OmniGen Labs Data Processing Agreement

Legal docs

Privacy Policy
Data Processing Agreement
Terms of Use
Merchant Agreement

This Data Processing Agreement (DPA) is considered a fundamental part of any contract that encompasses services rendered by APPSOLVE, representing a Shopify partner (referred to as the "Company").

Acting as a data processor, the Company, by virtue of client engagement with its services, ensures that the client agrees to adhere to the terms and conditions outlined in this DPA.

Whereas:

  • The Company operates as a Shopify Partner, and the Client, a Shopify Merchant utilizing OmniGen Labs Services, is recognized within this agreement.
  • In alignment with the Main Agreement, the Client agrees to purchase OmniGen Labs Services, wherein the Company offers access to its proprietary Shopify applications. Provision of these Services might require accessing Client's information and personal data ("Client Data").
  • The Client allows the Company to employ allied services via Platforms, which may include entities like Amazon, Google, and Facebook. These Platforms might handle the Client's data as per their standard agreements, necessitating Client adherence to particular Platform Agreements.

Definitions:

  • Applicable Law: This encompasses statutes, regulations, and all applicable judicial decisions or policies that govern the actions of the Client, the Company, and the Services.
  • Client Data: Pertains to personal data received or processed by the Company or its Sub-Processors for Service provision under the Main Agreement.
  • Data Path: Describes the intended use, processing, and transfer trajectories of Client Data.
  • Personal Data Protection Laws: Include GDPR within EU states and any synonymous national legislation applicable to the Services.
  • Losses Related to Data Processing: Encompasses liabilities, costs (including legal fees), settlements, damages, and fines due to data breaches, excluding indirect losses like profit diminution.
  • Data Subject Request: Formal requests made by data subjects to exercise rights under data protection laws.
  • GDPR: Stands for the General Data Protection Regulation (EU) 2016/679.
  • Confidentiality Statements: Legally acquired consents from data subjects authorizing their data processing by involved parties.
  • Processing Instructions: Detailed in clause 2.1.1.
  • Sub-Processor: An auxiliary processor engaged by the Company for managing Client Data on the Client’s behalf.
  • Supervisory Authority: Regulatory bodies overseeing adherence to data protection statutes.
  • Third-party: External entities involved in processing Client Data for Service provision, excluding the Client and the Company.
  • Data Processing Roles: Defined as per Personal Data Protection Laws.

Terms and Legal Provisions for Data Processing

1. Data Controller and Data Processor

1.1 The parties agree that the Client shall be deemed the Data Controller for the Client's data, while the Company shall act as the Data Processor. This includes instances where Client data originates from third parties, such as a Platform operator, which may serve as a joint controller with the Client regarding such data. The status of the parties is governed by applicable Personal Data Protection Laws, with the understanding that the Company will consistently operate as a Data Processor under this Agreement.

1.2 The Company will process the Client's data in accordance with:

  • 1.2.1 The obligations of the Data Processor as outlined in Personal Data Protection Laws and this Data Processing Agreement; and
  • 1.2.2 The terms specified within this Data Processing Agreement.

1.3 The Client agrees to comply with:

  • 1.3.1 All applicable Personal Data Protection Laws relating to the processing of Client Data, the Services, and the exercise and enforcement of Client rights under this Agreement and any relevant Platform Agreements, including the retention of records and compliance with relevant regulations; and
  • 1.3.2 The terms of this Data Processing Agreement and any applicable Platform Agreements.

1.4 The Client warrants that:

  • 1.4.1 All Client Data will comply with Personal Data Protection Laws in all respects, encompassing lawful collection, storage, and processing, including obtaining necessary consents from Data Subjects.
  • 1.4.2 Client Data can be lawfully processed by the Company and any third parties involved in delivering the Services.
  • 1.4.3 Regarding Client Data:
    • (a) When provided directly by the Client, the Client shall implement mechanisms to:
      • Ensure appropriate notifications and confidentiality statements are provided to and obtained from Data Subjects.
      • Allow Data Subjects to request modifications to their personal data or withdraw consent for its processing.
      • Ensure the database excludes data from subjects who opt out of processing, as outlined in item 1.4.3 (a)(point 3).
      • Prevent issuing Processing Instructions regarding subjects who have opted out, as described in item 1.4.3 (a)(point 3).
      • Maintain the accuracy and currency of Client Data and inform the Company of any changes.
    • (b) When Client Data is sourced from third-party providers, the Client confirms that those providers comply with Personal Data Protection Laws, ensuring the data is usable by the Company for Service provision.
  • 1.4.4 Client Data shall not include:
    • (a) Personal data belonging to underage Data Subjects, per applicable law;
    • (b) Special categories of personal data; or
    • (c) Location data, unless the Client has established a valid legal basis for processing such data in line with Personal Data Protection Laws as part of the Services.
  • 1.4.5 All instructions from the Client regarding personal data will comply with applicable Personal Data Protection Laws.

