Data Processing Agreement
Last updated: January 18, 2026
1. Definitions
- "Controller" means you, the Shopify merchant using our Service
- "Processor" means North Star Metric
- "Personal Data" means any information relating to an identified or identifiable natural person
- "Processing" means any operation performed on Personal Data
- "Data Subject" means the individual whose Personal Data is processed
2. Scope of Processing
This DPA applies to the processing of Personal Data by North Star Metric on behalf of the Controller in connection with the provision of analytics and attribution services.
2.1 Categories of Data Subjects
- Visitors to the Controller's Shopify store
- Customers who make purchases
2.2 Types of Personal Data
- Device identifiers (fingerprint hashes)
- IP addresses (hashed)
- Browsing behavior (pages visited, time on site)
- Order information (via Shopify webhooks)
- Email addresses (hashed, for attribution)
3. Processor Obligations
North Star Metric shall:
- Process Personal Data only on documented instructions from the Controller
- Ensure that persons authorized to process Personal Data are bound by confidentiality
- Implement appropriate technical and organizational security measures
- Assist the Controller in responding to Data Subject requests
- Delete or return Personal Data upon termination of services
- Make available information necessary to demonstrate compliance
4. Sub-Processors
The Controller authorizes the Processor to engage the following sub-processors:
| Sub-Processor | Purpose | Location |
|---|---|---|
| Hetzner Online GmbH | Cloud infrastructure | Germany (EU) |
| Cloudflare, Inc. | CDN and DDoS protection | USA (SCCs in place) |
The Processor shall inform the Controller of any intended changes to sub-processors, giving the Controller an opportunity to object.
5. Data Transfers
Personal Data is primarily processed within the European Economic Area (EEA). For any transfers outside the EEA, appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission.
6. Security Measures
The Processor implements the following security measures:
- Encryption of data in transit (TLS 1.3)
- Access controls and authentication
- Regular security monitoring and logging
- Incident response procedures
- Employee security training
7. Data Subject Rights
The Processor shall assist the Controller in fulfilling its obligations to respond to Data Subject requests, including:
- Right of access
- Right to rectification
- Right to erasure
- Right to data portability
- Right to restriction of processing
8. Data Breach Notification
In the event of a Personal Data breach, the Processor shall notify the Controller without undue delay (within 72 hours) and provide all information necessary for the Controller to fulfill its breach notification obligations.
9. Term and Termination
This DPA shall remain in effect for the duration of the processing of Personal Data by the Processor. Upon termination, the Processor shall delete all Personal Data within 30 days, unless legally required to retain it.
10. Contact
For DPA-related inquiries, contact our Data Protection team at privacy@northstarmetric.io.