Data Processing Agreement
This Data Processing Agreement (“DPA”) forms part of the Terms of Service or other agreement between:
Processor:
Fifty Pixels Ltd, trading as MobiLoud
Company No. 07878352
209 High Road, London, England, N2 8AN
(“MobiLoud”, “Processor”, “we”, “us”)
Customer:
The entity that has agreed to MobiLoud’s Terms of Service or another agreement for the Services
(“Customer”, “you”)
This DPA applies only where MobiLoud processes Customer Personal Data on behalf of Customer as a Processor. It supplements and is incorporated into the Agreement. If there is a conflict between this DPA and the Agreement, this DPA prevails with respect to the processing of Customer Personal Data.
1. Definitions
1.1 “Account Data” means Personal Data relating to Customer’s employees, contractors, representatives, administrators, or other business contacts who interact with MobiLoud or use the Services on Customer’s behalf. Account Data includes names, email addresses, phone numbers, company details, website URLs, billing details, dashboard usage, support messages, onboarding communications, app configuration information, app store credentials, website credentials, and similar business contact or account information.
1.2 “Applicable Data Protection Laws” means all laws and regulations relating to the processing of Personal Data that apply to MobiLoud’s performance of the Services, including the UK GDPR, the Data Protection Act 2018, and, where applicable, the EU General Data Protection Regulation (EU 2016/679), Swiss data protection law, US State Privacy Laws, and any national implementing legislation.
1.3 “Customer Personal Data” means End-User Personal Data that MobiLoud processes on behalf of Customer as a Processor in connection with a Product Schedule. Customer Personal Data excludes Account Data.
1.4 “Customer-Controlled Service” means a third-party service, account, platform, integration, website, backend, app store account, analytics account, push notification account, ecommerce account, or similar system that Customer owns, controls, configures, or selects for use with the Services. Customer-Controlled Services include Shopify, Customer’s OneSignal account, Customer’s Klaviyo account, Customer’s Firebase or analytics account, Customer’s website and ecommerce backend, and Customer’s Apple or Google developer accounts.
1.5 “End-User Personal Data” means Personal Data relating to an end-user, customer, visitor, buyer, subscriber, member, or other individual who interacts with Customer’s website, ecommerce store, mobile app, or other Customer property.
1.6 “Product Schedule” means a schedule to this DPA that describes a specific MobiLoud feature, product, app, plugin, or integration through which MobiLoud processes End-User Personal Data on behalf of Customer.
1.7 “Services” means the services provided by MobiLoud to Customer under the Agreement.
1.8 “Sub-processor” means a third party engaged by MobiLoud to process Customer Personal Data on MobiLoud’s behalf in connection with the Services. Customer-Controlled Services are not Sub-processors.
1.9 “UK GDPR” means the General Data Protection Regulation (EU 2016/679) as it forms part of domestic law in the United Kingdom by virtue of the European Union (Withdrawal) Act 2018, as amended.
1.10 “EU SCCs” means the Standard Contractual Clauses approved by European Commission Implementing Decision (EU) 2021/914.
1.11 “UK Addendum” means the International Data Transfer Addendum to the EU SCCs issued by the UK Information Commissioner.
1.12 “UK IDTA” means the International Data Transfer Agreement issued by the UK Information Commissioner under Section 119A of the Data Protection Act 2018.
1.13 “US State Privacy Laws” means US state privacy laws that apply to MobiLoud’s processing of Customer Personal Data as a service provider, processor, contractor, or similar role, including the California Consumer Privacy Act as amended by the California Privacy Rights Act.
1.14 “Controller”, “Processor”, “Data Subject”, “Personal Data”, “Personal Data Breach”, “Processing”, “Process”, and related terms have the meanings given to them in the UK GDPR, except where another Applicable Data Protection Law gives those terms a different mandatory meaning.
2. Scope and roles
2.1 Processor scope. This DPA applies only to Customer Personal Data. Most MobiLoud Services do not require MobiLoud to process End-User Personal Data on Customer’s behalf. MobiLoud processes End-User Personal Data as a Processor only where Customer enables a feature, app, plugin, or integration described in a Product Schedule.
