Data Processing Agreement (DPA)
OrderFlow by Mentilead
1. Parties and Definitions
This Data Processing Agreement ("DPA") is entered into between:
- Data Controller ("Controller", "Merchant", "you"): The Shopify merchant who installs and uses the OrderFlow application
- Data Processor ("Processor", "we", "us", "Mentilead"): Mentilead, the company that develops and operates the OrderFlow application
Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person as defined by GDPR Article 4(1)
- "Processing" means any operation performed on personal data as defined by GDPR Article 4(2)
- "Data Subject" means the identified or identifiable natural person whose personal data is processed
- "Sub-Processor" means a third party engaged by the Processor to process personal data on behalf of the Controller
- "GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council
- "Services" means the OrderFlow application and related services provided by Mentilead
- "Applicable Data Protection Law" means GDPR and any applicable national implementing legislation
This DPA supplements and forms part of the Terms of Service between the Controller and the Processor. In the event of a conflict between this DPA and the Terms of Service, this DPA shall prevail with respect to the processing of personal data.
2. Scope of Processing
The Processor shall process personal data on behalf of the Controller to provide the OrderFlow service. The details of processing are as follows:
Subject Matter and Purpose
Providing B2B quick ordering functionality for the Controller's Shopify store, including product search, order processing, saved lists, cart management, CSV/XLSX import, order history, and B2B company context.
Duration
Processing begins when the Controller installs OrderFlow and continues until the Controller uninstalls the application and all data retention periods have expired (see Section 9).
Nature of Processing
Collection, storage, retrieval, use, encryption, pseudonymization, and deletion of personal data as necessary to provide the Services.
Categories of Data Subjects
- End customers of the Controller's Shopify store who use the quick order page
- B2B company members associated with the Controller's Shopify Plus store
Types of Personal Data
- Customer identifiers: name, email address (encrypted at rest), Shopify customer ID
- Order data: line items, quantities, totals, timestamps, order source
- Saved lists: list name, product selections, creation date
- Cart sessions: cart contents, customer ID (7-day TTL)
- B2B context: company name, company ID, location ID, catalog assignments, payment terms (24-hour TTL)
No special categories of personal data (as defined by GDPR Article 9) are processed.
3. Processor Obligations
The Processor shall:
- Process personal data only on documented instructions from the Controller, unless required by EU or Member State law. The documented instructions are defined by this DPA and the functionality of the OrderFlow application.
- Ensure that persons authorized to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
- Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as described in Section 5.
- Not engage another processor (sub-processor) without prior written authorization from the Controller, subject to Section 6.
- Assist the Controller in fulfilling obligations to respond to data subject requests under GDPR Articles 15-22.
- Assist the Controller in ensuring compliance with GDPR Articles 32-36 (security, breach notification, impact assessments, prior consultation).
- At the choice of the Controller, delete or return all personal data after the end of the provision of Services, and delete existing copies unless EU or Member State law requires storage, subject to Section 9.
- Make available to the Controller all information necessary to demonstrate compliance with GDPR Article 28 obligations.
- Immediately inform the Controller if an instruction infringes the GDPR or other EU or Member State data protection provisions.
4. Controller Obligations
The Controller shall:
- Ensure that the processing of personal data through OrderFlow has a valid legal basis under GDPR Article 6.
- Provide appropriate privacy notices to data subjects informing them of the processing carried out through OrderFlow.
- Ensure that instructions given to the Processor comply with applicable data protection law.
- Be responsible for the accuracy, quality, and legality of personal data provided to the Processor.
- Respond to data subject requests and, where necessary, instruct the Processor to assist in fulfilling such requests.
- Maintain its own records of processing activities as required by GDPR Article 30.
- Notify the Processor promptly of any changes that may affect the Processor's obligations under this DPA.
