Legal · Effective 2026-04-23

Data Processing Agreement.

This DPA governs Trooply's processing of personal data on your behalf under GDPR Art. 28 and analogous laws. It forms part of the Terms of Service. A countersigned PDF version is available on request — email [email protected] with subject "DPA".

1. Roles

The Customer is the controller of the personal data processed through the Trooply platform. Trooply Inc. is the processor. Where Trooply uses sub-processors (see §7), Trooply remains liable to the Customer for their acts and omissions.

2. Subject-matter and duration of processing

  • Subject-matter: provision of the Trooply Visual Search platform as described in the Terms of Service.
  • Duration: the term of the subscription, plus any retention period required by law.
  • Nature: storage, indexing, querying, and presentation of product catalog data and search traffic generated by the Customer's end users.
  • Purpose: enabling visual and text search functionality on the Customer's storefront.

3. Categories of data and data subjects

Category | Typical content | Data subjects
Account data | Name, email, company, billing country | Customer's employees / contractors using the portal
Shopper-query data | Search query text, image upload (transient), top result IDs, timestamp | Customer's end-user shoppers
Catalog data | Product ID, image URL, metadata supplied by the Customer | N/A (product records, not personal data unless the Customer chooses to include it)
Usage logs | API request metadata (endpoint, status, request ID, duration, IP) | Customer's employees and end-user shoppers indirectly, via IP

4. Customer obligations

  • The Customer warrants that it has a lawful basis under GDPR Art. 6 for the processing instructed.
  • Where indexed content includes personal data (e.g. a product photo depicting an identifiable model), the Customer warrants that the depicted person consented or the processing falls under another lawful basis.
  • The Customer is responsible for responding to end-user data-subject requests in the first instance. Trooply will assist where the request concerns data Trooply holds.

5. Trooply obligations

  • Process personal data only on the Customer's documented instructions (set by configuration, API calls, and this DPA).
  • Ensure that personnel authorised to process the personal data are under a contractual or statutory confidentiality obligation.
  • Implement the technical and organisational measures described in Security and summarised in Annex A below.
  • Assist the Customer in responding to data-subject rights requests within 30 days.
  • Notify the Customer of any personal-data breach within 72 hours of becoming aware, with the information required by GDPR Art. 33.
  • On termination, delete or return all personal data within 30 days unless law requires retention.

6. Technical and organisational measures (Annex A)

Summary — see Security for detail:

  • TLS 1.3 in transit; AES-256 at rest.
  • Per-tenant data isolation (dedicated Qdrant collection, row-level tenant scoping in Postgres).
  • OAuth 2.0 with signed JWTs; Origin-bound public keys for widget search.
  • Role-based access control inside the portal; 2FA available.
  • Centralised logging with 30-day retention; access-control decisions auditable.
  • Daily backups, 14-day retention, point-in-time recovery; quarterly restore drills.
  • Documented vulnerability-disclosure process and incident-response runbook.

7. Sub-processors

The current sub-processors are:

Sub-processor | Role | Data | Region
Stripe, Inc. | Payments, subscription management | Billing contact, billing country, card tokens (no PAN) | EU + US (SCCs)
Cloudflare, Inc. | CDN, DDoS protection, DNS | IP addresses, request metadata | Global edge network
Primary hosting provider | Compute and database hosting | All categories in §3 | Region specified in contract (default: EU)
Transactional email provider | Account verification, billing receipts, breach notifications | Email address, message content | EU

We will notify the Customer by email at least 14 days before engaging a new sub-processor that would process personal data, giving the Customer an opportunity to object. If the Customer reasonably objects, the parties will work to agree on an alternative; failing agreement, the Customer may terminate the affected portion of the service.

8. International transfers

Where Trooply transfers personal data outside the EEA / UK, the transfer is covered by the European Commission's Standard Contractual Clauses (2021/914) or, for UK transfers, the ICO International Data Transfer Addendum. These are deemed incorporated into this DPA where applicable.

9. Audit rights

The Customer may, at its own cost and with at least 30 days' written notice, audit Trooply's compliance with this DPA no more than once per 12 months, or additionally following a personal-data breach. Trooply may satisfy audit requests by providing its most recent independent audit report (e.g. SOC 2 Type II when available) instead of an on-site audit.

10. Return or deletion

On termination of the Terms of Service, or earlier at the Customer's written request, Trooply will — at the Customer's choice — return all personal data in a machine-readable format (JSON export) or delete it, within 30 days. Copies retained solely in encrypted backups are deleted on the next backup rotation (within 14 days) and remain inaccessible in the meantime.

11. Liability

The liability of each party under this DPA is subject to the limitation-of-liability clause in the Terms of Service.

12. Governing law

This DPA is governed by the same law as the Terms of Service.

Contact

DPA questions, countersigned copy requests, sub-processor change notifications: [email protected].