DATA PROCESSING AGREEMENT
Effective Date: June 13, 2025
This Data Processing Agreement (“DPA”) is entered into by and between:
Solverhood OÜ (“Processor”, “Analyzify”, “we”, “us”, “our”), a company incorporated under the laws of Estonia, with its registered address at Pärnu mnt 12, Tallinn, Estonia, Registry Number: 14383462, VAT ID: EE102030321, and
The Client (“Client”, “Merchant”, “You”, “Your”, “Controller”), who has agreed to Analyzify’s Terms of Service or other agreement relating to the provision of analytics and data processing Services.
Together with our U.S. partner entity, StatsUp, LLC, 30 North Gould Street, STE R, Sheridan, WY 82801, United States (Tax ID: 38-4336557), we operate globally to serve Shopify Merchants.
This DPA forms an integral part of the Service agreement between Analyzify and the Client (the “Agreement”) and governs the processing of personal data by Analyzify on behalf of the Client in accordance with Article 28 of the General Data Protection Regulation (GDPR) and, where applicable, the Standard Contractual Clauses adopted by the European Commission (2021/914, Module 2).
By installing the Analyzify app from the Shopify App Store, You accept this DPA which forms part of Your agreement with Analyzify for the provision of analytics and data processing Services (“Services”).
1. DEFINITIONS
1.1 GDPR Definitions Terms defined in Regulation (EU) 2016/679 (“GDPR”) have the same meaning in this DPA, including but not limited to:
- “Personal Data”, “Processing”, “Controller”, “Processor”, “Data Subject”, “Personal Data Breach”, “Supervisory Authority”
1.2 Additional Definitions
- “Services”: The Analyzify analytics, tracking, and marketing integration Services provided via the Shopify platform
- “Subprocessor”: Any third party authorized by Analyzify to process Personal Data on behalf of the Controller
- “SCCs”: Standard Contractual Clauses adopted by Commission Implementing Decision (EU) 2021/914 of 4 June 2021, Module 2
- “End Users” or “Visitors”: Customers who visit or interact with the Controller’s Shopify store and whose Personal Data may be processed via the Services
- “AWS”: Amazon Web Services, Inc., the cloud infrastructure provider used by Analyzify to process and store data
- “Data Transfer”: Any transfer of personal data outside the European Economic Area (EEA) or any other jurisdiction with an adequacy decision
- “Applicable Data Protection Law”: The GDPR (EU Regulation 2016/679), and where applicable, other privacy regulations such as the UK GDPR, CCPA, and local EU laws
- “Direct Integration” means the connection between Your Shopify store and Third-Party Platforms (such as Google Analytics, Google Ads, Meta/Facebook, TikTok) through Analyzify using Shopify’s App Embed and Web Pixels API technology stack, providing automated, reliable tracking without requiring manual code implementation.
- “Customized (GTM) Integration” means the utilization of Analyzify’s enhanced data layer with Google Tag Manager for specialized tracking needs. While Analyzify provides a pre-built GTM container template, configuration of custom tracking requirements beyond the standard implementation is not included in the core plan and may be performed by the Client (self-setup) or through Professional Services.
- “Order Limit” means the maximum number of e-commerce orders that can be tracked per month under Your subscription plan.
- “Legacy Plan” or “One-time Plan” means a discontinued pricing model where Clients paid a single fee for lifetime access to specific features available at the time of purchase.
- “Material Changes” means modifications to these Terms that substantially alter Your rights, obligations, pricing, data handling practices, or core Service functionality.
- “Shopify” means Shopify Inc. and its e-commerce platform where the Analyzify App is installed and operates.
- “Client-Side Tracking” means data collection that occurs directly in the End User’s browser using JavaScript and cookies.
- “Server-Side Tracking” means data collection and processing that occurs on Analyzify’s servers rather than in the End User’s browser.
2. APPOINTMENT AND AUTHORIZATION
2.1 Appointment as Processor The Controller appoints Analyzify as a Processor to process Personal Data on the Controller’s behalf in connection with the Services. This appointment is made in accordance with Article 28(1) GDPR.