2.2 Account Data. MobiLoud processes Account Data as an independent Controller. Account Data is governed by MobiLoud’s Privacy Policy, not by the processor obligations in this DPA, except where this DPA expressly states otherwise.
2.3 Customer role. Customer is the Controller of Customer Personal Data. If Customer processes Customer Personal Data on behalf of another Controller, Customer is responsible for ensuring that it has authority to instruct MobiLoud, and MobiLoud will act as Customer’s Sub-processor for that processing.
2.4 MobiLoud role. MobiLoud is the Processor of Customer Personal Data. MobiLoud will process Customer Personal Data only for the purposes described in this DPA, the Agreement, Customer’s documented instructions, and the applicable Product Schedule.
2.5 Customer-Controlled Services. Customer-Controlled Services are selected, owned, controlled, or configured by Customer. MobiLoud is not responsible for the privacy, security, or data processing practices of Customer-Controlled Services. Customer is responsible for its own agreements, permissions, notices, consents, and settings for Customer-Controlled Services.
2.6 Future product schedules. If MobiLoud adds another feature, app, plugin, or integration that requires MobiLoud to process End-User Personal Data as a Processor, MobiLoud may add a new Product Schedule or update an existing Product Schedule before that processing begins.
3. Customer obligations
Customer will:
3.1 Lawful basis and notices. Ensure that it has a lawful basis for sharing Customer Personal Data with MobiLoud and that any notices, consents, and permissions required by Applicable Data Protection Laws have been provided or obtained.
3.2 Instructions. Ensure that Customer’s instructions to MobiLoud comply with Applicable Data Protection Laws.
3.3 Push notification consent. Where Customer uses features involving push notifications, obtain and manage all notices, permissions, and consents required for those notifications.
3.4 Customer-Controlled Services. Configure and use Customer-Controlled Services in compliance with Applicable Data Protection Laws, including Shopify, OneSignal, Klaviyo, Firebase, analytics tools, app store accounts, reporting data sources, and Customer’s website or ecommerce backend.
3.5 Sensitive data. Not submit or configure the Services to process special category data, criminal offence data, children’s data, health data, prescription or pharmacy data, biometric data, precise geolocation data, government identifiers, payment card data, or other sensitive or regulated Personal Data unless MobiLoud has agreed in writing and the parties have agreed any additional safeguards required for that processing.
3.6 Support requests. Avoid including End-User Personal Data in support requests unless it is necessary for MobiLoud to provide the Services. Customer must not include sensitive or regulated Personal Data in support requests unless MobiLoud has agreed in writing.
4. MobiLoud’s processor obligations
MobiLoud will:
4.1 Instructions. Process Customer Personal Data only on Customer’s documented instructions, including as set out in the Agreement, this DPA, and the applicable Product Schedule, unless required to do so by law. If MobiLoud is required by law to process Customer Personal Data for another purpose, it will inform Customer of that requirement before processing unless the law prohibits notice.
4.2 Unlawful instructions. Inform Customer if MobiLoud becomes aware that Customer’s instructions infringe Applicable Data Protection Laws.
4.3 Confidentiality. Ensure that persons authorised to process Customer Personal Data are subject to appropriate confidentiality obligations.
4.4 Security. Implement and maintain appropriate technical and organisational measures to protect Customer Personal Data against unauthorised or unlawful processing and against accidental loss, destruction, or damage, including the measures described in Schedule 2.
4.5 Sub-processors. Comply with Section 9 before engaging Sub-processors.
4.6 Data subject requests. Promptly notify Customer if MobiLoud receives a request from a Data Subject to exercise rights under Applicable Data Protection Laws in relation to Customer Personal Data. MobiLoud will not respond to such requests directly unless authorised by Customer or required by law.
4.7 Assistance. Taking into account the nature of the processing and the information available to MobiLoud, provide reasonable assistance to Customer with:
- requests from Data Subjects;
- security obligations relating to Customer Personal Data;
- notifications to supervisory authorities and Data Subjects;
- data protection impact assessments, where required; and
- consultations with supervisory authorities, where required.
