1. Introduction
This Data Processing Addendum (“DPA”) forms part of the Agreement between Shapo (“Processor”) and the Client (“Controller”). This document ensures compliance with Art. 28 of the GDPR and other applicable data protection laws.
2. Processing and Confidentiality
Shapo shall only process Personal Data to provide the testimonial services and strictly under the Client's documented instructions. Shapo ensures that all personnel authorized to process data are subject to a strict duty of confidentiality.
3. Standard Contractual Clauses (SCCs) & Precedence
For transfers of Personal Data to countries outside the EEA, the 2021 Standard Contractual Clauses (Module Two) are incorporated by reference. In the event of any conflict between this DPA and the SCCs, the SCCs shall prevail.
4. Sub-processors & Right to Object
The Client provides a general authorization for Shapo to engage the sub-processors listed in Annex III. Shapo shall inform the Controller of any intended changes concerning the addition or replacement of sub-processors at least 15 days in advance, providing the Controller the opportunity to object on reasonable grounds.
5. Assistance & Data Subject Rights
Taking into account the nature of the processing, Shapo shall:
- Assist the Controller in responding to data subject requests (access, deletion, etc.).
- Notify the Controller without undue delay (within 48-72 hours) after becoming aware of a Personal Data Breach.
- Assist the Controller in meeting its obligations regarding Data Protection Impact Assessments (DPIAs) and consultations with supervisory authorities.
6. Audits
Shapo shall make available all information necessary to demonstrate compliance with Art. 28 GDPR and allow for and contribute to audits conducted by the Controller or a mandated auditor.
7. Return or Deletion of Data
Upon termination of the Services or at the Controller’s request, Shapo shall, at the choice of the Controller, delete or return all Personal Data and delete existing copies unless applicable law requires storage.
ANNEX I: Details of Processing
- Subject Matter: Collection, management, and display of testimonials.
- Nature of Processing: Collection, storage, hosting, display, and deletion.
- Duration: Until account deletion.
- Data Subjects: Customers of the Client (individuals who provide testimonials) and users of the Client’s website.
- Data Categories: Name, email, profile photos, video recordings, IP addresses, and social media handles.
ANNEX II: Technical & Organizational Measures (Security)
Shapo implements the following security measures:
- Encryption: Data is encrypted at rest (AES-256) and in transit (TLS 1.2+).
- Access Control: Production access restricted to authorized personnel via 2FA.
- Data Integrity: Daily automated backups, multi-zone database redundancy, and incident response procedures.
- Isolation: Logical separation of customer data within our architecture.
ANNEX III: Authorized Sub-processors
The following third parties are used to provide the Shapo service:
- AWS: Cloud Infrastructure & Storage (USA / EU)
- SendGrid: Transactional Email Delivery (USA)
- MailerLite: Marketing & Product Communications (EU, Germany)
- PostHog: Product Analytics & Event Tracking (USA / EU)
- Google Analytics: Website Usage Analytics (USA)
- Mixpanel: Advanced Product Analytics (USA)
- Intercom: Customer Support & Communication (USA)
- Stripe: Payment Processing (USA)