Merchant Data Protection Agreement

Data Processing Addendum (DPA)

Effective Date: January 2025 Last Updated: January 2025

This Data Processing Agreement (“Agreement” or “DPA”) is entered into between:

FraudFighter (“Processor”, “we”, “us”, or “our”)
The Merchant (“Controller”, “you”, or “your”) who installs and uses the FraudFighter application

By installing FraudFighter, you acknowledge that you have read, understood, and agree to be bound by this Agreement.

1. Definitions

Term	Definition
Personal Data	Any information relating to an identified or identifiable natural person, including customer email addresses and order information
Processing	Any operation performed on Personal Data, including collection, use, storage, disclosure, or deletion
Controller	The Merchant who determines the purposes and means of processing Personal Data
Processor	FraudFighter, which processes Personal Data on behalf of the Controller
Data Subject	An individual whose Personal Data is processed (e.g., your customers)
Sub-processor	Any third party engaged by FraudFighter to process Personal Data
Applicable Data Protection Law	GDPR, CCPA/CPRA, PIPEDA, and other applicable privacy regulations

2. Scope of Data Processing

2.1 Purpose of Processing

FraudFighter processes Personal Data solely to provide fraud detection and prevention services, specifically:

Detecting and blocking Amazon “Buy for Me” orders
Tagging orders identified as potentially fraudulent
Canceling and refunding fraudulent orders (when enabled)

2.2 Categories of Personal Data Processed

Category	Data Elements	Storage
Merchant Data	Shop domain, OAuth tokens, user name, email	Stored securely
Customer Data	Email addresses, order identifiers	Processed in memory only, NOT stored
Configuration Data	App settings and preferences	Stored as Shopify metafields

2.3 Processing Activities

Activity	Description	Data Retained
Email pattern matching	Check if customer email ends with `buyforme.amazon` domain	No
Order tagging	Add tags to orders via Shopify API	No
Order cancellation	Cancel orders via Shopify API	No
Session management	Maintain merchant authentication	Yes (merchant data only)

3. Roles and Responsibilities

3.1 Merchant (Controller) Responsibilities

As the Controller, you are responsible for:

Ensuring you have a lawful basis to process customer data for fraud prevention
Informing your customers about your use of fraud detection services in your privacy policy
Configuring FraudFighter settings according to your business needs and legal obligations
Responding to data subject requests from your customers
Ensuring your use of FraudFighter complies with applicable laws

3.2 FraudFighter (Processor) Responsibilities

As the Processor, we are responsible for:

Processing Personal Data only as instructed by you and as described in this Agreement
Implementing appropriate technical and organizational security measures
Assisting you in responding to data subject requests
Notifying you of any data breaches affecting your data
Deleting or returning Personal Data upon termination of services
Maintaining records of processing activities

4. Data Transfer Mechanisms

4.1 Data Location

FraudFighter may process data in the following locations:

Application hosting: Cloud infrastructure in the United States or European Union
Shopify infrastructure: Data stored as metafields remains within Shopify’s infrastructure

4.2 International Transfers

For transfers of Personal Data outside the European Economic Area (EEA), we rely on:

Standard Contractual Clauses (SCCs) approved by the European Commission
Adequacy decisions where applicable
Other lawful transfer mechanisms as required

4.3 No Customer Data Storage

Because FraudFighter does not store customer Personal Data, the data transfer risks are minimized. Customer email addresses are:

Received via Shopify webhook
Checked against fraud patterns in memory
Immediately discarded after processing

5. Security Measures

5.1 Technical Measures

We implement the following security controls:

Encryption in Transit: All data transmitted over HTTPS/TLS 1.2+
Authentication: OAuth 2.0 for Shopify API access
Webhook Verification: Cryptographic signature validation on all incoming webhooks
Access Control: Role-based access with principle of least privilege
Secure Development: Following Shopify security best practices

5.2 Organizational Measures

Limited personnel access to production systems
Security awareness training for team members
Incident response procedures
Regular security reviews

5.3 No Customer PII Storage

The most effective security measure is our architectural decision to not store customer Personal Data. This eliminates risks associated with:

Database breaches
Unauthorized access to customer records
Long-term data exposure

6. Sub-processors

6.1 Current Sub-processors

Sub-processor	Purpose	Location
Shopify Inc.	Platform hosting, API services, metafield storage	Global (US/EU)
Cloud hosting provider	Application infrastructure	As configured

6.2 Sub-processor Changes

We will notify you of any intended changes to sub-processors. You may object to such changes within 30 days. If we cannot accommodate your objection, you may terminate your use of the service.

