
Data Processing Agreement

Last updated: April 4, 2026

1. Preamble and Scope

This Data Processing Agreement ("DPA") forms part of the Terms of Service between Shadow Software LLC ("Processor," "we," "us") and the vendor using the DabDash platform ("Controller," "you"). It applies wherever the Controller's storefront collects or processes personal data of individuals located in the European Economic Area ("EEA"), the United Kingdom ("UK"), or Switzerland ("CH").

This DPA is entered into automatically when you accept the Terms of Service and operate a storefront that serves customers in the EEA, UK, or CH. No separate signature is required. You represent that you have authority to enter into this DPA on behalf of your business.

This DPA supplements — and does not replace — the Terms of Service. In the event of a conflict between this DPA and the Terms of Service on a data protection matter, this DPA governs.

2. Definitions

In this DPA, the following terms have the meanings set out below. Capitalized terms not defined here have the meaning given in the Terms of Service or, where applicable, in the GDPR.

  • Controller — the vendor who determines the purposes and means of processing personal data collected through their DabDash storefront.
  • Processor — Shadow Software LLC, which processes personal data on behalf of the Controller by operating the DabDash platform infrastructure.
  • Data Subject — any identified or identifiable natural person whose personal data is processed, including the Controller's customers.
  • Personal Data — any information relating to an identified or identifiable natural person, as defined by the GDPR.
  • Processing — any operation performed on personal data, including collection, storage, retrieval, use, disclosure, or deletion.
  • GDPR — EU Regulation 2016/679 (General Data Protection Regulation) as applicable, including its implementation in UK law ("UK GDPR") and Swiss law.
  • Sub-processor — any third party engaged by the Processor to process personal data on the Controller's behalf.
  • Security Incident — any confirmed or reasonably suspected unauthorized access to, disclosure of, alteration of, or destruction of personal data.

3. Roles and Responsibilities

The Controller is solely responsible for:

  • Determining the lawful basis for all processing of personal data it collects through its storefront
  • Providing all required privacy notices and disclosures to its customers
  • Obtaining all required consents, where consent is the chosen lawful basis
  • Ensuring its use of the DabDash platform complies with all applicable data protection laws
  • Responding to data subject requests (access, rectification, erasure, portability, objection) in accordance with applicable law
  • Conducting any required data protection impact assessments (DPIAs) for its processing activities

The Processor will process personal data only on documented instructions from the Controller (as set out in Section 4 below) and will not process personal data for any other purpose.

4. Subject Matter, Nature, and Purpose of Processing

The Processor processes personal data solely to provide the DabDash platform Service as described in the Terms of Service. The following describes the processing activities covered by this DPA:

  • Subject matter: Personal data of the Controller's storefront customers and, where applicable, the Controller's own account data
  • Nature of processing: Collection, storage, retrieval, display, transmission, and deletion of personal data via the DabDash platform
  • Purpose: Provision and operation of the DabDash storefront, order management, customer accounts, and analytics as described in the Terms of Service
  • Categories of data subjects: Customers of the Controller's storefront; the Controller's authorized account users
  • Categories of personal data: Names, email addresses, phone numbers, delivery addresses, order history, account credentials (hashed), and session data
  • Duration: For the term of the Controller's subscription, plus any data retention period described in the Terms of Service

The Processor will inform the Controller if, in its opinion, an instruction from the Controller would cause the Processor to violate applicable data protection law. In that event, the Processor may suspend processing until the Controller provides a lawful instruction.

5. Processor Obligations

The Processor agrees to:

  1. Process personal data only on the Controller's documented instructions, as set out in this DPA and the Terms of Service, except where required to do so by applicable law.
  2. Ensure that all personnel authorized to process personal data are bound by appropriate confidentiality obligations.
  3. Implement appropriate technical and organizational security measures to protect personal data against unauthorized or unlawful processing, accidental loss, destruction, or damage (see Section 7).
  4. Not engage any Sub-processor without informing the Controller in advance and, where required, obtaining prior written consent (see Section 6).
  5. Assist the Controller in fulfilling its obligation to respond to data subject requests, to the extent technically feasible and within the scope of the Processor's control over the data.
  6. Assist the Controller, taking into account the nature of processing and information available to the Processor, in ensuring compliance with GDPR Articles 32–36 (security, breach notification, DPIA, prior consultation).
  7. At the Controller's election, delete or return all personal data upon termination of the service relationship, and delete existing copies unless retention is required by applicable law.
  8. Make available to the Controller all information reasonably necessary to demonstrate compliance with this DPA and cooperate with audits or inspections conducted by the Controller or an authorized auditor, provided that the Controller gives reasonable advance notice and such audits do not unreasonably disrupt the Processor's operations.

