Data Processing Addendum

Forms part of the agreement between TagTier and merchants who use the TagTier Shopify application. Required by GDPR Article 28 and equivalent privacy laws.

Effective: · Last updated:

This Data Processing Addendum ("DPA") forms part of the agreement between [Your Legal Entity Name] ("TagTier," "Processor") and the merchant entity that has accepted TagTier's Terms of Service ("Customer," "Controller") (together, the "Parties"), governing the processing of Personal Data by TagTier on behalf of Customer in connection with the TagTier Service.

This DPA is made to comply with EU General Data Protection Regulation 2016/679 ("GDPR"), the United Kingdom General Data Protection Regulation ("UK GDPR") and the Data Protection Act 2018, the California Consumer Privacy Act / California Privacy Rights Act ("CCPA/CPRA"), and other applicable data protection laws ("Data Protection Laws").

If there is a conflict between this DPA and the Terms of Service, this DPA controls for matters of personal data protection.

1. Definitions

Capitalized terms not defined here have the meaning given in the Data Protection Laws or the Terms of Service.

  • "Customer Personal Data" — Personal Data contained within Customer Data that TagTier processes on Customer's behalf in connection with the Service.
  • "Data Subject" — an identified or identifiable natural person to whom Customer Personal Data relates (typically Customer's end-shoppers, account holders, or staff).
  • "Subprocessor" — any third party engaged by TagTier to process Customer Personal Data on behalf of the Customer.
  • "Standard Contractual Clauses" / "SCCs" — the EU Commission's 2021 Standard Contractual Clauses for transfers of personal data to third countries, including the UK Addendum issued by the UK ICO.

2. Roles and scope

2.1 The Parties acknowledge that, with respect to Customer Personal Data:

  • Customer is the Controller (or a Processor acting on behalf of a third-party Controller).
  • TagTier is the Processor (or Sub-processor, as applicable).

2.2 This DPA applies for the duration of the Service and to the processing activities described in Annex I.

3. Processing instructions

3.1 TagTier will process Customer Personal Data only on Customer's documented instructions. The Terms of Service, this DPA, and Customer's use of the Service constitute Customer's complete and final instructions, unless otherwise agreed in writing.

3.2 If TagTier is required by law to process Customer Personal Data outside Customer's instructions, TagTier will notify Customer before processing (unless prohibited by law).

3.3 TagTier will inform Customer if, in its opinion, an instruction infringes Data Protection Laws.

4. TagTier's obligations

TagTier will:

  • Process Customer Personal Data only as described in Annex I and per Customer's instructions;
  • Ensure all personnel authorized to process Customer Personal Data are bound by appropriate confidentiality obligations;
  • Implement and maintain the technical and organizational security measures described in Annex II;
  • Assist Customer in complying with Data Subject rights requests, breach notifications, and data protection impact assessments (DPIAs), to the extent reasonable;
  • Make available information necessary to demonstrate compliance, and allow audits as set out in Section 9;
  • Not "sell" or "share" Customer Personal Data within the meaning of the CCPA/CPRA, and not retain, use, or disclose it outside the direct business relationship.

5. Subprocessors

5.1 Customer grants TagTier general authorization to engage Subprocessors to process Customer Personal Data, subject to this Section.

5.2 TagTier maintains a current list of Subprocessors at https://tagtier.com/subprocessors.

5.3 TagTier will:

  • Impose data protection obligations on Subprocessors that are no less protective than those in this DPA;
  • Remain liable for Subprocessor performance;
  • Provide Customer with at least 15 days' prior notice of any new or replacement Subprocessor (e.g., via the Subprocessor page or email).

5.4 Customer may object in writing within the notice period for legitimate reasons relating to the protection of Customer Personal Data. The Parties will work in good faith to resolve the objection. If they cannot, Customer may terminate the affected portion of the Service for convenience.

6. International transfers

6.1 To the extent TagTier transfers Customer Personal Data out of the EEA, UK, or Switzerland to a country not deemed to provide adequate protection, the transfer is governed by the Standard Contractual Clauses (Module 2: Controller-to-Processor, or Module 3: Processor-to-Processor, as applicable), incorporated by reference and deemed populated with this DPA's details. The UK International Data Transfer Addendum is similarly incorporated for UK transfers.

6.2 Customer authorizes TagTier and its Subprocessors to transfer Customer Personal Data to any country where it has implemented appropriate safeguards.

7. Data Subject rights

7.1 TagTier will, taking into account the nature of processing, assist Customer with appropriate technical and organizational measures, insofar as reasonable, to fulfill Customer's obligations to respond to Data Subjects exercising their rights under Data Protection Laws.

7.2 If TagTier receives a Data Subject request directly, it will, where it can identify the Customer, forward the request to the Customer without undue delay and not respond except as instructed by Customer.

8. Personal data breach

8.1 TagTier will notify Customer without undue delay (and in any event within 48 hours) after becoming aware of a Personal Data Breach affecting Customer Personal Data.

8.2 The notice will include the information reasonably available to TagTier at that time and will be updated as more information is gathered. TagTier will cooperate with Customer's reasonable investigation and remediation efforts.

9. Audits

9.1 TagTier will make available, on Customer's reasonable request and no more than once per year, the following information sufficient to demonstrate compliance with this DPA:

  • Up-to-date security and compliance documentation (e.g., SOC 2, ISO 27001 reports, if available);
  • Responses to a security questionnaire of reasonable length;
  • A description of TagTier's security program and Subprocessor list.

