Data Processing Agreement
Effective Date: 31 March 2026 · Sigmar Investment PTY LTD
This Data Processing Agreement (“Agreement”) is entered into between:
- Sigmar Investment PTY LTD (“Processor”, “we”, “us”), and
- The Customer (“Controller”, “you”).
This Agreement forms part of the Terms and Conditions governing the use of Profit Guard (“Service”) and establishes the rights and obligations of each party with respect to the processing of personal data.
01 Purpose and Scope
This Agreement governs the processing of personal data by the Processor on behalf of the Controller in connection with the provision of the Service.
The Processor shall process personal data solely for the purpose of delivering the Service and in accordance with the Controller's lawful instructions. The Processor shall not process personal data for any purpose other than those expressly set out in this Agreement or as otherwise instructed in writing by the Controller.
This Agreement applies to all personal data processed by the Processor in the course of providing the Service, regardless of the means or medium of processing, and remains in effect for the duration of the service relationship between the parties.
02 Nature of Processing
The Processor provides a financial evaluation and control system that processes transactional and operational data, including limited personal data, for the following purposes:
- Evaluating financial outcomes of transactions — assessing the margin impact, cost implications, and financial viability of each commercial action (including discounts, promotions, inventory allocations, and loyalty interactions) in real time prior to execution
- Enforcing rules configured by the Controller — applying the Controller's defined business logic, pricing policies, discount thresholds, and financial guardrails to determine whether a transaction should be allowed, blocked, or escalated for review
- Generating reporting and analytics — producing aggregated and transaction-level reports that enable the Controller to monitor financial performance, identify margin erosion patterns, and assess the effectiveness of configured controls
The processing is automated and deterministic in nature. All evaluations are performed by the system based on defined rules and data inputs. The Processor does not exercise discretionary decision-making in relation to any personal data processed under this Agreement.
03 Categories of Data Subjects and Data
3.1 Data Subjects
The personal data processed under this Agreement may relate to the following categories of data subjects:
- Customers of the Controller — individuals who purchase goods or services from the Controller's retail operations, including those transacting via Shopify storefronts, POS terminals, or other connected sales channels
- Employees or agents of the Controller — individuals authorised by the Controller to access, configure, or administer the Service, including staff operating POS systems where the Service enforces transaction controls
3.2 Categories of Personal Data
The Processor processes the following categories of personal data on behalf of the Controller:
- Customer identifiers — unique identifiers assigned by Shopify or the Controller's commerce platform, used to associate transactions with individual customers for the purpose of evaluating loyalty, gift card, and discount interactions
- Transactional metadata — order identifiers, timestamps, line item details, payment method indicators, and discount codes applied, used to evaluate the financial outcome of each transaction
- Order-related behavioural data — purchase frequency, average order value, discount usage patterns, and return history, used to assess the financial impact of customer-level commercial interactions
- Merchant account credentials — business name, email address, and authentication credentials of authorised users accessing the Service's administrative interfaces
The Processor does not intentionally process sensitive personal data (also known as special categories of data), including data relating to racial or ethnic origin, political opinions, religious beliefs, health conditions, sexual orientation, or biometric data, unless such data is inadvertently included within transactional data provided by the Controller.
04 Obligations of the Processor
The Processor shall, in relation to all personal data processed under this Agreement:
- Process personal data only on documented instructions from the Controller — the Processor shall not process personal data for any purpose other than providing the Service, unless required to do so by applicable law, in which case the Processor shall inform the Controller of such legal requirement before processing (unless prohibited from doing so by law)
- Ensure that all persons authorised to process personal data are bound by appropriate confidentiality obligations — whether by contract or by operation of law, and that such obligations survive the termination of their engagement
- Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk — including measures to protect against unauthorised or unlawful processing, accidental loss, destruction, or damage, as further described in Section 6 of this Agreement
- Not use personal data for its own purposes — the Processor shall not use personal data for marketing, profiling, data monetisation, or any other purpose that is not directly necessary for the provision of the Service
- Assist the Controller in meeting its obligations under applicable data protection legislation — including obligations relating to data subject rights, data protection impact assessments, and consultation with supervisory authorities, to the extent that such assistance is feasible given the nature of the processing and the information available to the Processor
- Maintain a record of processing activities carried out on behalf of the Controller — in accordance with applicable regulatory requirements, including the nature, purpose, and categories of processing performed
05 Subprocessors
The Controller provides general authorisation for the Processor to engage subprocessors for the purpose of delivering the Service. The following subprocessors are currently engaged:
Cloudflare, Inc.
