Data Processing Agreement
This Data Processing Agreement (“DPA”) forms part of, and is incorporated into, the Terms of Service between [LEGAL ENTITY NAME] (“Nodal”, “Processor”) and the brand using the Service (“Client”, “Controller”). It governs Nodal’s processing of Shopper Personal Data on the Client’s behalf and applies where Data Protection Laws — including the EU GDPR, UK GDPR, India’s DPDP Act, 2023, and the CCPA/CPRA — apply.
1. Definitions
Capitalised terms not defined here have the meaning in the Terms of Service. “Data Protection Laws” means all laws applicable to the processing of personal data, including the EU GDPR, UK GDPR, the DPDP Act, 2023, and the CCPA/CPRA. “Controller”, “Processor”, “Data Subject”, “Personal Data”, “Processing”, “Sub-processor”, and “Personal Data Breach” have the meanings given in the GDPR (and equivalent terms — e.g. “Data Fiduciary”, “Data Processor”, “Data Principal” under the DPDP Act; “Business”, “Service Provider”, “Consumer” under the CCPA). “Shopper Personal Data” means Personal Data relating to the Client’s Shoppers that Nodal processes on the Client’s behalf through the Service, as described in Annex I. “SCCs” means the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914).
2. Roles of the parties
For Shopper Personal Data, the Client is the Controller and Nodal is the Processor. Nodal processes Shopper Personal Data only on the Client’s behalf. (For Client account, billing, and support data, Nodal acts as an independent Controller under its Privacy Policy; that data is outside this DPA.) The Client is responsible for the lawfulness of its instructions and for having a valid legal basis and any required notices/consents for the processing.
3. Scope & instructions
The subject matter, duration, nature, and purpose of the processing, the types of Personal Data, and the categories of Data Subjects are described in Annex I. Nodal will process Shopper Personal Data only: (a) to provide the Service in accordance with the Terms; (b) on the Client’s documented instructions (the Terms, this DPA, and use of the Service’s features constitute such instructions); and (c) as required by law, in which case Nodal will inform the Client unless legally prohibited. Nodal will notify the Client if, in its opinion, an instruction infringes Data Protection Laws.
The Service’s analytics is designed to be privacy-minimising: it stores no names, accounts, or IP addresses, uses a non-persistent in-memory identifier, and respects “Do Not Track”. It retains a raw, anonymised event record (tied only to that per-page-load identifier) alongside aggregate metrics and does not build identified individual profiles (see Privacy Policy §4). The parties acknowledge much of this data may not constitute Personal Data; this DPA applies to the extent it does.
4. Processor obligations
Nodal will: process Shopper Personal Data only on documented instructions; ensure persons authorised to process it are bound by confidentiality; implement appropriate technical and organisational measures (Annex II); respect the conditions for engaging Sub-processors (§7); assist the Client with data-subject requests (§8), security, breach notification, and DPIAs (§§9–10); delete or return the data at the end of the Service (§12); and make available information necessary to demonstrate compliance and allow audits (§13).
5. Confidentiality of personnel
Nodal ensures that personnel with access to Shopper Personal Data are subject to a duty of confidentiality and are granted access only on a need-to-know basis.
6. Security measures
Taking into account the state of the art, costs, and the nature and risk of the processing, Nodal implements and maintains the technical and organisational measures described in Annex II, designed to ensure a level of security appropriate to the risk, including (as appropriate) encryption, confidentiality, integrity, availability, resilience, and regular testing of those measures.
7. Sub-processors
The Client provides general authorisation for Nodal to engage Sub-processors to process Shopper Personal Data. Current Sub-processors are listed in Annex III. Nodal will impose data-protection obligations on each Sub-processor that are substantially the same as those in this DPA, and remains liable for its Sub-processors’ performance. Nodal will give the Client notice of any intended addition or replacement of a Sub-processor (by updating Annex III and/or by reasonable means such as email or in-product notice). The Client may object on reasonable data-protection grounds within [14] days; the parties will work in good faith to resolve the objection, and if they cannot, the Client may terminate the affected part of the Service.
8. Data-subject requests
Taking into account the nature of the processing, Nodal will assist the Client by appropriate technical and organisational measures, insofar as possible, to respond to requests by Data Subjects to exercise their rights. If a Data Subject contacts Nodal directly about Shopper Personal Data, Nodal will, where lawful, refer them to the Client or forward the request to the Client without undue delay.
9. Personal data breaches
Nodal will notify the Client without undue delay after becoming aware of a Personal Data Breach affecting Shopper Personal Data, and will provide information reasonably available to it to help the Client meet its own breach-notification obligations. Nodal will take reasonable steps to mitigate and remediate the breach.
10. DPIAs & cooperation
Nodal will provide reasonable assistance to the Client with data-protection impact assessments and prior consultations with supervisory authorities, where required and relating to the Service, taking into account the nature of the processing and the information available to Nodal.
11. International transfers
Where processing of Shopper Personal Data involves a transfer out of the EEA, the UK, or India to a country without an adequacy decision, the parties agree that an appropriate transfer mechanism applies — including the EU SCCs (and the UK Addendum for UK transfers), which are deemed incorporated into this DPA by reference, with Nodal/its Sub-processor as “data importer” and the Client as “data exporter”, the relevant modules and options completed consistently with this DPA and its Annexes. For transfers subject to the DPDP Act, transfers are made consistent with that Act and any government restrictions.
