Data Processing Agreement (DPA)
Last updated: June 22, 2026
This Data Processing Agreement ("DPA") forms part of the Terms of Service between IronWeb ("Processor") and you ("Controller") and governs the processing of personal data through IronWeb Manager.
1. Definitions
- Personal Data: Any information relating to an identified or identifiable natural person, as defined by GDPR Article 4(1).
- Processing: Any operation performed on Personal Data (collection, storage, use, disclosure, or deletion).
- Sub-processor: A third party engaged by the Processor to process Personal Data on behalf of the Controller.
2. Scope of Processing
The Processor processes Personal Data solely to provide the App's services as described in the Privacy Policy. Processing includes:
- Storing store authentication credentials
- Accessing customer data (names, emails, order history) through the Shopify API when requested by the Controller
- Transmitting task instructions and store catalog data to AI sub-processors
3. Controller Obligations
You are responsible for:
- Ensuring a lawful basis for processing under GDPR (e.g., legitimate interest, consent)
- Informing your customers about data processing through the App
- Responding to data subject requests (access, erasure, portability)
4. Processor Obligations
We commit to:
- Process Personal Data only on your documented instructions (i.e., through the App's chat interface)
- Ensure that personnel authorized to process data are bound by confidentiality
- Implement appropriate technical and organizational security measures
- Assist you in responding to data subject requests
- Delete all Personal Data upon termination (uninstallation) of the App
- Notify you without undue delay of any Personal Data breach
5. Sub-processors
We use the following sub-processors:
| Sub-processor | Purpose | Location |
|---|---|---|
| Anthropic | AI language model processing | United States |
| OpenAI | Fallback AI processing | United States |
| Vercel Inc. | Application hosting | United States |
| Neon Inc. | Database hosting | United States |
We will notify you before adding or replacing sub-processors. You may object to a new sub-processor within 14 days of notification.
6. International Transfers
Personal Data may be transferred to the United States where our sub-processors operate. These transfers are protected by Standard Contractual Clauses (SCCs) and each provider's DPA.
7. Data Breach Notification
In the event of a Personal Data breach, we will notify you within 72 hours of becoming aware of the breach, including the nature of the breach, affected data, and remedial measures taken.
8. Audit Rights
You may request information about our data processing practices to verify compliance with this DPA. We will provide reasonable cooperation for audits or inspections.
9. Term and Termination
This DPA is effective as long as the App is installed. Upon uninstallation, we will delete all Personal Data within 30 days unless retention is required by law.
10. Contact
For DPA-related inquiries: asifdan1000@gmail.com
See also: Privacy Policy · Terms of Service · Acceptable Use Policy · Refund Policy