
Last Updated
Feb 25, 2026
Last updated: Feb 25, 2025
This Data Processing Agreement ("DPA") supplements the Terms of Service ("Agreement") between you ("Customer", "Controller") and PuppetVendors, operated by Panther Commerce Pte. Ltd. ("PuppetVendors", "Processor", "we", "us", or "our"), and governs the processing of Personal Data by PuppetVendors on behalf of the Customer in connection with the Service.
This DPA is incorporated into and forms part of the Agreement. In the event of any conflict between this DPA and the Agreement regarding the processing of Personal Data, the terms of this DPA shall prevail.
By installing or using the Service, Customer agrees to this DPA.
1. Definitions
In this DPA, the following terms have the meanings set out below. Capitalized terms not defined in this DPA have the meanings given to them in the Agreement.
"Applicable Data Protection Laws" means all data protection and privacy laws applicable to the processing of Personal Data under this DPA, including but not limited to the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the UK General Data Protection Regulation ("UK GDPR"), the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA/CPRA"), Singapore's Personal Data Protection Act 2012 ("PDPA"), and any other applicable data protection legislation.
"Controller" means the entity that determines the purposes and means of processing Personal Data. Under this DPA, the Customer is the Controller.
"Customer Data" means any Personal Data that PuppetVendors processes on behalf of the Customer as a Processor in the course of providing the Service.
"Data Subject" means an identified or identifiable natural person to whom Personal Data relates.
"Personal Data" means any information relating to an identified or identifiable natural person, as defined under Applicable Data Protection Laws.
"Processing" (and "Process") means any operation or set of operations performed on Personal Data, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure, or destruction.
"Processor" means the entity that processes Personal Data on behalf of the Controller. Under this DPA, PuppetVendors is the Processor.
"Security Incident" means any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Data.
"Sub-Processor" means any third party engaged by PuppetVendors to Process Customer Data on behalf of the Customer.
"Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for the transfer of personal data to processors established in third countries, as approved by the European Commission.
2. Scope and Roles
2.1 Applicability
This DPA applies to the Processing of Customer Data by PuppetVendors in connection with the Service. This DPA does not apply to data that PuppetVendors processes as a Controller (such as Merchant account information and billing data), which is governed by the PuppetVendors Privacy Policy.
2.2 Roles of the Parties
The Customer acts as the Controller and PuppetVendors acts as the Processor with respect to Customer Data. Each party shall comply with its respective obligations under Applicable Data Protection Laws.
2.3 Customer's Obligations as Controller
Customer agrees to:
Comply with all obligations as a Controller under Applicable Data Protection Laws, including providing all required notices to Data Subjects and obtaining all necessary consents for the Processing of Personal Data through the Service.
Ensure that Customer's instructions to PuppetVendors for the Processing of Customer Data comply with Applicable Data Protection Laws.
Ensure that the collection, transfer, and Processing of Customer Data through the Service has a valid legal basis.
Be solely responsible for the accuracy, quality, and legality of Customer Data and the means by which Customer acquired such data.
Inform PuppetVendors without undue delay if Customer becomes aware that any Processing instruction may violate Applicable Data Protection Laws.
2.4 PuppetVendors's Obligations as Processor
PuppetVendors agrees to:
Process Customer Data only in accordance with Customer's documented instructions as set out in this DPA and the Agreement, unless required to do otherwise by applicable law (in which case PuppetVendors will notify Customer before such Processing, unless prohibited by law).
Ensure that persons authorized to Process Customer Data are subject to confidentiality obligations.
Implement and maintain appropriate technical and organizational security measures as described in Section 5.
Assist Customer, taking into account the nature of Processing, in fulfilling Customer's obligations to respond to Data Subject requests under Applicable Data Protection Laws.
Assist Customer in ensuring compliance with obligations related to security of Processing, notification of Security Incidents, data protection impact assessments, and prior consultations with supervisory authorities, taking into account the nature of Processing and the information available to PuppetVendors.
At Customer's choice, delete or return all Customer Data upon termination of the Agreement, as described in Section 9.
Make available to Customer all information reasonably necessary to demonstrate compliance with this DPA.