5. Security Measures
The Processor implements the following technical and organizational measures in accordance with GDPR Article 32:
Encryption
- Encryption at rest: All DynamoDB tables and S3 buckets use AWS-managed encryption (AES-256)
- Encryption in transit: All communications use HTTPS/TLS 1.2+
- Field-level encryption: Customer email addresses are encrypted at the application level before storage
Access Control
- IAM least-privilege policies for all AWS service components
- Tenant isolation: All database queries are scoped by shop domain (partition key)
- S3 objects are private; access is via pre-signed URLs with time-limited expiry
- OAuth tokens are stored securely and scoped per merchant
Data Minimization
- Short-lived data uses DynamoDB TTL for automatic deletion (cart sessions: 7 days, product cache: 1 hour, B2B context: 24 hours)
- Uploaded files are automatically deleted after 30 days via S3 lifecycle policies
- PII is automatically redacted in server-side logs
Infrastructure Security
- All infrastructure is hosted in AWS eu-central-1 (Frankfurt, Germany)
- AWS shared responsibility model for physical security, network security, and hypervisor security
- Daily automated backups retained for 90 days
- Monitoring via AWS CloudWatch, AWS X-Ray, and CloudWatch Logs Insights
- Audit logging of all write operations with actor, action, resource, and timestamp
Ongoing Assurance
- Regular review and update of security measures
- Dependency vulnerability scanning in CI/CD pipeline
- Security events logged with automatic PII redaction
6. Sub-Processors
The Controller provides general written authorization for the Processor to engage sub-processors, subject to the following conditions:
- The Processor shall maintain an up-to-date list of sub-processors and make it available to the Controller.
- The Processor shall notify the Controller of any intended changes to the list of sub-processors, giving the Controller the opportunity to object within 30 days.
- The Processor shall impose the same data protection obligations as set out in this DPA on each sub-processor by way of a contract.
- The Processor remains fully liable to the Controller for the performance of the sub-processor's obligations.
Current Sub-Processors
| Sub-Processor | Purpose | Location | Transfer Mechanism |
|---|---|---|---|
| Amazon Web Services (AWS) | Infrastructure (compute, database, storage, queues) | EU (Frankfurt) | Data remains in EU |
| Shopify Inc. | E-commerce platform, OAuth, API | US/Canada | Shopify DPA + SCCs |
| Resend | Transactional email delivery | US | SCCs |
Objection Process
If the Controller objects to a new sub-processor, the parties shall discuss the concerns in good faith. If the Controller's objection is not resolved within 30 days, the Controller may terminate the Services by uninstalling OrderFlow. In such case, the Processor shall process the Controller's data in accordance with Section 9.
7. Audit Rights
In accordance with GDPR Article 28(3)(h), the Processor shall:
- Make available to the Controller all information necessary to demonstrate compliance with GDPR Article 28 obligations.
- Allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller.
Audit Conditions
- The Controller shall provide at least 30 days' written notice before an audit.
- Audits shall be conducted during normal business hours and shall not unreasonably disrupt the Processor's operations.
- The Controller shall bear the costs of any audit it initiates.
- The auditor must sign a confidentiality agreement acceptable to the Processor.
- Audit frequency is limited to once per calendar year, unless a data breach or regulatory investigation requires an additional audit.
- The Processor may satisfy the audit requirement by providing relevant certifications, audit reports, or compliance documentation (e.g., SOC 2 reports from AWS).
8. Data Breach Notification
In the event of a personal data breach affecting data processed under this DPA, the Processor shall:
- Notify the Controller without undue delay and within 72 hours of becoming aware of the breach.
- Provide the Controller with the following information:
  - A description of the nature of the breach, including the categories and approximate number of data subjects and records concerned
  - The name and contact details of the Processor's privacy contact
  - A description of the likely consequences of the breach
  - A description of the measures taken or proposed to address the breach and mitigate its effects
- Assist the Controller in fulfilling its own breach notification obligations to supervisory authorities (GDPR Article 33) and data subjects (GDPR Article 34).
- Document the breach in internal records, including facts, effects, and remedial actions taken.
- Take immediate steps to contain and remediate the breach.
Breach notifications shall be sent to the Controller's registered email address on file with OrderFlow. The Controller is responsible for ensuring this email address is current.
9. Data Return and Deletion
Upon termination of the Services (uninstallation of OrderFlow):
Data Export
Before uninstalling, the Controller may export all data via Settings > Danger Zone > Export Data. The export includes orders, saved lists, and audit logs in XLSX format. Export download links are valid for 14 days.
