This Data Processing Agreement (“DPA”) forms an integral part of the Gatekeeper Terms of Service (the “Agreement”) between HoneyWired (“Data Processor”) and the Merchant (“Data Controller”) who installs the Gatekeeper Shopify application (“the Service”).
This DPA satisfies the requirements of Article 28 of the General Data Protection Regulation (GDPR) and the UK GDPR, and governs the processing of Personal Data by HoneyWired on behalf of the Merchant.
1.1 Data Roles: The parties acknowledge that for the processing of Merchant Data (as defined in Annex I), the Merchant acts as the Data Controller and HoneyWired acts as the Data Processor.
1.2 Transparency Regarding Non-Processor Data: For the avoidance of doubt, the Gatekeeper architecture ensures that Visitor Personal Data (such as dates of birth and IP addresses) never reaches HoneyWired’s servers. Furthermore, HoneyWired acts as an independent Data Controller for limited, anonymous system telemetry. Because HoneyWired does not process these datasets on behalf of the Merchant, they are governed by the Gatekeeper Privacy Policy and fall strictly outside the processor obligations of this DPA.
1.3 Documented Instructions: HoneyWired shall process Personal Data only on documented instructions from the Merchant, including with regard to transfers of Personal Data to a third country, unless required to do so by applicable law. The Agreement, this DPA, and the Merchant’s configuration of the Service constitute the Merchant’s complete and final documented instructions.
HoneyWired shall ensure that all personnel, employees, and contractors authorized to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality, and have received appropriate training on data protection.
3.1 General Authorization: The Merchant grants HoneyWired general authorization to engage the sub-processors listed in Annex III. HoneyWired intentionally excludes third-party advertising networks and data brokers from its sub-processor list.
3.2 Onward Transfers and Liability: HoneyWired shall enter into a written agreement with each sub-processor imposing data protection obligations no less protective than those set out in this DPA. HoneyWired remains fully liable to the Merchant for the performance of the sub-processor’s obligations.
3.3 Notice and Objection: HoneyWired will notify the Merchant (via email or in-app notice) of any intended changes concerning the addition or replacement of sub-processors at least thirty (30) days in advance. The Merchant may object to the change by notifying HoneyWired in writing (e.g., to support@honeywired.com) within this 30-day window. If HoneyWired cannot accommodate the objection, the Merchant’s sole remedy is to terminate the Agreement and uninstall the Service without penalty.
Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, HoneyWired shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk. These specific measures are detailed in Annex II (Technical and Organizational Measures).
5.1 Assistance: HoneyWired shall, to the extent legally permitted, promptly notify the Merchant if it receives a request from a Data Subject to exercise their rights under applicable data protection law regarding Merchant Data. HoneyWired shall not respond to such requests directly, except to confirm that the request has been forwarded to the Merchant.
5.2 Operational Support: HoneyWired will assist the Merchant in fulfilling its obligations to respond to data subjects’ requests by utilizing Shopify’s mandatory GDPR webhooks (customers/redact, customers/data_request). This assistance is provided free of charge.
5.3 Direct Visitor Requests: In the event a Visitor contacts HoneyWired directly regarding their data, and the identity of the relevant Merchant cannot be reasonably determined, HoneyWired will respond directly to the Visitor confirming that no identifying records or Visitor Personal Data are held on HoneyWired infrastructure.
6.1 Notification: In the event HoneyWired becomes aware of a Personal Data Breach affecting the Merchant’s Personal Data, HoneyWired shall notify the Merchant without undue delay, and in any event within seventy-two (72) hours of such awareness.
6.2 Information to be Provided: The notification will describe, to the extent possible, the nature of the breach, the categories and approximate number of data subjects and records concerned, the likely consequences, and the measures taken or proposed to mitigate the breach. HoneyWired will provide reasonable assistance to the Merchant to satisfy the Merchant’s own regulatory notification obligations.
