Data processing addendum

Effective 23 April 2026. This addendum is incorporated into the ShopMCP Terms of Service for any workspace whose use of the service involves processing personal data on behalf of European, UK, or Australian individuals.

How to countersign

Most customers don't need to do anything — agreeing to the Terms of Service while logged into your workspace counts as agreement to this DPA. If your procurement team requires a signed PDF on letterhead, we will countersign one on request — email privacy@shop-mcp.app with your workspace name.

1. Definitions

"Controller", "Processor", "Data Subject", "Personal Data", "Processing", and "Sub-processor" have the meanings given in the EU General Data Protection Regulation (Regulation 2016/679, the "GDPR"). "Customer" means the legal entity that operates the ShopMCP workspace; "ShopMCP" means ShopMCP.

2. Roles

For Personal Data that ShopMCP reads from connected platforms (Shopify, Neto, GA4, Search Console) on the Customer's instructions:

  • Customer is the Controller.
  • ShopMCP is the Processor.

For Personal Data that ShopMCP collects to manage the Customer's own account (sign-in identity, billing records, audit logs of admin actions), ShopMCP is the Controller and the relationship is governed by our privacy policy.

3. Subject matter and duration

ShopMCP will process Personal Data on the Customer's behalf for the term of the underlying subscription, plus any limited retention period required to delete the data safely. Processing ends when the Customer disconnects the relevant integration or terminates the workspace.

4. Nature and purpose of processing

ShopMCP processes Personal Data only to (a) execute tool calls initiated by the Customer's authorised MCP clients, (b) maintain rate limits, audit logs, and usage counters keyed to the workspace, and (c) provide support when the Customer asks for it.

5. Categories of data subject and personal data

Depending on which modules the Customer enables, the Personal Data may include:

  • Shopper / customer records — name, email, shipping and billing address, phone, order history, tags. Sourced from Shopify and Neto.
  • Visitor analytics — pseudonymous client ids, geographic region, device class, page paths. Sourced from GA4 and Search Console.
  • Staff and team members — names and email addresses of users in the Customer's ShopMCP workspace and, if exposed by the upstream platform, of the Customer's store staff.

ShopMCP does not knowingly process special categories of Personal Data under Article 9 GDPR. Customers must not configure tool calls that pull such data unless they have a valid Article 9 lawful basis and accept full responsibility under that basis.

6. Customer instructions

The complete and final instructions from Customer to ShopMCP are (a) the Terms of Service, (b) this DPA, (c) the documented behaviour of the dashboard and the published tool definitions, and (d) any tool call sent by an authorised MCP client. ShopMCP will notify the Customer if, in its opinion, an instruction infringes the GDPR or other applicable data protection law.

7. Confidentiality

Everyone with access to Personal Data on ShopMCP's side is bound by a written confidentiality undertaking. Access is granted on a need-to-know basis and reviewed periodically.

8. Security measures

ShopMCP implements the technical and organisational measures required by Article 32 GDPR. The current control set includes:

  • Envelope encryption of platform credentials at rest using AWS KMS. A fresh data encryption key is generated per stored credential with the workspace id bound as KMS encryption context, and the wrapped key is stored alongside the ciphertext.
  • TLS 1.2+ on all external connections.
  • Postgres Row-Level Security policies that scope every read and write by workspace id, enforced by a dedicated Postgres role.
  • Bearer-token authentication on the MCP runtime. Full keys are stored encrypted at rest (KMS-wrapped) with only a short prefix retained in plaintext for lookup; keys can be revoked per-workspace.
  • Centralised logging with credential pattern scrubbing and a no-PII rule on error reports (only opaque workspace ids cross into Sentry).
  • Access to production is restricted to authorised personnel and reviewed periodically. Dependency vulnerability scanning runs on every build.

9. Sub-processors

The Customer authorises ShopMCP to engage the sub-processors published on the subprocessors page. ShopMCP will give the Customer at least 30 days' notice (by email to the workspace owner and an update to that page) before adding or replacing a sub-processor that processes Customer Personal Data. The Customer may object on reasonable grounds; if the parties cannot agree on a path forward, the Customer may terminate the affected subscription without penalty.

10. International transfers

ShopMCP may transfer Customer Personal Data to the United States for processing. Where the GDPR or UK GDPR requires it, the transfer relies on the EU Standard Contractual Clauses (Module Two) and the UK International Data Transfer Addendum, which are incorporated into this DPA by reference.

11. Data subject requests

If a data subject contacts ShopMCP directly with a request to exercise their rights, ShopMCP will refer them to the Customer and notify the Customer without undue delay. ShopMCP will provide reasonable assistance, taking into account the nature of the processing, to help the Customer respond within statutory timelines.

12. Personal data breaches

ShopMCP will notify the Customer without undue delay and in any event within 72 hours of becoming aware of a Personal Data Breach affecting the Customer's data. The notification will include the nature of the breach, the categories and approximate number of records affected, the likely consequences, and the measures ShopMCP has taken or proposes to take.

13. Audits

Once per twelve-month period, on at least 30 days' notice and subject to confidentiality, ShopMCP will respond to a written security questionnaire from the Customer and share any current third-party attestations or independent test summaries we hold. On-site audits are available where required by law and at the requesting party's cost.

14. Return and deletion

On termination of the underlying subscription, ShopMCP will delete all Customer Personal Data within 30 days, except for operational backups, which are overwritten on the rolling retention cycle of the Customer's database plan (the Customer can request the current retention window in writing). The Customer may export workspace data through the dashboard at any time before termination.

15. Liability

Each party's liability under this DPA is subject to the limitations set out in the Terms of Service. Nothing in this DPA is intended to limit liability where it cannot be limited under applicable law (including Article 82 GDPR claims by data subjects).