Data Processing Agreement

For the purposes of this DPA, the following terms shall have the meanings set out below:

"Controller"

The entity (you, the merchant) that determines the purposes and means of processing personal data through the Tracehub Service.

"Processor"

Tracehub, which processes personal data on behalf of the Controller.

"Personal Data"

Any information relating to an identified or identifiable natural person as defined in Article 4(1) of the GDPR.

"Processing"

Any operation performed on Personal Data, including collection, storage, use, disclosure, and deletion.

"Sub-processor"

Any third party engaged by Tracehub to process Personal Data on behalf of the Controller.

"Data Subject"

An identified or identifiable natural person whose Personal Data is processed.

"DPP Data"

Data contained within Digital Product Passports created through the Service, including product information, ESPR Annex III data, and related metadata.

2.1 Subject matter

This DPA applies to the processing of Personal Data by Tracehub in connection with providing the Digital Product Passport service, including:

• Product data synchronization from Shopify stores
• AI-powered data analysis and completion
• Digital Product Passport creation and management
• ESPR compliance reporting and tracking
• Data storage and backup services

2.2 Duration

This DPA shall remain in effect for the duration of your subscription to the Tracehub Service, plus the period required for data retention as specified in Section 11.

2.3 Nature and purpose

Processing is carried out for the purpose of:

• Providing the Tracehub Digital Product Passport service
• Ensuring EU ESPR compliance for your products
• Generating compliance reports and analytics
• Maintaining service continuity and data integrity

2.4 Categories of data

The following categories of Personal Data may be processed:

2.5 Categories of data subjects

• Shopify store owners and administrators
• Economic operators (manufacturers, importers, distributors)
• End consumers viewing Digital Product Passports

As the Controller, you are responsible for:

• Ensuring you have a lawful basis for processing Personal Data through the Service
• Providing appropriate privacy notices to data subjects
• Ensuring the accuracy of Personal Data provided to Tracehub
• Obtaining any necessary consents from data subjects
• Responding to data subject requests (with our assistance as outlined in Section 7)
• Complying with applicable data protection laws

Tracehub, as the Processor, commits to:

4.1 Processing instructions

Process Personal Data only on documented instructions from the Controller, including transfers to third countries or international organizations, unless required by applicable law. In such cases, we will inform you of the legal requirement before processing unless prohibited by law.

4.2 Confidentiality

Ensure that all persons authorized to process Personal Data have committed to confidentiality or are under an appropriate statutory obligation of confidentiality.

4.3 Security

Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as detailed in Section 6.

4.4 Sub-processing

Not engage another processor without prior specific or general written authorization from the Controller, as detailed in Section 5.

4.5 Assistance

Assist the Controller in fulfilling its obligations to respond to data subject requests and in ensuring compliance with Articles 32-36 of the GDPR.

4.6 Data deletion

At the Controller's choice, delete or return all Personal Data after the end of the provision of services, subject to ESPR retention requirements and applicable law.

4.7 Audit support

Make available all information necessary to demonstrate compliance with Article 28 of the GDPR and allow for and contribute to audits.

5.1 Authorization

By entering into this DPA, you provide general written authorization for Tracehub to engage sub-processors to assist in providing the Service, subject to the requirements below.

5.2 Current sub-processors

The following sub-processors are currently engaged:

5.3 Changes to sub-processors

We will notify you of any intended changes to sub-processors at least 30 days before the change. You may object to such changes within 14 days of notification. If you object and we cannot address your concerns, you may terminate the affected services.

5.4 Sub-processor agreements

We ensure that all sub-processors are bound by contractual obligations that provide an equivalent level of data protection to this DPA.

Tracehub implements the following technical and organizational measures to protect Personal Data:

6.1 Technical measures

• Encryption of data in transit (TLS 1.3) and at rest (AES-256)
• Secure authentication mechanisms including OAuth 2.0
• Regular security assessments and penetration testing
• Intrusion detection and prevention systems
• Automated vulnerability scanning
• Secure software development lifecycle (SSDLC)
• Network segmentation and firewall protection

6.2 Organizational measures

• Access control policies based on least privilege principle
• Employee confidentiality agreements
• Regular security awareness training
• Incident response procedures
• Business continuity and disaster recovery plans
• Regular backup testing and verification

6.3 Data integrity

• Checksums and integrity verification for all backups
• Audit logging of all data access and modifications
• Version control for DPP data changes

Tracehub will assist you in responding to data subject requests under GDPR Articles 15-22:

• Right of access (Article 15)
• Right to rectification (Article 16)
• Right to erasure (Article 17)
• Right to restriction of processing (Article 18)
• Right to data portability (Article 20)
• Right to object (Article 21)

If we receive a data subject request directly, we will promptly notify you and will not respond to the request without your authorization, unless legally required to do so.

We will provide reasonable assistance in responding to requests within 10 business days of your request. For complex requests requiring significant resources, we may charge a reasonable fee based on administrative costs.

Tracehub primarily stores and processes data within the European Economic Area (EEA). Where transfers outside the EEA are necessary, we ensure appropriate safeguards:

8.1 Transfer mechanisms

• Adequacy decisions: Transfers to countries with EU adequacy decisions
• Standard Contractual Clauses (SCCs): EU-approved SCCs for transfers to other countries
• Data Privacy Framework: For transfers to US companies certified under the EU-US DPF

8.2 OpenAI data processing

When AI features are used, limited data may be processed by OpenAI in the United States. This transfer is covered by:

• OpenAI's Data Processing Agreement
• EU-approved Standard Contractual Clauses
• Data Privacy Framework certification

You can opt out of AI features if you do not wish for data to be processed outside the EEA.

9.1 Notification timeline

We will notify you without undue delay, and in any event within 48 hours, after becoming aware of a personal data breach affecting your data.

9.2 Notification content

Our notification will include:

• Description of the nature of the breach
• Categories and approximate number of data subjects affected
• Categories and approximate number of records affected
• Name and contact details of our data protection contact
• Description of likely consequences
• Description of measures taken or proposed to address the breach

9.3 Cooperation

We will cooperate with you in investigating the breach and in any notifications to supervisory authorities or data subjects that you are required to make.

10.1 Information access

We will make available to you all information reasonably necessary to demonstrate compliance with Article 28 of the GDPR and this DPA.

10.2 Audit procedures

You may conduct audits or inspections of our data processing activities, subject to the following conditions:

• Providing at least 30 days written notice
• Conducting audits during normal business hours
• Ensuring auditors are bound by confidentiality obligations
• Not unreasonably interfering with our operations
• Bearing the costs of the audit

10.3 Third-party audits

We may satisfy audit requests by providing copies of relevant third-party audit reports (such as SOC 2) or certifications, where available.

11.1 Data return

Upon termination of the Service, and at your request, we will:

• Return all Personal Data to you in a commonly used, machine-readable format
• Provide data exports in JSON, CSV, and XML formats
• Certify in writing that all copies have been deleted (except as required by law or ESPR)

11.2 ESPR retention requirements

Notwithstanding the above, we will retain DPP data for 10 years as required by ESPR to ensure continued public access to Digital Product Passports. This data will be maintained in a restricted, read-only state.

11.3 Deletion timeline

Unless ESPR retention applies, we will delete or anonymize Personal Data within 90 days of termination, unless you request an earlier deletion.

Each party's liability under this DPA is subject to the limitations set forth in the Terms of Service. However, neither party's liability for breaches of data protection law will be limited where such limitation is prohibited by law.

Each party shall be liable for its own breaches of this DPA and for the actions of its employees, agents, and sub-processors.