Data Processing Addendum.

This Data Processing Addendum ("DPA") forms part of the Terms of Service between NC Digital Limited (Company No. 16413452), trading as OneCampaign ("Processor", "we", "us"), and you ("Controller", "Merchant", "you").

This DPA sets out the terms under which the Processor processes personal data on behalf of the Controller, in accordance with UK GDPR Article 28(3) and the Data Protection Act 2018.

By installing the OneCampaign Shopify app or using any part of the service, you agree to the terms of this DPA.

1. Definitions

• "UK GDPR" means the General Data Protection Regulation as it forms part of the law of England and Wales, Scotland, and Northern Ireland by virtue of the European Union (Withdrawal) Act 2018, as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019.
• "Personal Data", "Processing", "Data Subject", "Personal Data Breach", and "Supervisory Authority" have the meanings given in UK GDPR Article 4.
• "Controller Personal Data" means the personal data described in Schedule 1 that the Processor processes on behalf of the Controller under this DPA.
• "Sub-Processor" means any third party appointed by the Processor to process Controller Personal Data.

2. Scope and Roles

• The Controller (Merchant) determines the purposes and means of processing end-customer personal data.
• The Processor (OneCampaign / NC Digital Limited) processes end-customer personal data solely on behalf of and under the documented instructions of the Controller.
• This DPA applies to all personal data processed by the Processor on behalf of the Controller through the OneCampaign service.

3. Processor Obligations

The Processor shall:

• Process Controller Personal Data only on documented instructions from the Controller (including as configured through the OneCampaign dashboard and settings), unless required to do so by law, in which case the Processor shall inform the Controller of that legal requirement before processing (unless the law prohibits this on important grounds of public interest).
• Ensure that persons authorised to process the Controller Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
• Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as described in Schedule 2.
• Not engage another processor (Sub-Processor) without prior general written authorisation of the Controller, as described in Section 5.
• Taking into account the nature of the processing, assist the Controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Controller's obligation to respond to requests for exercising Data Subject rights under UK GDPR Chapter III.
• Assist the Controller in ensuring compliance with Articles 32 to 36 of UK GDPR (security, breach notification, impact assessments, and prior consultation), taking into account the nature of processing and the information available to the Processor.
• At the choice of the Controller, delete or return all Controller Personal Data to the Controller after the end of the provision of services, and delete existing copies unless applicable law requires storage of the personal data. See Section 8 for details.
• Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in this DPA and UK GDPR Article 28, and allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller. See Section 7 for details.
• Immediately inform the Controller if, in the Processor's opinion, an instruction from the Controller infringes UK GDPR or other applicable data protection provisions.

4. Controller Obligations

The Controller shall:

• Ensure that it has a lawful basis for the processing of personal data as instructed to the Processor, including valid marketing consent from end customers.
• Provide the Processor with documented instructions regarding the processing of Controller Personal Data (including through configuration of the OneCampaign service settings).
• Comply with its own obligations under UK GDPR as data controller, including providing appropriate privacy notices to Data Subjects and responding to Data Subject rights requests.
• Ensure that the content provided to the service (brand voice settings, product data, broadcast content) does not infringe any third-party rights or applicable laws.

5. Sub-Processors

• General authorisation: The Controller provides general written authorisation for the Processor to engage Sub-Processors. The current list of authorised Sub-Processors is set out in the Privacy Policy (Section 7).
• Notification of changes: The Processor shall inform the Controller of any intended changes concerning the addition or replacement of Sub-Processors, giving the Controller the opportunity to object to such changes. The Processor will provide at least 30 days' notice before engaging a new Sub-Processor.
• Objection: If the Controller objects to a new Sub-Processor on reasonable data protection grounds within 14 days of notification, the Processor shall either: (a) not appoint the proposed Sub-Processor for processing of Controller Personal Data, or (b) take corrective steps requested by the Controller and proceed with the appointment. If neither option is feasible, either party may terminate the affected service with 30 days' notice.
• Flow-down obligations: Where the Processor engages a Sub-Processor, the Processor shall impose data protection obligations no less protective than those set out in this DPA on the Sub-Processor by way of a contract. The Processor remains fully liable to the Controller for the performance of the Sub-Processor's obligations.

6. Personal Data Breach

• The Processor shall notify the Controller without undue delay after becoming aware of a Personal Data Breach affecting Controller Personal Data, and in any event within 48 hours.
• The notification shall include, to the extent reasonably available:
  • A description of the nature of the breach, including the categories and approximate number of Data Subjects and records concerned
  • The name and contact details of the Processor's point of contact for further information
  • A description of the likely consequences of the breach
  • A description of the measures taken or proposed to address the breach, including measures to mitigate its possible adverse effects
• The Processor shall cooperate with the Controller and take reasonable commercial steps to assist in the investigation, mitigation, and remediation of the breach.

