Data Processing Agreement
Effective date: May 12, 2026
This Data Processing Agreement ("DPA") forms part of the Terms of Use between Gallery 6 ("Superstack", "we", "us", or "our") and the merchant installing or using any Superstack application ("Merchant", "you"). It governs Superstack's processing of personal data on behalf of the Merchant in connection with the Apps. Capitalized terms not defined here have the meanings given in the Terms of Use.
1. Definitions
- "Personal data" means any information relating to an identified or identifiable natural person.
- "Processing" means any operation performed on personal data, including collection, storage, use, disclosure, or deletion.
- "Controller" means the entity that determines the purposes and means of processing personal data.
- "Processor" means the entity that processes personal data on behalf of the controller.
- "Sub-processor" means any third party engaged by Superstack to process personal data on the Merchant's behalf.
- "Data subject" means the natural person to whom personal data relates.
- "GDPR" means the General Data Protection Regulation (EU) 2016/679 and, where applicable, its national implementations.
- "EEA" means the European Economic Area.
2. Scope and Purpose
Superstack processes personal data as a processor on behalf of the Merchant as controller, solely for the purpose of operating and delivering the Apps. The details of processing are as follows:
- Subject matter: delivery of Shopify messaging applications that facilitate WhatsApp communication between the Merchant and its customers.
- Nature: collection, storage, transmission, and deletion of customer communications data.
- Types of personal data: customer names, phone numbers, order information, and WhatsApp message history.
- Categories of data subjects: the Merchant's end customers.
- Duration: for the term of the Merchant's subscription to the Apps, subject to the retention and deletion obligations in Section 13.
3. Merchant's Instructions
Superstack shall process personal data only on the Merchant's documented instructions, including those set out in this DPA and the Terms of Use. If Superstack believes that an instruction infringes the GDPR or other applicable data protection law, it shall promptly inform the Merchant. Superstack shall not be required to follow an instruction that would require it to act in breach of applicable law.
4. Confidentiality
Superstack shall ensure that access to personal data is limited to personnel who need it to fulfil Superstack's obligations under these Terms. All such personnel are bound by confidentiality obligations that survive the termination of their engagement with Superstack.
5. Security
Superstack shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, in accordance with Article 32 of the GDPR. Such measures include, at a minimum:
- Encryption of personal data in transit using TLS.
- Encryption of personal data at rest.
- Access controls restricting personal data to authorized personnel.
- Processes for regularly testing and evaluating the effectiveness of security measures.
Superstack is not responsible for security incidents originating from Meta's, Shopify's, or any other third-party provider's infrastructure.
6. Sub-processors
The Merchant grants Superstack general authorization to engage sub-processors to assist in providing the Apps. Superstack shall give the Merchant at least 30 days' prior written notice before engaging a new sub-processor, during which time the Merchant may object on reasonable grounds related to data protection. Superstack shall ensure that each sub-processor is bound by data protection obligations equivalent to those in this DPA.
Current sub-processors:
| Sub-processor | Purpose | Location |
|---|---|---|
| Vercel Inc. | Application hosting and serverless functions | EU (Frankfurt, Germany) |
| Neon Inc. | Database hosting | EU (Frankfurt, Germany) |
7. Independent Controllers
Meta Platforms, Inc. and Shopify Inc. are independent data controllers for data processed on their respective platforms. They are not sub-processors of Superstack. When the Merchant sends messages through the Apps, message content and recipient data are transmitted to and processed by Meta under Meta's own terms and privacy policy. The Merchant is solely responsible for ensuring a lawful basis exists for that onward transmission and for any processing by Meta or Shopify. Superstack accepts no liability for Meta's or Shopify's data practices.
8. Data Subject Rights
Superstack shall provide reasonable technical assistance to enable the Merchant to fulfil its obligations as data controller to respond to data subject rights requests (including access, rectification, erasure, portability, restriction, and objection) under applicable data protection law. The Merchant remains solely responsible for communicating with data subjects and for the timely fulfilment of their requests.
9. Data Breach Notification
In the event of a personal data breach affecting data processed under this DPA, Superstack shall notify the Merchant without undue delay and, where feasible, within 72 hours of becoming aware of the breach. The notification shall include, to the extent available:
- A description of the nature of the breach.
- The categories and approximate number of data subjects and records affected.
- The likely consequences of the breach.
- The measures taken or proposed to address the breach and mitigate its effects.
The Merchant is responsible for notifying supervisory authorities and affected data subjects as required by applicable law.
10. Data Protection Impact Assessments
Superstack shall provide reasonable assistance to the Merchant in carrying out any data protection impact assessment required under Article 35 of the GDPR, taking into account the nature of the processing and the information available to Superstack.
11. Audit Rights
Upon reasonable prior written notice, the Merchant may audit Superstack's compliance with this DPA, no more than once per calendar year unless a confirmed data breach has occurred. Superstack may satisfy an audit request by providing a current third-party audit report (such as a SOC 2 Type II report or equivalent) in lieu of permitting a direct on-site audit. The Merchant shall bear the costs of any audit it initiates.
12. International Data Transfers
Superstack's own infrastructure — application hosting (Vercel) and database (Neon) — is located entirely within the EEA (EU Frankfurt, Germany). Superstack does not transfer personal data to third countries in the course of operating the Apps.
When the Merchant sends messages through the WhatsApp Business Platform, message content and recipient data are transmitted to Meta Platforms, Inc., which operates infrastructure outside the EEA. This transmission occurs at the Merchant's direction. The Merchant is responsible for ensuring a valid transfer mechanism exists for this onward transfer, in accordance with Chapter V of the GDPR.
13. Return and Deletion of Data
Upon termination of the Merchant's subscription or uninstallation of the Apps, Superstack shall delete all personal data within 30 days, except as follows:
- WhatsApp message logs are retained for up to 1 year from the date each message was sent or received, then permanently deleted.
- Data that Superstack is required to retain by applicable law may be retained for the legally required period and shall be deleted thereafter.
14. Liability
Each party shall be liable to data subjects for damages caused by its own breach of applicable data protection law. As between the parties, the limitation of liability provisions in Section 11 of the Terms of Use apply to this DPA. Superstack accepts no liability for the Merchant's failure to comply with its obligations as data controller, including its failure to obtain required consents or to establish a lawful basis for processing.
15. Governing Law
This DPA shall be governed by and construed in accordance with the laws of Pakistan, consistent with the governing law clause in the Terms of Use.
16. Contact
For data protection queries or to exercise rights under this DPA, contact us at hello@superstack.ltd.