1.5 The Client agrees not to unreasonably withhold or delay consent for any changes requested by the Company to ensure compliance with Personal Data Protection Laws.

1.6 The Client acknowledges that:

  • (a) If the Company is required to obtain personal data directly from Data Subjects or secure consent for any use of such data, it is the Client's responsibility to provide appropriate forms and privacy notices relating to the lawful acquisition of Client Data for use by the Company in delivering Services, including disclosures related to third-party tools (such as cookies and tags).
  • (b) The Company, including any Sub-Processor, shall not be liable for any losses, delays, or damages incurred by the Client due to the Client’s failure to provide required notifications or confidentiality statements in a timely manner.

1.7 The Client further agrees that, when accessing Platforms provided by the Company using any authentication credentials, the Client must comply with this Agreement, Platform policies, and applicable law. The Client shall not misappropriate, modify, disassemble, decompile, or otherwise exploit any part of a Platform or its components.

1.8 The Client confirms and guarantees that:

  • 1.8.1 The personal data processing operations conducted by the Company and any Platforms, including any data paths, are suitable for the intended use of the Client's data.
  • 1.8.2 The Company and associated Platforms possess adequate guarantees, expertise, and resources to provide Services in compliance with Personal Data Protection Laws.

1.9 The Client acknowledges awareness and understanding of the Company's processing operations described in this Data Processing Agreement and any associated data paths.

2. Instructions and Details Regarding Data Processing

2.1 In instances where the Company processes the Client's data on behalf of the Client, the Company

  • 2.1.1 Shall process the Client's data solely in accordance with the Client's instructions as detailed in this clause 2 and Annex 1 (Data Processing Details), unless required to act otherwise by applicable law. The Company will ensure that all personnel acting under its authority comply with this directive.
  • 2.1.2 If applicable laws necessitate processing Client data in a manner not aligned with the Client's instructions, the Company will notify the Client of such requirements prior to proceeding with the processing unless the law prohibits such notification for reasons of significant public interest.
  • 2.1.3 The Company will inform the Client if it identifies a Processing Instruction that, in its opinion, contravenes Personal Data Protection Laws, noting that:
    • (a) The provisions of sections 1.3 and 1.4 are applicable;
    • (b) To the fullest extent permitted by law, the Company shall bear no liability—whether in contract, tort (including negligence), or otherwise—for any losses, costs, expenses, or liabilities (including those related to data protection) arising from processing conducted per the Client's Processing Instructions.
  • 2.1.4 The Company does not assume any responsibility for determining the purposes or methods of processing the Client's data beyond the scope of the Client's instructions.

3. Technical and Organizational Measures

3.1 The Company shall implement and maintain at its own cost and expense the necessary technical and organizational measures, which include:

  • 3.1.1 Those specified in Annex 2 (Technical and Organizational Measures) concerning the processing of Client Data;
  • 3.1.2 Measures designed to assist the Client in meeting its obligations to respond to requests from Data Subjects regarding their personal data.

3.2 Both the Client and the Company acknowledge that the "Technical and Organizational Measures" outlined in Annex 2 are intended to provide a level of security that is appropriate to the risks associated with the processing activities described in Annex 1 and the nature of the Client's data. Any additional technical and organizational measures required will be formalized through a separate written agreement between the Client and the Company, to be financed by the Client.

4. Use of Personnel and Sub-Processors

4.1 The Company shall not engage any Sub-Processor to perform activities related to the processing of the Client's data without prior authorization from the Client. Such authorization shall not be withheld, conditioned, or delayed. The Client hereby authorizes the Company to appoint:

  • (a) All Sub-Processors identified in the data path; and
  • (b) Any companies acting as Sub-Processors for the purpose of delivering the Services.

The Client acknowledges that a complete list of Sub-Processors, data providers, subcontractors, and website publishers utilized to deliver the Services may be available on the Company’s website or provided upon the Client's request.