9.2 If, after reviewing the above, Customer reasonably believes a more in-depth audit is needed, the Parties will agree on the scope, timing, and cost. On-site audits are limited to once per year unless required by a regulator.

10. Return or deletion of data

10.1 On termination of the Service or upon Customer's written request, TagTier will delete or return Customer Personal Data per the schedule in our Privacy Policy — operational data within 30 days, backups within 90 days — unless retention is required by law.

10.2 Aggregated, de-identified data that no longer identifies any Data Subject may be retained.

11. Liability

The liability provisions of the Terms of Service apply to claims arising under this DPA. To the extent permissible under applicable law, the Parties' aggregate liability under this DPA is included in (and not in addition to) the limits set out in the Terms of Service.

12. Governing law

This DPA is governed by the law specified in the Terms of Service, except that processing of Customer Personal Data of EU/UK Data Subjects is also governed by the laws and supervisory-authority jurisdiction applicable to the Data Subjects.

13. Changes

TagTier may update this DPA from time to time to reflect changes in Data Protection Laws or our processing activities. Material changes will be communicated by email or in-app at least 30 days before they take effect.


Annex I — Description of processing

Subject matter

Provision of the TagTier Shopify application — tag-based pricing rules, hidden child-variant sync to Shopify, audit logs, and integrations with third-party Shopify apps (e.g., Recharge).

Duration

For the term of Customer's subscription, plus the retention period set out in Section 7 of the Privacy Policy.

Nature and purpose of processing

  • Reading customer tags to determine which pricing tier applies
  • Syncing hidden child variants to the merchant's Shopify catalog
  • Logging changes for audit and rollback
  • Recording transactional events for analytics and support

Categories of Data Subjects

  • Customer's end-shoppers (customers of the Customer's Shopify store)
  • Customer's staff users of the App
  • Customer's wholesale account holders, subscribers, VIP and ambassador segments

Categories of Personal Data

  • Customer (end-shopper) ID, email, customer tags
  • Order line item data (price, quantity, product/variant ID)
  • Merchant staff name, email, role
  • Technical data (IP address, browser, device identifiers, log data)

Special categories of data

None intended. Customer must not configure tags or rules that result in TagTier processing special categories of personal data (Article 9 GDPR).

Frequency of transfer

Continuous, while the App is installed.

Retention

See Privacy Policy, Section 7.


Annex II — Technical and organizational measures

TagTier implements and maintains the following measures, taking into account the state of the art, costs of implementation, and the nature, scope, context, and purposes of processing.

Access control

  • Role-based access controls within TagTier systems
  • Multi-factor authentication required for staff access to production systems
  • Least-privilege model; access reviewed quarterly
  • Single sign-on (SSO) for internal systems

Data security

  • TLS 1.2 or higher for data in transit
  • Encryption at rest using industry-standard algorithms (AES-256 or equivalent)
  • Secrets and credentials managed via a secrets manager
  • Production data segregated from development and staging environments

Network security

  • Hardened cloud infrastructure on IONOS Cloud (US region) — see Annex III for details
  • HTTPS-only with managed certificates, HSTS enabled
  • nginx reverse proxy with explicit upstream routing (only the /auth, /api, /webhooks, /proxy, /shopify, and /health paths are forwarded to the backend; all other requests are refused at the proxy)
  • Regular vulnerability scans and dependency monitoring

Logging, monitoring, incident response

  • Centralized application and infrastructure logs aggregated to a self-hosted Grafana instance running on the same IONOS VPS as the application (no third-party log processor)
  • Alerting on anomalous activity and error-rate thresholds
  • Documented incident response runbook
  • Post-incident reviews with root-cause analysis

Personnel

  • Background checks where permitted by law
  • Mandatory security and privacy training at hire and annually
  • Confidentiality obligations in employment agreements

Vendor management

  • Subprocessor due diligence prior to engagement
  • Written data processing terms with all Subprocessors

Business continuity

  • Automated backups with documented restore procedures
  • Disaster recovery plan reviewed at least annually

Audits

  • Internal audit of access and configuration changes at least quarterly
  • External security review (penetration test) at least annually for paid plans, once the Customer base supports it

Annex III — Approved Subprocessors (current)

A current list is published at https://tagtier.com/subprocessors. As of the date of this DPA, the principal Subprocessors include:

Subprocessor | Service provided | Location
Shopify Inc. | App platform, Admin API, App Proxy, Billing API | Canada / global
IONOS Cloud | VPS hosting for backend, frontend, and database | United States
Google LLC (Google Tag Manager + Google Analytics 4) | Tag manager + aggregate marketing-site analytics (container GTM-NXX7J3NV); opt-in only via cookie banner; Consent Mode v2 gates tags; not used in the in-app admin | United States / global
Microsoft Corporation (Clarity) | Aggregate marketing-site session recording and heatmaps; opt-in only; sensitive form fields masked at capture; not used in the in-app admin | United States / global
[Email provider — TBD] | Transactional email (install confirmations, billing receipts, security notices) | [TBD]

Note: The self-hosted Grafana instance used for infrastructure log monitoring runs on the same IONOS VPS as the application. It is first-party tooling, not a Subprocessor, and is described in Annex II (Logging, monitoring, incident response).

Have a qualified data-protection attorney review this DPA before signing with merchants.