Data Processing Agreement
Effective Date: 28.01.2026
This Data Processing Agreement ("DPA") forms part of the Terms of Use between you (the "Merchant" or "Data Controller") and Sonar Seed (the "Processor" or "Data Processor") and governs the processing of personal data by Sonar Seed on behalf of the Merchant.
1. Definitions
1.1 Terms used in this DPA have the meanings set forth in the GDPR and the Terms of Use. Specifically:
- "Data Subject" means an identified or identifiable natural person whose personal data is processed.
- "GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council.
- "Personal Data" has the meaning given in GDPR Article 4(1).
- "Processing" has the meaning given in GDPR Article 4(2).
- "Controller" means the entity that determines the purposes and means of processing personal data (typically, the Merchant).
- "Processor" means the entity that processes personal data on behalf of the Controller (Sonar Seed).
- "Sub-Processor" means any processor engaged by Sonar Seed to process personal data.
- "Standard Contractual Clauses" or "SCCs" means the standard data protection clauses for the transfer of personal data to third countries approved by the European Commission.
2. Scope and Roles
2.1 Application
This DPA applies to all processing of personal data by Sonar Seed on behalf of the Merchant in connection with the provision of the App Services.
2.2 Data Controller and Data Processor Roles
The parties acknowledge and agree to the following roles:
(a) Merchant Data
- Merchant as Controller: The Merchant is the data controller for merchant account information, settings, and configurations.
- Sonar Seed as Processor: Sonar Seed processes this data solely to provide the App Services as instructed by the Merchant.
(b) End-Customer Order Data
- Merchant as Controller: The Merchant is the data controller for all end-customer personal data in Shopify orders.
- Sonar Seed as Processor: Sonar Seed processes end-customer order data ephemerally for affiliate tracking and recruitment automation, solely as instructed by the Merchant's configuration settings.
(c) Influencer Data (Joint Controllers)
- Joint Controllers: Both the Merchant and Sonar Seed act as joint controllers (GDPR Art. 26) for influencer personal data, as both parties determine purposes and means of processing.
- Division of Responsibilities:
- Merchant Responsibilities: Defining recruitment criteria, setting commission structures, managing influencer relationships, and ensuring influencers comply with advertising disclosure laws.
- Sonar Seed Responsibilities: Providing the technical platform, facilitating influencer portal access, processing commission calculations, and ensuring data security.
- Shared Responsibilities: Both parties must ensure lawful processing, provide privacy notices, and respond to data subject requests.
2.3 Processing Instructions
Sonar Seed shall process personal data only on documented instructions from the Merchant, except where required to do so by applicable law. The Merchant's instructions are set forth in:
- The Terms of Use and this DPA
- Configuration settings within the App (e.g., recruitment thresholds, auto-approval settings)
- Additional written instructions provided by the Merchant via email to support@sonarseed.com
If Sonar Seed believes an instruction violates GDPR or other applicable law, Sonar Seed will promptly inform the Merchant.
3. Details of Processing
3.1 Subject Matter and Duration
- Subject Matter: Provision of influencer marketing management platform services.
- Duration: For the term of the Terms of Use agreement, until the Merchant uninstalls the App or terminates the agreement.
3.2 Nature and Purpose of Processing
Sonar Seed processes personal data for the following purposes:
- Affiliate sales tracking and commission calculation
- Automated influencer recruitment based on customer purchase behavior
- Creation of Shopify Draft Orders for product seeding
- Providing influencer portal access and analytics
- Synchronizing data with Merchant's Klaviyo account (if enabled)
- Sending transactional emails via Resend
3.3 Categories of Data Subjects
- Shopify store owners and authorized administrators (Merchants)
- Influencers and brand ambassadors recruited through the App
- End-customers of the Merchant's Shopify store (processed ephemerally for recruitment triggers and affiliate attribution only)
3.4 Types of Personal Data
Merchant Data:
- Name, email, phone number, business address
- Shopify shop ID and access tokens
Influencer Data:
- Full name, email address, phone number, shipping address
- Social media handles and profile URLs
- Affiliate performance metrics and commission history
- Submitted content (images, videos, captions)
End-Customer Data (Ephemeral Processing Only):
- Order details: line items, total spend, discount codes used
- Customer email (only if recruitment threshold met)
- Purchase timestamps and order IDs
4. Processor Obligations
4.1 Confidentiality
Sonar Seed shall ensure that all persons authorized to process personal data are subject to binding confidentiality obligations (whether contractual or statutory).