2.2 Authorization to Process Analyzify is authorized to process Personal Data only:
- To provide the Services as configured by the Controller
- In accordance with the Controller’s documented instructions
- As required by applicable EU or Member State law
This fulfills the requirements of Article 28(3)(a) GDPR and SCC Clause 8.1.
3. PROCESSING INSTRUCTIONS
3.1 Documented Instructions Analyzify shall process Personal Data only on documented instructions from the Controller, which include:
- This DPA and any future amendments
- Integration settings in the Analyzify dashboard, including:
  - Integration configurations (which platforms to send data to)
  - Consent mode settings (Controller must configure these appropriately for their compliance needs)
  - GDPR settings and preferences
- Written instructions sent to hi@analyzify.app
- Instructions required to comply with applicable law
Note: The Controller is responsible for configuring consent mode settings appropriately before collecting End User data. Analyzify processes data according to these configured settings. Learn more: Analyzify <> Consent Mode
This fulfills the requirements of Article 28(3)(a) GDPR and SCC Clause 8.1(a).
3.2 Notification
Analyzify will notify Controllers of significant Service issues that may impact data collection. However, brief interruptions or minor technical issues may be resolved without notification if they do not materially impact the Service.
If Analyzify:
- Cannot comply with an instruction due to technical limitations or legal requirements
- Experiences technical issues affecting data tracking or processing
- Is required by law to process data beyond the Controller’s instructions
Analyzify shall:
- Promptly notify the Controller of the issue via email and/or dashboard notification
- Use commercially reasonable efforts to resolve any technical issues
- Continue processing as required by applicable law (if legal obligation exists)
- Provide available workarounds or alternative solutions where feasible
Service Limitations: The Controller acknowledges that:
- Technical issues may occasionally affect data tracking and processing
- Some data loss may occur during Service interruptions or technical issues
- Analyzify will use commercially reasonable efforts to minimize any data loss
- Real-time data tracking depends on multiple factors including third-party platforms and browser technologies
3.3 Controller Obligations
The Controller shall:
- Ensure that its instructions comply with applicable data protection laws
- Determine the lawful basis for all processing activities
- Inform and obtain valid consent from data subjects where required
- Ensure that personal data transferred to Analyzify is accurate and kept up to date
- Provide documented instructions that are lawful and proportionate
- Remain solely responsible for determining whether its use of Analyzify Services complies with its legal obligations under GDPR and other applicable laws
4. PURPOSE, NATURE, AND DURATION OF PROCESSING
4.1 Subject Matter The subject matter of the processing is the provision of data tracking, analytics, and marketing integration Services through the Analyzify app, which operates on the Shopify platform.
4.2 Purpose of Processing Personal Data shall be processed exclusively for the following purposes:
- Enable accurate analytics, conversion tracking, and performance reporting for Shopify Merchants
- Facilitate the transmission of enriched event data to third-party platforms such as Google Analytics, Google Ads, Meta/Facebook, and TikTok, based on Client configuration
- Support Service operations, issue resolution, and improvements specific to the Controller’s implementation of the Services
- Enable enhanced functionalities through Client-selected integrations, including marketing attribution and browser-based data retention (cookies, local/session storage)
This fulfills the requirements of Article 28(3) GDPR and SCC Clause 8.1.
4.3 Nature of Processing Processing operations include:
- Collection via JavaScript tracking scripts placed on Shopify storefronts
- Transmission to third-party platforms configured by the Controller
- Pseudonymization (hashing) of identifiers using SHA-256
- Storage in AWS infrastructure in the United States
- Analytics and reporting generation
- Deletion upon instruction
4.4 Duration of Processing
- Processing shall continue for the duration of the Controller’s active Analyzify subscription
- Data is deleted or returned upon termination as per Section 10 of this DPA
This information is required by Article 28(3) GDPR and Annex I.B of the SCCs.
5. CATEGORIES OF DATA AND DATA SUBJECTS
5.1 Categories of Data Subjects
- End Users/Visitors: Customers and visitors of the Controller’s Shopify store
- Controller’s Personnel: Store owner and authorized team members who interact with Analyzify
This information is required by Article 28(3) GDPR and Annex I.B of the SCCs.