6. Sub-processors

The Controller grants the Processor general written authorization to engage the following categories of Sub-processors to provide the Service:

  • Cloud infrastructure — hosting, storage, and compute services
  • Payment processor — Stripe, Inc. (vendor subscription billing only — no customer payment data is processed)
  • Transactional email — email delivery infrastructure for order notifications and account communications
  • Error monitoring — application error tracking and performance monitoring

The Processor will impose data protection obligations on all Sub-processors that are at least equivalent to those in this DPA. The Processor remains liable to the Controller for the acts and omissions of its Sub-processors.

The Processor will notify the Controller of any intended addition or replacement of Sub-processors by updating this DPA or issuing a notice to the Controller's registered email address. If the Controller objects to a new Sub-processor on reasonable data protection grounds, the Processor will use reasonable efforts to make available a change to the Service that avoids the use of that Sub-processor. If no such change is feasible within 30 days, either party may terminate the Services without penalty upon written notice.

7. Security Measures

The Processor maintains appropriate technical and organizational measures to protect personal data, including:

  • Encryption of personal data in transit (TLS) and at rest
  • Access controls limiting personal data access to authorized personnel with a need-to-know
  • Hashed storage of account credentials (passwords are never stored in plaintext)
  • Regular security testing and vulnerability assessments
  • Logging and monitoring of access to systems processing personal data
  • Data minimization — collection limited to what is necessary for the Service
  • Tenant data isolation — each Vendor's data is logically isolated from other Vendors' data

These measures are reviewed and updated periodically to reflect evolving threats and best practices.

8. Security Incident Notification

In the event of a confirmed Security Incident affecting personal data processed under this DPA, the Processor will notify the Controller without undue delay and, where feasible, within 72 hours of becoming aware of the incident. The notification will, to the extent known at the time, include:

  • A description of the nature of the Security Incident
  • The categories and approximate number of data subjects and personal data records affected
  • The likely consequences of the Security Incident
  • Measures taken or proposed to address the Security Incident and mitigate its effects

The Controller is solely responsible for determining whether the Security Incident must be reported to a supervisory authority or communicated to affected data subjects under applicable law. The Processor's notification of a Security Incident does not constitute an admission of fault or liability.

9. International Data Transfers

The DabDash platform infrastructure is operated in the United States. Where personal data of EEA, UK, or Swiss data subjects is transferred to the United States or another jurisdiction not recognized by the European Commission as providing an adequate level of data protection, the following transfer mechanism applies:

The Standard Contractual Clauses ("SCCs") approved by the European Commission under Commission Implementing Decision 2021/914 (Module Two: Controller to Processor) are incorporated by reference into this DPA. To the extent of any conflict between the SCCs and this DPA, the SCCs prevail with respect to EEA data transfers. For UK transfers, the UK International Data Transfer Addendum to the SCCs ("UK Addendum") is incorporated by reference. For Swiss transfers, the Swiss Federal Data Protection Act requirements apply.

The parties agree that this DPA and the Terms of Service together constitute the "documented instructions" referred to in the SCCs.

10. Data Subject Rights Assistance

The Processor will assist the Controller in responding to data subject requests as follows:

  • Access and portability — the Controller may export customer data in CSV format from the analytics dashboard at any time.
  • Erasure — upon the Controller's written request (submitted via the contact form), the Processor will delete the personal data of a specified data subject from the platform within 30 days, subject to any legal retention obligations.
  • Rectification — the Controller may correct personal data directly within the platform dashboard. The Processor will process corrections made by the Controller promptly.

The Controller is responsible for verifying the identity of any data subject making a request before instructing the Processor to act on that request. The Processor is not responsible for data subject requests submitted directly to the Processor; any such requests will be forwarded to the Controller.

11. Deletion and Return of Data

Upon expiry or termination of the Controller's subscription, the Processor will retain the Controller's personal data for 30 days as described in the Terms of Service, during which the Controller may request an export. After this retention period, the Processor will delete all personal data processed under this DPA from its systems, except to the extent that applicable law requires longer retention. Anonymized or aggregated data that cannot be re-identified is not subject to this deletion obligation.

12. Term

This DPA is effective from the date the Controller accepts the Terms of Service and continues in force for the duration of the Terms of Service. It terminates automatically upon expiry or termination of the Terms of Service, subject to any post-termination obligations expressly set out in this DPA.

13. Governing Law

This DPA is governed by the laws of the State of Florida, United States, except that the Standard Contractual Clauses (and UK Addendum, where applicable) are governed by the law specified therein. Nothing in this DPA limits the rights of data subjects under applicable data protection law.

14. Contact

Questions or requests under this DPA should be directed to Shadow Software LLC via our contact form. Data subject erasure requests must be submitted in writing through the contact form with sufficient information to identify the data subject and the relevant storefront.