Data Processing Agreement

Last updated: March 8, 2026

This Data Processing Agreement ("DPA") is entered into pursuant to Article 28 of the General Data Protection Regulation (EU) 2016/679 ("GDPR").

1. Parties

This DPA is between:

  • Data Controller ("Controller"): The Shopify merchant who installs and uses the B2B Onboard application
  • Data Processor ("Processor"): Mentilead Commerce (a trade name of Aggregatit, CVR 35963022), a Danish company operating the B2B Onboard application

This DPA supplements and forms part of the B2B Onboard Terms of Service and applies to all processing of personal data by the Processor on behalf of the Controller through the App.

For certain processing activities — including account management, technical support, audit logging, and service analytics — the Processor acts as an independent data controller as described in the Processor's Privacy Policy. Such processing is governed by the Processor's Privacy Policy and is not subject to the Controller's instructions under this DPA.

2. Scope of Processing

Subject matter | B2B customer registration and approval management for Shopify stores
Duration | For the duration of the Controller's use of the B2B Onboard application
Nature and purpose | Collecting, storing, and managing B2B customer registration applications; sending status notification emails; creating Shopify customer accounts upon approval; executing merchant-configured workflow automations via Shopify Flow (triggers and actions)
Type of data | Business contact information (company name, contact name, email, phone), custom form field data, uploaded documents, IP addresses, user agent strings, reCAPTCHA verification tokens (when enabled by Controller)
Data subjects | Prospective B2B customers who submit registration applications through the Controller's Shopify store

3. Processor Obligations

The Processor shall:

  1. Process personal data only on documented instructions from the Controller, including transfers to third countries, unless required by EU or member state law
  2. Ensure that persons authorized to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality
  3. Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk (see Section 5)
  4. Respect the conditions for engaging sub-processors as set out in Section 6
  5. Assist the Controller in fulfilling its obligations to respond to data subject requests under Chapter III of the GDPR
  6. Assist the Controller in ensuring compliance with obligations under Articles 32 to 36 GDPR, including obligations relating to the security of processing (Article 32), notification of personal data breaches (Articles 33-34), data protection impact assessments (Article 35), and prior consultation with supervisory authorities (Article 36), taking into account the nature of processing and the information available to the Processor
  7. At the Controller's choice, delete or return all personal data upon termination of the service (see Section 9)
  8. Make available to the Controller all information necessary to demonstrate compliance and allow for and contribute to audits (see Section 7)
  9. Immediately inform the Controller if, in the Processor's opinion, an instruction from the Controller infringes the GDPR or other applicable EU or member state data protection law

4. Controller Obligations

The Controller shall:

  1. Ensure a lawful basis exists for the processing of personal data through the App
  2. Provide adequate privacy notices to data subjects whose data is collected through registration forms
  3. Handle data subject requests (access, rectification, erasure, etc.) in a timely manner
  4. Ensure that any instructions given to the Processor comply with applicable data protection law

5. Security Measures

The Processor implements the following technical and organizational security measures:

5.1 Encryption

  • At rest: All data stored in Amazon DynamoDB and Amazon S3 is encrypted using AWS-managed encryption keys (AES-256)
  • In transit: All data transmitted between clients, the application, and AWS services is encrypted using TLS 1.2 or higher

5.2 Access Controls

  • Role-based access control (IAM) with least-privilege policies
  • No direct database access from the public internet
  • Uploaded files accessible only via time-limited signed URLs
  • Merchant data is logically isolated by shop domain (multi-tenant single-table design)

5.3 Infrastructure

  • All infrastructure hosted in AWS eu-central-1 (Frankfurt, Germany)
  • Serverless architecture (Lambda, DynamoDB) with automatic scaling and built-in redundancy
  • Infrastructure defined as code (AWS CDK) for consistent, auditable deployments

6. Sub-processors

The Controller provides general authorization for the Processor to engage sub-processors. The Processor shall inform the Controller of any intended changes concerning the addition or replacement of sub-processors, giving the Controller the opportunity to object.

The following sub-processors are currently authorized:

Sub-processor | Processing Activity | Location
Amazon Web Services (AWS) | Cloud infrastructure: data storage (DynamoDB, S3), compute (Lambda), messaging (SQS), CDN (CloudFront) | EU (Frankfurt)
Resend, Inc. | Transactional email delivery: application status notifications containing recipient email addresses and names | United States (DPF)
Google LLC (reCAPTCHA) | Spam protection on registration forms (when enabled by Controller) | United States (DPF)
Google LLC (GA4 Measurement Protocol) | Server-side analytics via Measurement Protocol. Pseudonymized data only; no directly identifying personal data is transmitted. Included for transparency | United States (DPF)
Shopify Inc. | E-commerce platform: customer account creation, OAuth authentication, app proxy, Shopify Flow workflow automation | Canada (primary). Transfers covered by EU adequacy decision for Canada and Standard Contractual Clauses (SCCs)
European Commission (VIES) | EU VAT number validation | EU

Each sub-processor is bound by data processing obligations no less protective than those set out in this DPA. The Processor shall remain fully liable to the Controller for the performance of each sub-processor's obligations under its sub-processing agreement.