4.2 Security Measures
Sonar Seed shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:
- Encryption of personal data in transit (TLS 1.3) and at rest (AES-256)
- Secure authentication mechanisms (OAuth 2.0 for merchants, magic links for influencers)
- Regular security vulnerability assessments and penetration testing
- Access controls limiting employee access to personal data
- Logging and monitoring of data access
- Incident response procedures
A detailed description of security measures is provided in Annex A.
4.3 Sub-Processors
(a) General Authorization
The Merchant provides general authorization for Sonar Seed to engage sub-processors to process personal data, provided Sonar Seed:
- Maintains a current list of sub-processors at sub-processors
- Notifies the Merchant of any intended changes (additions or replacements) at least 30 days in advance
- Provides the Merchant an opportunity to object to the new sub-processor
(b) Merchant's Right to Object
If the Merchant objects to a new sub-processor on reasonable grounds relating to data protection, the Merchant may:
- Notify Sonar Seed in writing within 14 days of receiving notice
- Request alternative solutions or discontinue the affected features
- If no alternative is available, terminate the agreement without penalty
(c) Sub-Processor Contracts
Sonar Seed shall ensure that any sub-processor is bound by a written contract imposing data protection obligations no less protective than those in this DPA, including:
- Processing only on instructions
- Maintaining confidentiality
- Implementing appropriate security measures
- Assisting with data subject requests
- Deleting or returning data upon termination
Sonar Seed remains fully liable to the Merchant for the performance of any sub-processor.
(d) Current Sub-Processors
The Merchant acknowledges and consents to the sub-processors listed at sub-processors as of the Effective Date.
4.4 International Data Transfers
(a) Transfer Mechanisms
Where personal data is transferred outside the EEA, UK, or Switzerland, Sonar Seed shall ensure the transfer is protected by:
- Standard Contractual Clauses (SCCs): Sonar Seed has executed the EU Standard Contractual Clauses (Module 2: Controller-to-Processor) with sub-processors located in third countries. The SCCs are incorporated into this DPA by reference.
- Adequacy Decisions: Where the European Commission has determined that a country ensures an adequate level of protection.
- Derogations: In limited cases, relying on specific derogations under GDPR Article 49 (e.g., necessary for contract performance).
(b) Documentation
Upon request, Sonar Seed will provide the Merchant with:
- Copies of executed SCCs with sub-processors
- Details on supplementary measures implemented to ensure adequate protection
- Evidence of sub-processor compliance with data transfer requirements
4.5 Assistance with Data Subject Requests
Sonar Seed shall, taking into account the nature of processing, assist the Merchant in responding to requests from data subjects exercising their rights under Chapter III of the GDPR, including:
- Right of access (Art. 15)
- Right to rectification (Art. 16)
- Right to erasure (Art. 17)
- Right to restriction of processing (Art. 18)
- Right to data portability (Art. 20)
- Right to object (Art. 21)
Sonar Seed will:
- Direct Requests: If a data subject submits a request directly to Sonar Seed, Sonar Seed will promptly forward the request to the Merchant (within 2 business days).
- Assistance: Provide the Merchant with access to relevant personal data and cooperate in responding to the request.
- Technical Support: Offer tools within the App to facilitate data export, correction, or deletion.
- Timeframe: Provide assistance within a reasonable timeframe considering the Merchant's legal deadlines (e.g., 30 days under GDPR).
Reimbursement: If the Merchant's requests for assistance require substantial additional effort beyond normal service provision, Sonar Seed may charge reasonable fees based on time and materials.
4.6 Assistance with Compliance Obligations
Sonar Seed shall, taking into account the nature of processing and information available, assist the Merchant in ensuring compliance with obligations under GDPR Articles 32-36, including:
- Security of Processing (Art. 32): Implementing appropriate security measures (see Section 4.2).
- Data Breach Notification (Art. 33-34): See Section 4.7 below.
- Data Protection Impact Assessments (Art. 35): Providing information necessary for the Merchant to conduct DPIAs upon request.
- Prior Consultation (Art. 36): Cooperating with the Merchant if prior consultation with a supervisory authority is required.
4.7 Data Breach Notification
(a) Notification Obligation
Sonar Seed shall notify the Merchant without undue delay and in any event within 72 hours of becoming aware of a personal data breach affecting the Merchant's data.
