Data Processing Agreement

Last updated: March 3, 2026

This Data Processing Agreement ("DPA") forms part of the Terms of Service between Beemlo ("Processor", "we") and the merchant installing PO Field ("Controller", "you"). This DPA governs the processing of Personal Data in connection with the Service.

1. Definitions

In this DPA, "Personal Data", "Processing", "Controller", "Processor", and "Data Subject" have the meanings given in the GDPR (EU Regulation 2016/679), UK GDPR, Swiss FADP, CCPA/CPRA, and LGPD (Brazil) as applicable. "SCCs" means the Standard Contractual Clauses approved by EU Commission Implementing Decision (EU) 2021/914.

2. Scope of Processing

Purpose	Capturing, validating, and storing Purchase Order numbers on orders; providing order tracking dashboard and CSV export
Data subjects	Merchant's customers (name only, via order data), merchant and authorized personnel (store owner email)
Data categories	Customer names, order IDs, PO numbers, order totals, financial status, timestamps, store identifiers
Excluded data	Customer emails, phone numbers, addresses, payment information, product data
Duration	For the term of the agreement; deletion within 30 days after termination

Note: PO numbers are merchant-defined values. Merchants are responsible for determining if PO numbers or other note attributes contain Personal Data and for any applicable disclosures.

3. Processor Obligations

The Processor shall:

Process Personal Data only on the Controller's documented instructions
Ensure that persons authorized to process Personal Data are bound by confidentiality obligations
Implement appropriate technical and organizational security measures (Section 5)
Not engage another processor without prior written authorization (Section 6)
Assist the Controller in responding to Data Subject rights requests
Assist the Controller with data protection impact assessments where required
Delete or return all Personal Data upon termination, at the Controller's choice
Make available all information necessary to demonstrate compliance and allow for audits (Section 7)

4. Controller Obligations

The Controller shall:

Ensure it has a lawful basis for transferring Personal Data to the Processor
Provide any required notices to Data Subjects regarding the use of PO Field
Ensure that instructions to the Processor comply with applicable data protection laws

5. Security Measures

Encryption in transit: TLS 1.2+ on all connections
Encryption at rest: Cloudflare D1 platform-level encryption
Access control: Authenticated Shopify session tokens for admin API access
Webhook integrity: HMAC-SHA256 signature verification on all incoming webhooks
Secrets management: API credentials stored as Worker secrets, never in source code
Data minimization: Only data necessary for Service operation is collected
Infrastructure security: Cloudflare enterprise edge with DDoS protection and WAF

6. Subprocessors

The Controller authorizes the use of the following subprocessors:

Subprocessor	Purpose	Location
Cloudflare, Inc.	Compute, storage (Workers, D1, KV), CDN	Global edge network

The Processor shall:

Impose substantially similar data protection obligations on each subprocessor
Remain fully liable for the performance of each subprocessor
Provide at least 30 days advance notice before adding a new subprocessor
Allow the Controller to object within 15 days of notice; if the objection is not resolved, the Controller may terminate with a prorated refund

7. Audits

The Processor shall make available information necessary to demonstrate compliance with this DPA. The Controller may conduct audits subject to the following:

Maximum one audit per 12-month period
At least 30 days advance written notice
During normal business hours
The Controller bears audit costs

The Processor may satisfy audit requests by providing relevant certifications, audit reports, or documentation in lieu of on-site inspections.

8. Data Subject Requests

The Processor shall promptly notify the Controller of any Data Subject request received directly. The Processor shall assist the Controller in fulfilling such requests within the timeframes required by applicable law.

9. Data Breach Notification

The Processor shall notify the Controller of any Personal Data breach without undue delay and in any event within 72 hours, providing:

The nature of the breach
Categories and approximate number of Data Subjects affected
Likely consequences of the breach
Measures taken or proposed to mitigate the breach

The Processor shall cooperate fully with the Controller's investigation and notification obligations.

10. International Data Transfers

For transfers of Personal Data from the EEA to countries without an adequacy decision, the parties agree to the SCCs (Module Two: Controller to Processor) with the following selections:

Clause 7: Optional docking clause included
Clause 9 (Option 2): General written authorization; 30-day notice for subprocessor changes
Clause 11: Independent dispute resolution body not included
Clause 17 (Option 1): Governed by the laws of Ireland
Clause 18(b): Disputes resolved before the courts of Ireland

UK Transfers

For transfers from the UK, the International Data Transfer Addendum (Version B1.0) issued by the UK ICO applies alongside the SCCs.

Swiss Transfers

For transfers from Switzerland, the SCCs apply with modifications as required by the Swiss Federal Act on Data Protection (FADP).

Supplementary Measures

TLS 1.2+ encryption on all data in transit
Platform-level encryption for data at rest
Access limited to authenticated Shopify sessions and HMAC-verified webhooks
Data minimization — only essential fields processed

11. Term and Termination

This DPA remains in effect for the duration of the Controller's use of the Service. Upon termination:

The Processor shall delete all Personal Data within 30 days
Upon request, the Processor shall certify deletion in writing

12. Precedence

In the event of a conflict between this DPA and the Terms of Service, this DPA shall prevail with respect to data processing matters. In the event of a conflict between this DPA and the SCCs, the SCCs shall prevail.

13. Contact

Beemlo
Email: [email protected]
Data Protection: [email protected]