ProfitEdge
Price Intelligence for Shopify retailers

Data Processing Agreement

Last updated: 2026-02-17

This Data Processing Agreement ("DPA") forms part of the agreement between you ("Data Controller") and Merstell Limited, trading as ProfitEdge ("Data Processor"), for the provision of the ProfitEdge platform ("Service").

1. Definitions

  • Personal Data: Any information relating to an identified or identifiable natural person, as defined in the UK GDPR / EU GDPR.
  • Processing: Any operation performed on Personal Data, including collection, storage, retrieval, use, and deletion.
  • Sub-processor: A third party engaged by the Data Processor to process Personal Data on behalf of the Data Controller.

2. Scope and purpose of processing

The Data Processor processes Personal Data solely to provide the Service as described in the Terms of Service. Processing activities include:

  • Authenticating user accounts and managing access control.
  • Syncing and storing product, order, and advertising data from connected integrations.
  • Generating pricing recommendations and analytics.
  • Sending transactional emails (invitations, notifications, billing alerts).
  • Logging activity and errors for security monitoring and service improvement.

3. Types of Personal Data processed

  • User names and email addresses.
  • IP addresses and browser metadata (for security and rate limiting).
  • Activity logs within the platform.

Note: The Service processes primarily business data (product catalogues, pricing, stock levels, sales metrics, advertising performance). Customer PII from Shopify orders is not stored.

4. Obligations of the Data Processor

The Data Processor shall:

  • Process Personal Data only on documented instructions from the Data Controller, unless required by law.
  • Ensure that persons authorised to process Personal Data are bound by confidentiality obligations.
  • Implement appropriate technical and organisational measures to ensure the security of processing.
  • Not engage a Sub-processor without prior written authorisation from the Data Controller (see Section 6).
  • Assist the Data Controller in responding to data subject requests (access, rectification, erasure, portability).
  • Notify the Data Controller without undue delay (and within 72 hours) upon becoming aware of a personal data breach.
  • Delete or return Personal Data upon termination of the Service, subject to the Data Retention Policy.
  • Make available all information necessary to demonstrate compliance with this DPA.

5. Technical and organisational measures

The Data Processor maintains the following security measures:

  • Encryption: Data is encrypted in transit (TLS 1.2+) and at rest. Integration tokens are encrypted with AES-256.
  • Access control: Role-based access with per-store scoping. Every database query is scoped to the user's store access.
  • Authentication: Managed authentication service with rate limiting and account lockout.
  • Infrastructure: Isolated environments for staging and production.
  • Monitoring: Structured error logging, activity audit trails, and admin monitoring dashboard.
  • Data isolation: Multi-tenant architecture where each store's data is strictly isolated.

6. Sub-processors

The Data Processor engages third-party Sub-processors to assist in providing the Service, including for authentication, hosting, email delivery, and data collection. The Data Processor will notify the Data Controller before adding or replacing Sub-processors.

A current list of Sub-processors (including their purpose, data processed, and location) is available on request by contacting support@profitedge.app.

7. International transfers

Where Personal Data is transferred outside the UK or EEA, the Data Processor ensures appropriate safeguards are in place, including the EU Standard Contractual Clauses (SCCs) or the UK International Data Transfer Agreement (IDTA), as applicable.

8. Data breach notification

In the event of a personal data breach, the Data Processor shall:

  • Notify the Data Controller within 72 hours of becoming aware of the breach.
  • Provide details of the nature of the breach, categories of data affected, approximate number of records, and likely consequences.
  • Take immediate steps to contain and remediate the breach.
  • Cooperate with the Data Controller in notifying supervisory authorities and affected data subjects, if required.

9. Data subject requests

The Data Processor shall assist the Data Controller in responding to data subject requests (access, rectification, erasure, restriction, portability, objection). Requests should be directed to support@profitedge.app and will be addressed within 30 days.

10. Audit rights

The Data Controller has the right to audit the Data Processor's compliance with this DPA. Audits shall be conducted with reasonable notice and during normal business hours. The Data Processor shall make available all necessary information and cooperate with audits.

11. Term and termination

This DPA remains in effect for the duration of the Service agreement. Upon termination, the Data Processor shall delete or return all Personal Data in accordance with the Data Retention Policy, unless retention is required by applicable law.

12. Contact

For questions about this DPA or to request a signed copy, contact support@profitedge.app.