5.2 Categories of Personal Data
From Store Visitors (End Users):
- User Identifiers: User ID, UID (universally unique identifiers), UUID v7, Checkout ID/Token
- User-Provided Information: Email, phone number, shipping/billing address, locale/language preferences, consent status (e.g., customer_consent)
- Device and Browser Data: Device screen resolution, user agent string, IP address (ip, ip_cf_connecting, ip_x_forwarded_for), IPv4/IPv6, request headers
- Session and Identifier Information: Session identifiers, cookie values (existing and custom), local/session storage values, advertising identifiers (e.g., ga4, fbclid, ttclid), referrer URL, UTM parameters (utm_source, utm_medium, utm_campaign, etc.)
- Event and Behavior Data: Event names (e.g., page_view, view_item), event timestamps, page URL, request body content (e.g., product data, form inputs)
- Location Data: Country code (derived from IP), approximate geolocation (inferred via IP)
- Time-Based Information: Created/updated timestamps, order date/time, event time (timestamp_micros, processed_at, etc.)
From Clients (Merchants):
- Store, Merchant and app usage information: Store URL, Store plan, Store domain, Date of installation/uninstallation, Store owner name, Email address, Country
- App usage data: Operations performed inside the app (integrations, access management, professional Services)
- Payment history: Excluding payment details (all billing is managed by Shopify)
- Contact emails: Via Support page
- Marketing API Data (if enabled): Analytics data from platforms such as GA4, Google Ads, and Meta (totally optional, based on integrations)
This fulfills the requirements of Article 28(3) GDPR and Annex I.B of the SCCs.
5.3 Special Categories of Data No special categories of data under Article 9 GDPR are intentionally collected or processed.
6. SECURITY OF PROCESSING
6.1 Technical and Organizational Measures Analyzify shall implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:
Technical Measures Currently Implemented:
- Encryption at rest using AES-256
- Encryption in transit using TLS 1.2 or higher (HTTPS for all data transfers)
- Pseudonymization: Email addresses and other personal identifiers are hashed (SHA-256) before being sent to third-party platforms per their guidelines
- Access controls using AWS Identity and Access Management (IAM)
- Regular security patching and vulnerability management
- Web Application Firewall (WAF) protection
- AWS infrastructure redundancy and availability features
Note: While AWS provides built-in redundancy and data durability, Analyzify is developing additional formal backup and recovery procedures specifically for personal data as described in Annex II.
Organizational Measures:
- Personnel access on least-privilege basis
- All personnel authorized to access Personal Data are subject to confidentiality obligations
- Annual security awareness training
- Documented incident response procedures
- Regular security assessments
- Internal access is restricted to authorized personnel only
This fulfills the requirements of Article 28(3)(c) and Article 32 GDPR, and SCC Clause 8.6.
6.2 Security Updates Analyzify shall regularly review and update security measures to maintain appropriate protection levels. Full technical and organizational measures are detailed in Annex II.
6.3 Data Storage Analyzify may store certain data in the user’s browser, including existing or custom cookie values, URL parameters, and other information provided by the user, using browser-based technologies such as Cookies, Local Storage, or Session Storage. These processes are essential for maintaining data integrity, supporting necessary backend operations, and delivering core, additional, and enhanced functionalities.
7. CONFIDENTIALITY
7.1 Personnel Confidentiality Analyzify ensures that:
- All personnel authorized to process Personal Data have committed to confidentiality or are under statutory obligation of confidentiality
- Access is limited to personnel who need it for providing the Services
- All personnel receive appropriate data protection training
This fulfills the requirements of Article 28(3)(b) GDPR and SCC Clause 8.3.
7.2 Ongoing Obligations Confidentiality obligations survive termination of employment or engagement.
8. SUBPROCESSORS
8.1 General Authorization The Controller provides general written authorization for Analyzify to engage Subprocessors, subject to the requirements in this section. This implements Option 2 under SCC Clause 9(a).
