Data Processing Addendum 

1.  Roles and Regulatory Compliance; Authorization

Customers can use the Services to process Personal Data of their customers or contacts for marketing and related customer relationship management purposes. GemPages stores Personal Data on its servers and processes such Personal Data only for the purposes of, and in accordance with, the instructions of Customers and does not make any decisions itself as to the use, updating, or deletion of Personal Data. If the Global Data Protection Legislation applies to the processing of Customer Personal Data, the parties acknowledge and agree that:

2.  Scope of Processing

By entering into this Addendum, Customer instructs GemPages to process Customer Personal Data only in accordance with applicable law to provide the Services as authorized by the Agreement, including this Addendum and its Annexes or as further documented in any other written instructions given by Customer and acknowledged in writing by GemPages as constituting instructions for purposes of this Addendum.

GemPages will only process Customer Personal Data in accordance with the Customer’s documented instructions, unless the applicable data protection laws to which we are subject require us to further process Customer Personal Data, in which case GemPages will notify Customer (unless such notification is prohibited by applicable law on grounds of public interest).

Where Customer acts as a Processor under the Global Data Protection Legislation, Customer represents that it has obtained all necessary authorizations from the relevant Controller to appoint GemPages as a Sub-processor.

1.  Security Measures

GemPages shall implement and maintain appropriate technical and organizational security measures to protect Customer Personal Data from Security Incidents and to preserve its security and confidentiality, in accordance with GemPages’ security standards described in Annex 3.

2.  Updates to Security Measures

You acknowledge that the Security Measures are subject to technical progress and development and that GemPages may update or modify the Security Measures from time to time, provided that such updates and modifications do not materially reduce the overall level of security of the Services.

3.  Confidentiality of Processing

GemPages shall ensure that any individual or entity authorized by GemPages to process Personal Data (including its staff, agents, and subcontractors) shall be under an appropriate obligation of confidentiality (whether a contractual or statutory duty).

4.  Security Incident Response

Upon becoming aware of an Information Security Incident, GemPages shall notify Customers without undue delay and shall provide timely information relating to the Security Incident as it becomes known or as is reasonably requested by you.

5.  Company Responsibilities

Notwithstanding the above, you agree that except as provided by this DPA, you are responsible for safeguarding and securing your use of our Services, including securing its account authentication credentials, protecting the security of your Personal Data when in transit to and from the Services, and taking any appropriate steps to securely encrypt or back up any Customer Personal Data to the Services.

1.  Customer’s Responsibility for Requests

During the Agreement, if GemPages receives any request from a Data Subject in relation to Customer Personal Data, GemPages will, at its sole discretion, (i) advise the Customer of the request, (ii) advise the Data Subject to submit his or her request to Customer, and/or (iii) notify the Data Subject that his or her request has been forwarded to the Customer. Customers will be responsible for responding to any such request.

GemPages or the Customer may reasonably require additional information to verify the identity of the Data Subject or to clarify the scope of the request. In such circumstances, the applicable time period for responding to the request shall be suspended until the requested information has been provided.

2.  GemPages’ Data Subject Request Assistance

GemPages will (taking into account the nature of the processing of Customer Personal Data) provide Customer with self-service functionality through the Services or other reasonable assistance as necessary for Customer to fulfill its obligation under the applicable Global Data Protection Legislation to respond to requests by Data Subject, including if applicable, Customer’s obligation to respond to requests for exercising the Data Subject’s rights set out in Global Data Protection Legislation. Customer shall reimburse GemPages for any such assistance beyond providing self-service features included as part of the Services at GemPages’ then-current professional services rates, which shall be made available to Customer upon request.

1.  Datacenter locations

GemPages may transfer and process Personal Data anywhere in the world where GemPages, its Affiliates, or its Sub-processors maintain data Processing operations. GemPages shall at all times provide an adequate level of protection for the Personal Data collected, transferred, processed, or retained in accordance with the requirements of the applicable Global Data Protection Legislation.

2.  Transfer Mechanism

The parties will comply with the applicable Global Data Protection Law and use the appropriate data transfer mechanism to transfer or access Personal Data internationally. GemPages makes available SCCs that enable transfers of Personal Data from the US to other jurisdictions. Customers can exercise their rights and submit a request to inquire about required personal data and data under the GDPR by contacting us at support@gempages.help.

1.  Authorized Sub-processors

GemPages uses sub-processors to perform processing activities that are essential to provide quality user experiences. A sub-processor is a third-party data processor who agrees to receive personal data from GemPages intended for processing activities to be performed (i) on behalf of GemPages Customers; (ii) and in accordance with Customer instructions as communicated by GemPages.

GemPages uses the following sub-processors for customer data:

Updates

We may update this list from time to time for operational, legal, or other reasons. Please revisit this list regularly to stay informed.

The date at the top of this addendum indicates when it was last updated.

2.  Sub-processor obligations

GemPages shall enter into a written agreement with each Sub-processor containing data protection obligations that provide at least the same level of protection for Customer Data as those in this DPA, to the extent applicable to the nature of the service provided by such Sub-processor. Where the Sub-processor fails to fulfill its data protection obligations, GemPages shall remain fully liable to the Customer for the performance of that Sub-processor's obligations and for any acts or omissions of such Sub-processor that cause a breach of this DPA.

1. Subject Matter of the Processing

The subject matter of the processing is the provision of the GemPages Services to the Customer in accordance with the Agreement and the Data Processing Addendum (DPA).

2. Duration of the Processing

The processing shall commence upon the Effective Date of the Agreement and continue for the duration of the Agreement, and thereafter until deletion or return of all Customer Personal Data in accordance with the DPA.

3. Nature and Purpose of the Processing

The processing activities include the collection, storage, organization, retrieval, consultation, transmission, and deletion of Customer Personal Data.

The purpose of the processing is to enable GemPages to provide website-building, landing page optimization, analytics, customer support, and related services to the Customer.

4. Categories of Data Subjects

Depending on the Customer’s use of the Services, Data Subjects may include:

• The Customer’s personnel and representatives;
• The Customer’s end users and website visitors;
• The Customer’s customers and prospective customers;
• Business Partners, Affiliates, and Service Providers of the Customer.

5. Types of Personal Data

Depending on the Customer’s implementation and use of the Services, Personal Data may include:

• Identifiers (such as name, email address, IP address, account ID);
• Online identifiers and usage data;
• Transaction and billing information;
• Customer support communications;
• Technical data relating to website interaction and analytics.

GemPages does not intentionally collect or process special categories of data (as defined under applicable data protection laws), unless explicitly instructed by the Customer.

GemPages shall provide the Customer information according to the Agreement and the DPA. GemPages shall process information sent by Customers’ end users identified through Customers’ implementation of the Application Services.

As an Official Shopify App Developer, please refer to the full list of Customer properties in the Shopify API.

1. List of Parties

• Data Exporter: The Data Exporter is the entity identified as “Customer” or “Controller” in the Agreement.
• Data Importer: The Data Importer is GemCommerce Co., Ltd (“GemPages”), a company providing hosted business software applications and processing Personal Data on behalf of the Data Exporter in accordance with the Agreement and the DPA.

2. Description of transfer

• Categories of Data Subjects: The transfer concerns the categories of Data Subjects described in Annex 1 to the DPA.
• Categories of Personal Data: The transfer concerns the categories of Personal Data described in Annex 1 to the DPA.
• Special Categories of Personal Data: Special categories of data are not intentionally processed unless explicitly instructed by the Customer.
• Processing Operations: The transferred Personal Data will be subject to the processing operations described in Annex 1 to the DPA.
• Duration of the Processing: The duration of the processing shall be as specified in Annex 1 to the DPA.

3. Competent supervisory authority

Evidence of Technical and Organizational Security Measure

Measures of pseudonymisation and encryption of personal data

GemPages implements industry-standard encryption protocols to ensure that all personal data is rendered unreadable to unauthorized parties. We apply encryption both when data is being stored (at rest) and when it is being moved between systems (in transit). Additionally, we use pseudonymization techniques where possible to ensure that data cannot be attributed to a specific individual without the use of additional, securely stored information.
- Data at Rest Encryption: All sensitive data stored in our AWS RDS (Postgres) databases and S3 buckets is encrypted using AES-256 (Advanced Encryption Standard).Data at Rest Encryption: All sensitive data stored in our AWS RDS (Postgres) databases and S3 buckets is encrypted using AES-256 (Advanced Encryption Standard).
- Data in Transit Encryption: All communication between the user's browser, Shopify, and our servers is strictly protected using TLS 1.2/1.3 (HTTPS).
- Encryption of API Credentials: Sensitive integration keys, such as Shopify API access tokens, are encrypted using strong cryptographic algorithms (e.g., RSA) before being stored.
- Pseudonymization via Unique Identifiers: We use internal unique identifiers (such as Shop ID) to manage data. This allows us to process store information without constantly exposing direct personal identifiers in our primary processing logs.
- Key Management: We utilize AWS Key Management Service (KMS) to securely manage and rotate encryption keys, ensuring that access to keys is strictly controlled and audited.

Measures for ensuring the ongoing confidentiality, integrity, availability and resilience of processing systems and services

GemPages leverages high-availability cloud infrastructure to ensure that our services remain resilient against technical failures, traffic spikes, or localized outages. We implement a multi-layered defense strategy to maintain service continuity and protect the integrity of the data processing environment at all times.
- AWS Infrastructure: We host our entire infrastructure on Amazon Web Services (AWS), utilizing their world-class security and availability zones.
- Auto-Scaling: Our system is configured to auto-scale based on real-time traffic. This ensures that GemPages remains responsive even during high-traffic events like Black Friday or Cyber Monday.
- Web Application Firewall (WAF): We use AWS WAF to protect our application from common web exploits and bots that could affect availability or consume excessive resources.
- VPC Isolation: Our backend services operate within a Virtual Private Cloud (VPC) with restricted entry points, isolating our critical systems from the public internet.
- Load Balancing: We utilize Elastic Load Balancing (ELB) to distribute incoming traffic evenly across multiple healthy servers, preventing any single point of failure.

3

Measures for ensuring the ability to restore the availability and access to personal data promptly in the event of a physical or technical incident

GemPages leverages the advanced infrastructure of Amazon Web Services (AWS), Relational Database Service (RDS) to implement a high-availability and disaster recovery architecture. This ensures that in the event of a physical or technical incident (such as a hardware failure, natural disaster, or system corruption), data can be restored rapidly with minimal downtime, thereby maintaining seamless business continuity for our Users and preventing data loss.
- Multi-AZ (Availability Zone) Deployment: Our production databases are deployed in a Multi-AZ configuration. RDS automatically provisions and maintains a synchronous standby replica in a different, physically isolated data center (Availability Zone). In the event of a physical incident (e.g., power outage, cooling failure, or fire in one zone), an automatic failover occurs to the standby instance. This ensures that data access is typically restored within minutes without requiring any manual intervention.
- Automated Backups and Point-in-Time Recovery (PITR): AWS RDS is configured to perform daily full snapshots and continuously capture transaction logs. This robust backup mechanism allows GemPages to perform a "Point-in-Time Recovery," enabling us to restore the database to any specific second within our defined retention period, ensuring maximum data integrity even after complex technical errors.

4

Measures for User identification and authorization

GemPages enforces a rigorous Access Control Policy based on the Principle of Least Privilege (PoLP) and Role-Based Access Control (RBAC). This ensures that only authenticated and authorized individuals or system components have access to the specific data and tools required to perform their designated functions. We implement a "Zero Trust" approach where no user or system is trusted by default, regardless of whether they are inside or outside the network perimeter.
- Role-Based Access Control (RBAC): Access to internal systems (dashboards, databases, server consoles) is granularly assigned based on job roles (e.g., Support, DevOps, Engineering). Permissions are audited quarterly to ensure that employees who change roles or leave the company have their access revoked immediately.
- Multi-Factor Authentication (MFA): MFA is mandatory for all employee accounts accessing our production infrastructure (AWS Console, GitHub, Database Management Tools). This adds a critical layer of security, ensuring that stolen passwords alone are insufficient for unauthorized access.
- Identity Provider (IdP) Integration: We utilize centralized Identity Providers to manage user lifecycles, allowing for "Single Sign-On" (SSO) which enables centralized logging and instant "Kill-switch" capabilities for any compromised account.

5

Measures for the protection of data during transmission

GemPages ensures that all data moving between the User’s browser, the Shopify platform, and our internal backend infrastructure is protected against interception, tampering, or "man-in-the-middle" (MITM) attacks. We mandate the use of secure, industry-standard cryptographic protocols for all data in transit, ensuring that even if data packets are captured, they remain unreadable and mathematically secure.
- Mandatory HTTPS/TLS Encryption: All web traffic and API communications are strictly enforced via HTTPS (Hypertext Transfer Protocol Secure) using TLS 1.2 or TLS 1.3 (Transport Layer Security). We disable older, insecure protocols (like SSLv3 or TLS 1.0) to prevent downgrade attacks.
- Strong Cipher Suites: We utilize high-strength cipher suites (e.g., AES-256-GCM) and secure key exchange mechanisms (such as Elliptic Curve Diffie-Hellman) to provide perfect forward secrecy, meaning that even if a long-term key is compromised, past communications remain secure.
- HSTS (HTTP Strict Transport Security): GemPages implements HSTS headers to instruct browsers to only interact with our application using secure HTTPS connections, eliminating the risk of accidental unencrypted redirects.
- Validated SSL/TLS Certificates: We use certificates issued by trusted, world-class Certificate Authorities (CAs). These certificates are monitored and automatically renewed to prevent service interruptions or security warnings that could confuse Users.
- Internal Network Security: Even within our internal AWS environment, sensitive data moving between microservices is encrypted or travels through isolated, private network peering to ensure end-to-end protection.