7. Audit Rights

• The Processor shall make available to the Controller all information reasonably necessary to demonstrate compliance with this DPA and UK GDPR Article 28.
• The Controller (or a mandated third-party auditor bound by confidentiality) may conduct audits of the Processor's processing activities, no more than once per year, with at least 30 days' prior written notice.
• Audits shall be conducted during normal business hours, shall not unreasonably disrupt the Processor's operations, and the Controller shall bear its own costs of any audit.
• The Processor may satisfy audit requests by providing relevant certifications, audit reports, or other evidence of compliance, where available.

8. Data Return and Deletion

• During the service: The Controller may export Controller Personal Data at any time using the export features available in the OneCampaign dashboard (including customer CSV export and message history).
• On termination: Upon uninstall of the OneCampaign Shopify app, sending is paused and Shopify access is revoked. Controller Personal Data is deleted when Shopify compliance webhooks require deletion (including shop redaction) and in accordance with applicable law.
• Exceptions: The Processor may retain personal data to the extent required by applicable law, in which case the Processor shall inform the Controller and ensure that the data is only processed for the purpose required by law.
• Certification: Upon written request following deletion, the Processor shall confirm in writing that Controller Personal Data has been deleted.

9. International Transfers

• The Processor shall not transfer Controller Personal Data outside the United Kingdom unless appropriate safeguards are in place in accordance with UK GDPR Articles 44-49.
• Where transfers to the United States are necessary (see Sub-Processors in the Privacy Policy), the Processor has implemented UK International Data Transfer Agreements (IDTAs) or UK Addenda to EU Standard Contractual Clauses with each relevant Sub-Processor.
• Transfer Risk Assessments have been documented for each international transfer.

10. Liability

Each party's liability under this DPA is subject to the limitations and exclusions of liability set out in the Terms of Service. Nothing in this DPA limits either party's liability for breaches of UK GDPR to Data Subjects, which cannot be excluded or limited by contract.

11. Term and Termination

This DPA shall remain in effect for the duration of the Processor's processing of Controller Personal Data. It shall automatically terminate when the Processor no longer processes Controller Personal Data on behalf of the Controller (including after the post-termination deletion described in Section 8).

Schedule 1: Details of Processing

Subject Matter

The processing of end-customer personal data to provide the OneCampaign lifecycle email automation service, including customer evaluation, intent selection, AI copy generation, email delivery, engagement tracking, and analytics.

Duration

For the duration of the Controller's use of the OneCampaign service, plus any post-termination retention period as described in Section 8.

Nature and Purpose of Processing

• Syncing customer, order, and product data from the Controller's Shopify store
• Classifying customers into lifecycle stages and computing engagement signals
• Evaluating lifecycle intents and selecting appropriate email types for each customer
• Generating personalised email content using AI language models
• Delivering marketing emails via transactional email infrastructure
• Tracking email engagement (opens, clicks, bounces, complaints, unsubscribes)
• Computing product recommendations and purchase pattern analysis
• Creating automated discount codes via the Shopify API
• Providing analytics, reporting, and explainability to the Controller

Types of Personal Data

• Contact information: email address, first name, last name
• Marketing consent status
• Purchase history: products purchased, order values, dates, financial status
• Abandoned checkout data: cart contents, checkout timestamps
• Email engagement data: opens, clicks, deliveries, bounces, complaints
• Derived behavioural signals: preferred send hours, intent responsiveness, engagement trends, optimal frequency
• Derived commercial data: lifecycle stage, discount sensitivity, product affinity, replenishment predictions
• Product interest registrations (back-in-stock notifications)
• Recommendation tracking: recommendations shown, clicked, and converted
• Discount code data: code, percentage, expiry, redemption status

Categories of Data Subjects

• End customers of the Controller's Shopify store who have provided marketing consent

Schedule 2: Technical and Organisational Security Measures

The Processor implements the following measures to protect Controller Personal Data:

• Encryption: All data encrypted at rest and in transit (TLS 1.2+)
• Row-level security: Database access restricted at the row level, ensuring each merchant can only access their own data
• Role-based access control: Team members assigned roles (owner, member, viewer) with appropriate permissions
• Authentication: Secure authentication via Supabase Auth with httpOnly, secure, sameSite cookies
• Rate limiting: API endpoints rate-limited to prevent abuse
• Input sanitisation: User inputs validated and sanitised to prevent injection attacks
• HMAC verification: Webhook payloads verified using HMAC signatures; unsubscribe links use cryptographically signed tokens
• Automated safeguards: Deliverability auto-pause on bounce/complaint spikes, warm-up tiers for new accounts, fatigue controls
• Data minimisation: AI models receive only the minimum data required for generation (no email addresses, order histories, or financial data)
• Audit trail: Full explainability trail for every automated sending decision
• Breach detection: Monitoring for anomalous processing activity, with alert systems for operational issues