| Google Cloud Run + Cloud SQL | Application hosting, database | Region finalized at production launch |
| Sentry | Error and performance monitoring | Region finalized at production launch |
| Resend | Transactional email to merchants | Region finalized at production launch |
| Shopify | Source of Merchant and shopper data; payout processor | As per Shopify's DPA |
We will:
- Contractually bind each sub-processor to data protection obligations substantially equivalent to this DPA.
- Remain liable for each sub-processor's performance.
- Update this list when sub-processors change, with at least 14 days' notice to you. You may object to a sub-processor change by written notice; unresolved objections may result in termination of the service.
8. International transfers
Transfers of Personal Data out of the EEA, UK, or Switzerland are protected by:
- Standard Contractual Clauses (2021 EU SCCs) for EEA transfers.
- UK International Data Transfer Addendum (IDTA) for UK transfers.
- Swiss Federal DPA amendments for Swiss transfers.
These clauses are incorporated by reference into this DPA. Our production hosting region is finalized at production launch and documented in the privacy policy; please refer to the live version for the current region.
9. Data-subject rights
We maintain the technical means to help you respond to data-subject requests:
- Access — on your request, we will export the Personal Data we hold for a named data subject within 30 days. Given our schema, this export will normally be empty or near-empty because we do not persist customer-keyed records.
- Erasure — we respect Shopify's `customers/redact` webhook. We also honor direct requests from you within 72 hours.
- Portability — same as access; data is exported in a machine-readable format (JSON).
- Restriction / Objection — on your written instruction, we will suspend processing for a named data subject.
10. Audits
You may, on reasonable notice and no more than once per year (unless an incident has occurred), request:
- A copy of this DPA and our current sub-processor list.
- A summary of our security measures.
- Responses to a reasonable security questionnaire.
In-person or intrusive audits are outside scope for small apps. We will cooperate in good faith with regulator-mandated audits.
11. Liability and indemnification
Liability under this DPA is subject to the limitations set out in the main Terms of Service. In any case, each party's liability for breach of Applicable Data Protection Laws is limited to direct damages and capped at the amount paid by the Merchant to the app developer in the 12 months preceding the claim, except in cases of gross negligence or wilful misconduct.
12. Term and termination
This DPA is effective as of the Effective Date and remains in force for as long as we process Personal Data on your behalf. On termination, we will delete all Personal Data within 48 hours of `shop/redact` firing, except where retention is required by law.
13. Governing law
This DPA is governed by the laws of the State of Wyoming, United States, and any dispute is subject to the exclusive jurisdiction of the state and federal courts located in Wyoming, United States. Mandatory data protection laws of the Merchant's home jurisdiction (including the GDPR and UK GDPR where applicable) continue to apply notwithstanding this clause.
14. Changes to this DPA
We may amend this DPA as Applicable Data Protection Laws evolve. Material changes will be announced to merchants via:
- In-app notification on next login
- Email to the registered Shopify contact
- An update to the version number and Effective Date at the top of this document