Data Processing Agreement (DPA)
This agreement governs the processing of personal data that Martini & Radl OG, as the provider of the Shopify app "EU Withdrawal Button Pro", carries out on behalf of the installing merchant. It is accepted electronically when the app is installed and is valid without a signature pursuant to Art. 28(9) GDPR.
Contracting parties
This agreement is concluded between:
Controller (client)
The Shopify merchant who installs and operates the app "EU Withdrawal Button Pro" in their store. Identification is unambiguous via the shop domain and the master data stored in the Shopify account.
— hereinafter the "Controller" —
Processor
Martini & Radl OG
Garnisongasse 4/11
1090 Vienna, Austria
VAT: ATU78306557 · Commercial register: FN 579551 g · Commercial Court Vienna
— hereinafter the "Processor" —
— both hereinafter jointly the "Parties" —
Recitals
This agreement sets out the conditions under which the Processor processes personal data on behalf of the Controller. The Parties thereby specify their mutual data protection rights and obligations as required by Art. 28 GDPR for the provision of the agreed services.
§ 1 Scope
- This agreement applies to the processing (Art. 4(2) GDPR) of all personal data (hereinafter "Data") that is the subject of the service agreement or arises in the course of its performance and is processed on the instructions of the Controller. Data of the Processor's employees, insofar as it relates exclusively to its own employment relationship, is not covered.
- This agreement takes precedence over other arrangements between the Parties on the same subject, unless expressly agreed otherwise.
§ 2 Specification of the processing
- The subject matter, nature and purpose of the processing are the provision of the Shopify app "EU Withdrawal Button Pro" by the Processor. The app enables the Controller to provide its end customers with a withdrawal button and a withdrawal form, and to receive, document and respond to incoming withdrawal declarations in a structured way via confirmation email. The duration of the processing corresponds to the term of the app installation or the usage relationship.
- The following types of personal data are subject to processing:
  - Personal master data (first name, last name, customer ID)
  - Contact data (email address, delivery and billing address)
  - Order data (order number, order date, withdrawn items, quantity, purchase price, withdrawal date, delivery terms)
  - Communication data (content from the withdrawal form, e.g., reason for withdrawal and free-text messages)
  - Usage data (IP address, timestamp of form/button use, user agent, and technical identifiers to secure the form)
- Categories of data subjects:
  - End customers (buyers) who ordered in the Controller's online shop and used the withdrawal button to exercise their statutory right of withdrawal.
  - Prospective customers / shop visitors who activate the withdrawal button or open the form, even if the process is not completed (collection of usage data / IP address).
  - Contacts of the Controller whose data is processed in the course of configuring and managing the app (admin area).
- Special categories of personal data (Art. 9 GDPR) are not subject to processing.
- The data processed has a normal protection requirement.
§ 3 Obligations and right to issue instructions
- Both Parties comply with the obligations imposed on them by data protection law (in particular the GDPR).
- Processing takes place exclusively within the scope of the Controller's documented instructions. The app functionality described in the main agreement constitutes the basic instruction. The Controller may issue supplementary or differing instructions in documented form (e.g., by email or via the app's user interface). As a rule, only persons with administrative access rights to the relevant Shopify store, or expressly named persons, are authorized to issue instructions.
- If the Processor considers an instruction to be unlawful under data protection law, it informs the Controller without undue delay and may suspend execution until the matter is clarified.
- Processing generally takes place in the European Union (EU) or the European Economic Area (EEA). The Controller issues the general instruction to use specialized subcontractors for cloud infrastructure (see Annex 2). Insofar as a transfer to third countries occurs, the Processor ensures that the requirements of Art. 44 et seq. GDPR are met (e.g., by EU Standard Contractual Clauses or an adequacy decision).
- Processing outside the primary business premises (e.g., remote work) is permitted, provided that the agreed technical and organizational measures are consistently observed, in particular device encryption and multi-factor authentication.
- The Processor reasonably supports the Controller in fulfilling data subject rights (e.g., access, rectification, erasure). Requests addressed directly to the Processor are forwarded to the Controller without undue delay.
- The Processor maintains a record of processing activities pursuant to Art. 30(2) GDPR.
§ 4 Statutory obligations of the Processor
- The Processor ensures that all persons authorized to process data have committed to confidentiality and have been instructed about the strict purpose limitation and instruction-binding nature of this processing relationship.
- It supports the Controller in its accountability obligations (Art. 5(2), Art. 24(1) GDPR) and, upon request, provides information on the technical and organizational measures implemented.
