Standard Contractual Clauses

Effective Date: 28.01.2026

This document incorporates the Standard Contractual Clauses (SCCs) for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 (GDPR), as approved by European Commission Implementing Decision (EU) 2021/914 of 4 June 2021.

Purpose

These Standard Contractual Clauses govern the transfer of personal data from the European Economic Area (EEA), United Kingdom, or Switzerland to Sonar Seed and its sub-processors located in countries that have not been subject to an adequacy decision by the European Commission.

Applicable Module

The parties agree to be bound by Module 2: Controller-to-Processor transfers, as defined in the SCCs.

  • Data Exporter (Controller): The Merchant (Shopify store owner)
  • Data Importer (Processor): Sonar Seed

Full Text of SCCs

The complete, official text of the Standard Contractual Clauses (EU Commission Decision 2021/914) is incorporated by reference and can be accessed at:

Official EU Source:
https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj

Sonar Seed Hosted Copy:
Standard Contractual Clauses


ANNEX I: LIST OF PARTIES

A. DATA EXPORTER(S)

Name: The Merchant

Address: [Merchant's registered business address as provided during App installation]

Contact person's name, position, and contact details:
As provided in the Merchant's Shopify account and Sonar Seed App settings

Activities relevant to the data transferred under these Clauses:
Operating an e-commerce store on Shopify and engaging influencers for marketing purposes via the Sonar Seed App

Role: Controller


B. DATA IMPORTER(S)

Name: Sonar Seed

Address: Sonar Stack, c/o GAM, Pappelallee 64, 10437 Berlin, Deutschland

Contact person's name, position, and contact details:
Data Protection Officer
Email: privacy@sonarseed.com
Legal: legal@sonarseed.com

Activities relevant to the data transferred under these Clauses:
Providing an influencer marketing management platform, including affiliate tracking, influencer recruitment automation, and commission management

Role: Processor


ANNEX II: DESCRIPTION OF TRANSFER

A. Categories of Data Subjects

The personal data transferred concerns the following categories of data subjects:

  1. Merchants: Shopify store owners and authorized administrators
  2. Influencers: Brand ambassadors, affiliates, and content creators recruited by the Merchant
  3. End-Customers: Shoppers on the Merchant's Shopify store (ephemeral processing only for affiliate attribution and recruitment triggers)

B. Categories of Personal Data

The personal data transferred concerns the following categories of data:

Merchant Data:

  • Identification data: Name, email address, phone number, business address
  • Account data: Shopify shop ID, shop URL, access tokens (encrypted)
  • Configuration data: App settings, automation rules, commission structures

Influencer Data:

  • Identification data: Full name, email address, phone number, physical shipping address
  • Professional data: Social media handles (Instagram, TikTok, YouTube), follower counts
  • Financial data: Affiliate sales performance, commission amounts, discount code usage, payout history
  • Content data: Uploaded images, videos, captions, and deliverables

End-Customer Data (Ephemeral Processing):

  • Transaction data: Order ID, line items, total spend, discount codes used, order date
  • Contact data: Customer email (only if recruitment threshold is met)

C. Sensitive Data

The data transferred does not include special categories of data as defined in GDPR Article 9(1), such as:

  • Racial or ethnic origin
  • Political opinions
  • Religious or philosophical beliefs
  • Trade union membership
  • Genetic data
  • Biometric data (for the purpose of uniquely identifying a person)
  • Health data
  • Data concerning sex life or sexual orientation

Exception: If an influencer voluntarily submits content (e.g., photos, videos) that reveals special category data, the data exporter (Merchant) is responsible for ensuring a lawful basis exists for processing such data.