8.2 Current Subprocessors The Controller acknowledges that Analyzify engages multiple Sub-processors to provide the Services, including but not limited to Amazon Web Services (AWS) as our primary infrastructure provider for cloud hosting and data storage in the United States. The complete and current list of all Sub-processors, including their specific processing activities and locations, is provided in Annex III of this DPA.
8.3 Adding or Replacing Subprocessors
- Analyzify shall notify the Controller at least 15 days before adding or replacing any Subprocessor
- Notification shall be provided via email and dashboard notification
- Notification shall include the Subprocessor’s name, location, and processing activities
This fulfills the requirements of Article 28(2) GDPR and SCC Clause 9(a) Option 2.
8.4 Right to Object
- The Controller may object within the notification period on reasonable grounds relating to data protection
- If the objection cannot be resolved, either party may terminate the affected Services
- Continued use after the objection period constitutes acceptance
This fulfills the requirements of Article 28(2) GDPR and SCC Clause 9(a) Option 2.
8.5 Subprocessor Obligations Analyzify shall:
- Ensure that any Subprocessor is contractually bound by data protection obligations no less protective than those set out in this DPA
- Remain fully liable for Subprocessor performance
- Conduct appropriate due diligence before engagement
- Where a Subprocessor processes Personal Data outside the EEA, ensure appropriate transfer mechanisms are in place (such as SCCs Module 3 or adequacy frameworks)
This fulfills the requirements of Article 28(4) GDPR and SCC Clause 9(b) and (c).
9. INTERNATIONAL TRANSFERS
9.1 Transfer Mechanism Personal Data is transferred to and processed in various locations where Analyzify’s Sub-processors operate, with primary data storage in the United States through Amazon Web Services, Inc. (AWS). Additional Sub-processors may process data in other locations as specified in Annex III. All data transfers outside of Europe are protected by:
- Standard Contractual Clauses (Module 2: Controller to Processor) as incorporated in this DPA
- The technical and organizational measures described in this DPA
- AWS’s participation in the EU-U.S. Data Privacy Framework (DPF), which provides an additional adequacy mechanism recognized by the European Commission
This fulfills the requirements of Articles 44-46 GDPR and implements the SCCs.
9.2 SCC Implementation Details The parties specifically adopt Module Two: Transfer from Controller to Processor, and agree to the following selections:
- Clause 7 (Docking clause): Included
- Clause 9 (Use of Subprocessors): Option 2 - General written authorization
- Clause 11 (Redress): Not included
- Clause 17 (Governing law): Option 1 - Laws of Estonia
- Clause 18 (Choice of forum): Courts of Estonia
9.3 Transfer Frequency and Volume Transfers occur continuously during Service provision as end-user interactions are tracked and processed.
9.4 Supplementary Measures In addition to the SCCs, Analyzify implements supplementary safeguards, including:
- Pseudonymization through the hashing of personal identifiers
- Encryption in transit and at rest
- Access control and monitoring
- Geographic restriction to known AWS regions
- Personnel training and confidentiality agreements
10. DATA RETENTION AND DELETION
10.1 Deletion or Return Upon Termination Upon termination or expiry of the Services, Analyzify shall, at the choice of the Controller:
- Return all personal data processed on behalf of the Controller, or
- Delete such data, unless retention is required by applicable law
Analyzify shall inform the Controller if it is legally obligated to retain any personal data after the termination of processing activities. This fulfills the requirements of Article 28(3)(g) GDPR and SCC Clause 8.5.
10.2 Deletion on Request During Active Service During the term of Service, the Controller may request the deletion of personal data at any time through the Analyzify App or by written instruction. Analyzify shall delete such data without undue delay, unless retention is required by applicable law. If immediate deletion is not technically feasible, Analyzify shall inform the Controller of the reason and the expected timeline. This fulfills the requirements of Article 28(3)(f) GDPR and SCC Clause 8.5.
10.3 Deletion Timing and Method Unless otherwise agreed in writing, Analyzify shall delete personal data:
- Within 30 days following Service termination or final instruction from the Controller
- Using secure deletion methods appropriate to the nature and format of the data
10.4 Data Export During Service To exercise data access rights, Controllers can go to Analyzify App > Settings > Account or contact 📩 hi@analyzify.app.
