Data Processing Agreement

Last updated: February 24, 2026

This Data Processing Agreement ("DPA") forms part of the Terms of Service ("Agreement") between you ("Controller," "Merchant," "you") and Beemlo ("Processor," "we," "us"), and governs the processing of Personal Data by Beemlo on your behalf in connection with the Service.

This DPA applies automatically to all Merchants. By using the Service, you accept the terms of this DPA. Where this DPA refers to the "Agreement," it means the Terms of Service available at beemlo.com/terms.

1. Definitions

In this DPA, unless the context requires otherwise:

• "Data Protection Laws" means all applicable laws and regulations relating to the processing of Personal Data, including the GDPR (Regulation (EU) 2016/679), the UK GDPR (as defined in the Data Protection Act 2018), the Swiss Federal Act on Data Protection, the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA/CPRA"), Brazil's Lei Geral de Proteção de Dados ("LGPD"), and any other applicable data protection legislation.
• "Personal Data" means any information that relates to an identified or identifiable natural person, as defined in the applicable Data Protection Laws, that is processed by Beemlo on your behalf in connection with the Service.
• "Processing" means any operation performed on Personal Data, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, alignment, combination, restriction, erasure, or destruction.
• "Subprocessor" means any third party engaged by Beemlo to process Personal Data on your behalf.
• "Data Subject" means the identified or identifiable natural person to whom Personal Data relates.
• "Standard Contractual Clauses" or "SCCs" means the standard contractual clauses annexed to the European Commission's Implementing Decision (EU) 2021/914, as may be amended or replaced.

2. Scope of Processing

2.1 Subject Matter and Purpose

Beemlo processes Personal Data solely to provide the Service as described in the Agreement: recording and displaying tag and metafield changes on customers, orders, and products in your Shopify store.

2.2 Categories of Data Subjects

Data Subjects whose Personal Data may be processed include:

• Customers of the Merchant's Shopify store (identified only by Shopify resource IDs)
• The Merchant and the Merchant's authorized personnel (store domain, owner email)

2.3 Types of Personal Data

The following categories of Personal Data may be processed:

Category	Examples	Source
Shopify resource identifiers	Customer IDs, order IDs, product IDs	Shopify webhooks
Tag data	Tag names, add/remove actions	Shopify webhooks
Metafield data	Namespace, key, old value, new value, action type	Shopify webhooks
Timestamps	Date and time of change events	Shopify webhooks
Store identifiers	myshopify.com domain, owner email	Shopify OAuth

Note: Beemlo does not process customer names, email addresses, phone numbers, physical addresses, payment information, or any other directly identifying personal data of your customers. Metafield values may, depending on your store's configuration, contain Personal Data (e.g., a metafield storing a custom note). You are responsible for determining whether your metafield values contain Personal Data and for complying with applicable Data Protection Laws accordingly.

2.4 Duration

Processing continues for the duration of the Agreement. Upon termination of the Agreement, Beemlo will delete Personal Data in accordance with Section 8 of this DPA and Section 9 of the Terms of Service.

3. Obligations of the Processor

Beemlo shall:

1. Process Personal Data only on your documented instructions, including as set forth in the Agreement, this DPA, and any subsequent written instructions. If we are required by applicable law to process Personal Data other than on your instructions, we will notify you of that legal requirement before processing (unless the law prohibits such notice).
2. Ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
3. Implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk of processing, as further described in Section 5.
4. Not engage another processor (Subprocessor) without your prior authorization, as further described in Section 6.
5. Assist you, taking into account the nature of the processing, in responding to requests from Data Subjects exercising their rights under Data Protection Laws, insofar as this is possible.
6. Assist you in ensuring compliance with your obligations regarding security of processing, notification of personal data breaches, data protection impact assessments, and prior consultations with supervisory authorities, taking into account the nature of processing and the information available to Beemlo.
7. At your choice, delete or return all Personal Data upon termination of the Agreement, and delete existing copies unless applicable law requires retention.
8. Make available to you all information necessary to demonstrate compliance with this DPA and the obligations under Article 28 of the GDPR, and allow for and contribute to audits and inspections, as described in Section 7.

4. Obligations of the Controller

You shall:

1. Comply with your obligations under applicable Data Protection Laws, including providing any required notices to Data Subjects and obtaining any required consents.
2. Ensure that your instructions to Beemlo comply with applicable Data Protection Laws.
3. Be solely responsible for the accuracy, quality, and legality of the Personal Data you provide or make available to Beemlo and the means by which you acquired it.
4. Determine whether your use of the Service (including the metafield values stored) involves the processing of Personal Data and take appropriate measures under applicable law.

5. Security Measures

Beemlo implements and maintains the following technical and organizational security measures:

• Encryption in transit: All data transmitted between your browser, the Shopify platform, and our servers is encrypted using TLS 1.2 or higher.
• Encryption at rest: Data stored in Cloudflare D1 databases is encrypted using Cloudflare's platform-level encryption.
• Data isolation: Each Merchant's change event data is stored in a dedicated, isolated database instance. No cross-tenant data access is possible.
• Access controls: Access to stored data requires a valid, authenticated Shopify session. Administrative access to infrastructure requires multi-factor authentication.
• Webhook authentication: All incoming Shopify webhooks are verified using HMAC-SHA256 signature validation. Webhooks with invalid signatures are rejected.
• Minimal data collection: Beemlo collects only the minimum data necessary to provide the Service, in accordance with the principle of data minimization.
• Secure infrastructure: The Service is hosted on Cloudflare's enterprise-grade edge network, which provides built-in DDoS protection, Web Application Firewall, and network security.