D. Frequency of Transfer

  • Continuous: Data is transferred on an ongoing basis as the Merchant and influencers use the App.
  • Event-driven: Specific transfers occur upon events such as:
    • Merchant installing the App (initial data sync)
    • New orders being placed (for affiliate tracking)
    • Influencers submitting content
    • Merchant creating Draft Orders for product seeding

E. Nature and Purpose of Processing

The data importer will process the personal data for the following purposes:

  1. Service Provision: Providing the core functionality of the Sonar Seed App as described in the Terms of Use, including:

    • Affiliate sales tracking and commission calculation
    • Automated influencer recruitment based on customer purchase behavior
    • Creation of Shopify Draft Orders for product seeding
    • Providing influencer portal access and analytics

  2. Integration Services: Syncing influencer data with the Merchant's Klaviyo account (if enabled)

  3. Communication: Sending transactional emails (welcome messages, magic login links, shipping notifications) via Resend

  4. Security and Fraud Prevention: Monitoring for suspicious activity and preventing unauthorized access

  5. Service Improvement: Analyzing aggregated, anonymized usage data to improve App features (no personal data is used for AI training or for profiling beyond what is necessary for service provision)


F. Period for Which Personal Data Will Be Retained

  • Active Use: Personal data is retained for as long as the Merchant's account is active and the App is installed.

  • Post-Termination: Upon uninstallation of the App:

    • Merchant Data: Deleted within 30 days
    • Influencer Data: Deleted within 30 days, except where retention is required by law (e.g., financial records for tax purposes: 7 years)
    • End-Customer Data: Not stored long-term (ephemeral processing only)

  • Legal Retention: Data may be retained longer if required by applicable law (e.g., tax obligations, legal holds, ongoing disputes).


G. Sub-Processors

The data importer is authorized to engage the sub-processors listed in Annex III below.

The data importer will:

  1. Maintain an up-to-date list of sub-processors at Subprocessor List
  2. Notify the data exporter of any intended changes (additions or replacements) at least 30 days in advance
  3. Provide the data exporter an opportunity to object on reasonable data protection grounds

ANNEX III: LIST OF SUB-PROCESSORS

The following sub-processors are authorized to process personal data under these SCCs:

Sub-Processor: Shopify Inc.
  Location: Canada, USA
  Processing Activity: E-commerce platform integration; Draft Order creation
  Safeguards: SCCs; SOC 2 Type II, ISO 27001

Sub-Processor: Klaviyo, Inc.
  Location: USA
  Processing Activity: Marketing automation (optional)
  Safeguards: SCCs; SOC 2 Type II, ISO 27001

Sub-Processor: Resend, Inc.
  Location: USA
  Processing Activity: Transactional email delivery
  Safeguards: SCCs; SOC 2 Type II (in progress)

Sub-Processor: Supabase, Inc.
  Location: USA (AWS us-east-1)
  Processing Activity: Database, authentication, file storage
  Safeguards: SCCs; SOC 2 Type II, ISO 27001

Sub-Processor: Upstash, Inc.
  Location: USA, EU
  Processing Activity: Caching and rate limiting
  Safeguards: SCCs; SOC 2 Type II (in progress)

Sub-Processor: Vercel Inc.
  Location: USA, EU, APAC
  Processing Activity: Hosting infrastructure and CDN
  Safeguards: SCCs; SOC 2 Type II, ISO 27001

For the complete, up-to-date list including contact information and DPA links, see: Subprocessor List


ANNEX IV: TECHNICAL AND ORGANIZATIONAL MEASURES

The data importer implements the following technical and organizational measures to ensure the security of personal data:

1. Measures of Pseudonymization and Encryption

  • Encryption in Transit: TLS 1.3 for all data transmitted between clients and servers
  • Encryption at Rest: AES-256-CBC for sensitive fields (API keys, passwords, addresses)
  • Pseudonymization: Internal user IDs used in place of email addresses in logs and analytics
  • Key Management: Encryption keys stored in Supabase Vault with hardware security module (HSM) backing