10.5 Retention Periods
In accordance with the Terms of Service Section 11.4.2, Analyzify retains Personal Data only for as long as necessary to fulfill the purposes for which it was collected and processed. Specifically:
- Merchant data (including Store and app usage information) is retained for the duration of the Service agreement
- Visitor data (End User analytics data) is retained only for the necessary duration to fulfill analytics purposes as configured by the Controller
- Clients may request deletion of their data at any time via the Analyzify Settings.
All data retention is subject to legal obligations, dispute resolution needs, enforcement of agreements, security requirements, or legitimate business interests (including backups, audit logs, and fraud prevention).
11. ASSISTANCE WITH DATA SUBJECT RIGHTS
11.1 Assistance Obligation Analyzify shall provide reasonable assistance to the Controller in fulfilling its obligations to respond to data subject requests regarding:
- Access to Personal Data (Article 15 GDPR)
- Rectification (Article 16 GDPR)
- Erasure (Article 17 GDPR)
- Restriction of processing (Article 18 GDPR)
- Data portability (Article 20 GDPR)
- Objection to processing (Article 21 GDPR)
This fulfills the requirements of Article 28(3)(e) GDPR and SCC Clause 8.4.
11.2 Procedure for Requests
- If Analyzify receives a request directly from a data subject, it shall promptly inform the Controller without undue delay and not respond to the request itself unless instructed in writing by the Controller
- Store visitors in Europe or California: Merchants can configure consent and data collection preferences through Analyzify Settings > Consent Mode
- Analyzify complies with GDPR/CCPA by respecting the preferences provided via consent management tools
11.3 Technical Assistance Analyzify provides tools and technical measures to enable the Controller to respond to data subject requests in a timely and legally compliant manner.
12. SECURITY BREACH NOTIFICATION
12.1 Notification Timeline Analyzify shall notify the Controller without undue delay, and in any case within 48 hours, after becoming aware of a Personal Data Breach. The notification will be delivered via email. This fulfills the requirements of Article 28(3)(f) and Article 33 of the GDPR, as well as SCC Clause 8.6(c).
12.2 Initial Notification Content The initial breach notification shall include, to the extent known:
- A description of the breach, including the type of incident, categories of data subjects, and estimated number of records affected
- The likely consequences of the breach
- Measures taken or planned to address the breach and mitigate potential harm
- Contact information for follow-up
This fulfills the requirements of Article 33(3) GDPR and SCC Clause 8.6(c).
12.3 Ongoing Cooperation Analyzify shall:
- Cooperate fully with the Controller in fulfilling any regulatory notification duties
- Document all breaches regardless of notification requirement
- Implement measures to prevent recurrence
This fulfills the requirements of Article 28(3)(f) GDPR.
12.4 Exclusions: Analyzify is not required to notify the Controller of:
- Failed login attempts or port scans that do not compromise personal data
- Internal testing or security exercises
- Minor incidents that do not affect personal data or fall below regulatory reporting thresholds
13. AUDIT AND INSPECTION RIGHTS
13.1 Audit Rights The Controller has the right to conduct audits or inspections of Analyzify’s data processing activities and relevant systems, as required under Article 28(3)(h) GDPR and SCC Clause 8.9.
13.2 Audit Procedures Audits shall be:
- Limited to once per year (unless legally required more frequently)
- Conducted with 30 days’ written notice, during normal business hours
- Performed in a manner that does not unreasonably disrupt Analyzify’s operations
- Subject to appropriate confidentiality obligations
13.3 Documentation Analyzify shall maintain appropriate records of processing activities and make them available to the Controller or competent supervisory authority upon request. This fulfills the requirements of Article 28(3)(h) GDPR and SCC Clauses 8.9(b) and 8.9(e).