- As the Processor is not obliged to appoint a data protection officer, it designates its management as the central point of contact. Requests should be addressed to [email protected].
- It informs the Controller without undue delay about inspections or measures by supervisory authorities, insofar as these concern the Controller's processing.
§ 5 Technical and organizational measures (TOMs) and audit
- The Parties agree on the technical and organizational measures set out in Annex 1. The Processor ensures compliance with these security standards pursuant to Art. 32 GDPR.
- The measures are subject to technical progress. The Processor is permitted to implement alternative adequate measures, provided that the security level of the measures set out in Annex 1 is not undercut. Material changes are documented.
- Evidence of compliance may be provided in particular by current attestations, certificates or reports of the cloud infrastructure providers used (e.g., ISO 27001, SOC 2).
- The Controller may carry out audits or have them carried out. On-site inspections must be announced with reasonable notice (at least 14 days), take place during normal business hours, and must not unreasonably disrupt operations.
- The Controller bears the costs of an on-site audit, unless the audit reveals serious violations by the Processor.
- Where necessary, the Processor supports the Controller with a data protection impact assessment (Art. 35 GDPR) by providing the necessary technical information about the application architecture.
§ 6 Notification obligations in the event of data breaches
- The Processor notifies the Controller without undue delay (at the latest within 48 hours of becoming aware) if personal data breaches (Art. 4(12) GDPR) are identified.
- The notification contains at least: a description of the nature of the breach, the categories and approximate number of affected records, and the countermeasures taken or proposed.
- The Processor reasonably supports the Controller in its notification obligations toward supervisory authorities (Art. 33 GDPR) and data subjects (Art. 34 GDPR).
- Independent notifications to supervisory authorities or data subjects are made only after prior instruction by the Controller, unless the Processor is directly obliged by law to notify.
§ 7 Deletion and return of data
- All data processed on behalf remains the property of the Controller.
- During active use, withdrawal records are retained according to the plan booked by the Controller (Free: 3 months, Basic: 12 months, Premium: 24 months) and automatically deleted after this period expires.
- After the services end (in particular by uninstalling the app), the Processor, at the Controller's choice, either deletes all data processed on behalf in a data-protection-compliant manner or returns it, unless a statutory retention obligation requires otherwise. If no differing instruction is given before uninstallation, the data is automatically and fully deleted within 30 days of receiving the platform's uninstall or deletion signals (e.g., Shopify mandatory webhooks). A deletion log is provided in electronic form on request. A return in a common, machine-readable format (e.g., CSV) is possible before uninstallation.
- The Controller is itself responsible for complying with its own statutory retention periods (e.g., under § 132 BAO or § 257 HGB for tax-relevant withdrawal or transaction data).
- Test and reject material (e.g., temporary log files or interim storage) is deleted without undue delay after completion of the respective processing step, unless a statutory retention obligation requires otherwise.
§ 8 Subcontractors (sub-processors)
- The Processor receives the Controller's general authorization to engage subcontractors. The subcontractors currently used are listed in Annex 2.
- The Processor informs the Controller in text form at least two weeks in advance of intended changes to this list. Within this period, the Controller may object for an important data protection reason. If no objection is raised, the change is deemed approved.
- The Processor ensures that the contractual arrangements with the subcontractor correspond to the data protection level of this agreement (Art. 28(3) and (4) GDPR).
- If a subcontractor provides services outside the EU/EEA, the Processor ensures data protection compliance through appropriate safeguards pursuant to Art. 44 et seq. GDPR.
- If a subcontractor fails to meet its obligations, the Processor is liable to the Controller for the subcontractor's compliance.
- Ancillary services (e.g., telecommunications, postal and logistics services) without the possibility of access to the Controller's data are not considered subcontractors.
§ 9 Audit rights (data protection audit)
- The Processor makes available to the Controller all information necessary to demonstrate the obligations set out in this agreement and in Art. 28 GDPR.
- After timely notice (as a rule at least two weeks in advance), the Controller may carry out audits or have them carried out by appointed auditors. The Processor is entitled to reject external auditors who are in a competitive relationship with it.
- As processing takes place in a cloud infrastructure, the Controller acknowledges that evidence of adequate measures is provided primarily through certificates, attestations or reports of the subcontractors used, as well as through self-declarations. A physical right of access exists only insofar as a remote audit demonstrably does not suffice.
§ 10 Liability and compensation
- The Parties are liable for damages in accordance with Art. 82 GDPR.
- In the relationship between the Parties, the Processor's liability for damages caused by slight negligence is limited to the amount the Controller paid as remuneration for the use of the app within the last 12 months before the damaging event occurred. This limitation does not apply to damages resulting from grossly negligent or intentional breach of duty.