4.2 If the Client wishes to object to the appointment of any Sub-Processor, the Client must notify the Company within one working day. In the absence of such notification, the Company may proceed with the appointment. If the Parties cannot agree on the proposed Sub-Processor, the Company reserves the right to unilaterally terminate the Main Agreement immediately, as it pertains to the services requiring that Sub-Processor.

4.3 The Company appoints Sub-Processors under agreements that impose similar obligations as specified in clauses 1 through 11 of this Agreement. However, in instances where the Client acknowledges that specific operators, agents, or sub-agents, including many Platforms and certain multinational service providers, operate under non-negotiable terms (collectively referred to as "Providers"), the conditions of such Providers, established in their published agreements or general terms of data processing ("Provider Terms"), shall apply. In this context:

  • 4.3.1 The Company will inform the Client about these Providers;
  • 4.3.2 In the absence of any objections from the Client, these Providers may be utilized to deliver Services;
  • 4.3.3 Providers and their Provider Terms will be considered selected, approved, and authorized by the Client. The Client, as Data Controller, is responsible for understanding and complying with the Provider Terms; and
  • 4.3.4 The Company will make reasonable efforts to assist the Client in understanding the Provider Terms.

4.4 Without prejudice to clause 10.2, the Company shall not be liable for any loss or damage resulting from personal data processing conducted in accordance with Provider Terms, particularly those arising from the actions, omissions, or violations (direct or indirect) of such Providers, which exceed any liability limits established under the respective Provider's terms and conditions.

4.5 The Client acknowledges that Providers may appoint their own processors and Sub-Processors for Service delivery according to their Provider Terms, without notice to the Client, and under obligations that may differ substantially from those outlined in this Agreement. The Company will not assume any responsibility to the Client regarding such appointments made by Providers.

4.6 The Company ensures that all personnel authorized to process the Client's data are bound by contractual obligations to maintain confidentiality. Disclosure may occur only if required by applicable law; in such cases, the Company will, if possible, notify the Client prior to any disclosure, unless prohibited by law.

5. Assistance with Compliance Obligations

5.1 The Company shall forward to the Client all requests received from Data Subjects within three working days of receipt.

5.2 The Company agrees to assist the Client as reasonably requested, considering the nature of the processing and the information available to the Company, to facilitate the Client's compliance with obligations under Personal Data Protection Laws, specifically concerning:

  • 5.2.1 Data processing security;
  • 5.2.2 Data protection impact assessments (as defined in applicable Data Protection legislation);
  • 5.2.3 Consultation with supervisory authorities regarding high-risk processing activities;
  • 5.2.4 Notifications to the supervisory authority and communications to Data Subjects in the event of a data breach.

The Company reserves the right to charge a reasonable fee for assistance that materially exceeds what would ordinarily be considered part of the services provided under the Main Agreement.

6. International Data Transfers

6.1 The Client acknowledges and agrees that the Company may transfer Client Data to countries outside the European Economic Area (EEA) or to international organizations (collectively referred to as "International Recipients"). All such transfers will be conducted in compliance with applicable Personal Data Protection Laws and will be accompanied by appropriate security measures. The provisions of this Data Processing Agreement serve as the Client's instructions regarding such transfers, as specified in clause 2.1.

7. Records, Information, and Auditing

7.1 The Company will maintain written records of all categories of processing activities conducted on behalf of the Client in compliance with applicable Personal Data Protection Laws.

7.2 To demonstrate compliance with its obligations as a data processor, the Company will provide the Client with the information it reasonably deems necessary. This will allow the Client, or any auditor designated by the Client, to participate in audits (limited to once per year, and subject to the Company’s confidentiality obligations). The Client agrees to the following terms:

  • 7.2.1 Provide advance notification to the Company regarding any requests for information, audits, or inspections;
  • 7.2.2 Ensure that all information obtained or generated by the Client or its auditors in relation to such requests, inspections, and audits remains strictly confidential, except where disclosure is mandated by a Supervisory Authority or relevant law;
  • 7.2.3 Conduct audits or inspections during normal business hours to minimize disruption to the Company’s operations, Sub-Processors, and other clients; and
  • 7.2.4 Compensate the Company for any reasonable costs incurred in providing information and facilitating audits.

