Last updated: October 1, 2024
This Data Processing Agreement (“DPA”) is made between:
This DPA outlines the terms under which personal data will be processed by the Processor on behalf of the Controller, in compliance with relevant data protection laws.
1. Subject Matter and Duration of Processing
The subject of this DPA is the processing of data by Hiro Analytics for the purpose of providing analytics and retention marketing services. This agreement is effective for the duration of the Controller’s use of the services, including any backup retention periods necessary under legal obligations.
2. Nature and Purpose of Processing
The data processing activities involve collecting, storing, organizing, and analyzing:
• Klaviyo message and attribution data for email and SMS marketing performance evaluation.
• Shopify order data for customer behavior insights and sales analytics.
These processing activities are conducted solely to deliver the services contracted by the Controller, such as generating reports, tracking marketing attribution, and analyzing sales trends. Data is not shared with any third party other than the sub-processors listed in Section 5.
3. Categories of Data Subjects and Types of Data Processed
• Data Subjects: Individuals associated with the Controller’s Klaviyo or Shopify account. The Processor does not receive their directly identifying information (“PII”).
• Categories of Data: Klaviyo profile data with direct identifiers removed (no email addresses, phone numbers, names, or physical addresses), and Shopify order data, including transactional details, order numbers, order values, and product information. Such data is pseudonymous rather than anonymous and is treated as personal data for the purposes of this DPA.
4. Data Transfers and Locations
All data is processed in the United States. The Processor ensures that adequate measures are in place to protect the data transferred, in compliance with applicable data protection laws.
5. Sub-processors
The Processor engages the following sub-processors for data processing:
• Amazon Web Services (AWS): For data storage and infrastructure services.
• Retool: For internal tools used to access and process data for reporting and analysis.
The Processor ensures that these sub-processors are bound by data protection obligations substantially equivalent to those stipulated in this DPA.
6. Technical and Organizational Security Measures
The Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:
• Encryption: Encryption of data at rest and in transit.
• Access Controls: Role-based access and multi-factor authentication for accessing data.
• Data Minimization: Only process the minimum amount of data necessary to fulfill the purposes.
• Regular Security Audits: Periodic security assessments, and audits of sub-processors, to verify that data protection standards are maintained.
• Incident Response Plan: Procedures for promptly identifying, assessing, containing, and mitigating personal data breaches.
7. Data Subject Rights
The Processor shall assist the Controller in responding to requests from data subjects, in accordance with applicable data protection laws, including requests to access, correct, delete, or restrict processing of personal data.
8. Data Retention and Deletion
Upon termination of the service, the Processor shall, at the Controller’s request, delete or return all personal data, except where retention is required by law.
9. Liability
The Controller acknowledges that the use of the Service is at its own risk. The Service is provided in a competent and professional manner but is offered “AS IS.” The Processor makes no representations, warranties, or guarantees, express or implied, regarding the Service, including but not limited to any implied warranties of fitness for a particular purpose, non-infringement, or quality.
To the fullest extent allowed by law, the Processor shall not be liable for any direct, indirect, incidental, special, or consequential damages, lost profits, or business interruptions arising from the Controller’s use of, or inability to use, the Service, or from any errors or omissions, even if the Processor has been advised of the possibility of such damages.
10. Miscellaneous
• Governing Law: This DPA shall be governed by and construed in accordance with the laws of the United States.
• Amendments: Any amendments to this DPA must be agreed upon in writing by both parties or by the Controller’s agreement to updated terms of service.