3. Details of Processing
3.1 Subject Matter and Duration
PuppetVendors processes Customer Data for the purpose of providing the Service as described in the Agreement. Processing will continue for the duration of the Agreement, plus any retention period described in Section 9.
3.2 Nature and Purpose of Processing
The Processing involves the collection, storage, organization, retrieval, use, and deletion of Customer Data for the following purposes:
Multi-vendor marketplace management
Commission calculation and payout processing
Product, order, and inventory synchronization between Shopify and the vendor portal
Fulfillment management and tracking
Vendor account management and access control
Sales reporting and analytics
Consignment management
Tax reporting tool functionality (e.g., 1099-NEC generation)
3.3 Categories of Data Subjects
Customer Data may relate to the following categories of Data Subjects:
Merchants (store owners who install the App)
Merchants' vendors, sellers, and consignors
Merchants' end customers (buyers)
Merchants' employees or staff with access to the Service
3.4 Types of Personal Data
Customer Data may include the following types of Personal Data:
Identification data: Names, email addresses, phone numbers, business names
Order data: Order details, line items, quantities, pricing, discounts, shipping addresses, billing addresses
Product data: Product information, vendor assignments, pricing, images
Financial data: Commission calculations, payout amounts, payment information as configured by the Merchant, cost-per-item data
Tax data: Tax identifiers, 1099-NEC related information (if applicable)
Fulfillment data: Shipping addresses, tracking numbers, fulfillment status
Technical data: IP addresses, device information, browser type, usage logs
3.5 Sensitive Data
PuppetVendors does not intentionally collect or Process special categories of Personal Data (as defined in Article 9 of the GDPR) or sensitive Personal Data. Customer shall not submit sensitive Personal Data to the Service unless expressly agreed in writing.
4. Customer Instructions
4.1 Documented Instructions
Customer instructs PuppetVendors to Process Customer Data to the extent necessary to provide the Service in accordance with the Agreement, this DPA, and any applicable Order Forms. The Agreement (including this DPA) constitutes Customer's complete and final documented instructions to PuppetVendors regarding the Processing of Customer Data.
4.2 Additional Instructions
Any additional or alternative instructions must be agreed upon in writing between the parties. PuppetVendors is not obligated to follow instructions that would violate Applicable Data Protection Laws or that fall outside the scope of the Service.
4.3 Notification of Non-Compliance
If PuppetVendors reasonably believes that a Customer instruction infringes Applicable Data Protection Laws, PuppetVendors will notify Customer without undue delay. PuppetVendors may suspend the relevant Processing until the instruction is confirmed or modified by Customer.
5. Security Measures
5.1 Technical and Organizational Measures
PuppetVendors implements and maintains commercially reasonable technical and organizational measures designed to protect Customer Data against unauthorized or unlawful Processing and against accidental loss, destruction, damage, theft, or disclosure. These measures include:
Access Controls:
Role-based access controls limiting access to Customer Data to authorized personnel
Authentication requirements for all system access
Principle of least privilege for internal access to production systems
Data Protection:
Encryption of data in transit using TLS/SSL
Encryption of data at rest
Secure backup procedures
Infrastructure Security:
Hosting on reputable infrastructure providers (DigitalOcean, AWS, MongoDB Atlas) with their own security certifications
Network security controls and monitoring
Regular software updates and security patching
Organizational Measures:
Confidentiality obligations for all personnel with access to Customer Data
Security awareness practices for team members
Incident response procedures
5.2 No Certification Warranty
Customer acknowledges that PuppetVendors does not currently hold SOC 2, ISO 27001, or equivalent security certifications. The security measures described in this section represent commercially reasonable measures appropriate to the nature of the Processing and the size of PuppetVendors's operations. PuppetVendors will update its security measures from time to time to reflect evolving threats, industry practices, and business growth, provided that such updates do not materially decrease the overall level of protection.
5.3 Customer Responsibility
Customer acknowledges that security is a shared responsibility. Customer is responsible for maintaining the security of its own Shopify store, user credentials, vendor accounts, and any integrations configured through the Service.
6. Sub-Processors
6.1 Authorization
Customer provides general authorization for PuppetVendors to engage Sub-Processors to Process Customer Data on behalf of Customer, subject to the requirements of this section.
