Data Processing Addendum (DPA)

This Data Processing Addendum ("DPA") is an integral part of the agreement between PNRC Ltd (Vervaunt) ("Processor") and the user ("Customer") of our Shopify app, Census (the "App"). By installing and using the App, the Customer agrees to the terms of this DPA.

1. Introduction

This DPA outlines the terms under which PNRC Ltd (Vervaunt) will process Customer Data in the course of providing services through the App. It is designed to comply with relevant data protection laws and regulations.

2. Data Processing

2.1. Data Collection

The Processor collects and processes the following types of Customer Data:

Order Data: Total amount paid, currency, order ID, and Shopify market.

Customer Data: Customer ID.

Customer Feedback: Answers to defined customer experience questions.

2.2. Purpose of Data Processing

The Processor processes Customer Data solely for the purpose of providing services through the App, including but not limited to order management and analysis.

2.3. Data Storage

The Customer Data is securely stored on Amazon Web Services ("AWS") servers, which are located in the UK. Data will be retained only as long as necessary to fulfil the purposes of processing or as required by applicable laws.

3. Sub-Processors

3.1. Authorised Sub-Processor

The Processor utilises AWS as the sole sub-processor to store the database containing Customer Data. AWS is a widely recognised cloud service provider with robust security measures in place.

3.2. Sub-Processor Obligations

The Processor ensures that AWS, as a sub-processor, is bound by data protection obligations that provide at least the same level of protection for Customer Data as this DPA.

4. Data Security

4.1. Security Measures

The Processor implements the following security measures to protect Customer Data:

Access Control: Access to Customer Data is restricted to authorised personnel only, with access controlled via Secure Shell (SSH) and Two-Factor Authentication (2FA).

Data Encryption: All Customer Data stored on AWS is encrypted both in transit and at rest.

Monitoring and Audits: The Processor conducts regular audits and monitoring to ensure compliance with security protocols.

5. Data Deletion

Upon request from the Customer, the Processor will delete all Customer Data related to the Customer. Data deletion will be confirmed in writing and will be completed within 30 days of the request.

6. Customer Responsibilities

The Customer agrees to:

Use the App in compliance with applicable laws and regulations, including data protection laws.

Obtain any necessary consents from individuals whose data is processed through the App.

7. Amendments and Updates

The Processor reserves the right to update or modify this DPA as necessary to comply with changes in applicable laws, regulations, or business practices. Any significant changes will be communicated to the Customer through appropriate channels.

8. Governing Law

This DPA is governed by and construed in accordance with the laws of the UK. Any disputes arising out of or in connection with this DPA will be subject to the exclusive jurisdiction of the courts of the UK.

9. Acceptance

By installing and using the App, the Customer acknowledges and agrees to the terms of this DPA.

For any questions or concerns regarding this DPA, please contact us at labs@vervaunt.com.