2. Measures for Ensuring Ongoing Confidentiality, Integrity, Availability, and Resilience

  • Access Controls: Role-based access controls (RBAC); multi-factor authentication (MFA) for administrative access
  • Data Segregation: Tenant isolation using PostgreSQL row-level security (RLS) policies
  • Redundancy: Multi-region deployment with automatic failover (Vercel Edge Network)
  • Backups: Daily encrypted backups with 30-day retention; point-in-time recovery available
  • Monitoring: 24/7 uptime monitoring with automated alerts for anomalies

3. Measures for Ensuring the Ability to Restore Availability and Access to Data

  • Disaster Recovery Plan: RTO (Recovery Time Objective) of 4 hours; RPO (Recovery Point Objective) of 1 hour
  • Backup Testing: Quarterly restoration drills to verify backup integrity
  • Incident Response: Documented procedures for detecting and responding to data loss events

4. Processes for Regularly Testing, Assessing, and Evaluating Effectiveness

  • Penetration Testing: Annual third-party penetration tests
  • Vulnerability Scanning: Automated weekly scans for known vulnerabilities
  • Security Audits: Annual internal security assessments; SOC 2 Type II audit (if applicable)
  • Employee Training: Mandatory annual security and privacy training for all personnel

5. Measures for User Identification and Authorization

  • Authentication: Shopify OAuth 2.0 for merchants; time-limited magic links for influencers
  • Authorization: Least-privilege access model; permissions enforced at database and application layers
  • Session Management: Secure session tokens with automatic expiration
  • Audit Logs: All data access logged with timestamp, user ID, and action performed

6. Measures for the Protection of Data During Transmission

  • TLS 1.3: All API requests and web traffic encrypted using modern TLS protocols
  • Certificate Pinning: Not currently applicable; to be evaluated if a mobile app is offered in the future
  • VPN Access: Where administrative access to production systems is provided, it requires a VPN connection

7. Measures for the Protection of Data During Storage

  • Encryption at Rest: Database-level encryption for all personal data
  • Secure Deletion: Cryptographic erasure of encryption keys upon data deletion requests
  • Access Logging: All database queries logged for audit purposes

8. Measures for Ensuring Physical Security

Physical security is managed by the data importer's hosting sub-processors (Supabase and Vercel) and the AWS data centers on which they operate:

  • Data Centers: SOC 2 Type II and ISO 27001 certified facilities
  • Access Controls: Biometric access, 24/7 surveillance, environmental controls
  • Physical Audits: Regular third-party audits of data center security

9. Measures for Ensuring Events Logging

  • Application Logs: All user actions, API requests, and system events logged
  • Security Logs: Authentication attempts, permission changes, and data access logged
  • Retention: Logs retained for 90 days; longer for security investigations
  • Log Integrity: Logs stored in write-once storage to prevent tampering

10. Measures for Ensuring System Configuration

  • Hardening: Production servers configured according to CIS benchmarks
  • Patch Management: Security patches applied within 14 days of release (critical: within 48 hours)
  • Configuration Management: Infrastructure-as-code (Terraform/Pulumi) with version control
  • Change Control: All production changes require peer review and approval

11. Measures for Internal IT and IT Security Governance

  • Security Policies: Documented information security policy reviewed annually
  • Incident Response Plan: Defined procedures for detecting, reporting, and responding to breaches
  • Vendor Management: Due diligence conducted on all sub-processors
  • Employee Screening: Background checks for employees with access to personal data

12. Measures for Certification/Assurance of Processes and Products

  • SOC 2 Type II: [If applicable] Annual audit by independent auditor
  • ISO 27001: [If pursuing] Information Security Management System certification
  • Third-Party Audits: Penetration tests, vulnerability assessments, and security reviews

13. Measures for Ensuring Data Minimization

  • Ephemeral Processing: End-customer order data processed in-memory and not stored unless necessary
  • Purpose Limitation: Data collected only for specified, legitimate purposes
  • Retention Policies: Automated deletion of data after retention period expires
  • Data Mapping: Regular audits to identify and eliminate unnecessary data collection

