Data Processing Agreement (DPA) - Tapita.io
This Data Processing Agreement ("DPA") forms part of the Agreement between Tapita.io ("Tapita," "Company," "we," or "us") and the subscribing party ("Subscriber," "you," or "your") and is effective on the date both parties execute this DPA ("Effective Date").
1. Definitions
All capitalized terms not defined in this DPA will have the meanings set forth in the Agreement. Terms used but not defined in this DPA, such as "controller," "data subject," "personal data," "processing," and "processor" will have the same meaning as set forth in the EU Data Protection Law.
"Affiliate" means an entity that directly or indirectly controls, is controlled by or is under common control with an entity.
"Agreement" means Tapita.io's Terms of Service, which govern the provision of the Services to Subscriber, as such terms may be updated by Tapita.io from time to time.
"Data Protection Laws" means all data protection and privacy laws applicable to the processing of personal data under the Agreement, including, where applicable, EU Data Protection Law.
"EU Data Protection Law" means (i) prior to 25 May 2018, Directive 95/46/EC of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data ("Directive") and on and after 25 May 2018, Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) ("GDPR"); and (ii) Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector and applicable national implementations of it (as may be amended, superseded or replaced).
"EEA" means the European Economic Area, United Kingdom and Switzerland.
"Security Incident" means any unauthorized or unlawful breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Subscriber Data.
"Services" means any SEO optimization tools, analytics, applications, or related services provided by Tapita.io to Subscriber pursuant to the Agreement.
"Subprocessors" means the third-party processors that are used by Tapita.io to process Personal Data.
"Subscriber Data" means any personal data that Tapita.io processes on behalf of Subscriber as a processor in the course of providing Services, as more particularly described in this DPA.
2. Relationship with the Agreement
The parties agree that this DPA shall replace any existing data processing addendum the parties may have previously entered into in connection with the Services.
Except for the changes made by this DPA, the Agreement remains unchanged and in full force and effect. If there is any conflict between this DPA and the Agreement, this DPA shall prevail to the extent of that conflict.
Any claims brought under or in connection with this DPA shall be subject to the terms and conditions, including but not limited to, the exclusions and limitations set forth in the Agreement.
This DPA shall be governed by and construed in accordance with the governing law and jurisdiction provisions in the Agreement, unless required otherwise by applicable Data Protection Laws.
3. Scope and Applicability of this DPA
This DPA applies where and only to the extent that Tapita.io processes Subscriber Data that originates from the EEA or that is otherwise subject to EU Data Protection Law on behalf of Subscriber as a processor in the course of providing Services pursuant to the Agreement.
4. Roles and Scope of Processing
4.1 Role of the Parties
As between Tapita.io and Subscriber, Subscriber is the controller of Subscriber Data, and Tapita.io shall process Subscriber Data only as a processor acting on behalf of Subscriber.
4.2 Subscriber Processing of Subscriber Data
Subscriber agrees that (i) it shall comply with its obligations as a controller under Data Protection Laws in respect of its processing of Subscriber Data and any processing instructions it issues to Tapita.io; and (ii) it has provided notice and obtained (or shall obtain) all consents and rights necessary under Data Protection Laws for Tapita.io to process Subscriber Data and provide the Services pursuant to the Agreement and this DPA.
4.3 Tapita.io Processing of Subscriber Data
Tapita.io shall process Subscriber Data only for the purposes described in this DPA and only in accordance with Subscriber's documented, lawful instructions. The parties agree that this DPA and the Agreement set out the Subscriber's complete and final instructions to Tapita.io in relation to the processing of Subscriber Data.
4.4 Details of Data Processing
(a) Subject matter: The subject matter of the data processing under this DPA is the Subscriber Data processed through Tapita.io's SEO optimization tools and analytics services.
(b) Duration: As between Tapita.io and Subscriber, the duration of the data processing under this DPA is until the termination of the Agreement in accordance with its terms.
(c) Purpose: The purpose of the data processing under this DPA is the provision of SEO optimization services, website analytics, performance monitoring, and related technical services to the Subscriber.
(d) Nature of the processing: Tapita.io provides AI-powered SEO optimization tools, website performance analytics, search engine optimization services, metadata management, and related technical services for Shopify merchants, as described in the Agreement.