8. Notifications in Case of Data Breaches

8.1 In the event of any security breach related to the processing of the Client's personal data, the Company will act promptly to:

  • 8.1.1 Notify the Client of the data breach concerning the processing of personal data;
  • 8.1.2 Provide the Client with detailed information regarding the nature and specifics of the data breach.

9. Deletion or Return of Client Data and Copies

9.1 The Company shall:

  • 9.1.1 Upon the Client's written request, return all original Client Data or provide a copy in the requested format;
  • 9.1.2 Delete all copies of the Client Data, unless retention is required by applicable law. In such cases, the Company will inform the Client of the retention obligations. The Company is not required to delete copies held in backup systems dedicated exclusively to disaster recovery, acknowledging the complexity of such deletion processes. Deletion will occur within a reasonable timeframe, specifically:
    • 9.1.2.1 After completion of the relevant services related to the processing; or
    • 9.1.2.2 Once the Company's processing of any Client Data is no longer necessary to fulfill obligations under this Data Processing Agreement, the Main Agreement, or applicable laws.

10. Liability, Indemnities, and Claims

10.1 The Company shall be liable to indemnify the Client for losses arising from breaches of provisions related to the processing of Client Data under this Data Processing Agreement. Such liability is limited to:

  • 10.1.1 Losses directly caused by the Company's breach of clauses 1 through 11 of this Agreement; and
  • 10.1.2 The Company shall not be liable for any losses arising from breaches of this Agreement if such losses result from the Client's breach

10.2 The Company makes no representations or guarantees regarding its suppliers or providers, nor concerning the Personal Data processing activities carried out by these suppliers. The Company shall not compensate the Client for any data processing activities conducted by suppliers.

10.3 The Client shall be liable and indemnify the Company for all losses arising from breaches related to the processing of personal data suffered by the Company or any Sub-Processor in relation to:

  • 10.3.1 Non-compliance by the Client with Personal Data Protection Laws or the Terms and Conditions of the Providers;
  • 10.3.2 Processing conducted by the Company or a Sub-Processor in accordance with any Processing Instruction that violates Personal Data Protection Laws;
  • 10.3.3 Any violation of Personal Data Protection Laws or contractual obligations by an Operator or third-party authorized by the Client for Service delivery; and
  • 10.3.4 Breaches by the Client of its obligations as outlined in clauses 1 through 11, unless the Company is liable under clause 10.1.

10.4 If either party receives an indemnification claim from an individual concerning the processing of Client Data, that party must promptly provide the other party with full notice and details of the claim. The party responding to the claim shall:

  • 10.4.1 Not admit liability or accept any settlement without prior written consent from the other party (consent shall not be unreasonably withheld); and
  • 10.4.2 Consult with the other party regarding the action, but settlement terms shall be determined solely by the party responsible for the indemnification.

10.5 The parties agree that the Client shall not seek compensation from the Company for any damages that the Client is obligated to indemnify under clause 10.2.

10.6 This clause establishes mutual liability for losses arising from non-compliance with data processing provisions, including compensation to Data Subjects, while remaining consistent with applicable Personal Data Protection Laws. This liability is subject to:

  • 10.6.1 Any limitations imposed by applicable law (including Personal Data Protection Laws); and
  • 10.6.2 The fact that this clause does not affect the liability of either party to Data Subjects.

11. Survival of Personal Data Protection Provisions

11.1 Clauses 1 through 11 (inclusive) shall survive the termination or expiration of this Data Processing Agreement for any reason, and will continue as follows:

  • 11.1.1 Indefinitely for clauses 9 through 11 (inclusive); and
  • 11.1.2 For up to 12 months following the date of termination or expiration of this

Agreement for clauses 1 through 8 (inclusive), provided that termination or expiration of these clauses shall not affect either party's rights and remedies existing at the time of termination or expiration.

11.2 In the event of any conflict between the terms of this Data Processing Agreement and the Main Agreement or any other agreements governing the relationship between the parties, the terms of this Data Processing Agreement shall take precedence.

12. Term and Termination of Services

12.1 This Data Processing Agreement shall expire upon the occurrence of the earliest of the following events:

  • 12.1.1 Termination or expiration of the Main Agreement; or
  • 12.1.2 Cessation of any processing of Client Data by the Company on behalf of the Client in connection with the provision of Services.

12.2 Both the Client and the Company reserve the right to suspend and/or terminate this Data Processing Agreement at any time by providing three months' written notice to the other party.

