Data Processing Agreement (DPA)
Last updated: February 9, 2026
This Data Processing Agreement (“DPA”) forms part of, and is subject to, the Terms of Service or other written or electronic agreement (the “Principal Agreement”) between TruUp (“TruUp”, “Processor”, “we”, “us”, or “our”) and the customer identified in the Principal Agreement (“Customer”, “Controller”, “you”, or “your”) governing your use of the TruUp Services.
This DPA applies to the extent TruUp processes Personal Data (as defined below) on your behalf that is subject to Data Protection Laws (as defined below), including, where applicable, the General Data Protection Regulation (EU) 2016/679 (“GDPR”), the UK GDPR, and similar laws.
If there is any conflict between this DPA and the Principal Agreement with respect to the subject matter of this DPA, the terms of this DPA will control.
1. Definitions
For the purposes of this DPA:
“Data Protection Laws” means all applicable privacy and data protection laws and regulations that apply to the processing of Personal Data under this DPA, including, where applicable, the GDPR, the UK GDPR, the ePrivacy Directive, and any implementing or related national legislation, as amended or replaced from time to time.
“Personal Data” means any information relating to an identified or identifiable natural person, as defined in the Data Protection Laws, that TruUp processes on your behalf in the course of providing the Services.
“Processing”, “Controller”, “Processor”, “Data Subject” and “Supervisory Authority” have the meanings given in the applicable Data Protection Laws.
“Subprocessor” means any third party engaged by TruUp that processes Personal Data on behalf of TruUp in connection with the Services.
“Services” means the TruUp services described in the Principal Agreement, including the TruUp application and related tools, features, and websites.
Capitalized terms used but not defined in this DPA have the meanings given in the Principal Agreement.
2. Roles of the Parties
2.1 Controller and Processor. For the purposes of Data Protection Laws, you are the Controller and TruUp is the Processor with respect to the Personal Data that we process on your behalf as part of providing the Services.
2.2 Nature of Processing. TruUp processes Personal Data only for the purposes described in the Principal Agreement and this DPA, including to ingest, store, analyze, and report on ecommerce orders, returns, refunds, exchanges, and related financial data for your stores and channels.
2.3 Your responsibilities as Controller. You are responsible for:
- Ensuring that you have a valid legal basis for processing Personal Data and for instructing TruUp to process Personal Data on your behalf.
- Ensuring that the Personal Data you provide or cause to be provided to TruUp is collected and processed in compliance with Data Protection Laws.
- Providing appropriate privacy notices and obtaining any necessary consents from Data Subjects where required by Data Protection Laws.
- Ensuring that your use of the Services and your instructions to TruUp comply with all applicable laws.
3. Processing Instructions
3.1 Documented instructions. TruUp will process Personal Data only:
- On your documented instructions, as set out in the Principal Agreement, this DPA, and your configuration of the Services, and
- As necessary to comply with applicable law.
3.2 Scope of instructions. Your instructions include processing Personal Data to:
- Provide, maintain, and improve the Services.
- Perform obligations and exercise rights under the Principal Agreement.
- Comply with your documented requests (for example, support requests or configuration changes).
- Assist you with data subject requests, as described in Section 8.
3.3 Conflict with law. If TruUp is required by applicable law to process Personal Data in a way that conflicts with your instructions, we will notify you (unless prohibited by law) before processing.
3.4 Instructions that may infringe law. If TruUp believes an instruction from you infringes Data Protection Laws, we will inform you without undue delay. We may decline to perform any processing that we believe violates Data Protection Laws.
4. Categories of Data and Data Subjects
4.1 Categories of Data Subjects. Personal Data processed under this DPA may relate to the following categories of Data Subjects:
- Your customers (buyers) who place orders on your connected stores.
- Your staff, contractors, or other individuals whose information you include in Your Data.
- Other individuals whose data appears in order, refund, return, exchange, or configuration data you provide or that is provided via your ecommerce and accounting integrations.
4.2 Categories of Personal Data. Personal Data processed under this DPA may include:
- Identification and contact details associated with orders:
  - Names, email addresses, shipping/billing addresses, phone numbers (where present in order data).
- Transactional and ecommerce data:
  - Order IDs, order numbers, transaction dates and times.
  - Products purchased, quantities, prices, discounts, taxes, shipping amounts.
  - Payment status information and payment metadata (to the extent included in platform APIs).
- Refund, return, and exchange data:
  - Refund amounts, dates, reasons (where available).
  - Return/exchange status, store credit usage or similar data (where exposed by platforms).
- Technical and usage data:
  - Limited log/event data tied to specific accounts or users, such as IP addresses, browser/user agent data, device type, and similar metadata.
TruUp does not intentionally collect or process special categories of data (such as health information, biometric data, or information about political opinions) in the ordinary course of providing the Services. If you choose to include such data in Your Data, you are responsible for ensuring that you have a lawful basis and appropriate safeguards in place.
4.3 Purpose of processing. We process Personal Data for the purposes described in the Principal Agreement and our Privacy Policy, including:
- Reconciling ecommerce orders, returns, and refunds with accounting records.
- Calculating and presenting metrics such as true revenue, return rates, and discrepancies.
- Generating reports and exports for accounting and analytics.
- Supporting forecasting and benchmarking features (using aggregated and anonymized data where possible).
- Providing customer support and maintaining the security and performance of the Services.
5. Confidentiality
5.1 Confidentiality obligations. TruUp will ensure that all personnel authorized to process Personal Data are subject to appropriate confidentiality obligations (whether contractual or statutory), and only process Personal Data as necessary to perform their duties and provide the Services.
6. Security Measures
6.1 Security. TruUp will implement and maintain appropriate technical and organizational measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access, as required by Data Protection Laws and taking into account:
- The state of the art,
- The costs of implementation,
- The nature, scope, context, and purposes of processing, and
- The risks to the rights and freedoms of natural persons.
6.2 Examples of measures. These measures may include, as appropriate:
- Encryption of data in transit and at rest, where reasonable and appropriate.
- Access controls and authentication, including role-based access restrictions for internal systems.
- Regular security updates, patch management, and vulnerability management.
- Logging and monitoring of critical systems.
- Data backup and recovery procedures.
- Processes for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of processing.
6.3 Customer responsibilities. You are responsible for:
- Properly configuring and using the Services in a secure manner.
- Implementing adequate access controls and security measures in relation to your own systems and devices.
- Keeping your credentials secure and notifying us promptly of any unauthorized access or suspected breaches.
7. Subprocessors
7.1 Use of Subprocessors. You authorize TruUp to engage Subprocessors to process Personal Data in connection with providing the Services, subject to the terms of this Section.
7.2 List of Subprocessors. A current list of Subprocessors is available at https://truup.app/legal/subprocessors and in the docs/legal/subprocessors.md file. This list may be updated from time to time to reflect new or replaced Subprocessors.
7.3 Requirements for Subprocessors. TruUp will:
- Enter into written agreements with Subprocessors that impose data protection obligations at least as protective as those in this DPA, to the extent applicable to the nature of the services provided by the Subprocessor.
- Remain responsible for the acts and omissions of Subprocessors to the same extent that TruUp would be responsible if performing the services of each Subprocessor directly.
7.4 Notification of new Subprocessors. Where required by Data Protection Laws, TruUp will provide notice of any intended addition or replacement of Subprocessors, for example via updates to the Subprocessor list or other reasonable means.
If you reasonably object to a new Subprocessor based on legitimate data protection concerns, you must notify us promptly. We will discuss your concerns in good faith and may, at our discretion:
- Propose a commercially reasonable alternative, or
- Allow you to terminate the part of the Services impacted by the new Subprocessor, without penalty, if we are unable to provide a suitable alternative.
8. Data Subject Requests
8.1 Assistance with requests. Taking into account the nature of the processing, TruUp will provide reasonable assistance to you, at your cost, by appropriate technical and organizational measures, in fulfilling your obligations to respond to Data Subject requests to exercise their rights under Data Protection Laws, including rights of access, rectification, restriction, deletion, portability, and objection, as applicable.
8.2 Requests received directly. If TruUp receives a request directly from a Data Subject relating to Personal Data that we process on your behalf, we will, to the extent permitted by law:
- Notify you without undue delay, and
- Either refer the Data Subject to you or cooperate with you, as appropriate, to respond to the request.
You are responsible for responding to Data Subject requests and for complying with any applicable obligations under Data Protection Laws.
9. Personal Data Breach Notification
9.1 Notification. In the event of a Personal Data Breach (as defined in the GDPR) affecting Personal Data that TruUp processes on your behalf, we will notify you without undue delay after becoming aware of the breach.
9.2 Information provided. Our notification will include, to the extent reasonably available:
- A description of the nature of the Personal Data Breach, including, where possible, the categories and approximate number of Data Subjects and data records concerned.
- The likely consequences of the Personal Data Breach.
- The measures taken or proposed to be taken by TruUp to address the Personal Data Breach, including measures to mitigate its possible adverse effects.
Where it is not possible to provide all information at once, we may provide the information in phases without undue further delay as it becomes available.
9.3 Your responsibilities. You are responsible for:
- Notifying the appropriate supervisory authorities and affected Data Subjects of the Personal Data Breach when required under Data Protection Laws.
- Complying with any applicable legal or regulatory obligations relating to the breach.
TruUp will provide reasonable assistance to you, considering the nature of the processing and the information available to us, in meeting these obligations.
10. International Data Transfers
10.1 Transfers by TruUp. TruUp may process and transfer Personal Data in and to countries outside the EEA, the UK, or other jurisdictions where the Data Protection Laws may apply, including to Subprocessors and affiliates located in such countries.
10.2 Safeguards. Where the processing of Personal Data involves a transfer to a country that does not provide an adequate level of protection under Data Protection Laws, TruUp will ensure that such transfers are made in compliance with applicable requirements, such as:
- Standard Contractual Clauses approved by the European Commission or UK authorities (as applicable), or
- Other appropriate safeguards or derogations authorized under Data Protection Laws.
10.3 Documentation. Upon request, and subject to any confidentiality obligations, TruUp will provide information reasonably necessary to demonstrate compliance with applicable cross-border transfer obligations (for example, details about the relevant safeguards and Subprocessors).
11. Return and Deletion of Data
11.1 Return or deletion at your request. During the term of the Principal Agreement, you may, through the Services or via written request, instruct TruUp to:
- Provide a copy of Personal Data processed on your behalf, and/or
- Delete or anonymize certain Personal Data, as required under Data Protection Laws and consistent with the Service’s capabilities.
11.2 Deletion upon termination. Upon termination or expiration of the Principal Agreement:
- TruUp will delete or anonymize Personal Data processed on your behalf within a reasonable period, except where retention is required by applicable law or necessary for our legitimate business interests (for example, maintaining records for accounting, audit, or fraud prevention).
- If you request it in writing prior to termination or within a reasonable time thereafter, we will provide you with a copy of Personal Data that we still retain at that time, where technically feasible.
11.3 Backups and logs. Personal Data may persist in encrypted backups or logs for a limited period after deletion as part of normal backup and archival processes. Such data will remain subject to appropriate technical and organizational protections and will be deleted or overwritten in accordance with our standard backup retention schedules.
12. Audits and Compliance Assistance
12.1 Information and documentation. Upon reasonable request, TruUp will make available to you information necessary to demonstrate our compliance with this DPA and, where applicable, Data Protection Laws, including:
- Documentation of our security measures and practices.
- Information about our Subprocessors and data flows.
12.2 Audits. Where required by Data Protection Laws, you may, no more than once per year (unless otherwise required by law), and at your own cost, conduct or have conducted an audit of TruUp’s processing of Personal Data. Any audit must:
- Be subject to reasonable advance written notice (at least 30 days).
- Be conducted during regular business hours and in a manner that does not unduly interfere with TruUp’s operations.
- Maintain strict confidentiality of TruUp’s confidential information and the security of other customers’ data.
12.3 Third-party assessments. In many cases, TruUp’s obligations under this Section may be satisfied by providing up-to-date third-party security or compliance reports, certifications, or audit summaries (for example, SOC 2 or similar reports), where available.
12.4 Limitations. You agree not to exercise your audit rights in a manner that could compromise the security of TruUp’s systems or the confidentiality of information relating to other customers or third parties. Any additional audit rights beyond what is required by Data Protection Laws must be agreed upon in writing and may be subject to additional fees.
13. Shopify and Other Platform-Specific Obligations
13.1 Shopify webhooks and deletion. For Shopify-based processing, TruUp will respect and implement Shopify’s mandatory data protection obligations, including handling the following webhooks:
- customers/data_request
- customers/redact
- shop/redact
Upon receiving such webhooks, or equivalent requests, TruUp will locate and delete or anonymize relevant Personal Data associated with the customer or shop in accordance with Shopify’s requirements and applicable laws.
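As an added illustration of how a processor can service these three mandatory topics (example code written for this page, not TruUp's own implementation), assuming a constructed in-memory per-shop store, Shopify's documented payload fields (shop_domain, customer.id, orders_requested) and its X-Shopify-Hmac-Sha256 signing scheme:

```python
import base64
import hashlib
import hmac
from typing import Any, Dict

# Constructed in-memory stand-in for the per-shop data a processor holds (assumption,
# not TruUp's real schema). Financial fields stay; personal fields are what gets redacted.
def sample_store() -> Dict[str, Any]:
    return {
        "example-shop.myshopify.com": {
            "customers": {501: {"email": "alice@example.com", "name": "Alice"},
                          502: {"email": "bob@example.com", "name": "Bob"}},
            "orders": {1001: {"customer_id": 501, "email": "alice@example.com", "total": "40.00"},
                       1002: {"customer_id": 502, "email": "bob@example.com", "total": "15.00"}},
        }
    }

def sign_body(secret: str, raw_body: bytes) -> str:
    """Shopify signs each webhook as base64(HMAC-SHA256(app secret, raw body))."""
    return base64.b64encode(hmac.new(secret.encode(), raw_body, hashlib.sha256).digest()).decode()

def verify_hmac(secret: str, raw_body: bytes, header_value: str) -> bool:
    """Constant-time check of the X-Shopify-Hmac-Sha256 header before any data is touched."""
    return hmac.compare_digest(sign_body(secret, raw_body), header_value)

def handle_webhook(store: Dict[str, Any], topic: str, payload: Dict[str, Any]) -> Dict[str, Any]:
    """Dispatch the three compliance topics. Payload keys follow Shopify's documented
    schema as assumed here (shop_domain, customer.id, orders_requested)."""
    shop = payload["shop_domain"]
    data = store.get(shop)
    if data is None:
        return {"status": "unknown_shop"}  # nothing held for this shop; safe to repeat
    if topic == "customers/data_request":
        # Access request: collect, do not delete. Limit to the orders Shopify lists, if any.
        cid = payload["customer"]["id"]
        wanted = set(payload.get("orders_requested", []))
        orders = {oid: o for oid, o in data["orders"].items()
                  if o["customer_id"] == cid and (not wanted or oid in wanted)}
        return {"status": "ok", "customer": data["customers"].get(cid), "orders": orders}
    if topic == "customers/redact":
        # Erasure: drop the customer record, strip personal fields from their orders,
        # keep amounts so accounting reconciliation still balances (Section 11.2).
        cid = payload["customer"]["id"]
        data["customers"].pop(cid, None)
        anonymized = 0
        for order in data["orders"].values():
            if order["customer_id"] == cid:
                order["customer_id"] = None
                order["email"] = None
                anonymized += 1
        return {"status": "ok", "orders_anonymized": anonymized}
    if topic == "shop/redact":
        del store[shop]  # shop uninstalled: everything held for that shop goes
        return {"status": "ok"}
    raise ValueError(f"unsupported webhook topic: {topic}")
```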
13.2 Other platforms. Where similar requirements or mechanisms exist for other platforms (for example, different ecommerce channels), TruUp will implement and maintain reasonable processes to respect those requirements as part of the Services, in line with the platform’s developer terms and Data Protection Laws.
14. Liability
The liability of each party under this DPA is subject to the limitations of liability and exclusions set out in the Principal Agreement. Nothing in this DPA is intended to limit either party’s liability with respect to any Data Subject rights or obligations to the extent such limitation is not permitted under Data Protection Laws.
15. Relationship to the Principal Agreement
This DPA forms part of the Principal Agreement and is effective for as long as TruUp processes Personal Data on your behalf under that agreement.
- In the event of any conflict between the terms of this DPA and the terms of the Principal Agreement, this DPA will govern with respect to the subject matter of data protection and processing.
- All other terms and conditions of the Principal Agreement remain in full force and effect.
16. Changes to This DPA
We may update this DPA from time to time to reflect changes in our practices, legal requirements, or the Services. If we make material changes, we will provide notice in accordance with the Principal Agreement (for example, via email, in-app notices, or posting an updated version).
If you do not agree to an updated DPA, you should stop using the Services and may terminate the Principal Agreement in accordance with its terms. Continued use of the Services after the updated DPA becomes effective constitutes your acceptance of the changes.
17. Contact
If you have questions about this DPA or our data protection practices, please contact us at:
TruUp
Email: [email protected]