Data Processing Agreement

1. Introduction

This Data Processing Agreement ("DPA") forms part of the Terms of Service between Tradik ("Processor", "we", "us") and the Customer ("Controller", "you") for the use of Wash services.

This DPA is designed to meet the requirements of Article 28 of the UK General Data Protection Regulation (UK GDPR) and the EU General Data Protection Regulation (EU GDPR).

2. Definitions

Term            Definition
Personal Data   Any information relating to an identified or identifiable natural person
Processing      Any operation performed on Personal Data (collection, storage, transfer, etc.)
Controller      The entity that determines the purposes and means of processing (Customer)
Processor       The entity that processes Personal Data on behalf of the Controller (Tradik/Wash)
Sub-processor   A third party engaged by the Processor to process Personal Data
Data Subject    An identified or identifiable natural person whose data is processed

3. Scope of Processing

3.1 Nature and Purpose

Wash processes Personal Data solely for the purpose of synchronizing content from WordPress to Shopify, including:

  • Synchronization of blog post and page content
  • Transfer of media files (images, documents) to the Shopify CDN
  • SEO metadata synchronization
  • Author information mapping
  • Custom fields and metafield synchronization

3.2 Categories of Personal Data

The following categories of Personal Data may be processed:

Category             Examples
Author Information   Names, email addresses, biographical information
Content Data         Blog post content that may reference individuals
Media Metadata       Image alt text, captions containing personal information
User Comments        If comments are synced: commenter names, emails (optional feature)

3.3 Categories of Data Subjects

  • WordPress site administrators and editors
  • Content authors and contributors
  • Individuals mentioned in synchronized content
  • Comment authors (if comment sync is enabled)

3.4 Duration of Processing

Processing continues for the duration of the service agreement. Upon termination:

  • Active synchronization ceases immediately
  • Cached data is deleted within 30 days
  • Logs are retained for 90 days for security purposes, then deleted
  • Backups are purged within 180 days

4. Processor Obligations

4.1 Processing Instructions

The Processor shall:

  • Process Personal Data only on documented instructions from the Controller
  • Immediately inform the Controller if an instruction infringes data protection law
  • Not process Personal Data for any purpose other than providing Wash services

4.2 Confidentiality

The Processor ensures that:

  • All personnel processing Personal Data are bound by confidentiality obligations
  • Access to Personal Data is limited to authorized personnel only
  • Confidentiality obligations survive termination of employment

4.3 Security Measures

The Processor implements appropriate technical and organizational measures:

Technical Measures

  • Encryption in Transit: TLS 1.3 for all API communications
  • Encryption at Rest: AES-256 for stored data
  • Authentication: HMAC-SHA256 signed API requests
  • Access Control: Role-based access following the principle of least privilege
  • Network Security: Firewall protection, DDoS mitigation
  • Monitoring: 24/7 security monitoring and alerting

Organizational Measures

  • Regular security training for all personnel
  • Background checks for employees with data access
  • Documented security policies and procedures
  • Regular security audits and penetration testing
  • Incident response plan with defined escalation procedures

5. Sub-processors

5.1 Authorization

The Controller provides general authorization for the Processor to engage sub-processors. The Processor maintains a list of current sub-processors:

Sub-processor         Purpose                                       Location
Cloudflare, Inc.      CDN, DDoS protection, DNS                     Global (US HQ)
Hetzner Online GmbH   Infrastructure hosting                        Germany/Finland
Shopify Inc.          Destination platform (via Customer's store)   Canada/Global

5.2 Sub-processor Changes

The Processor shall:

  • Notify the Controller of any intended changes to sub-processors
  • Provide 30 days' advance notice before engaging new sub-processors
  • Allow the Controller to object to new sub-processors
  • Ensure all sub-processors are bound by equivalent data protection obligations

6. Data Subject Rights

6.1 Assistance with Requests

The Processor shall assist the Controller in responding to Data Subject requests for:

  • Access: Providing copies of Personal Data
  • Rectification: Correcting inaccurate data
  • Erasure: Deleting Personal Data ("right to be forgotten")
  • Restriction: Limiting processing activities
  • Portability: Providing data in machine-readable format
  • Objection: Ceasing processing based on legitimate interests

6.2 Response Time

The Processor shall respond to Controller assistance requests within 10 business days.

7. Data Breach Notification

7.1 Notification Timeline

In the event of a Personal Data breach, the Processor shall:

  • Notify the Controller without undue delay, and within 24 hours of becoming aware
  • Provide initial notification via email to the registered account contact
  • Follow up with detailed written notification within 72 hours

7.2 Notification Content

Breach notifications shall include:

  • Description of the nature of the breach
  • Categories and approximate number of Data Subjects affected
  • Categories and approximate number of Personal Data records affected
  • Name and contact details of the Data Protection Officer
  • Description of likely consequences of the breach
  • Description of measures taken or proposed to address the breach

8. Audit Rights

8.1 Controller Audit Rights

The Controller has the right to:

  • Request and receive copies of relevant certifications and audit reports
  • Submit written audit questions (responded to within 30 days)
  • Conduct on-site audits with 30 days' advance notice (at the Controller's expense)

8.2 Audit Scope

Audits may cover:

  • Security measures and their implementation
  • Processing activities and compliance with instructions
  • Sub-processor management and oversight
  • Breach notification procedures

9. Data Transfers

9.1 Transfer Mechanisms

For international data transfers, the Processor relies on:

  • EU Standard Contractual Clauses (SCCs): As approved by the European Commission
  • UK International Data Transfer Agreement (IDTA): For UK-origin data
  • Adequacy Decisions: Where applicable

9.2 Transfer Impact Assessment

The Processor maintains transfer impact assessments for all international transfers and updates them when legal circumstances change.

10. Termination

10.1 Data Return or Deletion

Upon termination of the service agreement, the Controller may request:

  • Data Return: Export of all Personal Data in standard format (JSON/CSV)
  • Data Deletion: Secure deletion of all Personal Data

The Controller must make this election within 30 days of termination. If no election is made, data will be deleted.

10.2 Deletion Certification

Upon request, the Processor shall provide written certification of data deletion.

11. Liability

Each party's liability under this DPA is subject to the limitations set forth in the Terms of Service. The Processor shall be liable for damages caused by processing that violates this DPA or applicable data protection law.

12. Governing Law

This DPA is governed by the laws of England and Wales. For Controllers in the EU, this DPA is additionally governed by the applicable EU Member State law where required by GDPR.

13. Contact Information

For DPA-related inquiries:

Data Protection Officer
Tradik
Email: [email protected]

Legal Department
Email: [email protected]

14. Amendments

This DPA may be amended by the Processor to reflect changes in data protection law or processing practices. Material changes will be notified 30 days in advance. Continued use of the service after the effective date constitutes acceptance of the amended DPA.

Request a Signed Copy

Enterprise customers receive a pre-signed DPA upon subscription. For other plans, contact [email protected] to request a signed copy for your records.