13. Applicable Law

13.1 This Data Processing Agreement, along with any disputes or claims arising from or related to it—whether contractual or non-contractual—shall be governed by and construed in accordance with the choice of law specified in the Main Agreement.

13.2 The parties hereby irrevocably agree that the courts specified in the Main Agreement shall have exclusive jurisdiction to resolve any disputes or claims arising from or related to this Data Processing Agreement, including non-contractual disputes or claims.

Annexes: Instructions for Data Processing and Technical Measures

ANNEX 1. INSTRUCTIONS FOR DATA PROCESSING

APPSOLVE will process Client Data as a Data Processor for the purpose of providing the Services, in accordance with the following documented instructions from the Client:

Scope of Processing Categories of Data Subjects Categories of Personal Data Processing Operations
Render services and provide products related to the Client's Shopify store Customers and/or potential customers of the Client in relation to the Client's Shopify store Personal data related to Customers and/or potential customers, including but not limited to name, surname, email address, location/postal address, IP address, order details, invoice and shipping information, and data processed through cookies and local storage on the Client's store Any operation or set of operations performed on personal data, whether automated or not, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure, dissemination, alignment, combination, restriction, erasure, or destruction.

Duration

The Company will process the data for the duration of the Services, the Main Agreement, and in compliance with applicable laws.

As the Client determines how its customers' personal information will be utilized, the Client must ensure that its customers understand the collection and processing of their personal information. At a minimum, this includes posting a privacy policy on the Client's store that outlines:

  • The information collected by the merchant.
  • The purpose of the data usage.
  • Any third parties with whom the data may be shared, including details regarding cookies.

The Client’s written requests should be submitted through Shopify tools such as the Privacy Portal. In situations concerning Shopify end customers' data, compliance with GDPR is facilitated through the implementation of Shopify's data protection mechanisms.

ANNEX 2. TECHNICAL AND ORGANISATIONAL MEASURES

1. Information Security Policy

The Company shall establish and maintain a comprehensive, documented Information Security Policy that aligns with best practices and international security standards (e.g., ISO 27001, NIST). This policy will articulate management's commitment to and support for information security and will be reviewed and updated annually.

2. Security of Personnel

The Company will implement the following measures to ensure the security of personnel:

  • All employees and contractors will enter into contractual agreements that specify their responsibilities regarding information security.
  • Employees, contractors, and third-party users will agree to terms reflecting the organization’s information security policies, including confidentiality and non-disclosure agreements.
  • Management will cultivate a culture of security awareness, requiring and encouraging all personnel to adhere to established security policies and procedures.
  • Regular security awareness training will be provided to all personnel, tailored to their specific roles and functions within the organization.
  • A process will be established to ensure that all employees and external users return organizational assets upon termination of their employment, contract, or agreement.

3. Access Controls

The Company will ensure that access to information, operational applications, Services, and information systems is limited to identified, authenticated, and authorized users. Key provisions include:

  • Timely removal of obsolete access rights to prevent unauthorized access and misuse.
  • Application of the 'least privilege' and 'need-to-know' principles, along with appropriate segregation of duties.
  • Implementation of two-factor authentication for all user accounts, where supported by the platform.
  • Restriction of infrastructure access to specialized employees, with read-only access granted via VPN connections and two-factor authentication.
  • Risk assessment and justification for all exceptions, including service and functional accounts, reviewed periodically.
  • Adoption of strong authentication techniques for applications processing sensitive data, applicable to all personnel, including technical support staff, regardless of access mode (local or remote).
  • Development of an Access Control Policy grounded in need-to-know, role-based access, and segregation of duties principles.
  • Formal approval by an appointed Responsible Manager for all access to Information Systems, including verification of identity and compliance with sensitive access requirements before granting access.
  • Logging of all user access-related requests for merchant operations, following defined user access management processes for assessment, approval, and implementation, with strict control of privileged access rights.
  • Regular reviews of user access rights by asset owners, with immediate removal of access rights for individuals upon termination of their employment, contract, or agreement, or adjustment based on role changes.