Immediate Deletion
The Controller may request immediate deletion of all data via Settings > Danger Zone > Delete All Data before uninstalling. This permanently deletes all DynamoDB items and S3 objects for the shop.
Default Retention After Uninstall
- OAuth sessions are deleted immediately upon uninstall.
- All remaining data is retained for 12 months to allow the Controller to reinstall and resume use.
- After 12 months, Shopify's shop/redact webhook triggers permanent deletion of all data.
Regulatory Retention
Order records and audit logs are subject to 7-year retention for tax and accounting compliance, even after other data is deleted. During this period, customer PII in order records is redacted (email addresses replaced with a hash) while order totals and metadata are preserved.
10. International Data Transfers
The Processor's primary infrastructure is located in the EU (AWS eu-central-1, Frankfurt, Germany). Personal data is stored and processed within the EU.
Where personal data is transferred to sub-processors outside the European Economic Area (see Section 6), the Processor ensures that appropriate safeguards are in place in accordance with GDPR Chapter V:
- Standard Contractual Clauses (SCCs): Approved by the European Commission, incorporated into contracts with relevant sub-processors
- Transfer impact assessments: Conducted where required to evaluate the level of data protection in the recipient country
- Supplementary measures: Technical measures (encryption, pseudonymization) applied where necessary to supplement SCCs
The Processor shall not transfer personal data to any country or international organization without ensuring an adequate level of protection as required by GDPR.
UK Data Transfers: For personal data of individuals in the United Kingdom, the UK International Data Transfer Addendum (IDTA) to the EU Standard Contractual Clauses applies in addition to the safeguards described above, ensuring an adequate level of protection for UK-EU and UK-international transfers in accordance with UK GDPR.
11. Liability
Each party shall be liable for damage caused by processing that infringes the GDPR, in accordance with GDPR Article 82:
- The Controller is liable for damage caused by processing that does not comply with the GDPR.
- The Processor is liable for damage caused by processing where it has not complied with its obligations under GDPR specifically directed at processors, or where it has acted outside or contrary to the Controller's lawful instructions.
- A party shall be exempt from liability if it proves that it is not responsible for the event giving rise to the damage.
The aggregate liability of the Processor under this DPA shall not exceed the total fees paid by the Controller to the Processor in the 12 months preceding the event giving rise to the claim, except in cases of willful misconduct or gross negligence.
12. Governing Law and Jurisdiction
This DPA shall be governed by and construed in accordance with the laws of Denmark, without regard to its conflict of law provisions.
Any disputes arising from or in connection with this DPA shall be submitted to the exclusive jurisdiction of the courts of Denmark.
This choice of governing law does not affect the rights of data subjects under GDPR, which shall apply regardless of the governing law chosen.
13. Contact Information
For questions or requests related to this DPA:
- Privacy inquiries: privacy@mentilead.com
- General support: support@mentilead.com
- Website: mentilead.com
The Processor shall respond to DPA-related inquiries within 5 business days.
14. Amendments and Updates
This DPA may be updated by the Processor from time to time to reflect changes in data processing practices, legal requirements, or sub-processor arrangements. When material changes are made:
- The Processor will notify the Controller via email and/or in-app notification at least 30 days before the changes take effect.
- Continued use of OrderFlow after the notice period constitutes acceptance of the updated DPA.
- If the Controller does not agree to the updated DPA, the Controller may terminate by uninstalling OrderFlow, and data will be handled in accordance with Section 9.
Non-material changes (e.g., formatting, clarifications that do not change the substance of obligations) may be made without prior notice.
15. Effective Date and Incorporation
This DPA is effective as of the date the Controller installs the OrderFlow application and accepts the Terms of Service.
This DPA is incorporated into and forms part of the Terms of Service. By installing OrderFlow, the Controller agrees to be bound by the terms of this DPA.
This DPA shall remain in effect for as long as the Processor processes personal data on behalf of the Controller, including any data retention periods that extend beyond uninstallation.
If any provision of this DPA is found to be invalid or unenforceable, the remaining provisions shall continue in full force and effect. The invalid or unenforceable provision shall be replaced by a valid provision that most closely achieves the intended purpose.
For details on data categories and retention, see also the Privacy Policy.