Last Updated: April 23, 2026

This Data Processing Agreement (“DPA”) forms part of, and is subject to, the Terms of Service (the “Terms”) between Stockful (“Processor”, “we”, “us”) and the merchant using the Stockful Shopify application (“Controller”, “you”). Capitalised terms not defined here have the meanings given in the Terms or in Regulation (EU) 2016/679 (the “GDPR”) and the UK GDPR. This DPA satisfies Article 28 of the GDPR and the equivalent provisions of the UK GDPR. For merchants established outside the EU/UK, it reflects the equivalent obligations we apply globally as a matter of policy.
1. Roles of the parties
- The Controller is the merchant operating the Shopify store. The Controller determines the purposes and means of processing Personal Data.
- The Processor is Stockful. The Processor processes Personal Data only on documented instructions from the Controller, as described in this DPA and the Terms.
2. Subject matter, duration, nature and purpose
- Subject matter: Processing of Personal Data accessible via the Controller’s Shopify store in order to deliver Stockful’s inventory monitoring, historical tracking, analytics, forecasting, and notification services as described in the Terms.
- Duration: For as long as Stockful is installed on the Controller’s store, plus the retention periods set out in the Privacy Policy (including the 48-hour post-uninstall retention window).
- Nature: Automated storage, structuring, aggregation, calculation, and transmission of data via cloud infrastructure.
- Purpose: Provision of the Stockful service to the Controller.
3. Categories of data and data subjects
Categories of Personal Data processed:
- Merchant staff identifiers (names, email addresses, Shopify staff IDs) used to authenticate with and operate the app.
- Customer personal data contained within order records returned by Shopify’s API (names, email addresses, billing and shipping addresses). This data is processed only for aggregate velocity and forecasting and is not retained individually — the source customer fields are discarded after aggregation.
- Notification recipient email addresses and Slack channel identifiers provided by the Controller for alert delivery.
Categories of data subjects:
- The Controller’s staff members and other individuals with Shopify admin access.
- The Controller’s end customers, to the extent their personal data appears in the Controller’s order records.
- Recipients configured by the Controller for notifications (typically Controller staff).
4. Controller instructions
The Processor processes Personal Data only on documented instructions from the Controller, including as set out in the Terms, the Privacy Policy, and this DPA. The Controller’s use of the app (installation, configuration, and ongoing operation) constitutes documented instructions to the Processor. The Processor will notify the Controller if, in its opinion, an instruction infringes the GDPR or other applicable data protection law.
5. Processor obligations
The Processor will:
- Process Personal Data only for the purposes set out in Section 2.
- Ensure that personnel authorised to process Personal Data are bound by appropriate confidentiality obligations.
- Implement appropriate technical and organisational measures (see Section 6).
- Assist the Controller, at the Controller’s expense where the assistance is non-trivial, in:
  - Responding to data subject rights requests.
  - Meeting its obligations under Articles 32 to 36 of the GDPR (security, breach notification, impact assessments, and prior consultation).
- Make available to the Controller information necessary to demonstrate compliance with Article 28 of the GDPR.
6. Security measures
Stockful maintains the technical and organisational measures described in the Privacy Policy’s Data Security section, including encryption in transit (HTTPS/TLS), multi-tenant isolation, least-privilege API scopes, AES-256-GCM encryption of credentials at rest, and alignment with Shopify’s app security guidelines. Measures are reviewed periodically and updated to reflect evolving risks.
7. Sub-processors
The Controller authorises the Processor to engage the sub-processors listed below for the stated purposes. Changes to this list will be reflected in an updated version of this DPA and the Privacy Policy; continued use of the app after such change constitutes authorisation of the new or replaced sub-processor.

| Sub-processor | Location | Purpose |
|---|---|---|
| Cloudflare | Global | Application hosting, backend infrastructure, and file storage (Workers, Pages, R2) |
| Neon | EU / US | Primary PostgreSQL database |
| Shopify | Global | E-commerce platform integration |
| HeyMantle | US | Subscription billing and plan management |
| Resend | US | Transactional email delivery |
| Slack | US | Optional notification delivery |
| Sentry | EU (self-hosted option) / US | Error tracking and monitoring |
| Axiom | US | Operational analytics and event logging |
| Trigger.dev | US | Background job execution |
8. International data transfers
Where processing of Personal Data originating in the EU/EEA or UK involves a transfer to a third country that has not been the subject of an adequacy decision, the Processor relies on the European Commission’s Standard Contractual Clauses (and the UK Information Commissioner’s Office’s International Data Transfer Addendum, as applicable), which are incorporated into its agreements with relevant sub-processors.
9. Assistance with data subject rights
Taking into account the nature of processing, the Processor will assist the Controller, by appropriate technical and organisational measures, in responding to requests from data subjects exercising their rights under the GDPR (access, rectification, erasure, restriction, portability, and objection). The Processor honours all Shopify GDPR compliance webhooks (customers/data_request, customers/redact, shop/redact).
10. Personal data breach notification
The Processor will notify the Controller without undue delay, and in any event within 72 hours of becoming aware of a Personal Data breach affecting the Controller’s data. The notification will include, to the extent known at the time, the nature of the breach, the categories and approximate number of data subjects and records concerned, the likely consequences, and the measures taken or proposed.
11. Audit rights
The Processor will make available to the Controller all information necessary to demonstrate compliance with this DPA and will allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller. Audits must be conducted with reasonable advance notice (at least 30 days), during business hours, no more than once per calendar year unless in response to a Personal Data breach, and subject to the auditor executing appropriate confidentiality undertakings. The Controller bears its own audit costs unless the audit reveals a material breach of this DPA.
12. Deletion or return of personal data
At the Controller’s choice, the Processor will delete or return all Personal Data to the Controller after the end of the provision of services, and delete existing copies unless EU or member state law requires storage of the Personal Data. Absent an instruction from the Controller, the Processor will delete all Personal Data 48 hours after uninstallation of the app, in line with the retention policy set out in the Privacy Policy.
13. Liability and indemnification
Liability arising under this DPA is subject to the limitations set out in the Terms of Service. Nothing in this DPA limits either party’s liability to data subjects or to supervisory authorities to the extent that such liability cannot be limited by applicable law.
14. Order of precedence
In the event of a conflict between this DPA and the Terms of Service, the DPA prevails with respect to the processing of Personal Data.
15. Governing law
This DPA is governed by the laws of England and Wales. Disputes arising from this DPA are subject to the jurisdiction clause in the Terms of Service.
16. Contact and signing
EU/UK-based Controllers are deemed to have accepted this DPA upon installation of the app. A counter-signed copy is available on request.
- Email: support@stockful.app