Data Processing Agreement

Last updated: February 1, 2026

1. Parties and Scope

This Data Processing Agreement ("DPA") forms part of the Terms of Service between Cassian™ ("Processor") and the Customer ("Controller"), collectively the "Parties."

This DPA applies where Cassian processes personal data on behalf of the Customer in the course of providing the Cassian platform. It reflects the Parties' commitment to comply with the UK General Data Protection Regulation (UK GDPR), the EU General Data Protection Regulation (EU GDPR), and any applicable data protection legislation.

2. Definitions

"Personal Data," "Data Subject," "Processing," "Controller," "Processor," and "Sub-processor" have the meanings given in the UK GDPR and EU GDPR. "Customer Data" means any personal data that the Controller provides to Cassian, or that Cassian accesses on behalf of the Controller, through the platform.

3. Duration of Processing

Cassian will process Customer Data for the duration of the Customer's subscription. Processing will cease upon termination of the subscription, subject to the data deletion provisions in Section 12.

4. Nature and Purpose of Processing

Cassian processes Customer Data for the following purposes:

  • Crawling and analysing the Customer's Shopify storefront to assess technical health, content quality, translation accuracy, and platform consistency
  • Generating the Cassian Score, scan reports, and prioritised findings
  • Capturing and storing screenshots of storefront pages
  • Processing store data through AI analysis engines for content evaluation
  • Delivering email notifications including scan results and weekly digest reports
  • At Guardian tier and above, making authorised changes to the Customer's Shopify store

5. Types of Personal Data

The following categories of personal data may be processed:

  • Store customer data: Names, email addresses, and other personal information present in the Customer's Shopify store (e.g., in product reviews, customer accounts, or order metadata)
  • Product data: Product titles, descriptions, images, pricing, and metadata
  • Page content: Text, images, and structured data from storefront pages, blogs, and collections
  • Order metadata: Order counts, fulfilment status, and related metrics (where accessible via the Shopify API)

6. Data Subject Categories

The data subjects affected by this processing include:

  • Store visitors: Individuals whose information appears on the public storefront (e.g., in testimonials or reviews)
  • Store customers: Individuals who have created accounts or placed orders through the Customer's Shopify store
  • Store staff: Individuals listed as contributors, authors, or staff on the Customer's storefront

7. Obligations of the Processor

Cassian, as Processor, shall:

  • Process Customer Data only on documented instructions from the Controller, unless required by law
  • Ensure that all personnel authorised to process Customer Data are bound by confidentiality obligations
  • Implement appropriate technical and organisational measures to ensure security of processing, including encryption at rest and in transit, access controls, regular security testing, and incident response procedures
  • Not engage a sub-processor without prior written authorisation from the Controller (the Controller gives general authorisation under Section 9, subject to 30 days' advance notice of any addition to or replacement in the sub-processor list)
  • Assist the Controller in responding to data subject requests (access, rectification, erasure, portability, restriction, or objection)
  • Notify the Controller without undue delay, and in any event within 72 hours, of becoming aware of a personal data breach
  • Assist the Controller with data protection impact assessments and prior consultations with supervisory authorities, where required
  • Make available to the Controller all information necessary to demonstrate compliance with this DPA

8. Obligations of the Controller

The Controller shall:

  • Ensure that there is a lawful basis for processing the personal data provided to Cassian
  • Provide clear instructions regarding the processing of Customer Data
  • Ensure that data subjects have been informed about the processing of their data by Cassian, as required by applicable law
  • Comply with data minimisation principles — only connect stores and grant API scopes that are necessary for the intended use of the service
  • Notify Cassian promptly of any data subject requests or complaints related to data processed under this DPA

9. Sub-processors

The Controller provides general authorisation for Cassian to engage sub-processors. The current list of sub-processors is maintained at getcassian.com/subprocessors.

Cassian will provide at least 30 days' advance notice before adding or replacing a sub-processor. The Controller may object to the change by contacting dpo@getcassian.com within 30 days. If the objection cannot be resolved, the Controller may terminate the affected service without penalty.

Cassian ensures that each sub-processor is bound by data protection obligations no less protective than those in this DPA.

10. International Transfers

Customer Data is stored in the United States (Supabase, us-east-1). EU data residency is planned but not currently available.

Cassian ensures that appropriate safeguards are in place for transfers of Customer Data outside the UK and EEA: the EU-US Data Privacy Framework (DPF) where the receiving US organisation is DPF-certified, and otherwise Standard Contractual Clauses (SCCs) as approved by the European Commission, with supplementary measures where applicable. The Controller may request copies of the relevant SCCs by contacting dpo@getcassian.com.

11. Security Measures

Cassian implements and maintains the following security measures:

  • Encryption of data at rest (AES-256) and in transit (TLS 1.2+)
  • Role-based access controls with principle of least privilege
  • Row-level security at the database level (Supabase RLS)
  • Regular security assessments and vulnerability scanning
  • Incident response procedures and breach notification protocols
  • Environment separation between development, staging, and production
  • Secrets management via environment variables — no API keys in source code

12. Data Deletion

Upon termination of the subscription, Cassian will delete all Customer Data within 30 days, unless retention is required by applicable law. The Controller may request an export of their data prior to termination.

Cassian will confirm deletion in writing upon request. Backups containing Customer Data will be purged within 90 days of account termination.

13. Audits

Cassian will make available to the Controller all information reasonably necessary to demonstrate compliance with this DPA. The Controller may conduct an audit, or appoint an independent auditor, upon 30 days' written notice.

Audits shall be conducted during normal business hours, no more than once per year (unless a data breach has occurred), and shall be at the Controller's expense. The Controller and its auditors shall be bound by confidentiality obligations with respect to any information accessed during the audit.

14. Liability

The liability of each Party under this DPA is subject to the limitations and exclusions set out in the Terms of Service. Nothing in this DPA limits or excludes either Party's liability for breaches of data protection law to the extent that such limitation is not permitted by applicable law.

15. Contact

For questions about this DPA or to exercise rights under it, contact:

Data Protection Officer
Cassian
New Zealand
Email: dpo@getcassian.com