Data Processing Agreement

Version 1.0 — Last updated: February 25, 2026

1. Introduction

This Data Processing Agreement ("DPA") forms part of the Terms of Service between Atharv Enterprises ("Data Processor", "we", "us"), operating COD Confirm, and the Shopify merchant ("Data Controller", "you") who installs the App.

This DPA applies to the extent that we process Personal Data on your behalf in connection with providing COD Confirm services. It supplements our Privacy Policy.

2. Definitions

  • Personal Data: Any information relating to an identified or identifiable natural person, as defined under GDPR Article 4(1).
  • Processing: Any operation performed on Personal Data, including collection, storage, alteration, retrieval, use, disclosure, or deletion.
  • Data Controller: The Merchant who determines the purposes and means of processing Personal Data (you).
  • Data Processor: Atharv Enterprises, which processes Personal Data on behalf of the Data Controller (us).
  • Sub-processor: A third party engaged by us to process Personal Data on your behalf.

3. Scope of Processing

We process Personal Data solely to provide COD Confirm services as described in our Terms of Service. The scope of processing is as follows:

| Category | Details |
| --- | --- |
| Data subjects | Shopify store owners/administrators |
| Types of Personal Data | Shop domain, store owner email address, billing plan status |
| Purpose of processing | App functionality (COD rules, pincode blocking), billing management, support ticket handling |
| Duration | For the duration of App installation, plus 48-hour retention after uninstall, then permanent deletion on GDPR shop/redact webhook |
| Nature of processing | Storage, retrieval, display, backup (config snapshots), deletion |

Important: COD Confirm does NOT process end-customer Personal Data. We access customer tags (e.g., "vip", "block_cod") only within the Shopify Function at checkout time — these are evaluated on Shopify's infrastructure and are never stored in our database.

4. Obligations of the Processor

We commit to the following:

  • Process Personal Data only on your documented instructions and solely for the purposes described in this DPA
  • Ensure that all personnel authorized to process Personal Data are bound by confidentiality obligations
  • Implement appropriate technical and organizational security measures (see Section 6)
  • Not engage additional sub-processors without your prior knowledge (see Section 5)
  • Assist you in responding to data subject requests (access, deletion, portability, rectification)
  • Notify you without undue delay (and within 72 hours) upon becoming aware of a Personal Data breach
  • Delete or return all Personal Data upon termination of the service relationship, as described in our Privacy Policy
  • Make available to you all information necessary to demonstrate compliance with this DPA

5. Sub-processors

We use the following sub-processors to provide COD Confirm services:

| Sub-processor | Purpose | Location | Data Processed |
| --- | --- | --- | --- |
| Shopify Inc. | Platform, billing, checkout execution | Canada / Global | Shop domain, metafields, scopes |
| Railway Corp. | Database hosting (PostgreSQL) | United States | Shop domain, email, rules, tickets |
| Better Stack (Logtail) | Log aggregation and monitoring | European Union | Shop domain, event types (no PII) |
| Slack Technologies | Operational alerts (webhook-based) | United States | Shop domain, ticket subjects |

We will inform you of any intended changes to sub-processors and give you the opportunity to object. If you object, and we cannot reasonably accommodate the objection, either party may terminate the agreement.

6. Security Measures

We implement the following technical and organizational measures to protect Personal Data:

  • Encryption: All data in transit uses HTTPS/TLS. Database is encrypted at rest (Railway PostgreSQL).
  • Authentication: Shopify OAuth with session token validation. No third-party cookies.
  • Webhook security: All Shopify webhooks validated via HMAC signature verification. Idempotency prevents duplicate processing.
  • Access control: Minimal API scopes (3 scopes only). Database access restricted to application layer.
  • Monitoring: Structured logging via Logtail. Real-time alerts via Slack for critical events.
  • Data minimization: We only collect data necessary for App functionality. No end-customer PII is stored.

7. Data Subject Rights

We will assist you in fulfilling your obligations to respond to data subject requests under applicable law, including:

  • Access requests: We can provide a complete export of all data associated with your shop within 5 business days.
  • Deletion requests: Uninstalling the App triggers soft-deletion. Shopify's shop/redact webhook triggers permanent hard-deletion of all data.
  • Portability requests: We can export your data in JSON format upon request.
  • Rectification: You can update your configurations directly through the App at any time.

8. Data Breach Notification

In the event of a Personal Data breach, we will:

  • Notify you without undue delay, and in any event within 72 hours of becoming aware of the breach
  • Provide details including: nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken to address it
  • Cooperate with you in notifying supervisory authorities and affected data subjects as required by law
  • Document all breaches and remediation steps taken

9. International Data Transfers

Personal Data may be transferred to and processed in:

  • United States — Railway (database hosting), Slack (alerts)
  • Canada / Global — Shopify (platform services)
  • European Union — Better Stack / Logtail (logging)
  • India — Atharv Enterprises (data controller operations)

For transfers outside the EEA, we rely on: (a) Standard Contractual Clauses (SCCs) as approved by the European Commission, and (b) the data protection commitments of our sub-processors. Copies of applicable SCCs are available upon request.

10. Audit Rights

You have the right to verify our compliance with this DPA. We will:

  • Make available all information reasonably necessary to demonstrate compliance
  • Allow and contribute to audits, including inspections, conducted by you or an auditor mandated by you
  • Provide reasonable notice (at least 30 days) for on-site audits
  • Audits shall be conducted during normal business hours and shall not unreasonably disrupt our operations

11. Term & Termination

This DPA remains in effect for the duration of your use of COD Confirm. Upon termination:

  • We will delete all Personal Data within the timeframes specified in our Privacy Policy (48-hour soft-delete, then permanent deletion on shop/redact webhook)
  • At your request, we will provide a complete data export before deletion
  • Sections 4 (Obligations), 6 (Security), 8 (Breach Notification), and 10 (Audit) survive termination for a period of 12 months

12. Governing Law

This DPA is governed by the laws of India, without regard to conflicts of law provisions. For merchants in the European Economic Area, this DPA is also subject to GDPR requirements. For merchants in California, this DPA incorporates CCPA requirements.

13. Contact

For questions about this DPA, or to request a signed copy, contact:

Data Protection Contact — Atharv Enterprises

Gurugram, Haryana, India

Email: codbeacon@gmail.com

Response time: Within 24 hours on business days