Data Processing Agreement
Effective date: April 8, 2024
Last updated: April 7, 2026
This Data Processing Agreement (“DPA”) forms part of the Terms of Service between you (“Merchant”, acting as the Data Controller under GDPR) and Tantou AI (“Processor”). It governs the processing of personal data by the Processor on behalf of the Controller in connection with the use of tt-blocks (“the App”).
1. Definitions
Terms used here have the meanings set out in the EU General Data Protection Regulation 2016/679 (“GDPR”), including “personal data”, “processing”, “controller”, “processor”, “sub-processor”, and “data subject”.
2. Subject and duration
The Processor processes personal data on behalf of the Controller for the duration of the App installation, terminated upon Merchant uninstalling the App or written termination of the Terms of Service.
3. Nature and purpose of processing
| Aspect | Detail |
|---|---|
| Nature | Storing widget configuration; serving widget rendering; aggregating non-identifiable analytics |
| Purpose | Operating the App as described in the Privacy Policy |
| Processing operations | Collection, storage, retrieval, transmission, aggregation, and deletion |
| Duration | For the lifetime of the App installation; data is deleted within 30 days of uninstall (see §12) |
| Categories of personal data | See §4 |
4. Categories of data subjects and personal data
| Data subject | Personal data |
|---|---|
| Merchant staff (admin users) | Shopify shop domain, OAuth session token (Shopify-issued, not user PII) |
| Storefront visitors | Read at runtime in the visitor’s browser only — see Privacy Policy §2.2 |
The App does not store storefront-visitor PII server-side under normal operation.
5. Processor obligations
The Processor shall:
- Process personal data only on documented instructions from the Controller, including via the App’s UI
- Ensure persons authorized to process personal data are bound by confidentiality obligations
- Implement appropriate technical and organizational security measures (see §9)
- Assist the Controller in fulfilling data subject rights requests (Articles 15–22 GDPR), including via Shopify’s mandatory privacy webhooks
- Notify the Controller of any personal data breach without undue delay (see §11)
6. Sub-processors
The Controller authorizes the Processor to engage the following sub-processors:
| Sub-processor | Purpose | Region |
|---|---|---|
| Shopify Inc. | App authentication, metafield storage, billing | Global |
| Cloudflare, Inc. | Compute, storage, and analytics infrastructure | Global edge |
The Processor will notify the Controller before adding or replacing sub-processors. The Controller may object on reasonable grounds.
7. International transfers
Personal data may be transferred outside the EEA where sub-processors operate. Such transfers rely on the following safeguards:
| Sub-processor | Region | Transfer safeguard |
|---|---|---|
| Shopify Inc. | Global (primary: Canada, US) | EU Standard Contractual Clauses (SCCs); EU–U.S. Data Privacy Framework (where applicable); see Shopify’s DPA |
| Cloudflare, Inc. | Global edge network | EU Standard Contractual Clauses (SCCs); EU–U.S. Data Privacy Framework (where applicable); see Cloudflare’s DPA |
8. Data subject rights
The Processor will assist the Controller in responding to data subject access, rectification, erasure, restriction, portability, and objection requests, primarily via Shopify’s customers/data_request and customers/redact webhooks (see Privacy Policy §7).
9. Security measures
The Processor maintains the following measures:
- TLS in transit
- Encryption at rest via Cloudflare’s storage layer
- Access control to production infrastructure (least privilege)
- Periodic security review
10. Audit rights
The Controller may exercise audit rights in the following ways:
- Annual security summary — request, no more than once per year, a summary of the Processor’s security and data handling practices
- Written questionnaire — submit a reasonable written questionnaire about specific processing activities; the Processor will respond within 30 days
- Third-party audit reports — rely on publicly available audit reports of sub-processors (e.g., Shopify’s SOC 2; Cloudflare’s ISO 27001, SOC 2)
Detailed on-site audits are not provided. The Controller bears any reasonable third-party costs incurred for additional audits beyond the above.
11. Data breach notification
The Processor will notify the Controller of any personal data breach affecting Controller data without undue delay, and in any event within 72 hours of becoming aware. The notification will include the nature of the breach, categories and approximate number of data subjects and records affected, likely consequences, and the measures taken or proposed to address the breach.
12. Return or deletion of data
Upon termination of the App installation:
- Personal data is deleted within 30 days (in line with Shopify’s shop/redact requirement), except where retention is required by law
- The Controller may export widget configuration before uninstalling the App
13. Liability
Liability under this DPA is governed by the Terms of Service §9.
14. Contact
For DPA matters and data subject requests: support@tantou.ai.