Data Processing Addendum

Effective Date: March 2, 2026

This Enterprise Data Processing Addendum (“DPA”) is entered into between the Merchant (“Controller”) and devteam (“Processor”) in connection with Wishlist Stack.

1. Scope and Purpose

Processor processes Personal Data solely to provide wishlist API functionality for the Merchant.

2. Categories of Data

Merchant Data: staff name and email (via Shopify OAuth), store identifiers, authentication tokens.

Customer Data: Shopify Customer ID, wishlist contents, wishlist names/descriptions, item notes, JSON properties, product metadata, timestamps.

3. Processor Obligations

Processor shall process data only on instructions, ensure confidentiality, implement security measures, and not use data for advertising or resale.

4. Subprocessors

Authorized subprocessors: Netlify, Neon, Redis/Upstash (United States).

5. International Transfers

Processor will implement Standard Contractual Clauses or equivalent safeguards upon request where required.

6. Data Subject Rights Assistance

Processor will reasonably assist Controller in fulfilling GDPR requests.

7. Deletion

All Personal Data is deleted upon uninstall or termination, without persistent backups.

8. Breach Notification

Processor will notify Controller without undue delay upon becoming aware of a breach.

9. Contact

For DPA inquiries: wishlist-stack@sdg.la