4.8 Deletion and return. Comply with Section 12 for Customer Personal Data in MobiLoud’s possession or control.
4.9 Audit cooperation. Comply with Section 14.
5. Account Data and MobiLoud as Controller
5.1 Controller processing. MobiLoud processes Account Data as a Controller to operate its business and provide the Services, including account management, billing, support, onboarding, app configuration, app publication, service communications, analytics, security, fraud prevention, legal compliance, and customer relationship management.
5.2 Privacy Policy. Account Data is governed by MobiLoud’s Privacy Policy. The Privacy Policy describes the categories of Account Data MobiLoud collects, the purposes of processing, the legal bases for processing, retention, third-party services, international transfers, and rights available to individuals.
5.3 AI tools. MobiLoud may use AI tools for internal sales, support, onboarding, and operations as described in its Privacy Policy. MobiLoud does not use AI tools to process Customer Personal Data under this DPA unless the relevant AI provider is listed as a Sub-processor or Customer has otherwise instructed and authorised that processing in writing.
5.4 No training on Customer Personal Data. MobiLoud will not use Customer Personal Data to train, fine-tune, or improve general AI models unless Customer has expressly agreed in writing.
6. Security
6.1 Security measures. MobiLoud will maintain appropriate technical and organisational measures for Customer Personal Data as described in Schedule 2.
6.2 Updates. MobiLoud may update its security measures from time to time, provided that the update does not materially reduce the overall level of protection for Customer Personal Data during the subscription term.
6.3 Customer responsibilities. Customer is responsible for maintaining the security of Customer-Controlled Services, Customer credentials, Customer’s website and ecommerce backend, Customer’s app store accounts, and Customer’s own privacy and consent settings.
7. Personal Data Breach notification
7.1 Notice. MobiLoud will notify Customer without undue delay, and in any event within 72 hours, after becoming aware of a Personal Data Breach affecting Customer Personal Data.
7.2 Contents. The notification will include, to the extent reasonably available:
- a description of the nature of the breach, including the categories and approximate number of Data Subjects and records affected;
- the name and contact details of MobiLoud’s point of contact for further information;
- a description of the likely consequences of the breach; and
- a description of the measures taken or proposed to address the breach, including measures to mitigate its possible adverse effects.
7.3 Updates. Where it is not possible to provide all information at the same time, MobiLoud will provide information in phases without further undue delay as it becomes available.
7.4 No admission. Notification of a Personal Data Breach does not constitute an admission of fault or liability by MobiLoud.
8. Legal requests and third-party requests
8.1 Legal requests. If MobiLoud receives a subpoena, court order, law enforcement request, governmental request, or other legal process requiring disclosure of Customer Personal Data, MobiLoud will notify Customer before disclosure unless prohibited by law.
8.2 Limited disclosure. MobiLoud will disclose only the Customer Personal Data it reasonably believes is required by the legal request.
8.3 Third-party requests. If MobiLoud receives a request from a third party, regulator, or Data Subject relating to Customer Personal Data, MobiLoud will direct the request to Customer unless MobiLoud is required by law to respond.
9. Sub-processors
9.1 Authorisation. Customer authorises MobiLoud to engage the Sub-processors listed in Schedule 3 to process Customer Personal Data.
9.2 New Sub-processors. MobiLoud will keep the Sub-processor list up to date. Before a new or replacement Sub-processor processes Customer Personal Data, MobiLoud will update the Sub-processor list and provide at least 30 days’ notice by posting an update or, where Customer has requested notice by email, by emailing Customer.
9.3 Email notice. Customer may request email notice of Sub-processor changes by contacting privacy@mobiloud.com.
9.4 Objection rights. If Customer has a reasonable, data-protection-related objection to a new or replacement Sub-processor, Customer may notify MobiLoud in writing at privacy@mobiloud.com during the notice period. The parties will discuss the objection in good faith. If no resolution is reached within 30 days, Customer may terminate the affected Services by giving written notice.
9.5 Sub-processor obligations. MobiLoud will enter into a written agreement with each Sub-processor imposing data protection obligations no less protective than those in this DPA, as applicable to the nature of the processing. MobiLoud remains liable to Customer for each Sub-processor’s performance of its data protection obligations, subject to the limitations of liability in the Agreement.
9.6 Customer-Controlled Services. Customer-Controlled Services are not Sub-processors. For example, Shopify and Customer’s OneSignal, Klaviyo, Firebase, analytics, app store, or ecommerce accounts are controlled by Customer and are not MobiLoud Sub-processors.