6.2 Current Sub-Processors
The following Sub-Processors are currently engaged by PuppetVendors:
Sub-Processor | Purpose | Location
DigitalOcean | Application hosting | United States / Global
Amazon Web Services (AWS) | File storage, CDN | United States / Global
MongoDB Atlas | Database management | United States / Global
6.3 Obligations Imposed on Sub-Processors
PuppetVendors shall:
Enter into written agreements with each Sub-Processor imposing data protection obligations no less protective than those set out in this DPA.
Remain liable to Customer for the acts and omissions of its Sub-Processors to the same extent PuppetVendors would be liable if performing the Processing directly, subject to the limitations of liability set out in the Agreement.
6.4 Changes to Sub-Processors
PuppetVendors reserves the right to add, replace, or remove Sub-Processors at any time in order to improve, maintain, or enhance the Service. PuppetVendors will provide at least sixty (60) days' prior notice before engaging a new Sub-Processor by updating the Sub-Processor list on its website or notifying Customer via email.
If Customer has a reasonable objection to a new Sub-Processor on legitimate data protection grounds, Customer shall notify PuppetVendors in writing within the 60-day notice period, specifying the reasonable grounds for the objection. The parties shall work in good faith to resolve the objection. If no mutually acceptable resolution is reached within thirty (30) days of PuppetVendors's receipt of the objection, Customer may terminate the Agreement by providing written notice, and such termination shall be Customer's sole and exclusive remedy with respect to the Sub-Processor objection.
7. Data Subject Rights
7.1 Assistance with Data Subject Requests
PuppetVendors shall, taking into account the nature of the Processing, assist Customer by implementing appropriate technical and organizational measures, insofar as this is reasonably possible, for the fulfillment of Customer's obligation to respond to requests from Data Subjects exercising their rights under Applicable Data Protection Laws (including rights of access, rectification, erasure, restriction, portability, and objection).
7.2 Direct Requests
If PuppetVendors receives a request directly from a Data Subject regarding Customer Data, PuppetVendors will promptly redirect the Data Subject to Customer, unless otherwise required by applicable law. PuppetVendors will not respond to such requests directly without Customer's prior authorization, unless legally required to do so.
7.3 Shopify Compliance Webhooks
PuppetVendors implements Shopify's mandatory compliance webhooks, including:
Customer data request: Upon receiving a request from Shopify, PuppetVendors will provide the relevant Customer Data held in its systems.
Customer data erasure: Upon receiving an erasure request from Shopify, PuppetVendors will delete the relevant Personal Data from its systems.
Shop data erasure: Upon a Merchant's uninstallation and Shopify's erasure request, PuppetVendors will delete all related shop data within thirty (30) days.
8. Security Incidents
8.1 Notification
PuppetVendors will notify Customer without undue delay (and in any event within seventy-two (72) hours of becoming aware) of any confirmed Security Incident affecting Customer Data. Notification will be made via email to the address associated with Customer's account.
8.2 Content of Notification
The notification will include, to the extent reasonably available:
A description of the nature of the Security Incident, including the categories and approximate number of Data Subjects and records affected
The name and contact details of PuppetVendors's point of contact for further information
A description of the likely consequences of the Security Incident
A description of the measures taken or proposed to address the Security Incident, including measures to mitigate its adverse effects
8.3 Cooperation
PuppetVendors will cooperate with Customer and take commercially reasonable steps to assist in the investigation, mitigation, and remediation of the Security Incident. PuppetVendors will also assist Customer in fulfilling any notification obligations to supervisory authorities and Data Subjects under Applicable Data Protection Laws.
8.4 Limitations
PuppetVendors's obligation to notify and assist does not constitute an acknowledgment of fault or liability. PuppetVendors shall not be liable for Security Incidents caused by Customer, Customer's vendors, third-party infrastructure providers, or the Shopify platform, or for incidents that occur despite PuppetVendors's commercially reasonable security measures. The notification obligation in this section applies to confirmed Security Incidents only and does not apply to unsuccessful attempts or activities that do not compromise the security of Customer Data (such as failed login attempts, port scans, or denial-of-service attacks that do not result in data exposure).