12. Return & deletion
On expiry or termination of the Service, Nodal will, at the Client’s choice, delete or return Shopper Personal Data and delete existing copies, unless retention is required by law. Aggregated or anonymised data that no longer identifies a Data Subject may be retained. Routine deletion timelines are described in the Privacy Policy.
13. Audits
Nodal will make available to the Client information reasonably necessary to demonstrate compliance with this DPA and will allow for and contribute to audits, including inspections, conducted by the Client or an auditor it mandates. To minimise disruption, Nodal may satisfy audit requests by providing relevant documentation, certifications, or summaries of its Sub-processors’ audits, and audits are at the Client’s expense, on reasonable notice, no more than once per year (absent a regulator requirement or a breach), and subject to confidentiality.
14. CCPA service-provider terms
Where the CCPA/CPRA applies and the Client is a “Business”, Nodal acts as a “Service Provider”. Nodal: will not sell or share Shopper Personal Data; will not retain, use, or disclose it except to provide the Service (or as otherwise permitted by the CCPA); will not combine it with personal information from other sources except as permitted by the CCPA; and certifies it understands and will comply with these restrictions. Nodal will assist the Client in responding to verifiable consumer requests.
15. DPDP Act terms
Where the DPDP Act, 2023 applies, the Client is the “Data Fiduciary” and Nodal is a “Data Processor” engaged under a valid contract. Nodal will process personal data only as instructed by the Client to provide the Service, will implement reasonable security safeguards, and will assist the Client in meeting its obligations to Data Principals (including access, correction, erasure, and grievance redressal) and in reporting personal-data breaches as required.
16. Liability & precedence
Each party’s liability under this DPA is subject to the limitations and exclusions of liability in the Terms of Service. In the event of a conflict between this DPA and the Terms regarding the processing of Shopper Personal Data, this DPA prevails; where the SCCs are incorporated and conflict with this DPA, the SCCs prevail to the extent of the conflict.
17. Term
This DPA takes effect when the Client accepts the Terms (or begins using the Service) and continues until Nodal ceases processing Shopper Personal Data on the Client’s behalf. Provisions that by their nature should survive (e.g. confidentiality, deletion, transfers) survive termination.
18. Annexes
Annex I — Details of processing
| Subject matter | Provision of the Nodal embedded 3D virtual-store and spatial-analytics service to the Client. |
|---|---|
| Duration | For the term of the Service. Raw event records are anonymised and, in that anonymised form, retained indefinitely (Privacy Policy §9) — permitted for anonymised data under §12; aggregates likewise. |
| Nature & purpose | Collecting Shopper interaction data to produce store analytics (heatmaps, gaze/visibility, product view/inspect counts, add-to-cart intent, movement friction) for the Client, to develop and improve placement and behavioural models on anonymised/aggregated data, and to serve the embedded store experience. Includes retaining a raw, anonymised event record. |
| Categories of Data Subjects | Shoppers / visitors who interact with the Client’s embedded virtual store. |
| Categories of Personal Data | Anonymous behavioural/spatial-interaction data tied to a non-persistent, in-memory per-page-load identifier: movement/dwell within the store, camera orientation (gaze), product impressions (in-view), product views/inspections, add-to-cart events, and movement friction; plus coarse (country-level) location and device-type/technical signals. No names, account identifiers, contact details, or stored IP addresses. |
| Special-category data | None intended or knowingly processed. |
| Frequency | Continuous, while Shoppers use the embedded store. |
Annex II — Technical & organisational measures
Nodal maintains measures appropriate to the risk, including:
- Encryption — TLS/HTTPS in transit; encryption at rest for sensitive credentials; hashing of passwords and verification codes.
- Data minimisation — analytics collects no direct identifiers or IP addresses and uses a non-persistent identifier; “Do Not Track” is respected.
- Access control — role-based access, least-privilege, signed short-lived tokens for protected assets, and domain-locking of the embed.
- Network & application security — edge protection, rate-limiting, bot mitigation, and isolation of the analytics datastore.
- Resilience — managed, redundant cloud infrastructure with automated backups appropriate to the data.
- Operational — logging of pipeline events for reliability, confidentiality obligations on personnel, and incident-response procedures.
(Update this list to reflect your current measures; a lawyer/security reviewer can help finalise it.)
Annex III — Authorised sub-processors
This list mirrors the sub-processors in the Privacy Policy. Keep both in sync.
| Sub-processor | Function | Location |
|---|---|---|
| Cloudflare | Hosting, edge network, database, object storage, bot protection | [REGION] |
| World Labs | AI 3D-world generation | [REGION] |
| Tripo AI | AI 3D-model generation | [REGION] |
| Razorpay | Billing & payments (Client account data) | [REGION] |
| Resend | Transactional email (Client account data) | [REGION] |
| | Authentication (Client account data) | [REGION] |
| Shopify / WooCommerce / BigCommerce | Catalog & live inventory, where connected by the Client | [REGION] |
Acceptance. This DPA is accepted automatically when the Client accepts the Terms of Service or uses the Service. Enterprise Clients who require a counter-signed copy may request one at [[email protected]].