14. Measures for Ensuring Data Quality

  • Validation: Input validation on all user-submitted data
  • Error Handling: Graceful error messages without exposing sensitive data
  • Data Review: Merchants can review and correct influencer data via the App dashboard

15. Measures for Ensuring Limited Data Retention

  • Automated Deletion: Data automatically deleted upon uninstallation (30-day grace period)
  • Retention Schedules: Defined retention periods for each data category (see Annex II.F)
  • Legal Holds: Process for preserving data when legally required (e.g., litigation)

16. Measures for Ensuring Accountability

  • DPO Designation: Data Protection Officer appointed and contactable at privacy@sonarseed.com
  • Documentation: Processing activities documented in Records of Processing Activities (ROPA)
  • Training Records: Employee training completion tracked and audited
  • Audit Trail: Comprehensive logs of data processing activities maintained

17. Measures for Allowing Data Portability and Erasure

  • Data Export: Merchants can export influencer data in JSON/CSV format via the App dashboard
  • Right to Erasure: Automated deletion workflows triggered by user requests or app uninstallation
  • Shopify Webhooks: Support for customers/redact and shop/redact webhooks

Docking Clause (Clause 7)

Optional Clause: The parties agree that an entity that is not a Party to these Clauses may, with the agreement of all Parties, accede to these Clauses at any time as a data exporter or data importer by completing Annexes I and II and signing the Clauses.

This allows for future expansion of the contractual chain without requiring individual SCCs for each new relationship.


Supplementary Measures

In addition to the SCCs, the data importer implements the following supplementary measures to ensure an adequate level of protection:

1. Legal Assessment

The data importer has assessed the laws of the third country in which its sub-processors process personal data (the United States) and confirms that:

  • It is not aware of any government access request that would conflict with the protections afforded by the GDPR
  • It has not received any directive under Section 702 of FISA and has no knowledge of any access to the transferred data under Executive Order 12333
  • In the event of a government access request, it will challenge the request where legally possible and notify the data exporter unless legally prohibited from doing so

2. Transparency Report

The data importer will publish an annual transparency report disclosing:

  • Number of government access requests received (if any)
  • Number of requests challenged
  • Number of user accounts affected (aggregate only)

Location: Transparency Report

3. Government Access Protocol

In the event of a government access request:

  1. Challenge: The data importer will challenge the request if there are reasonable grounds to do so
  2. Notification: The data importer will promptly notify the data exporter, unless legally prohibited
  3. Minimization: The data importer will seek to minimize the data disclosed
  4. Documentation: The data importer will document all requests and responses

4. Encryption Key Control

The data importer ensures that:

  • Encryption keys are generated and stored exclusively within the EEA or in jurisdictions with adequate protection
  • Government authorities in third countries do not have access to encryption keys
  • In the event of a lawful access request, encrypted data without keys would be unintelligible

Contact Information

For questions regarding the SCCs or data transfers:

Data Exporter (Merchant):
As provided in the Merchant's Shopify account

Data Importer (Sonar Seed):
Data Protection Officer
Email: privacy@sonarseed.com
Legal: legal@sonarseed.com
Address: Sonar Stack, c/o GAM, Pappelallee 64, 10437 Berlin, Deutschland


Amendments and Updates

These SCCs and Annexes may only be amended in writing signed by both parties, except that:

  1. The data importer may update the list of sub-processors in Annex III in accordance with the notification procedure set out in Annex II.G and in the Data Processing Agreement.
  2. Minor corrections or clarifications that do not materially affect the parties' obligations may be made unilaterally by the data importer, with notice to the data exporter.

Acceptance:

By installing and using the Sonar Seed App, the Merchant (data exporter) acknowledges and agrees to be bound by these Standard Contractual Clauses, including all Annexes.

Electronic Signature: Acceptance is confirmed by clicking "Install" in the Shopify App Store on [Installation Date].


Sonar Seed (Data Importer)
Sonar Seed


Document Version: 1.0
Last Reviewed: 28.01.2026