Data Processing Agreement
Version: v1.0-2026-05 · Effective from: 2026-05-04
1. Definitions
- Data Controller: the merchant operating the Shopify store (the "Controller").
- Data Processor: Botnoos S.r.l., trading as "Botswe" (the "Processor").
- Personal Data: any data relating to an identified or identifiable natural person, processed under Regulation (EU) 2016/679 ("GDPR").
- Sub-Processors: third parties engaged by the Processor — see Annex 1.
2. Subject matter and duration
The Processor provides an AI chatbot service (Botswe Shopify Assistant) on the Controller's storefront. Processing covers visitor conversations, product searches, cart interactions, and Shopify customer ID associations. Duration: until termination of the service or written request by the Controller.
3. Nature and purpose of processing
The Processor performs processing solely to (a) deliver AI-generated chat responses, (b) integrate with Shopify Storefront/Admin APIs, (c) enable operator handoff, (d) fulfill Controller-initiated analytics — all on documented written instructions from the Controller. Cross-purpose use (e.g. training models on Controller data) is prohibited.
4. Categories of data subjects and personal data
Data subjects: visitors of the Controller's storefront and (where logged in) Shopify customers.
Personal data:
- Anonymous browser identifier (cookie `bw_id`, 365 days).
- Shopify customer ID (when logged in).
- Cart token (session).
- Conversation messages (text content) — retention 90 days rolling.
- Page type, locale, currency, current product viewed.
The Processor does NOT collect: payment details, government IDs, full credit cards, biometric data.
5. Obligations of the Processor
The Processor shall:
- Process Personal Data only on documented instructions from the Controller (including with regard to transfers to third countries).
- Ensure that persons authorized to process the Personal Data have committed themselves to confidentiality.
- Implement appropriate technical and organizational measures (Annex 2).
- Engage Sub-Processors only with prior general written authorization (Annex 1) and impose equivalent obligations.
- Assist the Controller in fulfilling data subject rights (access, rectification, erasure, portability) within reasonable time.
- Notify the Controller of personal data breaches without undue delay (within 24 hours of awareness).
- Make available all information necessary to demonstrate compliance and allow audits by the Controller (or authorized auditor) on reasonable notice.
- At the choice of the Controller, return or delete all Personal Data after termination of the service.
6. Data subject rights
Botswe automates responses to Shopify's mandatory GDPR webhooks:
- `customers/data_request` → automatic export of all conversations of the data subject, sent to the Controller via a secure presigned URL within 7 days.
- `customers/redact` → automatic deletion of all messages associated with the data subject's customer ID, completed within 30 days.
- `shop/redact` → 48 hours after app uninstall, all shop data is permanently deleted.
7. International transfers
Primary processing occurs in the EU (AWS Frankfurt, eu-central-1). Limited transfers may occur to:
- OpenAI (USA): only when AI fallback active. Covered by EU-US Data Privacy Framework (DPF) certification + Standard Contractual Clauses (SCC).
- Google (USA): NextAuth Google OAuth. SCC + DPF.
- Cloudflare (USA + global edge): CDN/DNS. SCC + DPF.
8. Liability
Each party is liable for its own breach of this DPA. The Processor's liability is capped at the subscription fees paid in the 12 months preceding the event. The cap does not apply to gross negligence or willful misconduct.
9. Termination
Either party may terminate this DPA on 30 days' written notice. Termination of the Botswe service automatically terminates this DPA. Upon termination, the Processor will delete all Personal Data within 90 days unless retention is required by law.
10. Governing law and jurisdiction
This DPA is governed by the laws of Italy. Jurisdiction: courts of Milan, Italy. The Italian Garante per la protezione dei dati personali is the lead supervisory authority for the Processor.
Annex 1 — Sub-Processors
| Sub-Processor | Purpose | Region | Safeguards |
|---|---|---|---|
| Amazon Web Services (AWS) | Hosting, DDB, Bedrock AI, Lambda, S3 | EU (Frankfurt) | SCC, DPF |
| Shopify Inc. | Source data via official APIs | Global | SCC |
| OpenAI Inc. | AI fallback (only when active) | USA | SCC, DPF |
| Google LLC | Authentication (NextAuth) | USA | SCC, DPF |
| Cloudflare Inc. | CDN, DNS | Global edge | SCC, DPF |
| Stripe Inc. | Subscription billing (NO end-customer data) | EU + USA | SCC, DPF |
The Controller is notified via email at least 30 days before any new Sub-Processor is added.
Annex 2 — Technical and organizational measures
- Encryption at rest: AES-256-GCM for tenant tokens, JWT NextAuth, Stripe records.
- Encryption in transit: TLS 1.3 enforced.
- Access control: IAM least-privilege, MFA on AWS root + admin accounts.
- Audit logging: CloudWatch + GDPR audit table (7 years retention).
- Backup: DDB point-in-time recovery; S3 versioning.
- Multi-tenant isolation: every query enforces `tenantId` scoping; no cross-tenant data leakage was found in testing.
- Data retention: messages 90 days rolling; shop sessions until uninstall + 48h grace.
- Pseudonymization: the visitor identifier `bw_id` is a UUID, not a real-world identifier.
- Vulnerability management: dependency scanning via npm audit; quarterly review.
- Incident response: breach SOP with 24h Controller notification, 72h Garante notification.