(b) Notification Content
The notification shall include, to the extent possible:
- Description of the nature of the breach, including categories and approximate number of data subjects and records affected
- Name and contact details of Sonar Seed's data protection officer or point of contact
- Description of likely consequences of the breach
- Description of measures taken or proposed to address the breach and mitigate its effects
(c) Cooperation
Sonar Seed shall:
- Cooperate with the Merchant in investigating the breach
- Provide timely updates as new information becomes available
- Assist the Merchant in meeting its obligations to notify supervisory authorities and data subjects (GDPR Art. 33-34)
- Preserve forensic evidence in accordance with industry best practices
(d) Contact for Breaches
Data breach notifications should be sent to:
Email: security@sonarseed.com
4.8 Deletion or Return of Data
Upon termination of the Services or upon the Merchant's request, Sonar Seed shall, at the Merchant's choice:
(a) Deletion
Delete all personal data processed on behalf of the Merchant, including all existing copies, within 30 days of termination, unless:
- Storage is required by applicable law (e.g., tax records, legal holds)
- The data qualifies as Sonar Seed's data (e.g., aggregated anonymized analytics)
(b) Return
Return all personal data to the Merchant in a structured, commonly used, and machine-readable format (e.g., JSON, CSV), within 14 days of the request.
(c) Certification
Upon request, Sonar Seed will provide written certification that deletion has been completed in accordance with this section.
(d) Exceptions
Sonar Seed may retain personal data to the extent required by EU or Member State law, provided that Sonar Seed:
- Informs the Merchant of such legal retention requirements
- Continues to ensure confidentiality and security of the retained data
- Processes the retained data only for the purposes required by law
4.9 Audit Rights
(a) Merchant's Audit Rights
Sonar Seed shall make available to the Merchant all information necessary to demonstrate compliance with the obligations in this DPA and allow for and contribute to audits, including inspections, conducted by the Merchant or an auditor mandated by the Merchant.
(b) Audit Procedure
- Notice: The Merchant shall provide Sonar Seed with at least 30 days' written notice of any audit.
- Frequency: Audits shall not occur more than once per year, unless required by a supervisory authority or in response to a data breach.
- Scope: Audits shall be limited to verifying compliance with this DPA and shall be conducted during normal business hours.
- Confidentiality: The Merchant and any auditors shall execute a confidentiality agreement protecting Sonar Seed's confidential information and other customer data.
(c) Audit Reports
In lieu of an on-site audit, Sonar Seed may provide:
- SOC 2 Type II reports
- ISO 27001 certification (if applicable)
- Third-party security audit reports
- Self-assessment questionnaires
(d) Costs
The Merchant shall bear all costs associated with audits, including Sonar Seed's reasonable costs if the audit requires more than 8 hours of Sonar Seed personnel time.
5. Controller Obligations
The Merchant, as data controller (or joint controller for influencer data), is responsible for:
5.1 Lawful Processing
Ensuring that processing instructions comply with GDPR and other applicable laws, including:
- Establishing a lawful basis for processing (Art. 6)
- Obtaining necessary consents from data subjects where required
- Conducting Data Protection Impact Assessments (DPIAs) if required (Art. 35)
5.2 Data Subject Rights
Primarily responsible for responding to data subject requests, with assistance from Sonar Seed as set forth in Section 4.5.
5.3 Privacy Notices
Providing adequate privacy notices to data subjects (end-customers and influencers) informing them of:
- The Merchant's identity and contact details
- Purposes of processing and legal basis
- Recipients of personal data (including Sonar Seed as a processor)
- Data retention periods
- Data subject rights
5.4 Data Quality
Ensuring personal data provided to Sonar Seed is accurate, adequate, and limited to what is necessary.
5.5 Cooperation
Promptly responding to inquiries from Sonar Seed related to data protection compliance.
6. Liability and Indemnification
6.1 Allocation of Liability (GDPR Art. 82)
Each party shall be liable for damages caused by processing that violates the GDPR only to the extent it is responsible for the violation. If both parties are involved in the same processing and are responsible for damages, each shall be held liable for the entire damage in order to ensure effective compensation (joint and several liability).
6.2 Right of Recovery
Where a party has paid full compensation for damages caused by processing, that party is entitled to claim back from the other party that part of the compensation corresponding to the other party's degree of responsibility for the damage.
6.3 Indemnification
Sonar Seed shall indemnify and hold the Merchant harmless from any claims, fines, or penalties imposed by supervisory authorities arising solely from Sonar Seed's breach of this DPA, provided that:
- The Merchant promptly notifies Sonar Seed of the claim
- Sonar Seed has sole control of the defense and settlement
- The Merchant cooperates reasonably with the defense
This indemnification does not apply to claims arising from:
- The Merchant's instructions that violate applicable law
- Actions of the Merchant or its influencers
- Factors outside Sonar Seed's reasonable control
7. General Provisions
7.1 Precedence
In the event of any conflict between this DPA and the Terms of Use, this DPA shall prevail with respect to data protection matters.
