DPA
Data Processing Agreement.
In plain English
You are the controller, we are the processor. This page is the full written DPA that applies when you install the Shopify app or take out a paid plan. It covers why we process, for how long, who helps us, how we protect the data, and how we handle transfers out of the UK/EU.
Parties and scope
This Data Processing Agreement (“DPA”) forms part of the Terms of Service between Eazy Access Ltd (trading as Flintmere, the “Processor”) and the customer (the “Controller”). It applies whenever Flintmere processes personal data on behalf of the Controller in the course of providing the scanner, Shopify app, or concierge audit services.
Subject matter and duration
The subject matter is Flintmere’s provision of catalog scoring and fixing services to the Controller. Duration is the term of the subscription plus the retention periods set out in the Privacy Policy.
Nature and purpose of processing
Flintmere processes personal data to:
- Authenticate the Controller’s Shopify store
- Read and (where authorised) write product catalog data
- Generate scores, diagnostics, and suggested fixes
- Deliver email reports where explicit consent has been given
- Provide support and billing
- Meet legal and regulatory obligations
Categories of data and data subjects
Categories of personal data:
- Shopify store owner email (from OAuth install)
- IP address of scanner submitters (for abuse prevention)
- Email addresses voluntarily submitted to receive reports
- Billing contact (for direct-invoiced customers)
Categories of data subjects:
- Controller’s staff with Shopify access
- Public visitors to the scanner
- Report recipients (who opt in)
We do not process special-category data, children’s data, or payment card data as part of this DPA.
Processor obligations
Flintmere will:
- Process personal data only on documented instructions from the Controller (including those embedded in these terms and in the Shopify app’s normal use)
- Ensure persons authorised to process the data are under confidentiality obligations
- Implement the security measures set out in Schedule 2
- Not engage sub-processors without authorisation (see Clause 07, Sub-processors)
- Assist the Controller in responding to data subject rights requests
- Assist the Controller with data protection impact assessments on reasonable request
- Notify the Controller without undue delay of any personal data breach (within 24 hours of Flintmere becoming aware)
- On termination, delete or return all personal data as required by the retention rules in the Privacy Policy
Controller obligations
The Controller warrants that:
- It has a lawful basis to share the personal data it instructs us to process
- Its own privacy notices disclose the use of Flintmere as a processor
- It will respond to data subject rights requests directed at it within statutory timelines
Sub-processors
The Controller authorises Flintmere to engage the sub-processors listed in Schedule 1 below. Flintmere will:
- Maintain a written agreement with each sub-processor requiring equivalent data protection obligations
- Give at least 30 days’ notice of any new or replaced sub-processor via email to the Controller’s billing contact
- Allow the Controller to object on reasonable data protection grounds; if the objection cannot be resolved, the Controller may terminate the affected service without penalty
International transfers
Where personal data is transferred outside the UK/EEA, Flintmere relies on one of:
- An adequacy decision of the UK Government or the European Commission
- The UK International Data Transfer Addendum to the EU Standard Contractual Clauses (IDTA) approved by the ICO
- The EU Standard Contractual Clauses (Module 2 or Module 3 as appropriate) with the 2021 updates
The SCCs / IDTA are incorporated by reference into this DPA. The Controller is the “data exporter” and Flintmere is the “data importer” (or Flintmere’s onward sub-processor, as applicable).
Audit
Flintmere will make available on request the information necessary to demonstrate compliance with this DPA. Plus customers may conduct an audit no more than once per year on 30 days’ notice, during business hours, at their own cost, and subject to confidentiality. Flintmere may substitute independent third-party audit reports for on-site audits.
Liability
The liability limits in the main Terms of Service apply to this DPA. Nothing in this DPA limits a data subject’s rights under UK GDPR.
Schedule 1 — Sub-processors
See the “Who we share it with” section of our Privacy Policy for the current list, region, and purpose of each sub-processor: flintmere.com/privacy. That list is the canonical version for this DPA.
Schedule 2 — Technical and organisational measures
Flintmere applies the measures set out on our Security page, including encryption at rest (AES-256-GCM), TLS 1.2+ in transit, HMAC webhook verification, dependency scanning, access control, logging, and incident response: flintmere.com/security. That page is the canonical version for this DPA.
How to countersign
Installing the Shopify app or accepting a paid subscription is treated as acceptance of this DPA on behalf of the Controller. Plus customers who require a countersigned copy should email legal@flintmere.com; we will return a signed PDF within 5 working days.