‍1. Introduction and Purpose

This Data Processing Agreement (DPA) is entered into between Veeper, Inc., a company organized and existing under the laws of the State of Delaware, United States ("Data Controller"), and Shopify Inc. ("Data Processor"), and sets forth the terms and conditions governing the processing of personal data on behalf of the Data Controller in compliance with:

• The General Data Protection Regulation (GDPR) (EU) 2016/679 and applicable implementing legislation
• The United Kingdom GDPR as retained in UK law under the Data Protection Act 2018
• The California Consumer Privacy Act (CCPA) and other applicable data protection laws

This DPA applies whenever Shopify Inc. acts as a processor on behalf of Veeper, Inc. subject to EU GDPR, UK GDPR, or other applicable data protection laws.

The parties acknowledge that the Data Processor processes personal data solely on the instructions of the Data Controller and subject to the terms of this Agreement.

2. Scope of Processing

This DPA applies to all processing of personal data that Shopify Inc. performs on behalf of Veeper, Inc. in connection with ecommerce platform integration and data synchronization services. The scope includes:

• Subject Matter: Ecommerce platform integration and synchronization services between Veeper and Shopify stores
• Duration: For the duration of the service agreement between Veeper, Inc. and Shopify Inc., and for any legally required retention period for synchronization records and logs thereafter
• Nature and Purpose: Accessing, receiving, and transmitting store, product, order, and customer data from Shopify to Veeper and back as needed to provide Veeper's discount and coupon management functionality to Shopify merchants
• Types of Personal Data: Merchant account data (names, emails, store identifiers), merchant store and configuration data, end-customer order data (order IDs, products, prices, discounts/coupons used, order status), and associated identifiers (customer name, email, shipping/billing details as provided via Shopify APIs). Veeper does not use Shopify to store payment card numbers
• Categories of Data Subjects: Shopify merchants using Veeper, merchant staff and team members, and end customers of those merchants (shop customers)

3. Processing Instructions

The Data Processor shall process personal data only on documented instructions from the Data Controller regarding purpose, scope, nature, and duration of processing. The Data Processor shall not process personal data for any purpose other than those specified without prior written authorization from the Data Controller.

If Shopify Inc. is required by law to process personal data in a manner not specified in the Controller's instructions, it shall promptly notify Veeper, Inc. unless prohibited by law.

4. Confidentiality and Personnel

The Data Processor ensures that all persons authorized to process personal data are under appropriate confidentiality obligations and receive training on data protection obligations and security measures.

5. Security of Personal Data

Shopify Inc. shall implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

• Encryption of personal data in transit using TLS 1.2 or higher
• Encryption of personal data at rest using AES-256 or equivalent
• Role-based access controls (RBAC) and multi-factor authentication (MFA)
• Audit logging of all data access and modifications retained for at least 90 days
• 24/7 monitoring and incident detection capabilities
• Regular vulnerability assessments and penetration testing (quarterly)
• Documented incident response procedures
• Regular automated backups with geographically redundant storage
• Recovery Time Objective (RTO): 24 hours
• Recovery Point Objective (RPO): 4 hours
• Annual disaster recovery testing

Shopify Inc. shall maintain compliance with ISO 27001, SOC 2 Type II, and NIST Cybersecurity Framework standards.

6. Sub-Processors

Shopify Inc. shall not engage sub-processors without prior written authorization from Veeper, Inc. Shopify Inc. shall provide at least 30 days' advance notice before adding or replacing any sub-processor, and Veeper, Inc. shall have the right to object on reasonable data protection grounds.

Any sub-processor agreements shall impose data protection obligations not less protective than those in this DPA and shall include SCCs or UK IDTA for international transfers where applicable.

