Legal
Data Processing Agreement
Last updated · {{TODO: real updated date}}
{{TODO: legal review required — do not publish without lawyer sign-off}}
This document is a structural placeholder. The real DPA must be drafted by qualified legal counsel and signed by both parties. Do not rely on this template for any real legal or compliance purpose.
Scope
This Data Processing Agreement (DPA) supplements the Terms of Service between you (the Controller, your Shopify shop) and Cervito (the Processor). It governs how Cervito processes personal data on your behalf.
Subject matter
{{TODO: describe the subject matter, duration, nature, and purpose of processing per Article 28 GDPR}}
Categories of data subjects
- Storefront visitors who interact with the Cervito widget
- Merchants and their authorized staff using the Cervito dashboard
Categories of personal data
- Visitor session identifiers (anonymous tokens)
- Conversation transcripts (visitor-submitted text)
- Email addresses captured via the optional email capture flow
- Order metadata received via Shopify webhooks
- Merchant account credentials (encrypted at rest)
Sub-processors
Current sub-processor list:
- {{TODO: list every sub-processor — Anthropic, OpenAI, Railway, Cloudflare, Resend, etc.}}
Notice of new sub-processors: 30 days before they take effect. Merchants may object via [email protected].
Security measures
{{TODO: enumerate technical and organizational measures — AES-256-GCM at rest, TLS 1.3 in transit, JWT auth, tenant isolation, access controls, audit logging, etc.}}
Data subject rights
Cervito will assist Controllers in responding to data subject requests within the timelines required by GDPR.
Breach notification
In the event of a personal data breach affecting Controller data, Cervito will notify the Controller within 72 hours of becoming aware.
Contact
Email [email protected] with your company name and Shopify domain to receive a countersigned DPA copy.