AppThrive
Legal

Data processing addendum

The GDPR-required addendum that governs our role as a data processor for merchant personal data your apps collect.

Draft — in review with legal counsel

The text below is AppThrive's internal draft of this document. It has not been reviewed by qualified legal counsel yet and is not binding. We're publishing it in-place so reviewers and interested readers can see our direction; final binding text replaces this once counsel signs off.

If you need this signed as part of a procurement or security-review process before we publish, email jahangir@efoli.com and we'll send the current draft under NDA.

This DPA forms part of the Agreement between EFOLI (“Processor”) and the Customer (“Controller”) relating to the processing of Personal Data.

1. Definitions

  • “Personal Data”: as defined in GDPR Art. 4 — any information relating to an identified or identifiable person.
  • “Processing”: as defined in GDPR Art. 4.
  • “Data Subject”: the individual to whom Personal Data relates (typically the Customer’s merchants or their end-customers).
  • “Sub-processor”: a third party engaged by the Processor.

2. Scope

This DPA applies to all Personal Data processed by EFOLI on behalf of the Customer through the AppThrive Service.

3. Details of processing (Art. 28(3))

CategoryValue
NatureStorage, analysis, enrichment, and orchestration of merchant data
PurposeProviding the AppThrive Service per the main Agreement
DurationFor the term of the Agreement plus retention periods
Categories of Data SubjectsCustomer’s merchants, merchants’ contacts (shop owners, employees)
Types of Personal DataName, email, shop address, business data, engagement events, preferences

4. Processor obligations

EFOLI will:

  1. Process Personal Data only on Customer’s documented instructions
  2. Ensure personnel are bound by confidentiality
  3. Implement appropriate technical and organizational measures (per §9)
  4. Assist Customer with DPIAs, data subject requests, and security incidents
  5. Delete or return Personal Data after termination (Customer’s choice)
  6. Make available information necessary to demonstrate compliance
  7. Allow audits (per §10)

5. Sub-processors (Art. 28(2))

Customer authorizes EFOLI to engage the sub-processors listed at /subprocessors.

EFOLI will:

  • Provide 30 days’ advance notice of new sub-processors (via email to Customer’s billing contact)
  • Impose data protection obligations on sub-processors equivalent to this DPA
  • Remain liable for sub-processor actions

Customer may object to a new sub-processor within 30 days with reasonable grounds; EFOLI may then either:

  • Provide alternative arrangement, or
  • Allow Customer to terminate for convenience with pro-rated refund

6. International transfers

Where Personal Data is transferred outside the EEA/UK, EFOLI relies on:

  • Standard Contractual Clauses (SCCs) Module Two (Controller to Processor) — incorporated by reference
  • UK International Data Transfer Addendum (if applicable)

Full SCC text: attached as Annex 1 to this DPA.

7. Data subject rights

EFOLI will assist Customer in responding to data subject requests by:

  • Providing tools in the AppThrive admin panel to export, rectify, or delete merchant data
  • Responding to escalated requests within 5 business days
  • Not independently responding to data subjects without Customer’s instruction

8. Personal Data breaches

EFOLI will notify Customer of a Personal Data breach affecting Customer’s data without undue delay and within 48 hours of awareness, including:

  • Nature of the breach
  • Categories and approximate number of data subjects
  • Likely consequences
  • Measures taken or proposed

9. Technical and organizational measures

EFOLI implements:

  • Encryption: TLS 1.3 in transit; AES-256-GCM at rest for sensitive fields
  • Access controls: RBAC, MFA for admin, principle of least privilege
  • Network security: firewalls, intrusion detection, DDoS protection (via Cloudflare)
  • Backup and resilience: daily encrypted backups, 30-day retention, tested restore
  • Staff: background checks where legal, confidentiality obligations, security training
  • Incident response: documented runbooks, on-call rotation, post-mortems
  • Vendor management: due diligence on sub-processors, contractual protections
  • SOC 2 Type I: target 6 months post-launch; Type II within 18 months
  • Penetration testing: annual third-party pen tests (post-V1)

10. Audits

Customer may audit EFOLI’s compliance with this DPA:

  • Up to once per year at Customer’s expense (more frequently for cause)
  • 30 days’ advance notice
  • Conducted during business hours, minimally disruptive
  • Subject to confidentiality obligations
  • EFOLI may satisfy audits by providing SOC 2 reports (when available)

11. Liability

Liability under this DPA is subject to the limitations in the main Agreement.

12. Term

This DPA is effective as of the Agreement effective date and terminates when the Agreement terminates.

← Back to homeEmail us a question