Purpose: Edge computing, secure request routing, DDoS protection, Web Application Firewall, content delivery, and DNS services
Location: Global (anycast network with points of presence worldwide)
Certifications: SOC 2 Type II, ISO 27001, PCI DSS Level 1
Akamai Technologies (Linode)
Purpose: Application hosting, database infrastructure, persistent data storage, compute services, and backup storage
Location: Data centres in the United States and Asia-Pacific region
Certifications: SOC 2 Type II, ISO 27001
Shopify Inc.
Purpose: E-commerce platform integration, order data synchronisation, product and inventory data access, and webhook event delivery
Location: Canada (with global infrastructure)
Certifications: SOC 2 Type II, PCI DSS Level 1
The Processor shall:
- Ensure that all subprocessors are bound by written contractual obligations that impose data protection obligations no less protective than those set out in this Agreement
- Remain fully liable to the Controller for the acts and omissions of any subprocessor
- Notify the Controller of any intended changes to the list of subprocessors, providing the Controller with a reasonable opportunity to object to such changes
- Where the Controller objects to a new subprocessor on reasonable grounds, the parties shall work in good faith to resolve the objection, which may include the Processor offering an alternative subprocessor or the Controller exercising its right to terminate the Service
06 Security Measures
The Processor shall implement and maintain appropriate technical and organisational measures to protect personal data against unauthorised or unlawful processing, accidental loss, destruction, or damage. These measures include, but are not limited to:
- Encryption of data in transit — all data transmitted between the Controller's systems and the Service is encrypted using TLS 1.2 or higher, with HTTPS enforced across all endpoints
- Encryption of data at rest — personal data stored within the Processor's infrastructure is encrypted at the block storage level using AES-256 encryption
- Access controls and authentication mechanisms — role-based access controls (RBAC) are enforced across all systems, with multi-factor authentication (MFA) required for administrative access to production environments
- Monitoring and logging of system activity — all access events, data processing activities, and system operations are logged and monitored using automated alerting systems to detect anomalies and potential security incidents
- Network segmentation and isolation — production environments are segmented from development and staging environments, with strict firewall rules and private network configurations preventing unauthorised lateral access
- Vulnerability management — the Processor maintains an active programme of dependency scanning, security patch management, and periodic assessment of newly disclosed vulnerabilities
- Personnel security — access to personal data is limited to authorised personnel on a need-to-know basis, with access rights reviewed periodically and revoked promptly upon change of role or termination of engagement
- Incident response capability — documented incident response procedures are maintained and periodically tested, covering identification, containment, eradication, recovery, and post-incident analysis
These measures are designed to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of the processing.
07 Data Breach Notification
In the event of a personal data breach (being any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data processed under this Agreement), the Processor shall:
- Notify the Controller without undue delay — and in any event no later than 72 hours after becoming aware of the breach, providing the Controller with sufficient information to enable it to meet its obligations under applicable data protection legislation
- Provide the following information to the Controller — (a) a description of the nature of the breach, including the categories and approximate number of data subjects and personal data records concerned; (b) the name and contact details of the Processor's designated point of contact; (c) a description of the likely consequences of the breach; and (d) a description of the measures taken or proposed to be taken to address the breach and mitigate its effects
- Take all reasonable and necessary steps to contain, investigate, and remediate the breach — including preserving evidence, preventing further unauthorised access, and implementing corrective measures to prevent recurrence
- Cooperate with the Controller in any investigation, notification, or remediation activity — including providing access to relevant logs, records, and personnel as reasonably required
- Not make any public disclosure regarding the breach without the prior written consent of the Controller — unless such disclosure is required by applicable law or regulation
08 Data Retention and Deletion
The Processor shall retain personal data only for as long as necessary to fulfil the purposes for which it was processed under this Agreement.