10. International data transfers
10.1 Authorisation. Customer authorises MobiLoud to transfer Customer Personal Data outside the United Kingdom, European Economic Area, and Switzerland where necessary to provide the Services, provided that appropriate safeguards are in place as required by Applicable Data Protection Laws.
10.2 Transfer mechanisms. Where Customer Personal Data is transferred to a country that has not received an applicable adequacy decision, MobiLoud will rely on one or more lawful transfer mechanisms, including the EU SCCs, the UK Addendum, the UK IDTA, or another mechanism permitted by Applicable Data Protection Laws.
10.3 EU SCCs. For transfers governed by the EU GDPR, the EU SCCs are incorporated by reference as described in Schedule 4.
10.4 UK transfers. For transfers governed by the UK GDPR, the UK Addendum or UK IDTA applies as described in Schedule 4.
10.5 Swiss transfers. For transfers governed by Swiss data protection law, the EU SCCs apply with the Swiss modifications described in Schedule 4.
10.6 Supplementary measures. MobiLoud maintains appropriate technical and organisational measures to protect transferred Customer Personal Data, including encryption in transit, access controls, data minimisation, and logging controls.
11. US State Privacy Laws
11.1 Service provider and processor role. To the extent MobiLoud processes Customer Personal Data subject to US State Privacy Laws, MobiLoud acts as Customer’s service provider, processor, contractor, or equivalent role.
11.2 Limited purpose. MobiLoud will process Customer Personal Data only for the limited and specified purposes described in this DPA, the Agreement, Customer’s documented instructions, and the applicable Product Schedule.
11.3 Prohibited uses. MobiLoud will not:
- sell or share Customer Personal Data;
- use Customer Personal Data for targeted advertising or cross-context behavioural advertising;
- retain, use, or disclose Customer Personal Data outside the direct business relationship between MobiLoud and Customer, except as permitted by US State Privacy Laws;
- combine Customer Personal Data with Personal Data received from or on behalf of another person or collected from MobiLoud’s own interactions with a Data Subject, except as permitted by US State Privacy Laws; or
- use Customer Personal Data for any commercial purpose other than providing the Services.
11.4 Compliance. MobiLoud will comply with applicable obligations under US State Privacy Laws for its role and will provide the same level of privacy protection required by those laws.
11.5 Notice and remediation. MobiLoud will notify Customer if MobiLoud determines that it can no longer meet its obligations under US State Privacy Laws. Customer may take reasonable and appropriate steps to stop and remediate unauthorised processing of Customer Personal Data.
11.6 De-identified data. If MobiLoud creates de-identified data from Customer Personal Data, MobiLoud will take reasonable measures to prevent the data from being used to identify a natural person, will not attempt to re-identify the data except to test the de-identification process, and will require any recipient to comply with the same restrictions.
12. Data deletion and return
12.1 Customer choice. Upon termination or expiration of the Agreement, or upon Customer’s written request, MobiLoud will, at Customer’s choice:
- return Customer Personal Data in MobiLoud’s possession or control in a commonly used, machine-readable format, where return is technically feasible; or
- delete Customer Personal Data in MobiLoud’s possession or control and confirm deletion in writing.
12.2 Timing. MobiLoud will complete the return or deletion within 30 days of receiving Customer’s instruction, unless Applicable Data Protection Laws require continued storage.
12.3 No instruction. Where Customer does not provide an instruction under Section 12.1 within 30 days of termination or expiration, MobiLoud will delete Customer Personal Data in MobiLoud’s possession or control, unless Applicable Data Protection Laws require continued storage.
12.4 Continued storage. Where continued storage is required by law, MobiLoud will inform Customer of the requirement unless prohibited by law, and will isolate and protect the stored data from further processing except as required by law.
12.5 No retained end-user database for Shopify App processing. For transient Shopify App processing described in Product Schedule 1, MobiLoud does not maintain a database of End-User Personal Data. Customer Personal Data is processed transiently and removed from job queues once processing completes. MobiLoud configures logs and error tracking tools to anonymise, strip, or replace Customer Personal Data before capture or transmission. If Customer Personal Data is inadvertently captured in internal logs despite those controls, those logs are automatically rotated and deleted within the period stated in the applicable Product Schedule. Where MobiLoud does not retain Customer Personal Data, return is not technically feasible and deletion will consist of confirming that no retained Customer Personal Data exists in MobiLoud’s possession or control.
