This Data Processing Agreement ("DPA") forms part of, and is incorporated into, the Terms of Service between Slay Commerce Pty Ltd (ACN registered in Australia) ("SlayCommerce", "we", "us", or "Processor") and the merchant that installs and uses the Service ("Merchant", "you", or "Controller"). It describes how SlayCommerce processes personal data on the Merchant's behalf and reflects the requirements of the Shopify Partner Program, the EU/UK General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA/CPRA), and the Australian Privacy Act 1988 (Cth). By installing or continuing to use the Service, the Merchant agrees to this DPA. Capitalized terms not defined here have the meaning given in our Privacy Policy.
1. Roles of the Parties
For personal data relating to a Merchant's customers and store ("Customer Data"), the Merchant is the Controller (or "business") and SlayCommerce is the Processor (or "service provider"), processing Customer Data only on the Merchant's documented instructions. For data about the Merchant's own account, SlayCommerce acts as an independent controller as described in the Privacy Policy.
2. Subject Matter & Details of Processing
- Subject matter: provision of the SlayCommerce AI-native commerce operating system and related features (analytics, insights, forecasting, ordering, pricing, and communications).
- Duration: for the term of the Merchant's use of the Service, plus the retention period described in Section 8.
- Nature & purpose: reading, storing, organizing, analyzing, and transmitting personal data to operate the features the Merchant enables, and to transmit data to tools the Merchant connects on the Merchant's instruction.
- Categories of data subjects: the Merchant's customers and the Merchant's own staff/operators.
- Categories of personal data: names, email addresses, phone numbers, shipping and billing addresses, order history, and related commerce data. We do not require or intend to process special categories of personal data.
3. Merchant Instructions
SlayCommerce processes Customer Data only on the Merchant's documented instructions, including as set out in this DPA and the Terms, unless required to do otherwise by applicable law (in which case we will inform the Merchant where legally permitted). The Merchant is responsible for the lawful basis and required notices/consents for the personal data it makes available to the Service.
4. Confidentiality
SlayCommerce ensures that personnel authorized to process Customer Data are bound by appropriate confidentiality obligations and access that data only as needed to perform their duties.
5. Security Measures
SlayCommerce implements appropriate technical and organizational measures designed to protect personal data, including:
- encryption of data in transit (TLS) and encryption of stored integration credentials at rest;
- role-based access controls limiting access to personal data to authorized staff on a need-to-know basis;
- strong authentication requirements for staff with access to systems that process personal data;
- an auditable access trail attributing system requests to the originating shop and operator;
- signed/verified webhooks for inbound third-party traffic; and
- a documented incident-response process (Section 7) and periodic review of these measures.
6. Sub-processors
The Merchant authorizes SlayCommerce to engage sub-processors to provide the Service (for example, cloud hosting and database, AI model providers, and email delivery). SlayCommerce imposes data-protection obligations on each sub-processor that are no less protective than those in this DPA and remains responsible for their performance. We will make available the current list of sub-processors and provide notice of intended changes so the Merchant has the opportunity to object on reasonable data-protection grounds. Data transmitted to tools the Merchant separately connects (such as HubSpot or monday.com) is sent on the Merchant's instruction and behalf and is governed by the Merchant's agreement with that tool.
7. Personal Data Breach & Incident Response
SlayCommerce maintains an incident-response policy and will notify the affected Merchant without undue delay after becoming aware of a personal data breach affecting that Merchant's Customer Data, providing the information reasonably available to assist the Merchant in meeting its own notification obligations.
8. Data Subject Requests, Return & Deletion
Taking into account the nature of the processing, SlayCommerce assists the Merchant, by appropriate measures, in responding to data-subject requests (access, correction, deletion, portability, restriction, and objection), including via Shopify's mandatory compliance webhooks (customers/data_request, customers/redact, and shop/redact). Upon termination, and at the Merchant's choice, SlayCommerce will delete or de-identify Customer Data within a commercially reasonable period, except where retention is required by law.
9. Audits & Compliance
SlayCommerce makes available information reasonably necessary to demonstrate compliance with this DPA and will cooperate with reasonable audit requests, subject to confidentiality and appropriate scope, scheduling, and frequency limits.
10. International Transfers
Where personal data is transferred across borders, SlayCommerce relies on an appropriate transfer mechanism (such as the Standard Contractual Clauses) and applies supplementary measures where required.
11. Liability & Order of Precedence
Each party's liability under this DPA is subject to the limitations and exclusions in the Terms of Service. In the event of a conflict between this DPA and the Terms regarding the processing of personal data, this DPA controls.
12. Contact
For questions about this DPA or to exercise rights, contact support@slaycommerce.com.