9. Data Retention and Deletion
9.1 Retention During the Agreement
PuppetVendors will retain Customer Data for the duration of the Agreement as necessary to provide the Service.
9.2 Deletion Upon Termination
Upon termination of the Agreement (including uninstallation of the App from Customer's Shopify store), PuppetVendors will delete Customer Data from its active systems within thirty (30) days, except:
Where retention is required by applicable law, regulation, or legal process.
Aggregated or anonymized data from which no individual or Customer can be identified, which may be retained indefinitely.
Residual copies in backup systems, which will be overwritten in the ordinary course of backup rotation.
9.3 Customer Export Responsibility
Customer is responsible for exporting any Customer Data it wishes to retain prior to termination of the Agreement or uninstallation of the App. PuppetVendors is not obligated to maintain Customer Data after the 30-day deletion period and shall have no liability for Customer Data that is not exported prior to deletion.
9.4 Shopify Data Erasure
PuppetVendors will process shop data erasure requests received from Shopify in accordance with Shopify's compliance requirements and the timelines specified in Section 7.3.
10. International Data Transfers
10.1 Transfer Locations
Customer acknowledges that Customer Data may be transferred to and Processed in countries outside Customer's jurisdiction, including Singapore, the United States, and other locations where PuppetVendors and its Sub-Processors operate.
10.2 Transfer Safeguards
Where Customer Data originating from the EEA, United Kingdom, or Switzerland is transferred to a country that has not been recognized as providing an adequate level of data protection, PuppetVendors will ensure that appropriate safeguards are in place, including:
Standard Contractual Clauses (SCCs) as approved by the European Commission (Commission Implementing Decision (EU) 2021/914), incorporated by reference into this DPA
Any additional safeguards required by applicable law
10.3 Standard Contractual Clauses
To the extent that the Processing of Customer Data involves a transfer of Personal Data from the EEA, UK, or Switzerland to a third country, the parties agree that the SCCs shall apply as follows:
Module Two (Controller to Processor) applies where Customer is the Controller and PuppetVendors is the Processor.
For Clause 9 (Use of Sub-Processors): Option 2 (General written authorization) applies, with the notice period set at sixty (60) days.
For Clause 17 (Governing Law): The SCCs shall be governed by the laws of Ireland (for EEA transfers) or the laws of England and Wales (for UK transfers).
For Clause 18 (Choice of Forum and Jurisdiction): Disputes shall be resolved before the courts of Ireland (for EEA transfers) or the courts of England and Wales (for UK transfers).
10.4 UK International Data Transfer Addendum
For transfers of Personal Data from the United Kingdom, the UK International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (version B1.0, as issued by the UK Information Commissioner under S119A(1) of the Data Protection Act 2018) is incorporated by reference and shall apply to the extent required.
11. Audits and Compliance
11.1 Information and Verification
PuppetVendors will make available to Customer, upon reasonable written request and no more than once per twelve (12) month period, information reasonably necessary to demonstrate PuppetVendors's compliance with its obligations under this DPA. Such information may be provided in the form of documentation, certifications (if and when obtained), or written responses to Customer's reasonable questions.
11.2 Audits
Customer may request an audit of PuppetVendors's compliance with this DPA no more than once per twelve (12) month period, subject to the following conditions:
Customer shall provide at least thirty (30) days' prior written notice.
The audit shall be conducted during normal business hours and shall not unreasonably interfere with PuppetVendors's operations.
The audit shall be conducted at Customer's sole expense.
Customer shall ensure that any third-party auditor is bound by confidentiality obligations.
The scope of the audit shall be limited to PuppetVendors's Processing of Customer Data and compliance with this DPA.
11.3 Alternative Verification
PuppetVendors may, at its discretion, satisfy audit requests by providing Customer with a summary report prepared by an independent third-party auditor or by providing relevant documentation demonstrating compliance.
12. Liability
12.1 Limitation of Liability
Each party's total aggregate liability arising out of or related to this DPA shall be subject to the limitations of liability set out in the Agreement. Nothing in this DPA shall be construed to limit or exclude either party's liability to the extent that such limitation or exclusion is not permitted under Applicable Data Protection Laws.