14. COMPLIANCE ASSISTANCE
14.1 General Assistance Taking into account the nature of the processing, Analyzify shall assist the Controller, upon request, in ensuring compliance with:
- Implementing appropriate technical and organizational security measures (Article 32 GDPR)
- Notifying the supervisory authority and data subjects in the event of a personal data breach (Articles 33 and 34 GDPR)
- Conducting data protection impact assessments (Article 35 GDPR)
- Consulting the supervisory authority prior to processing where required (Article 36 GDPR)
This assistance shall be provided in accordance with SCC Clauses 8.6, 8.7, 10(b), and 10(c), and Article 28(3)(f) GDPR.
14.2 Information Provision Analyzify shall provide all information necessary to demonstrate compliance with Article 28 GDPR obligations. This fulfills the requirements of Article 28(3)(h) GDPR.
15. PROHIBITED USES
15.1 Restrictions on Processing Analyzify shall not:
- Use personal data for its own purposes
- Sell, license, or share personal data with third parties except as necessary to perform the Services in accordance with this DPA and the Controller’s instructions
- Combine or enrich data in a way that violates data protection laws
- “Sell” or “share” Personal Data as those terms are defined under U.S. Privacy Laws, including the California Consumer Privacy Act (CCPA)
16. LIABILITY AND INDEMNIFICATION
16.1 Statutory Liability Each Party shall be liable for the damages it causes through an infringement of this DPA, Applicable Data Protection Laws, or the Standard Contractual Clauses (SCCs). Nothing in this DPA limits either party’s liability under Articles 82 and 83 GDPR.
16.2 Responsibility Allocation
- The Controller shall be responsible for obtaining a valid legal basis for processing and for ensuring that its instructions are lawful
- The Processor shall be responsible for processing personal data in accordance with the Controller’s instructions and with the obligations set forth in this DPA
This allocation reflects Article 82 GDPR and SCC Clause 12.
17. TERM AND TERMINATION
17.1 Term This DPA:
- Takes effect upon installation of the Analyzify app
- Continues for the duration of the Services
- Supersedes any previous data processing terms
17.2 Survival The following sections survive termination:
- Data deletion obligations (Section 10)
- Confidentiality (Section 7)
- Liability provisions (Section 16)
- Any terms that by nature should survive
17.3 Termination Termination of this DPA shall be governed by the termination provisions in the Terms of Service (Section 11). Specifically:
- For breach of terms, security risks, or legal requirements: Immediate termination without prior notice
- For termination without cause: 30 days’ written notice as specified in Terms of Service Section 11.3.2
Upon termination, data deletion obligations in Section 10 of this DPA shall apply.
18. MISCELLANEOUS
18.1 Governing Law This DPA shall be governed by the laws of Estonia, without regard to its conflict of law principles. This implements SCC Clause 17, Option 1.
18.2 Jurisdiction Any dispute arising out of or in connection with this DPA shall be subject to the exclusive jurisdiction of the courts of Estonia.
This selection satisfies Clause 17 of the Standard Contractual Clauses, which requires the law of an EU Member State that allows for third-party beneficiary rights under the SCCs.
18.3 Modification Analyzify will provide 30 days’ advance notice for any material changes to this DPA via email or dashboard notification. Non-material changes (such as clarifications, typo corrections, or formatting updates) may be made without advance notice. Material changes require Your acceptance through continued use of the Services after the notice period. If You do not agree to the modified DPA, You must discontinue use of the Services before the effective date of the changes.
18.4 Links to Other Websites Our Service may contain links to third-party websites or Services that are not owned or controlled by Analyzify. Analyzify has no control over, and assumes no responsibility for, the content, privacy policies, or practices of any third-party websites or Services.
18.5 Order of Precedence For matters related to data protection and privacy, the following order of precedence shall apply:
- Mandatory provisions of applicable data protection law (including GDPR)
- Standard Contractual Clauses (where applicable)
- This DPA
- Terms of Service (for data protection matters specifically addressed therein)
- Any other agreement between the parties
This order of precedence applies only to data protection matters. For all other matters, the order of precedence in Section 14.13 of the Terms of Service shall apply.
