Data Processing Agreement (DPA)

Last updated: 2 October 2025

This Data Processing Agreement (“DPA”) forms part of the Terms of Service or other written agreement (“Principal Agreement”) between:

  • BSS Commerce, developer of the MIDA Session Recording & Replay Shopify App (“Processor”), contact: [email protected], and
  • The Shopify Merchant using the app (“Controller”).

Together, the Processor and Controller are the “Parties.”

1. Subject Matter and Purpose

1.1 The Processor provides session recording, replay, and analytics services for Shopify stores.
1.2 The Processor processes personal data on behalf of the Controller solely for the purposes of delivering these services, including user experience analysis, debugging, fraud prevention, and customer journey insights.
1.3 No processing shall occur for purposes other than those instructed by the Controller.

2. Duration

This DPA remains in force for as long as the Controller uses the Processor’s services. Upon termination, data will be deleted or returned in accordance with Annex II (Data Retention & Deletion).

3. Categories of Data Subjects

The Processor may process personal data relating to the following categories of data subjects:

  • Visitors and customers of the Controller’s Shopify store.
  • Users interacting with the Controller’s website.

4. Types of Personal Data

The Processor processes only the following types of data:

  • Metadata: IP address, user agent, device information.
  • Interaction Data: Clicks, scrolls, page navigation events.
  • Page Content: DOM snapshot, with all sensitive fields masked.
  • Excluded Data: No passwords, payment card data, social security numbers, or other sensitive identifiers are collected.

5. Obligations of the Controller

The Controller shall:

  • Obtain a valid legal basis for processing and inform end users about session recording activities.
  • Configure and use the app responsibly, ensuring no unlawful collection of personal data.
  • Provide instructions to the Processor regarding data deletion, export, or suspension of processing.

6. Obligations of the Processor

The Processor agrees to:

  • Process data only on documented instructions from the Controller.
  • Maintain confidentiality of personal data and ensure staff and sub-processors are bound by confidentiality.
  • Implement technical and organizational security measures described in Annex I.
  • Assist the Controller in fulfilling data subject rights (access, rectification, erasure, portability, objection).
  • Notify the Controller of any personal data breach without undue delay and in no event later than 36 hours after confirmation.
  • Make available relevant information for audits, as outlined in Section 11.
  • Delete or return all personal data upon termination of services, as outlined in Annex II.

7. Sub-processors

7.1 The Processor may engage sub-processors to provide infrastructure or supporting services.
7.2 Current sub-processors:

  • Linode – Hosting & Database (Regions: Singapore, EU).
  • Cloudflare – CDN, WAF, DDoS Protection.
  • Zabbix – Monitoring & Logging.
  • Sentry – Error Logging.
  • Mailgun – Transactional Emails.

7.3 The Processor shall ensure sub-processors are bound by written agreements providing the same level of protection as this DPA.
7.4 The Controller will be notified of any intended changes to sub-processors and may object where justified.

8. International Data Transfers

8.1 Data is primarily processed and stored in the EU (Linode).
8.2 Where data is transferred outside the EU/EEA (e.g., Cloudflare routing, Linode Singapore region), such transfers will be protected by Standard Contractual Clauses (SCCs) or other legally valid mechanisms.

9. Security Measures

The Processor implements appropriate technical and organizational measures to ensure the security of processing. These measures are detailed in Annex I (Technical & Organizational Security Measures).

10. Data Subject Rights

The Processor shall assist the Controller, to the extent possible, in fulfilling obligations to respond to data subject requests under applicable data protection laws.

11. Audit & Reporting

  • The Controller may request the Processor to complete a security questionnaire or provide documentation necessary to demonstrate compliance.
  • Onsite audits may be requested with reasonable prior notice and are subject to the Controller bearing associated costs.

12. Data Breach Notification

In the event of a personal data breach, the Processor shall:

  • Detect and assess incidents within 12 hours.
  • Notify the affected Controller within 36 hours of confirmation.
  • Provide details of the nature of the breach, scope of data affected, and remediation steps taken.

13. Liability & Indemnity

To be agreed between Parties in the Principal Agreement. Typically: each Party is liable for damages arising from its own breach of data protection obligations.

14. Termination

Upon termination of the Principal Agreement:

  • The Controller may instruct the Processor to return or delete personal data.
  • Unless otherwise instructed, the Processor will delete personal data according to Annex II.

15. Governing Law & Jurisdiction

This DPA shall be governed by the laws of Vietnam, unless otherwise required by applicable data protection law.

Annex I – Technical & Organizational Security Measures

  • Encryption: Data encrypted in transit and at rest.
  • Authentication: Multi-Factor Authentication (MFA) for all admin accounts.
  • Access Control: Least privilege principle enforced using Passbolt.
  • Penetration Testing: Regular penetration tests and vulnerability scans.
  • Network Security: Virtual Private Cloud (VPC) with private subnets.
  • Masking & Redaction: Automatic masking of passwords; regex-based redaction for payment and PII data.
  • Access Governance:
    • Engineering: Read-only access to anonymized data.
    • Security: Full access for incident response.
    • Support: Limited playback access with masked data.

Annex II – Data Retention & Deletion

  • Session replay data: 30 days.
  • Logs: 90 days.
  • Backups: None retained.
  • Deletion Requests: Controller may request deletion of specific sessions within 7 days.
  • Suspension: Controller may suspend processing at any time by disabling the tracking script.
  • Export: Controller may export raw data (JSON/CSV) at any time.

Annex III – Sub-processors

  • Linode – Hosting & Database (Regions: Singapore, EU).
  • Cloudflare – CDN, WAF, DDoS Protection.
  • Zabbix – Monitoring & Logging.
  • Sentry – Error Logging.
  • Mailgun – Transactional Emails.