Data Processing Agreement (DPA) — Codixio EU Withdrawal Button
DRAFT — FOR LEGAL REVIEW BEFORE PUBLICATION
The legally binding version of this DPA is the German version at
https://legal.codixio.com/apps/eu-withdrawal-button/dpa. This English translation is provided for convenience only. Professional legal review is mandatory before publication.
Last updated: 24 April 2026
§ 1 Parties
Controller (within the meaning of Art. 4(7) GDPR; the "Merchant"): The owner of the Shopify shop where the Codixio EU Withdrawal Button App is installed (see Shopify account data).
Processor (within the meaning of Art. 4(8) GDPR; "Codixio"):
Matthias Jakisch
Freelance software developer
Hauptstr. 34, OT Etingen
39359 Oebisfelde-Weferlingen
Germany
Phone: +49 39059 974988
Email: legal@codixio.com
§ 2 Preamble and conclusion
(1) This agreement specifies the data-protection obligations of the parties arising from the usage agreement between the Merchant and Codixio for the Shopify App "Codixio EU Withdrawal Button" ("Main Agreement"). It covers all activities in which Codixio processes personal data on behalf of the Merchant (Art. 28 GDPR).
(2) The agreement takes effect upon installation of the App by the Merchant in the Shopify App Store.
§ 3 Subject matter, duration and processing location
(1) Subject matter: Codixio processes personal data of consumers and of the Merchant exclusively in order to fulfil, on behalf of the Merchant, the obligations under Consumer Rights Directive 2011/83/EU as amended by Directive (EU) 2023/2673 (Art. 11a, withdrawal function) and under §§ 355-357 BGB.
(2) Duration: starts with App installation, ends with uninstallation or termination of the Main Agreement, whichever comes first.
(3) Location: Germany (Hetzner data centres Falkenstein and Nuremberg). Third-country transfers take place exclusively under § 12.
§ 4 Nature and purpose of processing
- Capture of withdrawal requests via the storefront form
- Anti-fraud matching of the consumer email against the Shopify order
- Storage of withdrawal data for audit and evidence purposes
- Delivery of the legally required durable-medium confirmation email
- Notification of the Merchant about new withdrawal requests
- Optional from v0.2.0: AI-assisted workflow features (categorisation, sentiment analysis, translation, draft replies) — only with anonymised data
- Optional from v0.3.0 (Max tier): SMS and WhatsApp confirmations — only with double opt-in
§ 5 Categories of personal data
- Consumer: email, name, shipping address, optional phone number (Max tier with double opt-in only), withdrawal reason (free-form), timestamp
- Pseudonymised data: SHA-256 hash of IP address with per-shop salt (never in plaintext)
- Merchant: shop domain, merchant email, shop configuration, OAuth token (encrypted), credit balance from v0.2.0
§ 6 Categories of data subjects
- End consumers (customers of the Merchant) who declare a withdrawal under Directive 2011/83/EU
- Merchant staff using the App in the Shopify Admin
§ 7 Obligations of the Processor (Codixio)
Codixio undertakes to:
- a) Process personal data only on documented instructions from the Merchant. Instructions arise from this DPA, the Main Agreement and the App configuration by the Merchant.
- b) Ensure that all persons authorised to process the data are bound by confidentiality or subject to an appropriate statutory duty of confidentiality (Art. 28(3)(b) GDPR).
- c) Implement the TOMs described in § 9 and Annex 1 in accordance with Art. 32 GDPR.
- d) Inform the Merchant immediately if an instruction violates GDPR or other EU/Member State data-protection law (Art. 28(3) sentence 3 GDPR).
- e) Assist the Merchant in fulfilling its obligations under Art. 32-36 GDPR (security of processing, breach notification, DPIA where applicable). Codixio notifies the Merchant without undue delay after becoming aware of a personal-data breach (Art. 33(2) GDPR) so that the Merchant can meet its own 72-hour notification deadline to the supervisory authority (Art. 33(1) GDPR).
- f) Assist the Merchant in responding to data-subject requests (access, rectification, erasure, restriction, portability, objection), in particular via the Shopify `customers/data_request` and `customers/redact` webhooks.
- g) Delete or, upon the Merchant's request, return all personal data within 48 hours of termination of the Main Agreement, unless a statutory retention obligation applies.
- h) Provide the Merchant with all information necessary to demonstrate GDPR compliance and allow audits by the Merchant or an auditor mandated by the Merchant (see § 13).
§ 8 Obligations of the Controller (Merchant)
The Merchant undertakes to:
- a) Ensure a proper lawful basis for the data processing (in particular informing consumers pursuant to Art. 13 GDPR in its own shop).
- b) Inform Codixio about data-subject access, deletion or rectification requests.
- c) Configure the App (in particular the retention period and AI feature activation) in line with its own legal requirements.
- d) Inform consumers about the processing in its own privacy policy, including the use of Codixio as external processor.
§ 9 Technical and organisational measures (TOMs)
Codixio implements the TOMs under Art. 32 GDPR. The full list is in Annex 1. Core points:
- AES-256-GCM encryption of all PII fields at rest under per-shop DEK; DEK master-key-wrapped
- TLS 1.2+ for all data in transit, HSTS header
- Multi-factor authentication for all production access
- Rate limiting and scanner blocker on API endpoints
- Daily backups, quarterly recovery tests
- Audit log of all production access and relevant actions
- Automated daily retention sweeps
- Quarterly master-key rotation
§ 10 Sub-processors and AI special clauses
10.1. General authorisation
By concluding this DPA, the Merchant grants general authorisation to engage the sub-processors listed in Annex 2 (Art. 28(2) sentence 1 GDPR).
10.2. Change procedure
Codixio will inform the Merchant about intended changes to the sub-processor list with at least 30 days' notice by email. Within this period, the Merchant may object. In case of objection, both parties are entitled to terminate the Main Agreement with 30 days' notice if no agreement can be reached.
10.3. AI special clauses (from v0.2.0)
When AI features are activated by the Merchant, the following additional clauses apply:
- a) Deployer status under EU AI Act: Codixio is a deployer of a General-Purpose AI Model (GPAI, Claude by Anthropic, PBC) within the meaning of Art. 3(4) Regulation (EU) 2024/1689. The deployed AI features are not high-risk systems per Annex III. Applicable obligations for Codixio are therefore Art. 4 (AI Literacy, effective since 02 February 2025) and Art. 50 (transparency obligations). The deployer obligations for high-risk systems under Art. 26 and the Fundamental Rights Impact Assessment under Art. 27 are not applicable.
- b) Anonymisation guarantee: Codixio operates a code-level anonymisation layer (`app/services/ai-sanitize.server.ts`) that replaces every PII field with a token placeholder before any outbound AI request. The layer is covered by unit tests asserting that no plaintext PII can leak through. The Merchant relies on Codixio's anonymisation layer for PII protection, not on the AI provider.
- c) Anthropic training clause: According to Anthropic, PBC, models are not trained on Codixio API traffic (Anthropic Commercial Terms as of 2026-04-24). Codixio verifies this clause against the then-current Anthropic terms at signature time.
- d) AI log retention at Anthropic: governed by Anthropic's Data Usage Policy at the time of processing. Codixio documents this period in the sub-processor profile.
- e) Right to switch provider: Codixio reserves the right to change the AI provider without separate Merchant approval, as long as TOMs (anonymisation, no plaintext PII) and SCCs (or an equivalent protection mechanism) remain equivalent. The new provider will be notified per § 10.2.
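The tokenisation described in clause b), shown as an added illustrative example in TypeScript. This is not Codixio's `ai-sanitize.server.ts` and makes several assumptions: the PII field names are taken from Annex 1 A1.1; the `[[FIELD]]` token format, the decision to keep the free-form `reason` text (scrubbed) so that categorisation and sentiment analysis remain possible, and the email/phone patterns are choices made for this example. The sample record is constructed. One practitioner point the example makes explicit: field-level tokenisation alone does not cover identifiers a consumer types into a free-text field, so the free text needs its own scrub, and an outbound leak check against the original values is what a unit test of the kind mentioned in clause b) asserts on.

```typescript
// Added example (not Codixio's ai-sanitize.server.ts): replace PII fields with
// token placeholders before an outbound AI request, scrub direct identifiers from
// free text, keep a reversible mapping for draft replies, and check for leaks.

// Field names follow Annex 1 A1.1; the record shape itself is an assumption.
export interface WithdrawalRecord {
  customerEmail: string;
  customerName: string;
  customerAddress: string;
  customerNotes: string;
  reason: string;    // free-form text, kept for categorisation but scrubbed
  timestamp: string;
}

const PII_FIELDS = ["customerEmail", "customerName", "customerAddress", "customerNotes"] as const;

// Patterns for identifiers that commonly end up in free text (example patterns,
// not an exhaustive PII detector).
const EMAIL_RE = /[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}/gi;
const PHONE_RE = /(?:\+|00)\d[\d\s\-\/()]{6,}\d/g;

export interface Sanitised {
  payload: Record<string, string>;   // what may leave the system
  mapping: Map<string, string>;      // token -> original value, never sent
}

export function sanitise(rec: WithdrawalRecord): Sanitised {
  const mapping = new Map<string, string>();
  const payload: Record<string, string> = { timestamp: rec.timestamp };

  // Structured PII fields become fixed placeholders.
  for (const field of PII_FIELDS) {
    const token = `[[${field.toUpperCase()}]]`;
    mapping.set(token, rec[field]);
    payload[field] = token;
  }

  // Free text: replace anything that looks like an email or phone number with a
  // numbered token so the model still sees that "a contact detail" was given.
  let n = 0;
  payload.reason = rec.reason
    .replace(EMAIL_RE, (m) => { const t = `[[EMAIL_${++n}]]`; mapping.set(t, m); return t; })
    .replace(PHONE_RE, (m) => { const t = `[[PHONE_${++n}]]`; mapping.set(t, m); return t; });

  return { payload, mapping };
}

// Re-insert the real values into the model's reply before showing it to the merchant.
export function restore(text: string, mapping: Map<string, string>): string {
  let out = text;
  mapping.forEach((value, token) => { out = out.split(token).join(value); });
  return out;
}

// Leak check: returns the names of PII fields whose original value still appears
// anywhere in the serialised outbound payload (case-insensitive). Empty = clean.
export function leaksPii(rec: WithdrawalRecord, payload: Record<string, string>): string[] {
  const blob = JSON.stringify(payload).toLowerCase();
  const leaked: string[] = [];
  for (const field of PII_FIELDS) {
    if (rec[field] && blob.includes(rec[field].toLowerCase())) leaked.push(field);
  }
  return leaked;
}
```

The mapping stays on the server side; only `payload` is serialised into the prompt. Because the placeholders are deterministic per field, a reply such as "Dear [[CUSTOMERNAME]]" can be restored without the model ever having seen the name.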
§ 11 Liability
Note: this clause requires legal review before publication.
The liability of the parties is governed by the Main Agreement. This DPA does not amend those provisions. Both parties are directly liable to data subjects for damages suffered as a result of processing in breach of GDPR obligations, in accordance with Art. 82 GDPR, irrespective of the internal allocation of liability between the parties.
§ 12 Third-country transfers and Standard Contractual Clauses
In v0.1.0 there is no third-country transfer: all active sub-processors (Hetzner Online GmbH, Germany; Sendinblue SAS / Brevo, France) are based in the EU.
From v0.2.0, Anthropic, PBC (USA) is additionally engaged for AI inference. Where personal data are then transferred to sub-processors in third countries, the EU Standard Contractual Clauses per Commission Implementing Decision (EU) 2021/914 of 4 June 2021 (Module 2 "Controller to Processor") apply between Merchant, Codixio and the respective sub-processor. The SCCs form an integral part of the respective sub-processor DPA.
A Transfer Impact Assessment (TIA) under the ECJ ruling C-311/18 ("Schrems II") is held internally at Codixio and can be reviewed on request at legal@codixio.com. Methodological basis: EDPB Recommendations 01/2020 on measures that supplement transfer tools.
§ 13 Audit and inspection rights
(1) Right to information: The Merchant may at any time request information from Codixio about the TOMs and compliance with this DPA. On request, Codixio provides TOM documentation (Annex 1) and audit reports.
(2) On-site inspection: The Merchant may carry out an on-site inspection at Codixio after reasonable advance notice (at least 30 days) during normal business hours. The cost is borne by the Merchant unless a breach of duty by Codixio is identified.
(3) Standardised audit reports: In lieu of an on-site inspection, Codixio may provide an up-to-date audit report by an independent auditor (e.g. ISO 27001), provided it covers the areas requiring review.
§ 14 Term and termination
(1) This DPA runs synchronously with the Main Agreement. Termination of the Main Agreement also terminates this DPA.
(2) Codixio fulfils the deletion or return obligation under § 7(g) within 48 hours of termination of the Main Agreement.
§ 15 Final provisions
(1) Applicable law: German law, excluding the UN Convention on Contracts for the International Sale of Goods (CISG).
(2) Place of jurisdiction: Magdeburg, to the extent permitted by law.
(3) Written form: amendments and supplements require written form. Written form is also satisfied by electronic form (qualified electronic signature or documented email confirmation by both parties).
§ 16 Severability
If individual provisions of this DPA are invalid, the validity of the remaining provisions remains unaffected. The invalid provision is replaced by a valid one that comes closest to the economic intent.
§ 17 Co-signature
This DPA is designed as an e-signature document. Signing is done electronically (e.g. via DocuSign or a comparable provider, or by documented email confirmation by both parties). A PDF download for local archiving is offered in the Codixio admin.
Date of Codixio signature: ________________________ Date of Merchant signature: ________________________
Annex 1 — Technical and organisational measures (TOMs) under Art. 32 GDPR
A1.1. Pseudonymisation and encryption (Art. 32(1)(a) GDPR)
- Encryption at rest: AES-256-GCM of all PII fields (customerEmail, customerName, reason, customerNotes, customerAddress) under per-shop Data Encryption Key (DEK); DEK master-key-wrapped; master key in Coolify secrets, rotated quarterly.
- Encryption in transit: TLS 1.2+ mandatory, HSTS header `max-age=31536000; includeSubDomains; preload`.
- Pseudonymisation: per-shop salted SHA-256 hashing of all IP addresses (never stored in plaintext).
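The key hierarchy and IP pseudonymisation described in A1.1, shown as an added example in TypeScript on Node's `crypto` module. This is illustrative code written for this page, not Codixio's implementation. Assumptions: the stored layout `iv || tag || ciphertext`, the additional authenticated data (AAD) binding each ciphertext to `<shop>:<column>`, the `ShopKeyRecord` shape and all names. Two points the code makes that the bullet list does not: binding AAD to shop and column means a ciphertext copied into another shop's row or another column fails to decrypt even though the key is valid, and master-key rotation only re-wraps the per-shop DEKs, so row ciphertexts are untouched. Caveat on the last function: a salted SHA-256 of an IPv4 address is pseudonymisation, not anonymisation. Whoever holds the per-shop salt can recover the address by enumerating the 2^32 IPv4 space, so the salt belongs in the same secret store as the keys.

```typescript
// Added example (not Codixio's code): field-level AES-256-GCM encryption under a
// per-shop DEK that is itself wrapped by a master key, master-key rotation by
// re-wrapping, and per-shop salted SHA-256 IP pseudonymisation.
import { createCipheriv, createDecipheriv, createHash, randomBytes } from "node:crypto";

const ALG = "aes-256-gcm";
const IV_LEN = 12;  // 96-bit nonce, the recommended GCM nonce size; random per encryption
const TAG_LEN = 16; // 128-bit authentication tag

// Encrypts one PII field. `aad` (assumed format "<shop>:<column>") is authenticated
// but not encrypted, so a ciphertext moved to another shop or column will not open.
// Stored layout (assumption): base64(iv || tag || ciphertext).
export function sealField(key: Buffer, plaintext: string, aad: string): string {
  const iv = randomBytes(IV_LEN);
  const cipher = createCipheriv(ALG, key, iv, { authTagLength: TAG_LEN });
  cipher.setAAD(Buffer.from(aad, "utf8"));
  const ct = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), ct]).toString("base64");
}

// Decrypts a field. final() throws if the tag does not verify, i.e. if iv,
// ciphertext or aad were modified by even one bit.
export function openField(key: Buffer, sealed: string, aad: string): string {
  const buf = Buffer.from(sealed, "base64");
  const iv = buf.subarray(0, IV_LEN);
  const tag = buf.subarray(IV_LEN, IV_LEN + TAG_LEN);
  const ct = buf.subarray(IV_LEN + TAG_LEN);
  const decipher = createDecipheriv(ALG, key, iv, { authTagLength: TAG_LEN });
  decipher.setAAD(Buffer.from(aad, "utf8"));
  decipher.setAuthTag(tag);
  return Buffer.concat([decipher.update(ct), decipher.final()]).toString("utf8");
}

// A shop's DEK is random and persisted only in wrapped form, together with the id
// of the master key that wrapped it (record shape is an assumption).
export interface ShopKeyRecord { shop: string; masterKeyId: string; wrappedDek: string; }

export function createShopKey(shop: string, masterKey: Buffer, masterKeyId: string): { record: ShopKeyRecord; dek: Buffer } {
  const dek = randomBytes(32);
  const wrappedDek = sealField(masterKey, dek.toString("base64"), `dek:${shop}`);
  return { record: { shop, masterKeyId, wrappedDek }, dek };
}

export function unwrapDek(record: ShopKeyRecord, masterKey: Buffer): Buffer {
  return Buffer.from(openField(masterKey, record.wrappedDek, `dek:${record.shop}`), "base64");
}

// Quarterly master-key rotation: re-wrap each DEK under the new master key. Row
// ciphertexts are untouched, so rotation costs one operation per shop, not per row.
export function rotateMasterKey(record: ShopKeyRecord, oldMaster: Buffer, newMaster: Buffer, newMasterKeyId: string): ShopKeyRecord {
  const dek = unwrapDek(record, oldMaster);
  const wrappedDek = sealField(newMaster, dek.toString("base64"), `dek:${record.shop}`);
  return { shop: record.shop, masterKeyId: newMasterKeyId, wrappedDek };
}

// Pseudonymised IP as in Annex 1: sha256(perShopSalt || ip). The same IP yields the
// same token within one shop and an unrelated token in another shop.
export function pseudonymiseIp(perShopSalt: Buffer, ip: string): string {
  return createHash("sha256").update(perShopSalt).update(ip, "utf8").digest("hex");
}

// Tamper check: flips the last ciphertext bit and reports whether decryption is
// rejected (true means the authentication tag caught the modification).
export function tamperedDecryptFails(key: Buffer, sealed: string, aad: string): boolean {
  const buf = Buffer.from(sealed, "base64");
  buf[buf.length - 1] ^= 0x01;
  try {
    openField(key, buf.toString("base64"), aad);
    return false;
  } catch {
    return true;
  }
}
```

The wrapped DEK carries the id of the master key that wrapped it, so during a rotation window the service can tell which master key to use per shop and can verify afterwards that no record still references the retired key.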
A1.2. Confidentiality, integrity, availability and resilience (Art. 32(1)(b) GDPR)
Physical access control: Hetzner data centres Falkenstein and Nuremberg are ISO-27001 certified (access systems, video surveillance, alarms); Codixio has no physical access.
Logical access control: multi-factor authentication for all production access (SSH with key + TOTP). Least-privilege principle. No shared accounts.
Data access control: shop-id-scoped queries at the application layer; physical separation of the credits database from the withdrawal database.
Separation: logical separation per shop at the application layer.
Integrity protection:
- Database constraints and application validation (Zod) at all input boundaries
- Webhook HMAC signature verification for all Shopify inputs
- AES-GCM authentication tag detects any modification of encrypted data (a tampered ciphertext, nonce or associated data fails to decrypt rather than yielding altered plaintext)
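The webhook signature verification listed above, as an added example (not Codixio's code). Shopify signs each webhook with HMAC-SHA256 over the raw request body using the app's client secret and sends the base64 digest in the `X-Shopify-Hmac-Sha256` header. The secret and the payload below are constructed, not real credentials or captured traffic. The example also shows the usual pitfall: verifying over a re-serialised JSON body instead of the raw bytes changes the digest and rejects a legitimate webhook, so the raw body must be read before any JSON parsing middleware runs.

```typescript
// Added example (not Codixio's code): constant-time verification of a Shopify
// webhook HMAC over the raw body, plus a demonstration of the raw-body pitfall.
import { createHmac, timingSafeEqual } from "node:crypto";

// Shopify sends base64(HMAC-SHA256(clientSecret, rawBody)) in X-Shopify-Hmac-Sha256.
export function computeShopifyHmac(clientSecret: string, rawBody: Buffer): string {
  return createHmac("sha256", clientSecret).update(rawBody).digest("base64");
}

// Returns true only if the header is present and matches; comparison is constant-time.
export function verifyShopifyWebhook(clientSecret: string, rawBody: Buffer, headerValue: string | undefined): boolean {
  if (!headerValue) return false;
  const expected = Buffer.from(computeShopifyHmac(clientSecret, rawBody), "base64");
  const received = Buffer.from(headerValue, "base64");
  // timingSafeEqual throws on unequal lengths, so reject those explicitly first.
  if (expected.length !== received.length) return false;
  return timingSafeEqual(expected, received);
}

// Pitfall: parsing and re-serialising the JSON body changes whitespace/ordering, so
// the digest no longer matches. Returns whether verification still succeeds (it should not).
export function reserialisedBodyStillVerifies(clientSecret: string, rawBody: Buffer, headerValue: string): boolean {
  const reserialised = Buffer.from(JSON.stringify(JSON.parse(rawBody.toString("utf8"))), "utf8");
  return verifyShopifyWebhook(clientSecret, reserialised, headerValue);
}
```

In a framework that parses JSON bodies automatically, the verification middleware has to run on the raw body (or the parser has to be configured to keep it); otherwise every genuine `customers/redact` or `shop/redact` delivery is rejected and the deletion obligations in A1.5 are never triggered.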
Availability and resilience:
- Rate limiting (10 POST/IP/h, 60 GET/IP/min on storefront endpoints)
- Scanner blocker middleware for known scan patterns
- CSP, HSTS, X-Content-Type-Options, Referrer-Policy headers
- Baseline DDoS protection via Hetzner network infrastructure
- Service monitoring and alerting
- Health-check endpoint for uptime monitoring
A1.3. Restoration (Art. 32(1)(c) GDPR)
- Daily redundant database backups on Hetzner Object Storage
- Quarterly recovery tests
- Restore runbook in `docs/deployment/backup-restore.md` (TODO before go-live)
A1.4. Procedure for regular review (Art. 32(1)(d) GDPR)
- Periodic security reviews per Codixio Security Hardening Plan
- Dependency CVE monitoring via npm audit
- OWASP Top 10 (2025) applied as baseline
- Annual review of this Annex 1 and adjustments as needed
A1.5. Deletion and redaction
- Configurable retention period per merchant (default 24 months, range 6-60)
- Daily automated retention sweep
- Full data deletion within 48 hours of uninstallation or of the `shop/redact` webhook
- AI request/response artefacts (from v0.2.0): anonymised prompts cached for up to 90 days, raw request logs kept for up to 7 days, then auto-purged
A1.6. Incident response
- Personal-data breaches: Codixio notifies the Merchant without undue delay after becoming aware (Art. 33(2) GDPR) so that the Merchant, as controller, can report to the supervisory authority within 72 hours (Art. 33(1) GDPR)
- Codixio assists the Merchant in notifying data subjects without undue delay where the breach is likely to result in a high risk (Art. 34 GDPR)
- Documentation of all incidents in `docs/legal/incident-response-policy.md`
Annex 2 — Sub-processor list
A2.1. Active sub-processors (v0.1.0)
| Name | Seat | Activity | Third-country transfer | Protection mechanism |
|---|---|---|---|---|
| Hetzner Online GmbH | DE (Falkenstein, Nuremberg) | Hosting (app server, Postgres DB, object storage) | No (EU-internal) | n/a |
| Sendinblue SAS / Brevo | FR (Paris) | Delivery of transactional emails | No (EU-internal) | n/a |
A2.2. Future sub-processors (from v0.2.0)
| Name | Seat | Activity | Third-country transfer | Protection mechanism |
|---|---|---|---|---|
| Anthropic, PBC | US | AI inference from v0.2.0 (receives only anonymised payloads) | Yes (US) | EU SCCs Module 2 (2021/914) |
A2.3. Codixio-own infrastructure
- credits.codixio.com — Codixio-own infrastructure, DE (Hetzner/Coolify). Does not process customer PII, only shop domain + credit balance + transaction metadata. Technically not a sub-processor within the meaning of Art. 28 GDPR; listed for transparency.
- Coolify — open-source software run on the Hetzner server itself. No external service provider.
Annex 3 — Standard Contractual Clauses (SCCs)
In v0.1.0 there are no third-country transfers: all active sub-processors are based in the EU. From v0.2.0, the transfer to Anthropic, PBC (USA) is governed by the Standard Contractual Clauses per Commission Implementing Decision (EU) 2021/914 of 4 June 2021, Module 2 "Controller to Processor". The clauses are included in the DPA with Anthropic and can be reviewed on request at legal@codixio.com.
Original text of the SCCs: https://eur-lex.europa.eu/eli/dec_impl/2021/914.
A Transfer Impact Assessment (TIA) under the ECJ "Schrems II" ruling (C-311/18) is documented in docs/legal/tia-us-subprocessors.md and updated regularly.