Data Processing Agreement

Where Elevate processes personal data on behalf of a merchant, this agreement defines our roles, responsibilities, and safeguards under GDPR and similar privacy laws.

Last updated: 20 May 2026

This document is a draft pending review by qualified legal counsel. It does not constitute legal advice.

1. Parties and roles

This Data Processing Agreement ("DPA") supplements the Terms of Service between you (the "Merchant") and Elevate ("Elevate", "we", "us").

  • The Merchant acts as the Data Controller for personal data of its customers.
  • Elevate acts as the Data Processor, handling personal data only on the Merchant's instructions and to deliver the platform.

By installing or continuing to use the Elevate app, the Merchant accepts this DPA on behalf of itself and any affiliates whose data is processed.

2. Subject matter and duration

We process personal data on the Merchant's behalf for the duration of the Merchant's use of the Elevate platform, plus any retention period required by law or specified in our Privacy Policy.

3. Nature and purpose of processing

We process personal data to:

  • Operate the creator marketplace (the "Service")
  • Sync the Merchant's product catalog to creator storefronts
  • Route and fulfill customer orders placed through creators
  • Calculate and pay out creator commissions
  • Send transactional emails to customers (order, shipping, returns)
  • Provide analytics to the Merchant about their own store
  • Detect fraud and secure the platform

4. Categories of personal data

  • Customer name, email, phone number
  • Shipping and billing addresses
  • Order contents and history (with the Merchant's store)
  • IP address and device/browser metadata at checkout
  • Marketing consent flags

We do not process customer payment card numbers directly; those are handled by our payment processor as an independent controller.

5. Categories of data subjects

End customers of the Merchant's store who place orders through an Elevate creator storefront, plus the Merchant's own staff who access the dashboard.

6. Sub-processors

We engage the following categories of sub-processors to deliver the Service. A current list is available on request.

  • Cloud hosting & database — application servers, managed Postgres, encrypted backups
  • Payment processing — to charge customers and pay out creators
  • Transactional email — order, shipping, and account notifications
  • Error monitoring & observability — to detect platform issues
  • Shopify — where the Merchant connects a Shopify store, Shopify remains an independent processor of the Merchant's data

Each sub-processor is bound by contractual data protection obligations at least as protective as those in this DPA.

7. Changes to sub-processors

We will give the Merchant prior notice of any new sub-processor and an opportunity to object on reasonable data protection grounds. If the parties cannot resolve the objection, the Merchant may terminate the affected portion of the Service.

8. Security measures

We maintain the following technical and organisational measures:

  • TLS encryption for all data in transit (HTTPS, database connections)
  • Encryption at rest for production databases, object storage, and backups
  • Role-based access controls; access to customer data restricted to staff who need it
  • Short-lived access tokens (15 minutes) with refresh-token rotation
  • Multi-factor authentication on production infrastructure accounts
  • Audit logging of administrative actions on customer data
  • Annual review of security controls and dependencies
  • Documented incident response policy

9. Assistance with data subject rights

We assist the Merchant in responding to data subject requests (access, rectification, erasure, portability, restriction, objection). For Shopify-connected stores, we honour the Shopify GDPR mandatory webhooks (customers/data_request, customers/redact, shop/redact) and act within their SLAs.

On a verified erasure request, we anonymise the customer's personal data while retaining order and financial records as required by tax, accounting, and fraud-prevention laws.

10. Personal data breach

We notify the Merchant without undue delay, and in any event within 72 hours of becoming aware of a personal data breach affecting the Merchant's customer data. The notification includes the nature of the breach, categories and approximate number of affected data subjects, likely consequences, and the measures taken or proposed to address it.

11. International transfers

Where personal data is transferred outside the EEA, UK, or other jurisdictions requiring transfer safeguards, we rely on Standard Contractual Clauses (SCCs) or another lawful transfer mechanism with each affected sub-processor.

12. Audit rights

At the Merchant's reasonable written request (no more than once per year, except after a confirmed incident), we will provide a summary of our security controls, recent audit or penetration test results, and any relevant certifications. On-site audits are available subject to mutually agreed scope and reasonable notice.

13. Return or deletion of data

On termination of the Merchant's use of the Service, we delete or anonymise the Merchant's customer data within 90 days, except where retention is required by law (tax records, fraud-prevention records). Where the Merchant is a Shopify app installer, the Shopify shop/redact webhook fires 48 hours after the standard 90-day grace period, and we redact accordingly.

14. Liability and indemnification

The liability provisions of the Terms of Service apply to this DPA. Nothing in this DPA limits either party's liability to the extent prohibited by applicable data protection law.

15. Contact

For any data protection question, contact us at our contact page or email privacy@elevate.app. We aim to respond within five business days.