Data Processing Agreement
Last updated: July 2026. Not legal advice. Contact apollo@ebrands.com for a signed copy.
1. Parties and roles
This Data Processing Agreement ("DPA") supplements the terms of use between eBrands Holdings Oy ("eBrands", the "Processor") and the merchant who has installed the Apollo Shopify Connector ("Customer", the "Controller"). Where the GDPR or an equivalent framework applies to personal data that the Customer transmits to eBrands via the Shopify Admin API, the parties agree to be bound by this DPA.
2. Subject matter and duration
eBrands processes personal data on behalf of the Customer solely for the purpose of providing the Apollo Shopify Connector service. Processing continues for the duration of the Customer's use of the service and, in the case of the GDPR request audit trail, for a further 7 years thereafter.
3. Nature and purpose of processing
eBrands processes personal data received via the Shopify Admin API (customer names, email addresses, shipping/billing addresses, order line items, refunds, returns) for the following purposes, in order of primacy:
- Forwarding Shopify order events (order-create, order-updated, order-paid, order-cancelled, order-fulfilled, associated refunds and returns) into the Customer's own Brightpearl ERP instanceso the Customer's fulfillment and finance operations run from a single system of record. This is the primary purpose of the connector and the reason personal data (buyer name and address) is required — those fields are necessary to create a fulfillable order in Brightpearl.
- Aggregating the Customer's Shopify performance for the Customer's own analytical use within the Apollo platform.
- Providing customer support to the Customer.
4. Categories of data subjects and personal data
- Data subjects:the Customer's end customers who purchase products from the Customer's Shopify store.
- Personal data: name, email, phone (where present in the Shopify record), shipping address, billing address, order history metadata, refund metadata, return metadata.
5. Sub-processors
The Customer authorizes eBrands to engage the sub-processors listed at /subprocessors. eBrands provides at least 30 days' notice by email before adding or replacing a sub-processor. The Customer may object during that window; if the objection cannot be resolved, either party may terminate the affected service.
6. Technical and organisational measures
eBrands implements the following security measures: encryption in transit (TLS 1.2+), encryption at rest (AES-256), IAM- and IRSA-scoped access, per-brand data isolation (separate Vault path, Secrets Manager entry, and ClickHouse partition per merchant), logging with PII redaction, and documented access reviews. A more detailed internal security-posture document is made available to the Customer on reasonable request (see §10).
7. Data-subject rights
eBrands assists the Customer in responding to data-subject requests. In particular, eBrands honors Shopify's mandatory compliance webhooks:
customers/data_request: eBrands compiles the customer's data across all Apollo stores and returns it to the Customer within 30 days.customers/redact: eBrands deletes the customer's data from all Apollo stores within 30 days.shop/redact: on final uninstallation, eBrands deletes all of the Customer's data from all Apollo stores within 30 days.
8. Security incidents
eBrands will notify the Customer without undue delay, and in any event within 72 hours of becoming aware, of a confirmed personal-data breach affecting the Customer's data.
9. International transfers
Personal data is processed inside the EEA. If a transfer outside the EEA is necessary, eBrands relies on Standard Contractual Clauses or another lawful transfer mechanism.
10. Audit rights
eBrands makes available to the Customer, on reasonable notice and no more than annually, information necessary to demonstrate compliance with this DPA, including the security-posture document, the sub-processor list, and audit-trail samples on request.
11. Deletion or return upon termination
Upon termination of the service, eBrands returns or deletes personal data at the Customer's choice, unless retention is required by law. The default is deletion via the shop/redact mechanism.
12. Contact
Data Protection Officer / privacy inquiries: apollo@ebrands.com
13. Changes
eBrands may update this DPA to reflect changes in law, sub-processors, or service scope. Material changes will be communicated to active Customers by email at least 30 days before taking effect.