Data Processing Addendum

Last updated: 2024.01.01

This Data Processing Addendum (“DPA”) forms part of the agreement between TinyBackup (“Processor”, “we”, “us”) and the merchant installing or using the TinyBackup application (“Controller”, “you”).

This DPA applies where TinyBackup processes Personal Data on behalf of the Controller and is intended to comply with the EU General Data Protection Regulation (“GDPR”) and other applicable data protection laws.

1. Definitions

  • Controller: The merchant using the TinyBackup application.
  • Processor: TinyBackup.
  • Personal Data: Any information relating to an identified or identifiable natural person.
  • Processing: Any operation performed on Personal Data, including storage, backup, and restoration.

Terms not defined here have the meaning given in the GDPR.

2. Roles and responsibilities

  • The Controller determines the purposes and means of processing Personal Data.
  • TinyBackup acts solely as a Data Processor and processes Personal Data only on documented instructions from the Controller.
  • TinyBackup does not determine how or why Personal Data is processed outside the scope of providing backup and restore services.

3. Scope and purpose of processing

TinyBackup processes data exclusively to provide Shopify store backup, restore, and change-tracking services.

Processing activities include:

  • Creating automatic daily backups
  • Creating periodic full backups
  • Storing backup data securely
  • Restoring data upon request
  • Displaying change history and logs
  • Sending operational backup notifications

TinyBackup does not use store data for marketing, analytics, or advertising purposes.

4. Categories of data processed

Depending on store configuration, TinyBackup may process:

  • Products
  • Collections
  • Pages
  • Blogs and articles
  • Navigation and content
  • Orders
  • Customers (including names and email addresses, if enabled)
  • Store metadata and configuration

TinyBackup does not intentionally process special categories of personal data.

5. Duration of processing

  • Data is processed for the duration that TinyBackup is installed and active.
  • Backup data is retained according to configured retention periods.
  • Upon uninstallation, backup data is deleted within a reasonable period, unless retention is required by law.

6. Security measures

TinyBackup implements appropriate technical and organizational measures to protect Personal Data, including:

  • Encryption of data in transit and at rest
  • Logical separation of customer data
  • Restricted access based on role and necessity
  • Secure hosting infrastructure
  • Monitoring and logging of system activity

These measures are designed to prevent unauthorized access, loss, or alteration of data.

7. Sub-processors

TinyBackup may engage sub-processors to support service delivery, including:

  • Cloud hosting and infrastructure providers
  • Database and storage services
  • Email delivery providers for backup notifications

All sub-processors are required to meet GDPR-equivalent security and data protection obligations.

A current list of sub-processors is available upon request.

8. International data transfers

Where Personal Data is transferred outside the European Economic Area (EEA), TinyBackup ensures appropriate safeguards are in place, including standard contractual clauses or equivalent lawful mechanisms.

9. Data subject rights

TinyBackup assists Controllers in responding to requests from data subjects, including:

  • Access
  • Rectification
  • Erasure
  • Restriction
  • Data portability

Requests should be submitted through TinyBackup support. TinyBackup will respond without undue delay.

10. Personal data breach notification

In the event of a Personal Data breach affecting Controller data:

  • TinyBackup will notify the Controller without undue delay after becoming aware of the breach.
  • The notification will include available information to support regulatory and user notifications.

11. Deletion and return of data

Upon termination of services or app uninstallation:

  • Backup data will be deleted from active systems within a reasonable timeframe.
  • Encrypted residual backups may be retained temporarily for disaster recovery purposes only and are automatically purged.

12. Audits and compliance

  • TinyBackup makes reasonable information available to demonstrate compliance with this DPA.
  • Formal audits may be agreed upon request for enterprise or Shopify Plus customers, subject to reasonable notice and scope.

13. Governing law

This DPA is governed by applicable data protection laws, including the GDPR.

Where conflicts exist, this DPA takes precedence over other agreements regarding Personal Data processing.

14. Acceptance

By installing or using the TinyBackup application, you acknowledge and agree to this Data Processing Addendum.