7. Data Subject Rights

Shopify Inc. shall assist Veeper, Inc. in fulfilling data subject rights requests under Articles 15-22 of the EU GDPR and UK GDPR, including:

• Right of Access (Article 15): Provide personal data in structured, commonly-used, machine-readable format
• Right to Rectification (Article 16): Promptly correct inaccurate data
• Right to Erasure (Article 17): Delete personal data from all systems including backups
• Right to Restrict Processing (Article 18): Limit processing to storage only
• Data Portability (Article 20): Provide data in portable format (CSV, JSON, XML)
• Right to Object (Article 21): Cease processing as instructed
• Rights Related to Automated Decision-Making (Article 22): Not engage in automated decision-making producing legal effects

Shopify Inc. shall respond to requests within 30 days (extendable to 60 days for complex requests).

8. Data Breach Notification

In the event of a suspected or confirmed personal data breach, Shopify Inc. shall:

• Notify Veeper, Inc. without undue delay and within 24 hours of becoming aware of the breach
• Provide detailed description including nature, scope, categories and number of affected data subjects, likely consequences, and measures taken
• Cooperate fully with breach investigation and provide forensic analysis
• Complete preliminary investigation within 5 business days and detailed report within 15 business days

Breach notifications shall be sent to: jordan@veeper.com

9. Data Protection Impact Assessments

Shopify Inc. shall provide all necessary information for DPIA completion and assist in assessing risks associated with processing. Shopify Inc. shall respond to DPIA information requests within 15 business days.

10. Audits and Monitoring

Veeper, Inc. shall have the right to:

• Conduct audits of Shopify Inc.'s compliance with this DPA at least annually
• Request and review security documentation and certifications
• Conduct on-site inspections with 10 business days' notice
• Have audits conducted by its representatives or qualified third-party auditors

Audit costs shall be borne by the requesting party unless the audit reveals material non-compliance. Shopify Inc. shall implement corrective actions within the timeframe specified by Veeper, Inc.

11. International Data Transfers

For EU personal data transferred outside the EEA and UK personal data transferred outside the UK, Shopify Inc. shall implement appropriate safeguards including:

• Standard Contractual Clauses (SCCs) as approved by the European Commission
• UK International Data Transfer Addendum (IDTA) for UK data
• Transfer Impact Assessments documenting legal frameworks and adequacy assessments
• Supplementary technical measures (encryption, pseudonymization) where residual risks are identified
• Annual review and updating of transfer mechanisms

Shopify Inc. shall comply with Schrems II requirements and notify Veeper, Inc. of any material changes to legal frameworks affecting data transfers.

12. Deletion and Return of Data

Upon termination of this DPA or Shopify Inc.'s provision of services, the Data Processor shall delete or return all personal data at Veeper, Inc.'s direction. Deletion shall be verified and certified in writing within 30 days using secure deletion techniques. The Data Processor may retain personal data only to the extent required by applicable law.

13. Assistance and Cooperation

Shopify Inc. shall:

• Cooperate with Veeper, Inc. to comply with data protection obligations
• Respond to inquiries within 10 business days
• Provide requested documentation and information
• Cooperate with data protection authorities and provide assistance with regulatory requests

14. Liability and Indemnification

Shopify Inc. shall be liable for violations of this DPA or applicable data protection laws. The Data Processor's total liability shall not exceed 12 months of fees paid by Veeper, Inc., or the limitations in the underlying service agreement, whichever is greater.

Shopify Inc. shall indemnify and hold harmless Veeper, Inc. from claims arising from its violations of this DPA, unauthorized processing, or data breaches caused by its negligence or willful misconduct.

15. Data Protection Officer Contact

Name: Dr. Wasim Irshad

Title: CTO & Cofounder of Veeper (Data Protection Officer)

Email: wasim@veeper.com

For questions regarding this DPA, contact: jordan@veeper.com or wasim@veeper.com

16. Governing Law and Dispute Resolution

This DPA shall be governed by:

• For EU Data: EU GDPR and applicable Member State law
• For UK Data: UK GDPR and Data Protection Act 2018
• For Other Jurisdictions: Applicable local data protection laws

Disputes shall be resolved through good-faith negotiation (30 days), mediation (60 days), or binding arbitration/litigation in Delaware courts as a last resort.