(e) Categories of data subjects:
- Shopify merchants and store owners using the Services ("Users")
- Website visitors and customers of Subscriber's Shopify stores ("End Users")
- Any individual whose data is processed through Subscriber's use of the Services
(f) Types of Subscriber Data:
Subscriber and Users:
- Identification and contact data (name, email address, phone number, business information)
- Account information (username, billing details, subscription information)
- Technical data (IP addresses, browser information, usage analytics)
- Business data (store information, product details, SEO preferences)
End Users:
- Website analytics data (page views, session duration, bounce rates)
- Technical data (IP addresses, browser type, device information, geographic location)
- Behavioral data (search queries, page interactions, conversion data)
- SEO-related data (keyword rankings, search performance metrics)
5. Subprocessing
5.1 Authorized Subprocessors
Subscriber agrees that Tapita.io may engage Subprocessors to process Subscriber Data on Subscriber's behalf. The Subprocessors currently engaged by Tapita.io include but are not limited to:
- Cloud hosting providers (AWS, Google Cloud Platform)
- Analytics service providers
- Payment processors
- Customer support platforms
- Security monitoring services
A current list of Subprocessors is available upon request.
5.2 Subprocessor Obligations
Tapita.io shall: (i) enter into a written agreement with each Subprocessor imposing data protection terms that require the Subprocessor to protect the Subscriber Data to the standard required by Data Protection Laws; and (ii) remain responsible for its compliance with the obligations of this DPA and for any acts or omissions of the Subprocessor that cause Tapita.io to breach any of its obligations under this DPA.
5.3 Changes to Subprocessors
Tapita.io shall notify Subscriber if it adds new Subprocessors at least 10 days prior to any such changes. Subscriber may object in writing to Tapita.io's appointment of a new Subprocessor within five (5) calendar days of such notice, provided that such objection is based on reasonable grounds relating to data protection.
6. Security
6.1 Security Measures
Tapita.io shall implement and maintain appropriate technical and organizational security measures to protect Subscriber Data from Security Incidents and to preserve the security and confidentiality of the Subscriber Data, including:
- Encryption of data in transit and at rest
- Regular security assessments and penetration testing
- Access controls and authentication mechanisms
- Security monitoring and incident response procedures
- Employee training on data protection and security
6.2 Security Incident Response
Upon becoming aware of a Security Incident, Tapita.io shall notify Subscriber without undue delay and shall provide timely information relating to the Security Incident as it becomes known or as is reasonably requested by Subscriber.
6.3 Subscriber Responsibilities
Subscriber is responsible for its secure use of the Services, including securing its account authentication credentials, protecting the security of Subscriber Data when in transit to and from the Services, and taking appropriate steps to securely configure its Shopify store and related integrations.
7. International Transfers
7.1 Data Processing Locations
Tapita.io may transfer and process Subscriber Data in locations where Tapita.io, its Affiliates, or its Subprocessors maintain data processing operations. Tapita.io shall at all times provide an adequate level of protection for the Subscriber Data in accordance with the requirements of Data Protection Laws.
7.2 Transfer Mechanisms
For transfers of personal data from the EEA to countries that have not been designated by the European Commission as providing an adequate level of protection, Tapita.io shall implement appropriate safeguards such as Standard Contractual Clauses or other lawful transfer mechanisms as recognized under EU Data Protection Laws.
8. Data Subject Requests and Cooperation
8.1 Data Subject Rights
The Services provide Subscriber with controls to retrieve, correct, delete, or restrict Subscriber Data. To the extent that Subscriber is unable to independently address data subject requests through the Services, Tapita.io shall provide reasonable cooperation to assist Subscriber in responding to such requests.
8.2 Cooperation with Authorities
If Tapita.io receives a request directly from a data subject or data protection authority, Tapita.io shall not respond without Subscriber's prior authorization, unless legally compelled to do so. If required to respond, Tapita.io shall promptly notify Subscriber.
9. Return or Deletion of Data
Upon termination or expiration of the Agreement, Tapita.io shall (at Subscriber's election) delete or return to Subscriber all Subscriber Data in its possession or control, except to the extent Tapita.io is required by applicable law to retain some or all of the Subscriber Data.
10. Compliance and Audits
Upon reasonable request, Tapita.io will verify its compliance with this DPA through appropriate documentation or third-party certifications, provided that Subscriber shall not exercise this right more than once per year.
11. Liability and Indemnification
Each party's liability under this DPA shall be subject to the limitation of liability provisions in the Agreement. Subscriber agrees that any regulatory penalties incurred by Tapita.io in relation to the Subscriber Data that arise as a result of Subscriber's failure to comply with its obligations under this DPA or applicable Data Protection Laws shall count toward and reduce Tapita.io's liability under the Agreement.
12. Term and Termination
This DPA shall remain in effect for as long as the Agreement is in force or until all Subscriber Data has been deleted or returned in accordance with this DPA.
13. Contact Information
For questions regarding this DPA or data protection matters, please contact:
Tapita.io Data Protection Officer
Email: admin@tapita.io
Address: M5 Building, 91 Đ. Nguyễn Chí Thanh, Đống Đa, Hà Nội 100000