Data Processing Agreement (DPA)

Last updated: 22 April 2026

1. Parties

This Data Processing Agreement ("DPA") is entered into between:

  • Costplus OÜ, a company registered in Estonia, with its registered office at Pärnu mnt 139b, 11317 Tallinn, Estonia, company registration number 16936614 ("Processor", "we", "us", or "Cost+"); and
  • the merchant that has installed the Cost+ Checkout Shopify application, or otherwise integrated with the Cost+ Checkout service, by agreeing to our Terms of Service at https://costplus.io/shopify-app-terms ("Controller", "Merchant", or "you"),

each a "Party" and together the "Parties".

This DPA forms part of, and is subject to, the Terms of Service between the Parties. In case of any conflict between this DPA and the Terms of Service with respect to the processing of Personal Data, this DPA prevails.

2. Definitions

Unless otherwise defined, capitalised terms have the meanings given to them in Regulation (EU) 2016/679 (the "GDPR"). For convenience:

  • "Personal Data" has the meaning in Article 4(1) GDPR.
  • "Processing" has the meaning in Article 4(2) GDPR.
  • "Data Subject" means a Shopify customer or end-user whose Personal Data is processed under this DPA.
  • "Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
  • "Services" means the Cost+ Checkout service (the Shopify app, associated APIs, and hosted checkout pages) provided by the Processor to the Controller under the Terms of Service.

3. Subject matter, nature, purpose, and duration of processing

3.1 Subject matter

The Processor processes Personal Data about the Controller's customers in order to provide the Services. Cost+ Checkout is a funnel-orchestration tool that routes shoppers arriving from Merchant-controlled entry points (for example, email campaigns, landing pages, social advertisements, or direct Shopify storefront links) through a single consistent checkout experience and creates the corresponding order in the Merchant's Shopify store after payment.

3.2 Nature and purpose of processing

The Processor processes Personal Data for the following purposes:

  • Collecting buyer contact and shipping information during checkout;
  • Calculating applicable taxes and shipping rates through Shopify's own tax and shipping calculation services;
  • Creating the corresponding Shopify order after the buyer completes payment;
  • Processing payments through Cost+'s payment infrastructure or the Merchant's configured payment provider;
  • Reflecting refunds, cancellations, and fulfilment events initiated by the Merchant in their Shopify admin back into the Merchant's Cost+ Checkout configuration;
  • Responding to data-subject requests forwarded by Shopify via the standard GDPR webhooks (customers/data_request, customers/redact, shop/redact);
  • Providing merchant-facing analytics derived from aggregated and pseudonymised session data.

3.3 Duration

The Processor processes Personal Data for the duration of the Services, and retains such data for the periods set out in Section 9 below.

4. Types of Personal Data and categories of Data Subjects

4.1 Types of Personal Data

  • First and last name;
  • Email address;
  • Phone number (when provided);
  • Shipping address (street, city, postal code, country, optional address line 2, province/state);
  • Billing address (same fields);
  • Order details, including line items, product identifiers, quantities, prices, applied discount codes, order total, currency, and fulfilment status;
  • Payment-related metadata (payment method token or reference, authorization and capture identifiers) — note that full primary account numbers (PAN) never enter the Processor's systems; they are tokenised by Cost+'s PCI-DSS-compliant payment infrastructure or the Merchant's configured payment provider.

4.2 Categories of Data Subjects

  • The Controller's customers (buyers) who complete checkout via Cost+ Checkout.

5. Obligations of the Processor

The Processor shall:

5.1 Documented instructions

Process Personal Data only on the documented instructions of the Controller, including with regard to transfers of Personal Data to a third country or an international organisation, unless required to do so by Union or Member State law to which the Processor is subject. In such a case, the Processor shall inform the Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest. The Parties agree that the Terms of Service, this DPA, and the Controller's use of the Services through standard configuration options constitute documented instructions within the meaning of Article 28(3)(a) GDPR.

5.2 Confidentiality

Ensure that persons authorised to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

5.3 Security measures

Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as required by Article 32 GDPR. A summary of these measures is set out in Annex 1. The Controller acknowledges that Annex 1 may be updated from time to time to reflect improvements in the Processor's security posture, and that any such update will not result in a material reduction of the level of security.

5.4 Sub-processors

Engage Sub-processors only under the terms of Section 7 below.