In the event of conflict between this DPA and mandatory provisions of the EU SCCs or UK IDTA, the SCCs or IDTA shall prevail.

17. Regulatory Compliance

Both parties commit to full compliance with EU GDPR, UK GDPR (Articles 28-32, 33-34, 35-36, 44-50, 55-60, 77-84), CCPA, and other applicable data protection laws. Shopify Inc. shall promptly notify Veeper, Inc. of any new or materially changed data protection laws affecting processing.

The parties acknowledge oversight by competent data protection authorities:

• For EU Data: Lead supervisory authority and relevant Member State authorities
• For UK Data: Information Commissioner's Office (ICO)
• For CCPA Data: California Attorney General

18. Standard Contractual Clauses and UK IDTA

The parties incorporate by reference:

• EU Standard Contractual Clauses (Processor-Processor Module 2 or as applicable) available at: https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses_en
• UK International Data Transfer Addendum (IDTA) available at: https://ico.org.uk/for-organisations/international-transfers/

The parties shall cooperate to implement supplementary technical and organizational measures (encryption, pseudonymization, data minimization) as necessary under Schrems II requirements.

19. Entire Agreement and Severability

This DPA, together with the underlying service agreement and referenced policies, constitutes the entire agreement between the parties regarding processing of personal data and supersedes all prior negotiations and agreements.

If any provision is found invalid, illegal, or unenforceable, it shall be modified to the minimum extent necessary to make it enforceable, or if not possible, severed. Remaining provisions continue in full force and effect.

20. Contact Information

Data Controller (Veeper, Inc.)

Email: jordan@veeper.com

Mailing Address: 15517 Outlook St, Overland Park, KS 66223, United States

Data Protection Officer: Dr. Wasim Irshad, wasim@veeper.com

‍1. Introduction and Purpose

This Data Processing Agreement (DPA) is entered into between Veeper, Inc., a company organized and existing under the laws of the State of Delaware, United States ("Data Controller"), and Cloudflare, Inc. ("Data Processor"), and sets forth the terms and conditions governing the processing of personal data on behalf of the Data Controller in compliance with:

• The General Data Protection Regulation (GDPR) (EU) 2016/679 and applicable implementing legislation
• The United Kingdom GDPR as retained in UK law under the Data Protection Act 2018
• The California Consumer Privacy Act (CCPA) and other applicable data protection laws

This DPA applies whenever Cloudflare, Inc. acts as a processor on behalf of Veeper, Inc. subject to EU GDPR, UK GDPR, or other applicable data protection laws.

The parties acknowledge that the Data Processor processes personal data solely on the instructions of the Data Controller and subject to the terms of this Agreement.

2. Scope of Processing

This DPA applies to all processing of personal data that Cloudflare, Inc. performs on behalf of Veeper, Inc. in connection with content delivery, DNS, and security services. The scope includes:

• Subject Matter: Content delivery network (CDN), DNS, security, and performance optimization services for Veeper's web properties and APIs
• Duration: For the duration of the service agreement between Veeper, Inc. and Cloudflare, Inc., and for any legally required retention period for logs and security data thereafter
• Nature and Purpose: Caching and delivery of web content, DNS resolution, protection against DDoS and other attacks, web application firewall (WAF) filtering, and collection of edge and security logs to ensure performance, availability, and security of the Veeper platform
• Types of Personal Data: IP addresses, request and response metadata (URLs, headers, cookies), device and browser information, and security event data (blocked requests, rate limiting events). No payment card numbers or full customer profiles are intentionally stored in Cloudflare
• Categories of Data Subjects: Visitors to Veeper-powered pages and APIs, Shopify merchants and their staff using the Service, and end customers of those merchants as they interact with Veeper-integrated storefronts

3. Processing Instructions

The Data Processor shall process personal data only on documented instructions from the Data Controller regarding purpose, scope, nature, and duration of processing. The Data Processor shall not process personal data for any purpose other than those specified without prior written authorization from the Data Controller.