ANNEX I - DESCRIPTION OF THE PROCESSING
A. List of Parties
Data Exporter (Controller):
- Identity: The Merchant or Client installing and using Analyzify’s Shopify app
- Contact: As provided in Analyzify account
- Role: Controller
Data Importer (Processor):
- Identity: Solverhood OÜ
- Address: Pärnu mnt 12, Tallinn, Estonia
- Registration: 14383462
- VAT ID: EE102030321
- Contact: hi@analyzify.app
- Data Protection Contact: hi@analyzify.app
- Role: Processor
B. Description of Processing
- Categories of Data Subjects
  - Customers of the Controller (“Visitors” or “End Users”)
  - Users interacting with the Controller’s Shopify store
  - The Controller’s staff (e.g., store owner or team members who are logged into Shopify and the Analyzify app)
- Categories of Personal Data Processed: The categories of personal data processed are comprehensively detailed in Section 5.2 of this DPA, which includes:
  - From Store Visitors (End Users): User identifiers, user-provided information, device and browser data, session information, event data, location data, and time-based information
  - From Clients (Merchants): Store and merchant information, app usage data, payment history (excluding payment details), contact information, and optional marketing API data
  Please refer to Section 5.2 for the complete and detailed list of data categories within each group.
- Sensitive Data (Special Categories): Analyzify does not require or intend to process special categories of data under Article 9 GDPR
- Nature and Purpose of Processing: Analyzify processes personal data strictly for:
  - Enabling web analytics and marketing attribution
  - Transmitting events to third-party platforms (e.g., Google Analytics, Meta, TikTok) where such integrations are enabled and configured by the Controller
  - Assisting in reporting, conversion optimization, and remarketing
  - Data mapping for server-side tracking (if applicable)
  - Debugging and performance monitoring
  - Providing Marketing Analytics reports
- Duration of Processing
  - For the duration of the Controller’s active use of Analyzify
  - Data is deleted or returned upon termination as per Section 10 of this DPA
- Frequency of Processing
  - Continuous, real-time processing of web events and e-commerce activity
  - On-demand processing (e.g., when reports or platform syncs are triggered)
- Transfers to Third Countries: Personal data may be transferred to subprocessors (e.g., AWS in the United States) under:
  - Standard Contractual Clauses (Module 3: Processor to Subprocessor), or
  - Adequacy mechanisms (e.g., EU-U.S. Data Privacy Framework)
C. Competent Supervisory Authority
Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon)
ANNEX II – TECHNICAL AND ORGANIZATIONAL MEASURES (TOMs)
Analyzify implements the following technical and organizational measures to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and Services, in accordance with Article 32 of the GDPR:
1. Access Control and Authentication
- Role-based access control (RBAC) is applied to internal systems and databases.
- Unique user accounts are assigned to all team members; shared logins are prohibited.
- Multi-factor authentication (MFA) is enforced via Shopify’s secure login system, with optional two-factor authentication (2FA) for Merchants.
- Access rights are reviewed regularly and revoked promptly upon role change or offboarding.
- The principle of least privilege (PoLP) is enforced across all systems.
2. Data Encryption
- All data in transit is protected using TLS 1.2 or higher (HTTPS).
- Data at rest is encrypted using AES-256 encryption within the AWS infrastructure.
- Access to cryptographic keys is strictly limited, monitored, and logged.
3. Infrastructure and Hosting Security
- Analyzify is hosted on Amazon Web Services (AWS), which complies with GDPR and holds certifications such as SOC 2 and ISO 27001.
- AWS provides encryption in transit and at rest, and uses AWS Identity and Access Management (IAM) for granular access control.
- Regular infrastructure updates and vulnerability patching are performed.
- Security updates are deployed promptly following vendor advisories or internal risk assessments.
4. Data Processing Security
- Personal identifiers (e.g., email addresses) are hashed using SHA-256 prior to transmission to advertising platforms.
- Hashing methods are compliant with Meta and Google standards.
- Data minimization principles are applied by default, collecting only the data necessary for the stated processing purpose.
5. Organizational Security Measures
- All employees are bound by confidentiality agreements and access control policies.
- Employees undergo onboarding and recurring GDPR and data protection training.