12.6 Account Data. Deletion and return of Account Data are governed by MobiLoud’s Privacy Policy and applicable law, not this Section 12.
13. Product-specific processing
13.1 Product Schedules. The subject matter, purpose, nature, categories of Personal Data, categories of Data Subjects, duration, retention, and Sub-processors for Customer Personal Data are described in the applicable Product Schedule.
13.2 Current Product Schedule. As of this draft version, the current Product Schedule covers Shopify App processing.
13.3 No general end-user processing. Except as described in a Product Schedule, MobiLoud does not directly collect, store, or access End-User Personal Data as a Processor for Customer.
14. Audit and compliance
14.1 Information. MobiLoud will make available to Customer, on request, information reasonably necessary to demonstrate compliance with this DPA and Article 28 of the UK GDPR or EU GDPR.
14.2 Audit conditions. MobiLoud will allow and contribute to audits, including inspections, conducted by Customer or a qualified third-party auditor mandated by Customer, subject to the following conditions:
- Customer provides at least 30 days’ written notice of an audit request;
- audits are conducted during normal business hours, no more than once per year, and in a manner that minimises disruption to MobiLoud’s operations;
- Customer and its auditor enter into reasonable confidentiality obligations;
- MobiLoud may restrict access to information where disclosure would compromise the security or confidentiality of other customers’ data or violate legal or contractual obligations; and
- Customer bears the costs of any audit, including MobiLoud’s reasonable internal costs and any third-party costs incurred.
14.3 Documentation. MobiLoud may satisfy its audit obligations by providing relevant policies, written responses, security documentation, third-party security certifications, or audit reports where available and under appropriate confidentiality obligations. Where such materials are available, they will be the primary means of demonstrating compliance before any on-site audit.
15. Liability
15.1 Each party’s total liability arising out of or in connection with this DPA is subject to the limitations and exclusions of liability set out in the Agreement.
15.2 This Section 15 does not limit either party’s liability to Data Subjects under Applicable Data Protection Laws, nor does it limit liability for breaches of the EU SCCs, the UK IDTA, or the UK Addendum.
16. General
16.1 Governing law. This DPA is governed by the laws of England and Wales. The courts of England and Wales have exclusive jurisdiction over any dispute arising from this DPA, except where the EU SCCs, UK Addendum, UK IDTA, or Applicable Data Protection Laws require another governing law or forum.
16.2 Precedence. If there is a conflict between this DPA and the Agreement, this DPA prevails to the extent of the conflict with respect to the processing of Customer Personal Data. If there is a conflict between this DPA and the EU SCCs, UK Addendum, or UK IDTA, the applicable transfer terms prevail.
16.3 Amendments. MobiLoud may update this DPA from time to time to reflect changes in Applicable Data Protection Laws or MobiLoud’s processing activities. Updates will be posted at mobiloud.com/dpa or another location notified to Customer. Continued use of the Services after an update constitutes acceptance of the updated DPA where permitted by applicable law.
16.4 Severability. If any provision of this DPA is found to be invalid or unenforceable, the remaining provisions will continue in full force and effect.
16.5 Entire agreement. This DPA, together with the Agreement and MobiLoud’s Privacy Policy, constitutes the entire agreement between the parties regarding the processing of Customer Personal Data.
Contact
For questions about this DPA, contact:
Fifty Pixels Ltd (trading as MobiLoud)
209 High Road, London, England, N2 8AN
Email: privacy@mobiloud.com
Product Schedule 1: Shopify App processing
1. When this schedule applies
This Schedule applies only when Customer has installed the MobiLoud Shopify App and has enabled one or more of the following optional features:
- order or customer tagging for orders originating from Customer’s mobile app; or
- order status push notifications using Customer’s OneSignal account.
If Customer installs the Shopify App but does not enable these features, MobiLoud does not process End-User Personal Data under this Schedule.