If Cloudflare, Inc. is required by law to process personal data in a manner not specified in the Controller's instructions, it shall promptly notify Veeper, Inc. unless prohibited by law.

4. Confidentiality and Personnel

The Data Processor ensures that all persons authorized to process personal data are under appropriate confidentiality obligations and receive training on data protection obligations and security measures.

5. Security of Personal Data

Cloudflare, Inc. shall implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

• Encryption of personal data in transit using TLS 1.2 or higher
• Encryption of personal data at rest using AES-256 or equivalent
• Role-based access controls (RBAC) and multi-factor authentication (MFA)
• Audit logging of all data access and modifications retained for at least 90 days
• 24/7 monitoring and incident detection capabilities
• Regular vulnerability assessments and penetration testing (quarterly)
• Documented incident response procedures
• Regular automated backups with geographically redundant storage
• Recovery Time Objective (RTO): 24 hours
• Recovery Point Objective (RPO): 4 hours
• Annual disaster recovery testing

Cloudflare, Inc. shall maintain compliance with ISO 27001, SOC 2 Type II, and NIST Cybersecurity Framework standards.

6. Sub-Processors

Cloudflare, Inc. shall not engage sub-processors without prior written authorization from Veeper, Inc. Cloudflare, Inc. shall provide at least 30 days' advance notice before adding or replacing any sub-processor, and Veeper, Inc. shall have the right to object on reasonable data protection grounds.

Any sub-processor agreements shall impose data protection obligations not less protective than those in this DPA and shall include SCCs or UK IDTA for international transfers where applicable.

7. Data Subject Rights

Cloudflare, Inc. shall assist Veeper, Inc. in fulfilling data subject rights requests under Articles 15-22 of the EU GDPR and UK GDPR, including:

• Right of Access (Article 15): Provide personal data in structured, commonly-used, machine-readable format
• Right to Rectification (Article 16): Promptly correct inaccurate data
• Right to Erasure (Article 17): Delete personal data from all systems including backups
• Right to Restrict Processing (Article 18): Limit processing to storage only
• Data Portability (Article 20): Provide data in portable format (CSV, JSON, XML)
• Right to Object (Article 21): Cease processing as instructed
• Rights Related to Automated Decision-Making (Article 22): Not engage in automated decision-making producing legal effects

Cloudflare, Inc. shall respond to requests within 30 days (extendable to 60 days for complex requests).

8. Data Breach Notification

In the event of a suspected or confirmed personal data breach, Cloudflare, Inc. shall:

• Notify Veeper, Inc. without undue delay and within 24 hours of becoming aware of the breach
• Provide detailed description including nature, scope, categories and number of affected data subjects, likely consequences, and measures taken
• Cooperate fully with breach investigation and provide forensic analysis
• Complete preliminary investigation within 5 business days and detailed report within 15 business days

Breach notifications shall be sent to: jordan@veeper.com

9. Data Protection Impact Assessments

Cloudflare, Inc. shall provide all necessary information for DPIA completion and assist in assessing risks associated with processing. Cloudflare, Inc. shall respond to DPIA information requests within 15 business days.

10. Audits and Monitoring

Veeper, Inc. shall have the right to:

• Conduct audits of Cloudflare, Inc.'s compliance with this DPA at least annually
• Request and review security documentation and certifications
• Conduct on-site inspections with 10 business days' notice
• Have audits conducted by its representatives or qualified third-party auditors

Audit costs shall be borne by the requesting party unless the audit reveals material non-compliance. Cloudflare, Inc. shall implement corrective actions within the timeframe specified by Veeper, Inc.