7.1 Compliance Documentation: Upon written request, HoneyWired shall make available to the Merchant all information reasonably necessary to demonstrate compliance with the obligations laid down in this DPA (e.g., security questionnaires or summaries of third-party audits).
7.2 Audit Rights: If the documentation provided is insufficient to demonstrate compliance, the Merchant may, at its own expense and no more than once annually, conduct an audit or inspection. Such audits must be requested with at least thirty (30) days’ written notice, conducted during standard business hours, and subject to strict confidentiality agreements. Notwithstanding the annual limit, additional audits may be conducted at HoneyWired’s expense if a prior audit has revealed material non-compliance.
8.1 Deletion Protocol on Redaction Webhook: Upon termination of the Service (via app uninstallation), Shopify issues a shop/redact webhook following an approximate 48-hour delay. HoneyWired shall automatically delete the Merchant’s configuration data, display email, store owner name, other direct identifiers on the shop row, and any remaining raw event ping records for the shop without undue delay, and no later than thirty (30) days after receiving the shop/redact webhook.
8.2 Residual Retention of Anonymized Records: Anonymous aggregate counts and internal install and trial history are retained for up to twelve (12) months following the last active subscription, after which all remaining account data associated with the uninstalled shop is purged. Raw event ping records are independently capped at a maximum retention of ninety (90) days, regardless of subscription status.
8.3 Order Tags Stored by Shopify: When the Service tags a verified order with age-verified-{age}, the tag is written to and stored by Shopify on the Shopify Order resource. These tags are governed by Shopify’s data-retention policies and the Merchant’s data-controller responsibility for their own order data, not by this DPA. HoneyWired does not maintain an independent copy of which specific orders were tagged. The only related figure HoneyWired retains is a non-identifying numeric count of tags applied per shop per day, which contains no order ID, customer ID, or PII and is governed by Section 8.2.
8.4 Abuse Prevention Exception: Notwithstanding Sections 8.1 and 8.2, HoneyWired will securely retain cryptographic one-way hashes of the Merchant’s email address and payment method fingerprints indefinitely, relying on its legitimate interests to prevent systemic billing abuse, as detailed in Annex I. These hashes cannot be reversed into personal data.
8.5 Certification of Deletion: Upon written request, HoneyWired will provide the Merchant with a certification confirming that deletion has been completed in accordance with this section.
Where the processing of Personal Data involves a transfer outside the European Economic Area (EEA), the United Kingdom, or Switzerland to a country not recognized as providing an adequate level of protection, the following mechanisms apply:
9.1 Standard Contractual Clauses (EU): For transfers from the EEA, the Standard Contractual Clauses (Module 2: Controller to Processor) annexed to European Commission Decision 2021/914 shall apply and are deemed incorporated by reference.
9.2 UK Addendum: For transfers from the UK, the UK International Data Transfer Addendum to the Standard Contractual Clauses, issued by the Information Commissioner’s Office (ICO), shall apply.
The Merchant, authorized store operators, and any individuals acting on behalf of the Merchant with administrative access to the Shopify store.
HoneyWired processes the Personal Data for the following purposes:
The duration of the Merchant’s active installation of the Service, plus any applicable webhook delay windows, or until data is deleted in accordance with Section 8.
HoneyWired implements the following measures to protect Personal Data in accordance with GDPR Article 32:
| Sub-processor | Role | Region | Data Categories |
|---|---|---|---|
| Shopify Inc. | Platform host, OAuth, billing, webhooks | US / Canada | All Merchant Account Data and configurations |
| Fly.io, Inc. | Application runtime | United States (ORD — Chicago, IL) | All Merchant Data described in Annex I |
| Neon, Inc. | Managed PostgreSQL database hosting | United States (AWS us-east-2 — Ohio) | All persisted Merchant Data described in Annex I |
For merchants accepting these terms via digital click-through during the installation of the Gatekeeper application, this Agreement is legally binding upon installation without physical signature. For merchants requiring a counter-signed agreement, please contact support@honeywired.com to request a signable PDF.