2. Subject matter and purpose
MobiLoud processes Customer Personal Data to:
- receive order and customer data from Customer’s Shopify store;
- identify orders and customers that originate from Customer’s mobile app;
- write order or customer tags back to Customer’s Shopify store through the Shopify API; and
- deliver order status push notifications through Customer’s OneSignal account.
3. Nature of processing
When a relevant Shopify event occurs, Shopify sends a webhook to MobiLoud. MobiLoud processes the webhook and, depending on Customer’s enabled features, either writes app attribution tags back to Shopify through the Shopify API or sends notification data to Customer’s OneSignal account for push notification delivery.
Customer Personal Data is processed transiently. It is not written to MobiLoud’s end-user database. Data exists temporarily in job queues during processing and is removed once the operation completes.
Production logging is configured at error level only, so Customer Personal Data is not logged during normal operations. MobiLoud configures logs and error tracking tools, including Laravel Nightwatch, to anonymise, strip, or replace Customer Personal Data before capture or transmission. If Customer Personal Data is inadvertently captured in internal logs despite those controls, those logs are automatically rotated and deleted within 24 hours.
4. Categories of Customer Personal Data
Depending on Customer’s Shopify configuration and enabled features, Customer Personal Data may include:
- order identifiers, including order number and order ID;
- customer identifiers, including name, email address, Shopify customer ID, and shipping or billing address associated with an order;
- order data, including order value, products purchased, order date, order time, fulfilment status, and order status;
- device, session, attribution, or app-origin identifiers used to identify orders originating from the mobile app;
- technical identifiers, such as IP address, browser, or operating system where included in relevant payloads; and
- OneSignal recipient identifiers or push notification identifiers where used for order status notifications.
MobiLoud does not intentionally process payment card data or full payment credentials through this Schedule.
5. Categories of Data Subjects
Data Subjects are end-users of Customer’s mobile app or Shopify store whose order, customer, device, or notification data is processed when Customer enables the features described in this Schedule.
6. Frequency and duration
Transfers occur when relevant Shopify events are sent to MobiLoud and the enabled feature requires processing. Processing continues for the duration of Customer’s active MobiLoud subscription and use of the enabled Shopify App features.
7. Retention
Customer Personal Data processed under this Schedule is transient. It is removed from job queues once processing completes. Logs and error tracking data are configured to anonymise, strip, or replace Customer Personal Data. If Customer Personal Data is inadvertently captured in internal logs despite those controls, those logs are automatically rotated and deleted within 24 hours.
MobiLoud may retain merchant-level configuration data, including encrypted OneSignal API credentials, notification templates, feature flags, Shopify store domain, and Shopify access tokens. That configuration data is Account Data or Customer configuration data and is handled under MobiLoud’s Privacy Policy and security practices, except to the extent it contains Customer Personal Data.
8. Customer-Controlled Services
Shopify and Customer’s OneSignal account are Customer-Controlled Services. MobiLoud reads from or writes to those services on Customer’s instructions, but they are not MobiLoud Sub-processors.
Customer is responsible for:
- its Shopify account, permissions, API settings, and privacy notices;
- its OneSignal account, notification settings, and user permissions;
- end-user consents and device permissions for push notifications;
- the content of push notification templates and messages; and
- its own agreements with Shopify, OneSignal, and any other Customer-Controlled Service.
9. Sensitive data restriction
Customer must not enable the Shopify App features described in this Schedule for stores, products, orders, or workflows involving special category data, health data, prescription or pharmacy data, children’s data, criminal offence data, biometric data, government identifiers, precise geolocation data, payment card data, or other sensitive or regulated Personal Data unless MobiLoud has agreed in writing and the parties have agreed any additional safeguards required for that processing.
10. Shopify privacy webhooks
MobiLoud’s Shopify App is configured to receive Shopify’s mandatory privacy webhook requests, including shop redaction, customer redaction, and customer data request webhooks. Because MobiLoud does not permanently store End-User Personal Data under this Schedule, there is generally no retained End-User Personal Data to export or delete in response to these webhooks. Where transient or associated records exist in MobiLoud’s possession or control, they are removed.
Schedule 2: Technical and organisational measures
MobiLoud maintains the following technical and organisational measures for Customer Personal Data, taking into account the nature, scope, context, and purposes of processing under this DPA.
