Data Processing Agreement
This Data Processing Agreement (“DPA”) governs the processing of personal data by AdTrench on behalf of clients where AdTrench acts as a data processor under GDPR and UK GDPR. It forms part of the service relationship between AdTrench and the Client.
The individual or business that engages AdTrench for services. As data controller, the Client determines the purposes and means of processing personal data related to their Shopify store and customers.
AdTrench processes personal data strictly on behalf of and under the instructions of the Client. Contact: adtrenchofficial@gmail.com
1. Definitions
- “GDPR” — General Data Protection Regulation (EU) 2016/679 and, where applicable, UK GDPR as defined in the Data Protection Act 2018
- “Personal Data” — any information relating to an identified or identifiable natural person
- “Processing” — any operation performed on personal data
- “Data Controller” — the Client, who determines purposes and means of processing
- “Data Processor” — AdTrench, who processes data on behalf of the Controller
- “Sub-Processor” — any third party engaged by AdTrench to process personal data
- “Data Breach” — a breach of security leading to accidental or unlawful destruction, loss, or unauthorised disclosure of personal data
2. Scope & Purpose
This DPA applies where AdTrench processes personal data on behalf of the Client in the course of providing the Services. It supplements the Service Agreement and, in the event of conflict, this DPA takes precedence on matters of data protection.
AdTrench processes personal data solely to deliver the Services and in accordance with the Client’s documented instructions.
3. Details of Processing
| Detail | Description |
|---|---|
| Subject matter | Performance marketing and store development services for the Client’s Shopify store |
| Duration | For the term of the Service Agreement, plus any legally required retention period |
| Nature of processing | Access to ad accounts, analytics platforms, and Shopify admin to manage campaigns and deliver development work |
| Purpose | Delivery of Google Ads, Meta Ads, Shop Campaigns, SEO, and/or Shopify store development services |
| Types of personal data | Customer names, email addresses, purchase history, browsing behaviour, device identifiers, IP addresses — as contained in the Client’s Shopify, Google Ads, and/or Meta Ads accounts |
| Categories of data subjects | The Client’s customers and website visitors |
4. Processor Obligations
Instructions
- Process personal data only on documented instructions from the Client
- Notify the Client if any instruction appears to infringe GDPR
- Not process data for any purpose beyond the Services without written consent
Confidentiality
- Ensure all personnel are bound by confidentiality obligations
- Limit access to personal data to those who need it to deliver the Services
Security
- Implement and maintain appropriate technical and organisational measures (see Section 8)
Sub-processors
- Not engage sub-processors without prior written authorisation from the Client, except as set out in Section 6
- Impose equivalent obligations on all sub-processors by written contract
- Remain fully liable to the Client for the acts of sub-processors
Assistance
- Assist the Client in responding to data subject rights requests
- Assist with obligations under Articles 32–36 of the GDPR
- Make available all information necessary to demonstrate compliance
5. Controller Obligations
As data controller, the Client agrees to:
- Ensure there is a valid lawful basis for processing
- Provide clear documented instructions to AdTrench
- Ensure all personal data provided is accurate
- Comply with all applicable data protection laws
- Ensure appropriate privacy notices are provided to data subjects
- Notify AdTrench promptly of any changes to instructions
6. Sub-Processors
The Client provides general written authorisation for AdTrench to engage the following sub-processors:
| Sub-Processor | Purpose | Location |
|---|---|---|
| Google LLC | Google Ads management, Google Analytics, Google Workspace | USA (EU-US Data Privacy Framework) |
| Meta Platforms, Inc. | Facebook & Instagram Ads management | USA (Standard Contractual Clauses) |
| Shopify Inc. | Access to Client’s Shopify admin for development and SEO | Canada (Adequacy Decision) |
| FormSubmit | Contact form processing on adtrench.com | USA |
AdTrench will notify the Client of any intended changes to sub-processors with at least 14 days’ notice. The Client may object within that period. No objection constitutes approval.
7. Data Subject Rights
AdTrench will promptly forward any data subject requests directly to the Client — ordinarily within 3 business days of receipt — and will not respond to the data subject directly unless instructed or required by law.
The Client remains responsible as data controller for responding within GDPR’s one-month deadline.
8. Security Measures
Technical measures
- Strong, unique passwords and password management tools for all platform access
- Two-factor authentication (2FA) on all accounts with access to client data
- Access limited to personnel who require it
- Secure, encrypted communication channels for sensitive information
- Regular review and revocation of access permissions
Organisational measures
- Confidentiality obligations for all personnel
- Internal policies for handling and disposing of personal data securely
- Prompt internal reporting of suspected security incidents
9. Data Breach Notification
In the event of a confirmed or suspected personal data breach, AdTrench will:
- Notify the Client without undue delay — and where feasible, within 48 hours
- Provide sufficient information for the Client to fulfil its own notification obligations under Articles 33 and 34
- Cooperate fully in investigating, containing, and remediating the breach
The Client remains responsible for notifying the relevant supervisory authority within 72 hours (Article 33) and, where required, notifying data subjects (Article 34).
10. International Data Transfers
Where personal data is transferred outside the EEA or UK, AdTrench ensures appropriate safeguards are in place including:
- Adequacy decisions
- Standard Contractual Clauses (SCCs)
- UK International Data Transfer Agreements (IDTAs)
- Participation in recognised frameworks (e.g. EU-US Data Privacy Framework)
11. Audits & Compliance
AdTrench will make available all information reasonably necessary to demonstrate compliance. Audit requests must be made in writing with at least 30 days’ notice, at the Client’s expense, and limited to processing activities relevant to the Client’s data.
12. Termination & Return of Data
Upon termination, AdTrench will, within 30 days:
- Return all personal data in a commonly used format
- Securely delete all copies, including data held by sub-processors (unless retention is legally required)
- Confirm deletion in writing
13. Governing Law
This DPA is governed by applicable law and interpreted in accordance with the GDPR and, where applicable, UK GDPR. Disputes will be resolved in accordance with the dispute resolution provisions of the Service Agreement.
14. Contact & Execution
This DPA takes effect upon execution of the Service Agreement. Engagement of AdTrench’s services constitutes acceptance. Clients requiring a separately signed DPA may request one:
- Email: adtrenchofficial@gmail.com
- Website: adtrench.com/contact
Need a Signed DPA?
If your organisation requires a separately executed DPA for compliance purposes, get in touch.
Request a Signed DPA →