7. Data Subject Rights

7.1 Your Obligations

As the Controller, you must:

Provide your customers with information about their data protection rights
Respond to data subject requests (access, deletion, portability, etc.)
Forward any requests received by us to the appropriate parties

7.2 Our Assistance

We will assist you in responding to data subject requests by:

Providing information about our processing activities
Confirming that no customer data is stored in our systems
Implementing technical measures to support data subject rights

7.3 Compliance Webhooks

We have implemented Shopify’s mandatory compliance webhooks:

Webhook	Response
`customers/data_request`	Confirmation that no customer data is stored
`customers/redact`	Confirmation that no customer data exists to delete
`shop/redact`	Deletion of merchant session data

8. Data Retention

8.1 Customer Data

Retention Period: None (0 seconds)

Customer Personal Data is processed in real-time and immediately discarded. We do not retain customer email addresses, order details, or any other customer information.

8.2 Merchant Data

Data Type	Retention Period
Session/OAuth tokens	Until app uninstallation + 48 hours
User information	Until app uninstallation + 48 hours
App configuration	Managed by Shopify (metafields)

8.3 Logs

Server logs containing operational data are retained for a maximum of 30 days for debugging and security purposes. Customer email addresses are masked in production logs.

9. Data Breach Notification

9.1 Notification Timeline

In the event of a data breach affecting your Personal Data, we will:

Notify you without undue delay (within 72 hours of becoming aware)
Provide details of the breach, including nature, scope, and potential impact
Describe measures taken or proposed to address the breach
Cooperate with your notification obligations to supervisory authorities

9.2 Contact for Breach Notification

Data breaches will be communicated to the email address associated with your Shopify account.

10. Audit Rights

10.1 Documentation

Upon reasonable request, we will provide:

Documentation of our security measures
Summaries of relevant third-party audits or certifications
Answers to security questionnaires

10.2 Audits

You may request an audit of our data processing practices with reasonable notice. We will cooperate with such audits, subject to reasonable confidentiality requirements.

11. Termination and Data Deletion

11.1 Upon Uninstallation

When you uninstall FraudFighter:

All processing of your data ceases immediately
Your session data is deleted within 48 hours
App configuration (metafields) is retained by Shopify unless you delete them

11.2 Customer Data

Because we do not store customer data, no customer data deletion is required upon termination.

11.3 Certification

Upon request, we will certify in writing that all your data has been deleted in accordance with this Agreement.

12. Governing Law

This Agreement is governed by:

For EU merchants: The laws of the European Union and the GDPR
For California merchants: The laws of California and the CCPA/CPRA
For all other merchants: The laws applicable in your jurisdiction

13. Agreement Acceptance

By installing and using FraudFighter, you:

Confirm you have read and understood this Data Protection Agreement
Agree to the processing of Personal Data as described herein
Acknowledge your responsibilities as a Data Controller
Accept FraudFighter as your Data Processor for the stated purposes

14. Contact Information

For questions about this Agreement or our data protection practices:

FraudFighter Data Protection Email: support@fraudfighter.pro

For EU-specific inquiries, you may also contact your local supervisory authority.

15. Updates to This Agreement

We may update this Agreement to reflect changes in:

Our processing activities
Applicable data protection laws
Sub-processors

Material changes will be communicated via the email associated with your Shopify account. Continued use of FraudFighter after such updates constitutes acceptance of the revised Agreement.

This Data Protection Agreement is part of the FraudFighter Terms of Service and should be read in conjunction with our Privacy Policy.