1. Access controls
- Access to systems processing Customer Personal Data is limited to authorised personnel with a business need for access.
- Administrative access is limited and reviewed periodically.
- Personnel use individual accounts where technically supported.
- Multi-factor authentication is used where supported for key administrative systems.
- Access is removed or updated when personnel leave MobiLoud or no longer need access.
2. Confidentiality and personnel controls
- Personnel authorised to process Customer Personal Data are subject to confidentiality obligations.
- MobiLoud limits internal access to Customer Personal Data based on role and operational need.
- Personnel are instructed to handle Customer data in accordance with MobiLoud policies and customer confidentiality obligations.
3. Encryption and transmission security
- Data is encrypted in transit using industry-standard transport security where supported.
- Credentials and access tokens stored by MobiLoud are protected using encryption or equivalent safeguards appropriate to the system.
- MobiLoud uses reputable infrastructure providers for hosting, routing, and application infrastructure.
4. Logging and data minimisation
- Production logging for Shopify App processing is configured at error level only.
- Customer Personal Data is not logged during normal Shopify App operations.
- Logs and error tracking tools are configured to anonymise, strip, or replace Customer Personal Data before capture or transmission.
- If Customer Personal Data is inadvertently captured in internal logs despite those controls, those logs are automatically rotated and deleted within 24 hours.
- Laravel Nightwatch receives anonymised, stripped, or non-identifying operational data for application performance monitoring. End-user personal data such as customer email, customer ID, order ID, full notification payloads, and OneSignal API credentials is anonymised or replaced with non-identifying metadata before transmission to Nightwatch.
5. Application security and change control
- MobiLoud applies security updates and patches to relevant systems on a risk-based basis.
- MobiLoud reviews and updates security practices periodically.
- Production changes are limited to authorised personnel.
- MobiLoud uses monitoring and operational tooling to identify and investigate application errors and availability issues.
6. Availability, backup, and recovery
- MobiLoud uses reputable infrastructure providers designed to provide reliable hosting and routing.
- MobiLoud maintains operational procedures intended to restore service availability after technical incidents.
- Where backups are used, access is limited and backups are retained only as needed for operational or legal purposes.
7. Vendor management
- MobiLoud reviews Sub-processors before use and enters into written agreements requiring appropriate data protection obligations.
- MobiLoud limits Sub-processor access to Customer Personal Data to what is needed for the relevant processing activity.
8. Incident response
- MobiLoud maintains procedures for investigating suspected security incidents.
- MobiLoud takes steps to contain, investigate, and remediate confirmed incidents affecting Customer Personal Data.
- MobiLoud notifies Customer of Personal Data Breaches affecting Customer Personal Data in accordance with Section 7.
Schedule 3: Sub-processors
The following Sub-processors are authorised for Customer Personal Data processed under Product Schedule 1:
| Sub-processor | Processing activity | Location |
| --- | --- | --- |
| DigitalOcean LLC | Cloud hosting and application servers for processing under Product Schedule 1 | United States |
| Cloudflare, Inc. | Content delivery network, traffic routing, security, and configuration file hosting for processing under Product Schedule 1 | United States and global network |
For transparency, MobiLoud also uses Laravel Nightwatch, operated by Laravel Holdings Inc., for application performance monitoring and error logging. Customer Personal Data is anonymised or stripped before transmission to Nightwatch, and Nightwatch is not intended to process Customer Personal Data under this DPA.
Customer-Controlled Services, including Shopify, Customer’s OneSignal account, Customer’s analytics accounts, Customer’s app store accounts, and Customer’s reporting data sources, are not MobiLoud Sub-processors.
Schedule 4: International transfer terms
1. EU SCCs
Where Customer Personal Data protected by the EU GDPR is transferred to a country that has not received an adequacy decision from the European Commission, the EU SCCs are incorporated into this DPA as follows:
- Customer is the data exporter and MobiLoud is the data importer.
- Module Two applies where Customer is a Controller and MobiLoud is a Processor.
- Module Three applies where Customer is a Processor and MobiLoud is a Sub-processor.
- Clause 7, optional docking clause, does not apply.