- Access to personal data is limited to authorized personnel only on a need-to-know basis.
6. Incident Detection and Response
- An internal incident response plan is maintained and regularly reviewed.
- Post-incident reviews and root cause analyses are documented to prevent recurrence.
- Any personal data breaches are reported to the Controller without undue delay, in accordance with Article 33 of the GDPR.
7. Data Segregation
- Only the data necessary for analytics and tracking is collected and processed.
- Merchant-specific data is logically segregated within multi-tenant systems.
8. Payment Security
- All payment processing is handled via Shopify, which is PCI DSS compliant.
- Analyzify does not process, store, or access payment card information.
9. Data Backup and Recovery
- AWS infrastructure provides built-in redundancy, durability, and availability for all stored data.
- All data is encrypted at rest and in transit.
- Analyzify is in the process of establishing a formal data backup and recovery system.
In Development:
- Formal documented backup and recovery procedures specifically for personal data
- Scheduled backup testing protocols
10. Audit and Testing Procedures
- Analyzify is in the process of implementing formal security audit and testing procedures.
- Internal systems and processes are reviewed periodically to identify potential vulnerabilities and areas for improvement.
- As part of our ongoing commitment to security, we are working to establish a regular schedule for vulnerability scanning, penetration testing, and evaluation of technical and organizational measures.
11. Subprocessor Security Oversight
Analyzify ensures that all Subprocessors implement equivalent technical and organizational measures to protect personal data. Our Subprocessor management includes:
Due Diligence and Selection
- All Subprocessors undergo security assessment prior to engagement, evaluating their compliance certifications, security practices, and data protection measures
- Priority is given to Subprocessors with recognized certifications (SOC 2, ISO 27001, ISO 27018, or equivalent)
- Subprocessors must demonstrate GDPR compliance and provide appropriate contractual guarantees
ANNEX III - LIST OF SUBPROCESSORS
Authorized Subprocessors as of June 2025:
| Processor Name | Description of Processing | Location |
|---|---|---|
| Amazon Web Services, Inc. (AWS) | Cloud infrastructure, hosting, data storage and processing of Client Data | United States |
| Clickhouse, Inc. (if reporting feature enabled) | Marketing analytics reporting database for Client Data | United States |
| Google Cloud Platform (Google LLC) (if this Service purchased by Client) | Server-side tracking infrastructure provisioned for Client-specific deployments under Professional Service | Client-selected region (EU or US) |
| MailerSend (The Remote Company, Inc.) | Transactional email delivery for Client communications (e.g. onboarding, notifications) | United States |
| Zoho Corporation Pvt. Ltd. (Zoho Desk) | Customer support ticketing system for handling Client inquiries | United States |
| PostHog, Inc. | Product analytics, surveys, experiments, session recordings for Client’s data | United States |
Analyzify will provide advance notice of any intended additions or replacements, allowing the Controller to object in accordance with Section 8 of this DPA.
ANNEX IV - STANDARD CONTRACTUAL CLAUSES
Commission Implementing Decision (EU) 2021/914 of 4 June 2021
Standard Contractual Clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679
Module selected: Module 2 (Controller → Processor)
The following standard clauses apply without modification:
- Clause 8 (Data processing) – Including all sub-clauses 8.1 through 8.9
- Clause 10 (Data subject rights)
- Clause 12 (Liability)
- Clause 13 (Supervision)
- All other standard clauses not requiring selection
By installing the Analyzify app, You acknowledge that You have read, understood, and agree to be bound by this Data Processing Agreement.
Contact us
Analyzify is developed and maintained by two partner entities:
Solverhood OÜ
Pärnu mnt 12, Tallinn, Estonia
Registry Number: 14383462
VAT ID: EE102030321
StatsUp, LLC
30 North Gould Street, STE R, Sheridan, WY 82801, United States
Tax ID: 38-4336557
Together, we operate globally to serve Shopify merchants while complying with data protection laws.
If you have any questions about Terms of Service or privacy documents, you can reach us at:
📩 hi@analyzify.app
Last Updated: June 13, 2025