Sub-processors
Last updated: July 2026
The following third parties process Shopify data on behalf of the Apollo connector. The primary purpose of the connector is to push Shopify order data into the merchant's Brightpearl ERP as orders happen; the other sub-processors below host the pipeline that receives, routes, and archives those events. We select sub-processors based on their security posture, EU data-residency options, and equivalent-protection contractual commitments.
Amazon Web Services (AWS)
- Purpose
- Compute, storage, event queues, key management, and secret vault hosting for the entire Apollo backend.
- Region
- eu-west-1 (Ireland) — compute and event queues. eu-north-1 (Stockholm) — canonical brand data and Shopify secrets.
- Data processed
- OAuth access tokens (Secrets Manager, Vault); brand configuration (DynamoDB); Shopify business events (SQS, Kafka); analytical data (ClickHouse on EC2/EBS).
- Certifications
- SOC 1/2/3, ISO 27001, ISO 27017, ISO 27018, PCI DSS
- Contractual terms
- https://aws.amazon.com/service-terms/
Vercel
- Purpose
- Hosts the OAuth landing app at app-connect.ebrands.com — receives the initial Shopify redirect and coordinates the token exchange with the Apollo backend.
- Region
- Vercel's serverless functions run in configurable regions; Apollo's project runs in Vercel's default EU-adjacent regions.
- Data processed
- Transient — the Shopify OAuth authorization code and access token pass through Vercel functions during install but are not persisted there. All persistence happens in AWS.
- Certifications
- SOC 2 Type II
- Contractual terms
- https://vercel.com/legal/dpa
Shopify
- Purpose
- Source of the data. The Shopify Admin API is what Apollo reads with the merchant's authorization.
- Region
- Shopify's own regions (typically US/Canada, with EU replication).
- Data processed
- All merchant Shopify data — Shopify already holds it; Apollo receives a copy under the merchant's authorization.
- Certifications
- SOC 2 Type II, ISO 27001, PCI DSS
- Contractual terms
- https://www.shopify.com/legal/dpa
Brightpearl
- Purpose
- Primary destination for Shopify order data. When a Shopify order-related webhook arrives (orders/create, orders/updated, orders/paid, orders/cancelled, orders/fulfilled, plus associated refunds and returns), Apollo's webhook-receiver normalizes it and pushes it into the merchant's own Brightpearl instance as an order-create/update call so the merchant's ERP stays in sync with their Shopify store. Forward-only sync; Apollo does not read from Brightpearl.
- Region
- Merchant's Brightpearl instance region (per merchant's contract with Brightpearl).
- Data processed
- Order line items, quantities, shipping address, customer identifier, order totals — everything needed to fulfill the order downstream.
- Certifications
- ISO 27001
- Contractual terms
- https://www.brightpearl.com/customer-terms
- Additional references
Material changes to this list will be communicated to affected partners by email at least 30 days before taking effect. Questions: apollo@ebrands.com.