11. International Data Transfers

For EU personal data transferred outside the EEA and UK personal data transferred outside the UK, Cloudflare, Inc. shall implement appropriate safeguards including:

• Standard Contractual Clauses (SCCs) as approved by the European Commission
• UK International Data Transfer Addendum (IDTA) for UK data
• Transfer Impact Assessments documenting legal frameworks and adequacy assessments
• Supplementary technical measures (encryption, pseudonymization) where residual risks are identified
• Annual review and updating of transfer mechanisms

Cloudflare, Inc. shall comply with Schrems II requirements and notify Veeper, Inc. of any material changes to legal frameworks affecting data transfers.

12. Deletion and Return of Data

Upon termination of this DPA or Cloudflare, Inc.'s provision of services, the Data Processor shall delete or return all personal data at Veeper, Inc.'s direction. Deletion shall be verified and certified in writing within 30 days using secure deletion techniques. The Data Processor may retain personal data only to the extent required by applicable law.

13. Assistance and Cooperation

Cloudflare, Inc. shall:

• Cooperate with Veeper, Inc. to comply with data protection obligations
• Respond to inquiries within 10 business days
• Provide requested documentation and information
• Cooperate with data protection authorities and provide assistance with regulatory requests

14. Liability and Indemnification

Cloudflare, Inc. shall be liable for violations of this DPA or applicable data protection laws. The Data Processor's total liability shall not exceed 12 months of fees paid by Veeper, Inc., or the limitations in the underlying service agreement, whichever is greater.

Cloudflare, Inc. shall indemnify and hold harmless Veeper, Inc. from claims arising from its violations of this DPA, unauthorized processing, or data breaches caused by its negligence or willful misconduct.

15. Data Protection Officer Contact

Name: Dr. Wasim Irshad

Title: CTO & Cofounder of Veeper (Data Protection Officer)

Email: wasim@veeper.com

For questions regarding this DPA, contact: jordan@veeper.com or wasim@veeper.com

16. Governing Law and Dispute Resolution

This DPA shall be governed by:

• For EU Data: EU GDPR and applicable Member State law
• For UK Data: UK GDPR and Data Protection Act 2018
• For Other Jurisdictions: Applicable local data protection laws

Disputes shall be resolved through good-faith negotiation (30 days), mediation (60 days), or binding arbitration/litigation in Delaware courts as a last resort.

In the event of conflict between this DPA and mandatory provisions of the EU SCCs or UK IDTA, the SCCs or IDTA shall prevail.

17. Regulatory Compliance

Both parties commit to full compliance with EU GDPR, UK GDPR (Articles 28-32, 33-34, 35-36, 44-50, 55-60, 77-84), CCPA, and other applicable data protection laws. Cloudflare, Inc. shall promptly notify Veeper, Inc. of any new or materially changed data protection laws affecting processing.

The parties acknowledge oversight by competent data protection authorities:

• For EU Data: Lead supervisory authority and relevant Member State authorities
• For UK Data: Information Commissioner's Office (ICO)
• For CCPA Data: California Attorney General

18. Standard Contractual Clauses and UK IDTA

The parties incorporate by reference:

• EU Standard Contractual Clauses (Processor-Processor Module 2 or as applicable) available at: https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses_en
• UK International Data Transfer Addendum (IDTA) available at: https://ico.org.uk/for-organisations/international-transfers/

The parties shall cooperate to implement supplementary technical and organizational measures (encryption, pseudonymization, data minimization) as necessary under Schrems II requirements.

19. Entire Agreement and Severability

This DPA, together with the underlying service agreement and referenced policies, constitutes the entire agreement between the parties regarding processing of personal data and supersedes all prior negotiations and agreements.

If any provision is found invalid, illegal, or unenforceable, it shall be modified to the minimum extent necessary to make it enforceable, or if not possible, severed. Remaining provisions continue in full force and effect.

20. Contact Information

Data Controller (Veeper, Inc.)

Email: jordan@veeper.com

Mailing Address: 15517 Outlook St, Overland Park, KS 66223, United States

Data Protection Officer: Dr. Wasim Irshad, wasim@veeper.com

‍

‍