5.5 Assistance with Data Subject rights

Taking into account the nature of the processing, assist the Controller by appropriate technical and organisational measures, insofar as possible, for the fulfilment of the Controller's obligation to respond to requests for exercising the Data Subject's rights under Chapter III of the GDPR.

5.6 Assistance with Controller's other obligations

Assist the Controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 GDPR, taking into account the nature of processing and the information available to the Processor.

5.7 Return or deletion at end of Services

At the choice of the Controller, delete or return all Personal Data to the Controller after the end of the provision of Services relating to processing, and delete existing copies, unless Union or Member State law requires storage of the Personal Data. The Processor shall delete Personal Data within 90 days of the end of the Services, except where longer retention is required by Section 9.

5.8 Records of processing

Maintain a written record of all categories of processing activities carried out on behalf of the Controller, as required by Article 30(2) GDPR.

5.9 Audits

Make available to the Controller all information necessary to demonstrate compliance with Article 28 GDPR, and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller. The Controller shall bear any cost of such audits beyond providing the standard information already available to the Controller through the Services. The Controller shall give reasonable prior notice (at least 30 days), conduct audits during normal business hours, and not disrupt the Processor's operations.

6. Obligations of the Controller

The Controller warrants that:

  • It has established a valid legal basis under Article 6 GDPR (and, where applicable, Article 9 GDPR) for all Personal Data it makes available to the Processor through the Services;
  • It has provided all required transparency information to Data Subjects under Articles 13 and 14 GDPR, including the fact that Cost+ Checkout is used to process checkout and order data;
  • It has properly configured Cost+ Checkout (including flow rules, allowed countries, payment methods, and any custom scripts or blocks) such that the Services process only Personal Data necessary for the Merchant's lawful purposes;
  • It will respond to Data Subject requests forwarded by the Processor within the timeframes required by law.

7. Sub-processors

7.1 General authorisation

The Controller provides general authorisation for the Processor to engage Sub-processors for the performance of the Services. A list of current Sub-processors is maintained at Annex 2 and is updated from time to time.

7.2 Notice of changes

The Processor shall inform the Controller of any intended changes to the list of Sub-processors (addition or replacement) with at least 30 days' prior notice, giving the Controller an opportunity to object on reasonable grounds. If the Controller objects and the Parties cannot agree on a resolution within 30 days, the Controller may terminate the affected portion of the Services for convenience.

7.3 Flow-down obligations

The Processor shall impose on every Sub-processor, by way of contract, the same data-protection obligations as set out in this DPA, and shall remain fully liable to the Controller for the performance of each Sub-processor's obligations.

8. International data transfers

8.1 Primary hosting

The Processor hosts the Services in the European Union. Personal Data does not leave the EU/EEA in the normal course of operations.

8.2 Sub-processor transfers

Where a Sub-processor is located outside the EU/EEA, the Processor ensures that transfers are covered by an adequacy decision under Article 45 GDPR, or by Standard Contractual Clauses adopted by the European Commission (Module 2: controller-to-processor or Module 3: processor-to-processor, as appropriate), or by another valid transfer mechanism under Chapter V GDPR.

8.3 Onward transfers

Shopify itself acts as an independent controller with respect to the customer data that the Controller has entered into its Shopify store. The Processor's receipt of such data from Shopify, and return of Shopify-created order data to Shopify, are covered by Shopify's own data-protection terms with the Merchant and are not onward transfers under this DPA.

9. Retention and deletion

The Processor retains Personal Data for the following periods:

  • Active session data (in-flight checkout sessions that have not completed): deleted 30 days after the session's expiry;
  • Completed order data (sessions that resulted in a Shopify order): retained for 7 years to meet tax and accounting-law retention requirements in Estonia and most EU jurisdictions, then deleted;
  • Payment tokens and authorization records: retained for the retention period of the underlying payment method (typically 7 years);
  • Log data (request logs, webhook delivery logs): retained for 90 days, then rotated out;
  • Audit / security event logs: retained for 1 year.

Upon termination of the Services, the Processor shall delete or return Personal Data as set out in Section 5.7 above, subject to the retention periods mandated by applicable law.