12.2 Customer Liability for Controller Obligations
Customer shall be solely liable for any claims, damages, or losses arising from Customer's failure to comply with its obligations as a Controller under Applicable Data Protection Laws, including but not limited to:
Failure to obtain necessary consents from Data Subjects
Failure to provide required privacy notices
Processing Customer Data without a valid legal basis
Failure to respond to Data Subject requests in a timely manner
Inaccurate, incomplete, or unlawful Customer Data
12.3 Indemnification
Customer shall indemnify and hold harmless PuppetVendors from and against any claims, damages, losses, liabilities, costs, and expenses (including reasonable legal fees) arising from Customer's breach of its obligations under this DPA or Applicable Data Protection Laws.
13. Term and Termination
13.1 Term
This DPA shall remain in effect for the duration of the Agreement. This DPA shall automatically terminate upon termination of the Agreement, subject to PuppetVendors's obligations regarding data retention and deletion as set out in Section 9.
13.2 Survival
The provisions of this DPA that by their nature should survive termination shall survive, including Sections 9 (Data Retention and Deletion), 10 (International Data Transfers, to the extent transfers remain pending), 11 (Audits and Compliance, for a period of twelve months following termination), and 12 (Liability).
14. General
14.1 Governing Law
This DPA shall be governed by and construed in accordance with the laws of Singapore, except to the extent that Applicable Data Protection Laws require otherwise (in which case the relevant provisions of this DPA shall be governed by the applicable data protection law).
14.2 Severability
If any provision of this DPA is held to be invalid or unenforceable, the remaining provisions shall continue in full force and effect, and the invalid provision shall be modified to the minimum extent necessary to make it valid and enforceable.
14.3 Amendments
PuppetVendors may update this DPA from time to time to reflect changes in Applicable Data Protection Laws, Processing activities, or Sub-Processors. Material changes will be communicated to Customer via email or through the Service. Continued use of the Service after such changes constitutes acceptance of the updated DPA.
14.4 Entire Agreement
This DPA, together with the Agreement, the Privacy Policy, and any applicable SCCs, constitutes the complete agreement between the parties regarding the Processing of Customer Data and supersedes all prior agreements, representations, and understandings relating to the subject matter of this DPA.
Annex A: Sub-Processor List
Sub-Processor | Processing Activity | Data Processed | Location
DigitalOcean, LLC | Application hosting, compute | All Customer Data processed through the Service | United States / Global
Amazon Web Services, Inc. | File storage, CDN, asset delivery | Files, images, documents uploaded through the Service | United States / Global
MongoDB, Inc. (Atlas) | Database management, data storage | All Customer Data stored by the Service | United States / Global
This list is maintained by PuppetVendors and updated in accordance with Section 6.4 of this DPA.
Annex B: Technical and Organizational Measures
The following describes the technical and organizational security measures implemented by PuppetVendors as of the date of this DPA:
1. Access Control
Role-based access control (RBAC) for internal systems
Individual user authentication required for all production system access
Principle of least privilege applied to all system access
Regular review of access permissions
2. Data Encryption
TLS/SSL encryption for all data in transit
Encryption at rest for stored data via infrastructure provider capabilities (AWS, MongoDB Atlas, DigitalOcean)
3. Application Security
Secure development practices
Input validation and output encoding
Protection against common web application vulnerabilities (XSS, CSRF, SQL injection)
API authentication and authorization controls
4. Infrastructure Security
Hosting on infrastructure providers with established security programs (DigitalOcean SOC 2, AWS SOC 2/ISO 27001, MongoDB Atlas SOC 2/ISO 27001)
Network-level access controls and firewalls
Regular software updates and security patching
Automated monitoring and alerting
5. Data Management
Data deletion procedures upon account termination
Backup and recovery procedures
Data minimization practices - only collecting data necessary for the Service
6. Organizational Controls
Confidentiality obligations for all personnel
Incident response procedures
Vendor security assessment for Sub-Processors
7. Shopify Compliance
Implementation of mandatory compliance webhooks (customer data request, customer data erasure, shop data erasure)
Compliance with Shopify API Terms and Partner Program data requirements