6. Subprocessors

6.1 Authorized Subprocessors

You hereby provide general written authorization for Beemlo to engage the following Subprocessors:

Subprocessor	Purpose	Location
Cloudflare, Inc.	Data storage (D1), compute (Workers), CDN, security	Global edge network
Vercel, Inc.	Application hosting	United States
Resend, Inc.	Transactional email delivery	United States

6.2 Subprocessor Obligations

Beemlo shall: (a) impose data protection obligations on each Subprocessor that are substantially similar to those in this DPA; (b) remain fully liable to you for the performance of each Subprocessor's obligations; and (c) ensure that each Subprocessor provides sufficient guarantees to implement appropriate technical and organizational measures.

6.3 Changes to Subprocessors

Beemlo shall provide you with at least thirty (30) days' advance written notice before engaging a new Subprocessor. If you reasonably object to a new Subprocessor on data protection grounds, you shall notify us in writing within fifteen (15) days of receiving notice. The parties shall discuss the objection in good faith. If the parties are unable to reach a resolution, you may terminate the Agreement by providing written notice, and we shall refund any prepaid fees for the unused portion of the subscription.

7. Audits

Beemlo shall make available to you, upon reasonable request and subject to confidentiality obligations, information necessary to demonstrate compliance with this DPA. You may conduct an audit (or appoint a qualified third-party auditor, subject to reasonable confidentiality obligations) no more than once per twelve (12) month period, with at least thirty (30) days' advance written notice. Audits shall be conducted during normal business hours and shall not unreasonably disrupt Beemlo's operations. You shall bear the costs of any audit. Beemlo may satisfy audit requests by providing relevant certifications, audit reports, or summaries of security practices in lieu of on-site inspections, where such documentation reasonably addresses the scope of the requested audit.

8. Data Deletion and Return

8.1 Upon Termination

Upon termination of the Agreement, Beemlo will: (a) cease processing Personal Data; and (b) delete all Personal Data within thirty (30) days, unless applicable law requires retention. At your written request prior to deletion, Beemlo will provide you with a copy of your data in a commonly used, machine-readable format.

8.2 Shopify Compliance Webhooks

Beemlo processes Shopify's mandatory customers/redact and shop/redact webhooks to ensure timely deletion of Personal Data upon customer data erasure requests and store uninstallation.

9. Data Breach Notification

In the event of a Personal Data breach, Beemlo shall: (a) notify you without undue delay and in any event within seventy-two (72) hours of becoming aware of the breach; (b) provide sufficient information to enable you to fulfill your breach notification obligations under applicable Data Protection Laws; (c) take reasonable steps to mitigate the effects of the breach; and (d) cooperate with you and provide reasonable assistance in investigating and remediating the breach.

10. International Data Transfers

10.1 Transfer Mechanisms

To the extent that the processing of Personal Data involves a transfer of Personal Data from the EEA, UK, or Switzerland to a country not recognized as providing an adequate level of data protection, the parties agree that the Standard Contractual Clauses (Module Two: Controller to Processor) shall apply, as supplemented by the following:

• Clause 7: The optional docking clause is included.
• Clause 9: Option 2 (general written authorization) applies, with a notice period of thirty (30) days.
• Clause 11: The optional language regarding independent dispute resolution is not included.
• Clause 17 (Option 1): The SCCs shall be governed by the laws of Ireland.
• Clause 18(b): Disputes shall be resolved before the courts of Ireland.

For transfers subject to the UK GDPR, the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (Version B1.0, as issued by the UK Information Commissioner under s.119A(1) of the Data Protection Act 2018) shall apply.

For transfers subject to the Swiss Federal Act on Data Protection, the SCCs apply with the modifications required under Swiss law, including treating the Federal Data Protection and Information Commissioner as the competent supervisory authority.

10.2 Supplementary Measures

In addition to the SCCs, Beemlo implements the following supplementary measures to protect Personal Data during international transfers: encryption in transit (TLS 1.2+), encryption at rest, per-store database isolation, access controls, and HMAC-SHA256 webhook verification.

11. Cooperation with Data Subject Requests

Taking into account the nature of the processing, Beemlo will assist you by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of your obligation to respond to requests from Data Subjects exercising their rights under applicable Data Protection Laws (including rights of access, rectification, erasure, restriction, portability, and objection). If Beemlo receives a request directly from a Data Subject, we will promptly redirect the Data Subject to you and notify you of the request.

12. Term and Termination

This DPA shall remain in effect for the duration of the Agreement. The obligations imposed on Beemlo with respect to the processing of Personal Data shall survive any termination or expiration of the Agreement until all Personal Data has been deleted in accordance with this DPA.

13. Precedence

In the event of any conflict between the terms of this DPA and the Agreement, the terms of this DPA shall prevail with respect to the processing of Personal Data. In the event of any conflict between the terms of this DPA and the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail.

14. Contact

For questions about this DPA or to exercise any rights hereunder, please contact: