Last updated: June 19, 2026
Data Processing Agreement (DPA)
This DPA forms part of the Terms of Service between Florian ALBORA ("Processor") and the Merchant ("Controller"), pursuant to Article 28 of the EU General Data Protection Regulation (GDPR) 2016/679.
1. Definitions
"Controller" means the Merchant who determines the purposes and means of processing personal data. "Processor" means WithdrawKit, which processes data on behalf of the Controller. "Personal Data" has the meaning given in GDPR Article 4(1).
2. Subject Matter & Duration
The Processor shall process Personal Data solely for the purpose of providing the WithdrawKit service as described in the Terms of Service, for the duration of the subscription and any applicable retention periods thereafter.
3. Nature & Purpose of Processing
- Receiving and recording consumer withdrawal requests
- Sending confirmation emails to consumers
- Generating and storing audit records (PDF)
- Notifying merchants of withdrawal events
4. Categories of Data Subjects & Personal Data
| Data Subjects | Categories of Personal Data |
|---|---|
| End consumers (store customers) | Name, email address, order number, withdrawal timestamp, IP address |
| Merchants | Store URL, email address, app configuration |
5. Obligations of the Processor
The Processor shall:
- Process Personal Data only on documented instructions from the Controller
- Ensure authorised personnel are bound by confidentiality
- Implement appropriate technical and organisational security measures (Art. 32 GDPR)
- Assist the Controller with data subject rights requests
- Delete or return Personal Data upon termination of the agreement
- Provide all information necessary to demonstrate compliance
6. Sub-processors
The Controller grants general authorisation to engage the following sub-processors:
| Sub-processor | Purpose | Location |
|---|---|---|
| [HOSTING PROVIDER] | Infrastructure / server hosting | EU |
| [EMAIL PROVIDER] | Transactional email delivery | [LOCATION] |
| Shopify Inc. | E-commerce platform integration | Canada / USA (SCCs apply) |
The Processor will notify the Controller of any intended changes to sub-processors with at least 14 days' notice.
7. Security Measures
The Processor implements the following measures (Art. 32 GDPR):
- Encryption of data at rest (AES-256) and in transit (TLS 1.3)
- Access controls and role-based permissions
- Regular security audits and vulnerability assessments
- Incident response procedures with 72-hour breach notification
8. International Transfers
Personal Data is stored in the EU. Where sub-processors are located outside the EEA, Standard Contractual Clauses (SCCs) approved by the European Commission are applied.
9. Governing Law
This DPA is governed by the laws of France and shall be interpreted in accordance with GDPR.