- The allocation of liability under Art. 82(3) GDPR remains unaffected. In the internal relationship, the Processor is in particular not liable where the damage resulted from a faulty instruction or insufficient cooperation by the Controller.
§ 11 Final provisions
- Amendments and supplements to this agreement require text form (e.g., email or electronic confirmation in the app interface) and the express indication that this constitutes a change to these terms.
- Should individual provisions be or become invalid, the validity of the remaining provisions remains unaffected. The Parties replace the invalid provision with a valid one that comes closest to its economic purpose.
- Austrian law applies, excluding the referral norms of private international law and the UN Convention on Contracts for the International Sale of Goods. Place of jurisdiction is, to the extent legally permissible, the registered office of the Processor (Vienna).
Conclusion of the agreement
This agreement is accepted by the Controller during app installation by electronic confirmation (opt-in). It is legally valid even without a handwritten signature pursuant to Art. 28(9) GDPR. The Processor acts through Martini & Radl OG, represented by its management.
Annex 1: Technical and organizational measures (TOMs)
This annex specifies the security measures agreed under § 5 (Art. 32 GDPR).
The Processor does not operate its own data centers. Processing takes place via modern cloud infrastructure; the Processor combines its own organizational measures with the security standards of the subcontractors used (see Annex 2).
1. Confidentiality
Physical access control. The physical security of the servers is ensured by the certified providers (ISO 27001, SOC 2 Type II).
System access control.
- Administrative access to business-critical cloud platforms is mandatorily secured by multi-factor authentication (TOTP).
- Use of a password manager for the encrypted management of credentials.
- Full disk encryption on all work devices.
Data access control.
- Access to the cloud console and database exclusively via MFA-protected accounts.
- Application-side access via securely managed environment variables (secrets), not in plain text in the source code.
- Assignment of permissions on a need-to-know basis; individual user accounts, no shared accounts.
Separation control. Tenant separation via a multi-tenant architecture: data is strictly logically separated at the database level via unique tenant identifiers (shop IDs). Development (Dev), test (Staging) and production (Prod) environments are separated; as a rule, no real data is used in Dev/Test.
2. Integrity
Transfer control.
- Any data transmission between device, Shopify API and app servers is encrypted (at least TLS 1.2, preferably TLS 1.3).
- Unencrypted requests are automatically redirected to HTTPS (HSTS).
- Internal communication between the cloud services is also encrypted.
- Email addresses and IP addresses are stored pseudonymized (hashing), insofar as not required for sending.
Input control.
- All changes to the source code are fully versioned; every commit is attributed to an authorized developer.
- Every deployment is logged with a timestamp.
- Critical administrative access to the database is logged on the provider side.
3. Availability and resilience
- Use of scalable cloud infrastructure with a multi-availability-zone architecture to protect against localized outages.
- Cloud-native protection mechanisms (WAF) to defend against attacks on availability.
- Fully automated daily backups with a retention period of at least 30 days; regular verification of recovery processes.
4. Procedures for regular review
- Integration of automated security audits into the CI pipeline; builds with critical vulnerabilities in dependencies are blocked.
- Automated test suites to ensure code integrity before every release.
- Careful selection and regular review of subcontractors (ISO 27001, SOC 2 certifications) as well as conclusion of corresponding DPAs and appropriate safeguards for third-country transfers.
- Maintenance of a record of processing activities (Art. 30 GDPR), reviewed at least annually; regular awareness training for all involved.
Annex 2: Approved sub-processors
Pursuant to § 8, the Controller approves the engagement of the sub-processors listed below. Agreements pursuant to Art. 28(2) to (4) GDPR are in place with these service providers. Insofar as data is transferred to third countries, this takes place on the basis of appropriate safeguards pursuant to Art. 44 et seq. GDPR (in particular the EU-U.S. Data Privacy Framework or EU Standard Contractual Clauses).
| Service provider | Registered office | Service / purpose | Processing location |
|---|---|---|---|
| Shopify International Ltd. | 2nd Floor Victoria Buildings, 1-2 Haddington Road, Dublin 4, Ireland | E-commerce platform, app runtime & API interface | EU (Ireland) / global |
| Railway Corp. | 548 Market St, San Francisco, CA 94104, USA | Application hosting & database (PostgreSQL) | EU region; SCCs where third-country transfer applies |
| Resend, Inc. | 2261 Market St #4008, San Francisco, CA 94114, USA | Sending of confirmation emails | USA — SCCs / EU-U.S. DPF |