Upon termination or expiry of the Service, the Processor shall, at the Controller's written direction and within a reasonable period (not exceeding 90 calendar days):
- Delete all personal data processed on behalf of the Controller — including all copies, backups, and archived records, using secure deletion methods appropriate to the storage medium
- Return all personal data to the Controller in a commonly used, machine-readable format — where the Controller requests return rather than deletion, and where such return is technically feasible
- Provide written confirmation to the Controller that deletion has been completed — including a description of the methods used and any residual data that could not be deleted due to technical constraints (such as data embedded within backup systems subject to automated rotation schedules)
Notwithstanding the foregoing, the Processor may retain personal data to the extent required by applicable law or regulation, provided that the Processor shall inform the Controller of such retention requirement and shall continue to protect such data in accordance with this Agreement.
09 International Transfers
Where personal data is transferred to, stored in, or processed in a jurisdiction outside Australia, the Processor shall take reasonable steps to ensure that such transfers comply with applicable data protection laws, including:
- Ensuring that the recipient country provides an adequate level of data protection — as recognised by applicable regulatory authorities, or that appropriate safeguards are in place
- Implementing contractual protections with subprocessors — including standard contractual clauses or equivalent binding commitments that impose data protection obligations consistent with this Agreement
- Conducting transfer impact assessments where appropriate — to evaluate the legal framework of the recipient jurisdiction and the effectiveness of any supplementary measures applied
- Notifying the Controller of the jurisdictions in which personal data is processed — and providing updated information where there is a material change in processing locations
At present, personal data may be processed in the following jurisdictions due to the Processor's use of global infrastructure providers: the United States, the European Union, and the Asia-Pacific region.
10 Assistance to the Controller
The Processor shall provide reasonable assistance to the Controller in fulfilling its obligations under applicable data protection legislation, including but not limited to:
- Data subject requests — assisting the Controller in responding to requests from data subjects to exercise their rights under applicable law, including rights of access, rectification, erasure, restriction of processing, data portability, and objection, to the extent that such assistance is technically feasible given the nature of the Service
- Data protection impact assessments — providing the Controller with information reasonably necessary to conduct data protection impact assessments in relation to the processing activities carried out under this Agreement
- Regulatory consultation — assisting the Controller in consultations with supervisory authorities or data protection regulators, including providing access to relevant documentation and system information as reasonably required
- Compliance audits — upon reasonable notice and subject to appropriate confidentiality protections, permitting the Controller (or an independent auditor appointed by the Controller) to conduct audits or inspections to verify the Processor's compliance with this Agreement, provided that such audits do not unreasonably disrupt the Processor's operations
The Processor may charge a reasonable fee for assistance that is outside the scope of the Service or that requires substantial effort, provided that the Processor shall inform the Controller of any such fee in advance.
11 Liability
Each party shall be liable for damage caused by processing that infringes this Agreement or applicable data protection legislation, in accordance with the following principles:
- The Processor shall be liable for damage caused by processing where the Processor has acted outside or contrary to the lawful instructions of the Controller, or where the Processor has failed to comply with obligations under this Agreement specifically directed to processors
- The Controller shall be liable for damage caused by processing where the Controller has provided incorrect, incomplete, or unlawful instructions, or where the Controller has failed to fulfil its obligations as a data controller under applicable law
- Where both parties are responsible for damage, each party shall be liable for the entirety of the damage in order to ensure effective compensation of the data subject, without prejudice to each party's right to claim contribution from the other party in respect of its share of responsibility
Liability arising under this Agreement shall be subject to the limitations set out in the Terms and Conditions governing the Service, except to the extent that such limitations are prohibited by applicable data protection legislation.
12 Governing Law
This Agreement shall be governed by and construed in accordance with the laws of Queensland, Australia. Any disputes arising under or in connection with this Agreement shall be subject to the exclusive jurisdiction of the courts of Queensland, Australia.
Where personal data is processed subject to the GDPR or other international data protection legislation, the provisions of such legislation shall prevail to the extent of any inconsistency with this Agreement.
This Data Processing Agreement, together with the Terms and Conditions and the Privacy Policy, constitutes the entire agreement between the parties with respect to the processing of personal data in connection with the Profit Guard platform.