DATA PROCESSING AGREEMENT (DPA)
Last updated: February 2026
1. Parties
This Data Processing Agreement is entered into between:
Data Controller:
GiraffeVolt OÜ
[YOUR REGISTERED ADDRESS], Tallinn, Estonia
Registry Code: [YOUR REGISTRY CODE]
And
Data Processors:
- Shopify Inc. (E-commerce Platform)
- Stripe / PayPal (Payment Processing)
- DPD / Omniva (Shipping Carriers)
- Google Analytics (Analytics Provider)
- Email Service Provider (Order Confirmations)
2. Subject Matter and Duration
This DPA governs the processing of personal data by the Data Processors on behalf of GiraffeVolt OÜ for the purpose of operating our e-commerce business, including order processing, payment handling, shipping, and customer analytics.
This agreement remains in effect for as long as the Data Processor provides services to GiraffeVolt OÜ.
3. Nature and Purpose of Processing
Categories of Data Subjects:
- Customers who purchase products
- Website visitors
- Newsletter subscribers
Categories of Personal Data:
- Name, email address, phone number
- Shipping and billing addresses
- Payment information (tokenized)
- Order history and preferences
- IP address, browser type, device information
4. Obligations of the Data Processor
The Data Processor shall:
- Process personal data only on documented instructions from GiraffeVolt OÜ
- Ensure that persons authorized to process personal data are committed to confidentiality
- Implement appropriate technical and organizational security measures
- Only engage sub-processors with prior written authorization
- Assist GiraffeVolt OÜ in responding to data subject requests
- Notify GiraffeVolt OÜ of any personal data breaches within 24 hours
- Delete or return all personal data upon termination of services
5. Security Measures
The Data Processor shall implement the following security measures:
- Encryption of data in transit (TLS/SSL) and at rest
- Access controls and authentication mechanisms
- Regular security audits and vulnerability assessments
- Backup and disaster recovery procedures
- Employee training on data protection
6. International Data Transfers
If personal data is transferred outside the European Economic Area (EEA), the Data Processor shall ensure that:
- Standard Contractual Clauses (SCCs) approved by the European Commission are in place, or
- The recipient country has been granted an adequacy decision by the European Commission, or
- Other appropriate safeguards under GDPR Article 46 are implemented
7. Data Subject Rights
The Data Processor shall assist GiraffeVolt OÜ in fulfilling data subject rights requests, including:
- Right of access (Art. 15 GDPR)
- Right to rectification (Art. 16 GDPR)
- Right to erasure (Art. 17 GDPR)
- Right to restriction of processing (Art. 18 GDPR)
- Right to data portability (Art. 20 GDPR)
8. Liability and Indemnification
Each party shall be liable for any damage caused by its processing of personal data in violation of GDPR. The Data Processor shall indemnify GiraffeVolt OÜ against any claims, losses, or fines resulting from the Data Processor's breach of this DPA.
9. Termination
This DPA shall terminate automatically upon termination of the service agreement between GiraffeVolt OÜ and the Data Processor. Upon termination, the Data Processor shall delete all personal data or return it to GiraffeVolt OÜ, unless legally required to retain it.
10. Contact Information
For any questions regarding this DPA, please contact:
GiraffeVolt OÜ
Email: info@giraffevolt.shop