Data Processing Agreement

Last updated 25 June 2026

This Data Processing Agreement (“DPA”) forms part of the Terms of Service between the customer (“Customer”, “Controller”) and Assuro, operated by Ravid Efroni, a sole proprietor registered in Austria (“Assuro”, “Processor”). It governs Assuro’s processing of personal data on the Customer’s behalf when providing the Service, and reflects the requirements of Article 28 of the EU General Data Protection Regulation (“GDPR”).

Where the Customer’s use of the Service involves Assuro processing personal data for which the Customer is the controller, this DPA applies. In the event of a conflict on data-protection matters, this DPA prevails over the Terms of Service.

1. Roles and scope

The Customer is the controller and Assuro is the processor of the personal data the Customer provides to, or generates within, the Service (“Customer Personal Data”). Assuro processes Customer Personal Data only to provide the Service and on the Customer’s documented instructions, including as set out in the Terms and this DPA.

2. Subject matter, nature, and duration

Subject matter and nature: hosting, storage, organization, analysis, and processing of Customer Personal Data to deliver the Assuro Service (EU product-compliance organization, monitoring, and documentation).

Purpose: enabling the Customer to map products to compliance obligations, track deadlines, and prepare documentation.

Duration: for the term of the Customer’s use of the Service, plus any limited period needed to return or delete data as set out below.

3. Categories of data subjects and personal data

Data subjects: the Customer’s authorized users and personnel (for example, account owners and team members).

Categories of personal data: names, email addresses, and business contact and account details of those users; and business records the Customer enters that may incidentally contain personal data.

The Service is designed to process the Customer’s product catalog and compliance data, not the Customer’s end-customer or order personal data; the Shopify integration requests product access only. Assuro does not seek to process special categories of personal data.

4. Processor obligations

Assuro will:

  • process Customer Personal Data only on the Customer’s documented instructions, including for international transfers, unless required to act by law (in which case it will inform the Customer where legally permitted);
  • ensure that personnel authorized to process the data are bound by confidentiality;
  • implement appropriate technical and organizational security measures (see section 9);
  • assist the Customer, taking into account the nature of processing, in responding to data-subject requests and in meeting its obligations regarding security, breach notification, and data-protection impact assessments;
  • at the Customer’s choice, delete or return Customer Personal Data at the end of the provision of the Service, and delete existing copies unless storage is required by law.

5. Sub-processors

The Customer provides general authorization for Assuro to engage sub-processors to provide the Service. Assuro imposes data-protection obligations on each sub-processor that are no less protective than those in this DPA, and remains responsible for their performance. Current sub-processors are:

  • Neon — database hosting (EU region).
  • Vercel — application hosting and compute.
  • Stripe — payment processing.
  • Resend — transactional email.
  • Inngest — background job and reminder processing.
  • PostHog — product analytics (EU region).

Assuro will give the Customer reasonable notice of any intended change to its sub-processors, giving the Customer the opportunity to object on reasonable data-protection grounds.

6. International transfers

Assuro hosts Customer Personal Data in the European Union where its providers offer it. Where any transfer of Customer Personal Data outside the EU/EEA occurs, Assuro will ensure an appropriate transfer mechanism is in place, such as the European Commission’s Standard Contractual Clauses.

7. Data-subject requests

Taking into account the nature of the processing, Assuro will assist the Customer by appropriate technical and organizational measures, insofar as possible, in fulfilling the Customer’s obligation to respond to requests from data subjects exercising their rights under the GDPR. If Assuro receives such a request directly, it will, where lawful, direct the data subject to the Customer.

8. Personal data breaches

Assuro will notify the Customer without undue delay after becoming aware of a personal data breach affecting Customer Personal Data, and will provide information reasonably available to help the Customer meet its own notification obligations.

9. Security measures

Assuro maintains appropriate technical and organizational measures, including:

  • encryption of data in transit (TLS) and encryption of sensitive integration tokens at rest;
  • passwordless authentication and access controls limiting access to authorized personnel;
  • multi-tenant isolation of customer data;
  • logging and an audit trail of changes;
  • use of reputable, security-conscious infrastructure providers.

10. Audit

Assuro will make available to the Customer information reasonably necessary to demonstrate compliance with Article 28 GDPR and will allow for and contribute to audits, including inspections, conducted by the Customer or an auditor it mandates, subject to reasonable notice, confidentiality, and frequency limits.

11. Deletion and return

On termination of the Service, and at the Customer’s choice, Assuro will return or delete Customer Personal Data within a reasonable period, and delete existing copies, except to the extent retention is required by law.

12. Liability

Each party’s liability under this DPA is subject to the limitations and exclusions of liability set out in the Terms of Service.

13. Contact

For data-protection matters, email hello@assuro.io.

Processor: Ravid Efroni, sole proprietor (Einzelunternehmen), Schönbrunner Straße 211/1/10, 1120 Vienna, Austria.