Legal · StorePack

Data Processing Agreement

Last updated: 2026-05-11

This DPA forms part of the Terms of Service and applies whenever StorePack processes personal data on your behalf as a processor under Article 28 of the GDPR.

1. Parties

"Controller" — the merchant operating one or more WooCommerce stores connected to StorePack.
"Processor" — StorePack.

2. Subject matter and duration

The Processor processes personal data on the Controller's instructions in order to provide the StorePack Service. Processing continues for as long as the Controller has an active account; upon termination, data is deleted within 30 days unless retention is required by law.

3. Categories of data and data subjects

  • Data subjects: the Controller's customers and store contacts.
  • Personal data: name, email, billing address, shipping address, phone, order history, IP address, device fingerprint.

4. Processor obligations

  • Process only on documented instructions from the Controller.
  • Ensure persons authorized to process data are under appropriate confidentiality obligations.
  • Implement the security measures described in our Security overview, including encryption at rest, RLS-isolated tenancy, audit logging, and SSRF protections.
  • Assist the Controller in responding to data subject requests (access, rectification, erasure, portability, restriction).
  • Notify the Controller without undue delay (and within 72 hours) of any confirmed personal data breach affecting their data.

5. Sub-processors

Current sub-processors are listed in the Privacy Policy. We will notify Controllers of any new or replaced sub-processor with at least 30 days' notice and provide a reasonable mechanism to object.

6. International transfers

Production data is hosted in the EU. Any transfer outside the EEA relies on Standard Contractual Clauses (Commission Decision 2021/914) and supplementary technical measures.

7. Audit rights

The Controller may, on reasonable written request and no more than once per year, request a copy of our most recent third-party security audit summary or perform a reasonable on-site audit under mutually agreed terms and confidentiality.

8. Deletion and return of data

On termination, the Controller may export their data via the GDPR export endpoint or request its return. Within 30 days of termination we delete all personal data unless retention is required by law.

9. Counterpart for signature

This DPA is automatically incorporated into the Terms of Service. If your procurement process requires a signed counterpart, email legal@storepack.app with your DPA template.

Questions? hello@storepack.app