- Clause 9, Option 2, general written authorisation, applies. The notice period for new Sub-processors is stated in Section 9.
- Clause 11 optional language does not apply.
- Clause 17, Option 1, applies. The EU SCCs are governed by the laws of Ireland.
- Clause 18(b) disputes will be resolved before the courts of Ireland.
- Annex I(A) is completed with the party information in this DPA and the Agreement.
- Annex I(B) is completed with the processing details in the applicable Product Schedule.
- Annex I(C) competent supervisory authority will be determined in accordance with the EU GDPR. Where no other supervisory authority is clearly competent, the Irish Data Protection Commission will be the competent supervisory authority.
- Annex II is completed with the measures in Schedule 2.
- Annex III is completed with the Sub-processors in Schedule 3.
2. UK Addendum and UK IDTA
Where Customer Personal Data protected by the UK GDPR is transferred to a country that has not received an adequacy decision from the UK Secretary of State, the UK Addendum or UK IDTA applies as follows:
- For the UK Addendum, Table 1 is completed with the party information in this DPA and the Agreement.
- Table 2 is completed with the EU SCCs selections stated in Section 1 of this Schedule.
- Table 3 is completed with the processing details in the applicable Product Schedule, the technical and organisational measures in Schedule 2, and the Sub-processors in Schedule 3.
- Table 4 is completed so that either party may end the UK Addendum as set out in the UK Addendum.
- Where the UK IDTA applies instead of the UK Addendum, the information required by the UK IDTA is completed with the equivalent information in this DPA, the Agreement, and the applicable Product Schedule.
3. Swiss transfers
Where Customer Personal Data protected by Swiss data protection law is transferred to a country that has not received an applicable adequacy decision, the EU SCCs apply with the following modifications:
- references to the GDPR are interpreted as references to Swiss data protection law;
- references to EU Member States are interpreted to include Switzerland where required;
- the competent supervisory authority is the Swiss Federal Data Protection and Information Commissioner;
- the governing law for the EU SCCs is Swiss law; and
- disputes will be resolved before the courts of Switzerland, unless Applicable Data Protection Laws require another forum.
4. Transfer details
As of this draft version, the Sub-processors listed in Schedule 3 are located in or operate from the United States or a global network. Where a Sub-processor is certified under the EU-US Data Privacy Framework, the Swiss-US Data Privacy Framework, or the UK Extension to the EU-US Data Privacy Framework, that certification may serve as an additional safeguard alongside the transfer mechanisms referenced in this Schedule.
Schedule 5: US state privacy terms
This Schedule applies where US State Privacy Laws apply to MobiLoud’s processing of Customer Personal Data.
1. Role
MobiLoud acts as Customer’s service provider, processor, contractor, or equivalent role for Customer Personal Data.
2. Processing restrictions
MobiLoud will process Customer Personal Data only for the limited and specified purposes described in this DPA, the Agreement, Customer’s documented instructions, and the applicable Product Schedule.
MobiLoud will not:
- sell or share Customer Personal Data;
- use Customer Personal Data for targeted advertising or cross-context behavioural advertising;
- retain, use, or disclose Customer Personal Data outside the direct business relationship with Customer, except as permitted by US State Privacy Laws;
- combine Customer Personal Data with Personal Data from other sources except as permitted by US State Privacy Laws; or
- use Customer Personal Data for a commercial purpose other than providing the Services.
3. Assistance and compliance
MobiLoud will provide the same level of privacy protection required by applicable US State Privacy Laws for MobiLoud’s role. MobiLoud will provide reasonable assistance to Customer for consumer rights requests relating to Customer Personal Data, taking into account the nature of the processing and the information available to MobiLoud.
4. Notice and remediation
MobiLoud will notify Customer if MobiLoud determines that it can no longer meet its obligations under applicable US State Privacy Laws. Customer may take reasonable and appropriate steps to stop and remediate unauthorised processing of Customer Personal Data.
5. De-identified data
If MobiLoud creates de-identified data from Customer Personal Data, MobiLoud will take reasonable measures to prevent the data from being used to identify a natural person, will publicly commit or contractually commit to maintain and use the data only in de-identified form, will not attempt to re-identify the data except to test the de-identification process, and will require any recipient to comply with equivalent restrictions.