10. Data breach notification

The Processor shall notify the Controller without undue delay, and in any event within 48 hours, of becoming aware of a Personal Data breach affecting the Controller's data. The notification shall contain at least the information required by Article 33(3) GDPR to the extent available, and shall be updated as additional information becomes known.

11. Liability

The Parties' liability under this DPA is subject to the liability provisions of the Terms of Service, except that any limitation of liability in the Terms of Service does not exclude or limit liability for any matter for which such exclusion or limitation would be unlawful under applicable data-protection law.

12. Governing law and jurisdiction

This DPA is governed by the laws of Estonia, without regard to its conflict-of-laws rules. The Parties submit to the exclusive jurisdiction of the courts of Harju County, Estonia, for any dispute arising out of or in connection with this DPA, subject to any mandatory provisions of law regarding jurisdiction over consumer or data-subject disputes.

13. Term and termination

This DPA takes effect on the date the Controller first installs or uses the Services and terminates automatically upon termination of the Terms of Service. Clauses that by their nature should survive termination (including Sections 5.7, 9, 10, and 12) shall survive.

14. Entire agreement

This DPA, together with the Terms of Service at https://costplus.io/shopify-app-terms and the Privacy Policy at https://costplus.io/privacy-policy, constitutes the entire agreement between the Parties with respect to the subject matter and supersedes all prior understandings.


Annex 1 — Technical and organisational measures

The Processor implements the following technical and organisational measures to protect Personal Data:

Encryption

  • All data in transit is encrypted using TLS 1.2 or higher, with certificates managed via Let's Encrypt and automatic rotation.
  • Shopify API access tokens and third-party payment-provider credentials are encrypted at rest using AES-256-GCM with application-layer keys managed via HashiCorp Vault Transit or an equivalent key-management system.
  • Database backups are encrypted before transfer to off-site storage.

Access control

  • Production system access is restricted to a defined set of authorised personnel with individually identifiable accounts, SSH key-based authentication for server access, and hardware-backed or TOTP multi-factor authentication for administrative interfaces.
  • Application-level merchant passwords are hashed using Argon2id with memory-hard parameters.
  • Access to Personal Data is logged and retained in accordance with Section 9 of the DPA.

Infrastructure

  • Services are hosted in Tier-III or equivalent data centres located within the European Union.
  • Logical separation between test and production environments; no production data is used in development or testing environments.
  • Regular patching of operating systems, runtime environments, and third-party dependencies.

Personnel

  • Personnel with access to Personal Data are bound by written confidentiality obligations that survive termination of their engagement.
  • Onboarding and periodic security-awareness training for all personnel with access to Personal Data or production infrastructure.

Incident response

  • Documented security-incident response procedure covering detection, containment, investigation, notification (including to the Controller within 48 hours per Section 10), and post-incident review.
  • Quarterly review of incident-response procedures and contact information.

Data-loss prevention

  • Application-level access controls scoped to individual merchants and individual sessions; no merchant can access another merchant's data via the API.
  • Audit logging of all access to Personal Data, retained per Section 9.
  • Regular restoration tests of encrypted backups.

Secure development

  • Source code hosted in a private repository with enforced review of all changes before merge.
  • Automated dependency scanning and regular updates of third-party libraries.
  • Penetration testing at least annually once the Services reach general availability.

Annex 2 — Authorised Sub-processors

As of the last-updated date of this DPA, the following Sub-processors are authorised to process Personal Data on behalf of the Controller:

| Sub-processor | Purpose | Location | Transfer mechanism |
|---|---|---|---|
| OVH SAS | Infrastructure hosting (compute, storage) for the Services | France (EU) | Not applicable — intra-EU |
| [PostgreSQL backup provider — e.g., Backblaze B2 EU] | Encrypted off-site backups of database volumes | EU | Not applicable — intra-EU |
| [Email provider — e.g., Postmark, SendGrid EU endpoint] | Transactional emails (merchant notifications, DPA-related communications) | EU | Not applicable — intra-EU |
| Cost+ payment infrastructure | Payment processing (tokenisation, authorization, capture, refund) on behalf of the Merchant | EU | Not applicable — intra-EU |

The Processor will maintain an up-to-date version of this list at https://costplus.io/dpa/sub-processors and will notify the Controller of any additions or replacements in accordance with Section 7.2 of this DPA.


End of Data Processing Agreement.