4. Operational Security

The Company shall implement the following operational security measures:

  • Data Backup: Regular backups of data will be conducted, ensuring protection from unauthorized access or modification during storage. Backups will be readily available for timely recovery in the event of an incident or disaster.
  • Data Protection: All data at rest shall be safeguarded using appropriate security mechanisms, including cryptographic methods and access controls.
  • Vulnerability Management: Information about technical vulnerabilities within information systems will be obtained promptly, and exposure to such vulnerabilities will be evaluated daily. The Company will take appropriate actions to mitigate associated risks.
  • Segregation of Duties: Proper segregation of duties will be enforced to mitigate the risk of fraud. This will include regular reviews of the effectiveness of segregation of duty controls.
  • Logging: Comprehensive logs will be maintained for all systems accessing or storing Client assets. These logs will include records of:
    • User actions on the Services infrastructure
    • Administrator and operator activities
    • Fault occurrences
    • Changes to security and system configuration parameters
    • Modifications to application software
    • Usage of privileged functions
  • Logs will be securely protected and made available, retained for a minimum period of twelve (12) months or longer if required by law.
  • Environment Separation: The Company will ensure a clear separation between development, testing, and operational environments.
  • Data Deletion: Any data provided by the Client will be securely deleted following the agreed period of use or upon the Client's first written request.
  • Capacity Planning: The Company will implement proper procedures to anticipate capacity needs, regularly back up all information, and protect the Services infrastructure against malicious code.

5. Communication Security

The Company will implement secure and reliable networks to ensure accurate and prompt data transmission, minimizing communication disruptions and guaranteeing confidentiality and integrity to protect the Client's business and reputation. Key measures include:

  • Network Management: The network architecture will be managed and controlled to defend against emerging security threats and to protect information within systems and applications.
  • Security Mechanisms: Suitable security controls (including cryptographic protections and access controls) will be established to secure data in transit across both private and public networks, safeguarding IT Services from unauthorized access.

6. System Acquisition, Development, and Maintenance

The Company will ensure that information security considerations are integrated throughout the entire lifecycle of its information systems to reduce potential vulnerabilities. This includes:

  • Secure Coding Standards: Adoption of secure coding practices when developing products and services.
  • Planning Requirements: Information security requirements will be integrated during the planning stages of new information systems or enhancements to existing systems.
  • Development Environment Protection: The Company will safeguard its development environments and ensure security measures are incorporated throughout the system development lifecycle.
  • Compliance with Security Rules: Security policies will be established and applied to software and systems development within the organization. If development is outsourced, the Company will obtain assurances that any external party adheres to these security provisions.
  • Acceptance Testing: Acceptance testing programs and criteria will be established for new information systems, upgrades, and new versions. Test data will be selected, protected, and managed carefully.
  • Code Security: The Company will ensure that all developed code is free from malicious software and commonly recognized security vulnerabilities. Additionally, systems will undergo vulnerability testing before and after each major release.

7. Security Incident Management

The Company shall implement a consistent and effective approach to managing information security incidents, which includes communication with the Client. Key provisions include:

  • Establishing management responsibilities and procedures to ensure a swift, effective, and orderly response to information security incidents.
  • Utilizing knowledge gained from analyzing and resolving such incidents to reduce the likelihood and impact of future occurrences.

8. Business Continuity

The Company will develop and implement comprehensive business continuity plans, disaster recovery plans, and a crisis management framework aligned with international standards. This is to prevent service interruptions that exceed acceptable limits or defined service levels. Specific measures include:

  • Regular maintenance and updates to the plans and procedures, at minimum once per year.
  • Establishing clear and well-understood procedures for activation, escalation, and management of incident responses.

9. Cloud-Based Services

In addition to the previously mentioned requirements, the Company will:

  • Inform the Client of the countries and regions from which the Services are provided, as well as the locations of databases that are hosted and accessed.
  • Provide features that enable tracking of access to the cloud infrastructure, including detailed auditing of data access within databases and administrative procedure executions.

10. Specific Control Measures

The Company will ensure the following control measures are in place:

  • Implementing a formal methodology that defines the approach to system development.
  • Documenting all requests for changes, system maintenance, and provider management to ensure traceability of implemented changes.
  • Establishing identification, authentication, and authorization mechanisms for accessing systems and applications.
  • Developing procedures to ensure timely actions regarding the requesting, establishment, issuance, suspension, and closure of user accounts.
  • For Shopify end customers' data, compliance with GDPR will be facilitated through the implementation of Shopify's data protection mechanisms.
  • Defining and implementing a problem management and escalation procedure system to ensure all non-standard operational events (incidents, problems, and errors) are recorded, analyzed, and resolved promptly.
  • Maintaining physical and network security controls to ensure the ongoing security and availability of systems and applications.