7.2 Amendments
This DPA may only be amended in writing signed by both parties, except that Sonar Seed may update the list of sub-processors in accordance with Section 4.3.
7.3 Severability
If any provision of this DPA is held to be invalid or unenforceable, the remaining provisions shall remain in full force and effect.
7.4 Governing Law
This DPA is governed by the same law as the Terms of Use (State of Delaware), except to the extent EU law applies directly to data processing activities.
7.5 Term
This DPA remains in effect for as long as Sonar Seed processes personal data on behalf of the Merchant.
8. Standard Contractual Clauses
Where Sonar Seed transfers personal data from the EEA, UK, or Switzerland to countries not deemed adequate by the European Commission, the parties agree to be bound by the Standard Contractual Clauses approved by the European Commission (Decision 2021/914), Module 2 (Controller-to-Processor).
The SCCs are incorporated by reference and can be accessed at: Standard Contractual Clauses
In the event of any conflict between this DPA and the SCCs, the SCCs shall prevail.
ANNEX A: TECHNICAL AND ORGANIZATIONAL MEASURES
Sonar Seed implements the following security measures to protect personal data:
A.1 Access Control
- User Authentication: Shopify OAuth 2.0 for merchants; time-limited magic links for influencers
- Role-Based Access: Employees granted minimum necessary access based on job function
- Multi-Factor Authentication (MFA): Required for all administrative access to production systems
- Access Logs: All data access logged and monitored for anomalies
A.2 Encryption
- Data in Transit: TLS 1.3 encryption for all data transmitted between clients and servers
- Data at Rest: AES-256-CBC encryption for sensitive data (API keys, influencer addresses)
- Key Management: Encryption keys stored in Supabase Vault with hardware security module (HSM) backing
A.3 Data Segregation
- Tenant Isolation: Merchant data logically separated using row-level security (RLS) policies
- Database Architecture: PostgreSQL with RLS ensures queries cannot access other merchants' data
- Backups: Encrypted backups stored separately from production environment
A.4 Availability and Resilience
- Redundancy: Multi-region deployment with automatic failover (Vercel Edge Network)
- Backups: Daily automated backups with 30-day retention; point-in-time recovery available
- Disaster Recovery: RTO (Recovery Time Objective) of 4 hours; RPO (Recovery Point Objective) of 1 hour
- Uptime Monitoring: 24/7 monitoring with automated alerts for downtime or performance degradation
A.5 Incident Response
- Incident Response Plan: Documented procedures for detecting, reporting, and responding to security incidents
- Breach Notification: Process in place to notify affected parties within 72 hours (GDPR requirement)
- Forensics: Incident logs retained for post-mortem analysis
A.6 Employee Training
- Security Training: Annual mandatory training on data protection and security best practices
- GDPR Training: All employees handling personal data trained on GDPR principles
- Background Checks: Background screening for employees with access to personal data
A.7 Vendor Management
- Sub-Processor Due Diligence: Security assessments conducted before onboarding new sub-processors
- Contracts: All sub-processors bound by written agreements requiring adequate security measures
- Monitoring: Ongoing monitoring of sub-processor compliance
A.8 Testing and Audits
- Penetration Testing: Annual third-party penetration tests
- Vulnerability Scanning: Automated weekly scans for known vulnerabilities
- Code Reviews: Security-focused code reviews for all changes to production systems
- SOC 2 Type II: [If applicable] Annual audit by independent auditor
A.9 Physical Security (Applicable to Sub-Processors)
Sonar Seed uses cloud hosting providers (Supabase, Vercel) that maintain:
- Data Center Security: 24/7 surveillance, access control, and environmental controls
- Certifications: ISO 27001, SOC 2 Type II compliance
ANNEX B: SUB-PROCESSORS
See the current list of authorized sub-processors at sub-processors.
Acknowledged and Agreed:
By installing and using the Sonar Seed App, the Merchant acknowledges and agrees to the terms of this Data Processing Agreement.
Sonar Seed
Merchant (Electronic Acceptance via App Installation)
Accepted by clicking "Install" in the Shopify App Store
Questions regarding this DPA should be directed to:
Data Protection Officer
Sonar Seed
Email: privacy@sonarseed.com
Legal: legal@sonarseed.com