This DPA forms part of the Terms of Service between you (“Controller”) and WordCat Edutech (“Processor”) operating the Udeely service. It applies whenever Processor processes personal data on Controller's behalf, including processing of affiliate and customer data through the Udeely application.
If GDPR (Regulation (EU) 2016/679) applies to your processing, this DPA satisfies the Article 28 requirements for a written agreement between controller and processor.
1. Roles
- Controller: the merchant operating the Shopify store on which Udeely is installed.
- Processor: WordCat Edutech (Y-tunnus: 3460399-3), Finland.
Where the merchant is itself acting on behalf of another controller (e.g., a brand operating multiple sub-stores), the merchant warrants that it is contractually authorised to bind that other controller to this DPA.
2. Subject matter, duration, nature, purpose
| Item | Detail |
|---|---|
| Subject matter | Provision of the Udeely affiliate-tracking service |
| Duration | The period during which Udeely is installed on Controller's store, plus the retention periods in the Privacy Policy |
| Nature | Storage, hashing, attribution computation, transactional messaging, payout-export file generation |
| Purpose | Operation of Controller's affiliate program |
3. Categories of data subjects and personal data
Data subjects: Controller's affiliates, and Controller's customers (hashed email only).
Categories of personal data:
| Category | Source | Stored as |
|---|---|---|
| Affiliate identifiers (name, email) | Affiliate self-signup or Controller import | Plaintext (email hashed for fraud check) |
| Affiliate payout details (PayPal email, Wise ID, bank instructions) | Affiliate self-entry | Plaintext (encryption middleware in development; see Privacy Policy, Section 3) |
| Customer email | Shopify order webhook | HMAC-SHA256 hash only; raw value discarded within request |
| Order metadata | Shopify order webhook | Plaintext (financial records) |
No special-category data (Article 9 GDPR) is processed.
4. Controller's instructions
Processor will process personal data only on documented instructions from Controller, including those given through Controller's configuration of the Udeely application. Controller's installation and configuration of Udeely constitute documented instructions for the categories of processing described in Section 2.
5. Confidentiality
Processor will ensure that any person authorised to process the personal data is bound by a duty of confidentiality. As of the date of this DPA, the only person authorised is the operator of WordCat Edutech.
6. Security measures
Processor maintains the technical and organisational measures described in the Privacy Policy, Section 3. These include:
- Encryption in transit (TLS 1.2+ on the database, TLS 1.3 on the public application);
- Encryption at rest (AES-256 on the database; encryption middleware for sensitive affiliate fields is being deployed);
- Production credentials stored only in Fly.io's encrypted secrets store;
- Sentry configured with `sendDefaultPii: false`;
- Customer email never persisted in raw form (HMAC hash only).
Processor will update Controller through the in-app inbox if these measures change materially.
7. Sub-processors
Controller authorises the sub-processors listed in the Privacy Policy, Section 4. Processor will give Controller at least 30 days' notice via the in-app inbox before adding a new sub-processor that processes affiliate or customer personal data. Controller may object in writing within that 30-day period; if Processor cannot accommodate the objection, Controller may terminate the service without penalty by uninstalling Udeely.
Each sub-processor is bound by data-protection terms substantially similar to those in this DPA.
8. International transfers
Some sub-processors are located outside the EEA (notably US-based providers). Where personal data is transferred outside the EEA, the transfer is made on the basis of the European Commission's Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914), incorporated by reference into the agreements between Processor and each affected sub-processor.
9. Data subject rights
Processor will, taking into account the nature of the processing, assist Controller, by appropriate technical and organisational measures, in fulfilling Controller's obligations to respond to requests for exercising data subject rights (Articles 12–22 GDPR). For affiliate data, Controller has direct access through the Udeely admin interface to view, edit, and delete affiliate records. For customer email hashes, requests are handled via the `customers/redact` Shopify webhook.
10. Breach notification
Processor will notify Controller without undue delay, and in any event within 72 hours of becoming aware, of any personal-data breach affecting Controller's data. The notification will include, to the extent known:
- The nature of the breach and the categories and approximate number of records affected;
- The likely consequences;
- The measures taken or proposed to address the breach.
Notification will be sent to the email address on file for Controller's Shopify account.
11. Audits
Processor will make available to Controller, on reasonable request, the information necessary to demonstrate compliance with this DPA. Controller may, at its own expense and with at least 30 days' written notice, conduct an audit (or appoint an independent third-party auditor bound by confidentiality) of Processor's facilities and records, no more than once per calendar year, and subject to reasonable confidentiality and security constraints.
Sub-processor audit reports (e.g., SOC 2 reports for Shopify, Neon, Fly.io, where available) will be provided in lieu of on-site audits of those sub-processors.
12. Return or deletion
48 hours after Udeely is uninstalled from Controller's Shopify store, Shopify dispatches the `shop/redact` webhook. Upon receiving that webhook, Processor cascade-deletes all personal data tied to Controller's shop, except for records Processor is required to retain by law (e.g., financial records for tax purposes), which are anonymised to the extent feasible.
Controller may request earlier deletion in writing; Processor will comply within 30 days.
13. Liability
Liability under this DPA is subject to the limitations in Section 11 of the Terms of Service, except where mandatory law (including Article 82 GDPR) provides otherwise.
14. Conflict
If this DPA conflicts with the Terms of Service, this DPA prevails for matters concerning the processing of personal data.
15. Governing law
This DPA is governed by the laws of Finland.