Sub-processor Change Notification

The Processor shall notify the Controller by email at least 30 days in advance of any intended addition or replacement of sub-processors. The Controller may object to the change in writing within the 30-day notice period. If the Controller objects and a reasonable resolution cannot be reached, the Controller may terminate the agreement before the new sub-processor begins processing.

7. Audit Rights

  1. The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 GDPR
  2. The Processor shall allow for and contribute to audits and inspections conducted by the Controller or an auditor mandated by the Controller
  3. Audit requests must be submitted with reasonable advance notice (minimum 30 days) and shall be conducted during normal business hours
  4. The Controller shall bear its own costs for any audit. If multiple Controllers request similar audits, the Processor may provide a summary audit report prepared by an independent third party
  5. The Processor may satisfy the audit obligations in items 1 and 2 by providing the Controller with: (a) a current SOC 2 Type II report, ISO 27001 certification, or equivalent independent third-party certification, where such certification has been obtained by the Processor, and (b) written responses to a reasonable data protection questionnaire. On-site audits shall be limited to once per calendar year per Controller, unless triggered by a confirmed personal data breach affecting the Controller's data or a formal investigation by a supervisory authority

8. Data Breach Notification

  1. The Processor shall notify the Controller without undue delay, and no later than 48 hours, after becoming aware of a personal data breach
  2. The notification shall include:
    • A description of the nature of the breach, including the categories and approximate number of data subjects and records concerned
    • The name and contact details of the data protection point of contact
    • A description of the likely consequences of the breach
    • A description of the measures taken or proposed to address the breach, including measures to mitigate its possible adverse effects
  3. The Processor shall cooperate with the Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of any data breach
  4. The Processor shall document any personal data breaches, including the facts relating to the breach, its effects, and the remedial action taken, in accordance with Article 33(5) GDPR

9. Data Return and Deletion on Termination

  1. Upon termination of the service (including App uninstallation), the Processor shall, at the Controller's choice, delete or return all personal data to the Controller. The Controller may request data return via the App's built-in CSV export function or by contacting the Processor at the address in Section 13 to arrange return in a structured, commonly used, machine-readable format
  2. After termination, the Processor shall retain all merchant data (forms, applications, uploaded documents, and associated metadata) for a grace period of 12 months to allow for re-installation recovery, after which it is permanently deleted
  3. Deletion includes all application records, form configurations, uploaded documents, and associated metadata stored in DynamoDB and S3
  4. The Controller may request immediate deletion of all data at any time by contacting the Processor at the address in Section 13, waiving the 12-month recovery period
  5. Audit logs containing limited personal data (application metadata, IP addresses, timestamps, and status changes) are retained for 7 years as required under the Danish Bookkeeping Act (bogføringsloven §3). These logs are not subject to the deletion obligations in items 1 through 4 of this section
  6. The Processor shall provide written confirmation of deletion upon request

10. International Data Transfers

The Processor stores all primary application data within the EU (AWS eu-central-1, Frankfurt). Where sub-processors process data outside the EEA, the following transfer mechanisms apply:

Sub-processor | Location | Transfer Mechanism
Amazon Web Services (AWS) | EU (Frankfurt) | No transfer outside EEA
Resend, Inc. | United States | EU-US Data Privacy Framework (DPF)
Google LLC (reCAPTCHA) | United States | EU-US Data Privacy Framework (DPF)
Google LLC (GA4) | United States | EU-US Data Privacy Framework (DPF)
Shopify Inc. | Canada | EU adequacy decision + Standard Contractual Clauses (SCCs)

If the EU-US Data Privacy Framework is invalidated, the Processor shall implement alternative transfer mechanisms (such as SCCs) within 30 days or cease the relevant data transfers.

The Processor shall conduct Transfer Impact Assessments (TIAs) for transfers outside the EEA and make summaries available to the Controller upon request.

11. Limitation of Liability

  1. The total aggregate liability of each party arising out of or in connection with this DPA (whether in contract, tort, or otherwise) shall be subject to the limitations and exclusions of liability set forth in the B2B Onboard Terms of Service
  2. Nothing in this DPA shall be construed to create liability beyond what is provided in the Terms of Service
  3. This limitation shall not apply to: (a) liability that cannot be excluded or limited under applicable law, or (b) either party's liability for breaches of its confidentiality obligations

12. Governing Law

This DPA shall be governed by and construed in accordance with the laws of Denmark, without regard to its conflict of laws principles. Any disputes arising under this DPA shall be subject to the exclusive jurisdiction of the courts of Copenhagen, Denmark.

13. Contact

For questions about this DPA or to exercise your rights as a Controller, please contact:

Mentilead Commerce (a trade name of Aggregatit)
Strindbergsvej 82, 1
2500 Valby, Denmark
CVR: 35963022
Email: privacy@mentilead.com

14. Amendments and Assignment

  1. The Processor may amend this DPA by providing the Controller with at least 30 days' notice via email. The Controller's continued use of the App after the notice period constitutes acceptance of the amended terms. If the Controller does not agree to the amendment, the Controller may terminate the agreement before the amendment takes effect
  2. Neither party may assign this DPA without the other party's prior written consent, except in connection with a merger, acquisition, corporate reorganization, or sale of all or substantially all of the assigning party's assets, provided the assignee agrees to be bound by the terms of this DPA