Effective date: May 22, 2026
Parties: (a) K1 Apps LLC, 30 N Gould St, STE R, Sheridan, WY 82801, USA ("K1"); and (b) the Shopify merchant that installs or uses the K1 Upload Files application (the "Merchant"). For purposes of this DPA and solely with respect to Customer Personal Data (including the contents of Files uploaded by End‑Customers), Merchant acts as the Controller and K1 acts as the Processor. With respect to Merchant/admin data, each party acts as an independent controller as described in the Privacy Policy; such processing is outside the scope of this DPA.
This DPA forms part of and is subject to the K1 Upload Files Terms & Conditions (the "Agreement"). Capitalized terms not defined here have the meaning in the Agreement. In case of conflict between this DPA and the Agreement, this DPA prevails to the extent of the conflict on matters of data protection. By installing or using the App (or otherwise accepting the Agreement), the parties are deemed to have executed this DPA, including the SCCs/UK Addendum incorporated in Annex III, by electronic means, without the need for wet‑ink signatures.
1.1 Roles and scope. This DPA applies only to Customer Personal Data and File contents processed by K1 on behalf of Merchant. For that data, Merchant is the Controller and K1 is the Processor. For the avoidance of doubt, with respect to Merchant/admin data, each party acts as an independent controller; this DPA does not apply to that processing, which is governed by the Privacy Policy and the Agreement.
1.2 Subject matter & duration. Processing is limited to providing the App and related support during the term of the Agreement, until deletion/return under §10.
1.3 Documented instructions. K1 will process Customer Personal Data and File contents only on Merchant's documented instructions, including via App configurations (Upload Rules, allowed file types, size limits, Magic Link parameters) and the Agreement, and as required to comply with law. K1 will promptly inform Merchant if an instruction infringes data protection law.
1.4 Prohibited purposes. K1 will not sell, share for cross‑context behavioral advertising, train artificial intelligence or machine‑learning models on, or otherwise process Customer Personal Data or File contents for its own purposes or for profiling unrelated to the App.
Provide, secure, and support App features that enable file‑upload workflows, including: accepting resumable uploads from End‑Customers; storing Files in encrypted object storage (Cloudflare R2); validating file size and type; scanning Files with antivirus (ClamAV) and quarantining malicious content; linking Files to Shopify orders via webhooks; generating and validating Magic Links for order‑level upload requests; producing temporary ZIP archives for bulk download; logging, diagnostics, and honouring Shopify privacy webhooks.
3.1 Data subjects. End‑customers of the Merchant's Shop (including individuals who upload via the storefront widget or a Magic Link); Merchant staff acting in the Shop admin.
3.2 Categories of Customer Personal Data. The categories depend entirely on Merchant's configuration of the App and the content End‑Customers upload. They typically include:
3.3 Special categories. The App is not intended to process special categories of personal data (GDPR Art. 9, such as health, biometric, racial, religious, or trade‑union data), criminal‑offence data, or children's data (data of children under the applicable age of consent). Merchant shall not configure the App to solicit such data, and shall not knowingly accept Files that contain such data, without an explicit legal basis and prior written notice to K1. Merchant is responsible for informing End‑Customers about what they may and may not upload.
K1 ensures that persons authorized to process Customer Personal Data and File contents are bound by confidentiality, receive appropriate training, and access only what is necessary under the least‑privilege principle.
K1 implements and maintains appropriate technical and organizational measures to protect Customer Personal Data and File contents, as described in Annex II (Security Measures), taking into account the state of the art, costs, nature, scope, context and purposes of processing, and the risks for data subjects.
6.1 Authorization. Merchant authorizes K1 to engage sub‑processors reasonably necessary to provide the App. K1 shall impose data protection terms on sub‑processors no less protective than this DPA (including SCCs/UK Addendum where applicable).
6.2 List & notice. K1's current sub‑processors are listed in the Appendix — Subprocessor List to the Privacy Policy. K1 will notify at least 30 days in advance of any material change (add/replace) and provide Merchant an opportunity to object on reasonable grounds. If the parties cannot resolve an objection within a reasonable time, Merchant may suspend the affected feature or terminate only the affected portion of the services. Any credits, refunds, or alternatives are at K1's discretion, and an objection does not entitle Merchant to terminate the Agreement as a whole.
6.3 Flow‑down. Where K1 engages a sub‑processor for processing subject to the EU/UK transfer rules, K1 will execute Module 3 SCCs and/or the UK Addendum/IDTA with that sub‑processor, as applicable.
7.1 Mechanisms. To the extent Customer Personal Data or File contents are transferred outside the EEA/UK, K1 will ensure a valid transfer mechanism, including: EU Standard Contractual Clauses (2021) Module 2 (Controller→Processor) and Module 3 (Processor→Sub‑processor); the UK Addendum/IDTA for UK transfers; and, where applicable, reliance on the EU‑US/UK‑US Data Privacy Framework for certified providers.
7.2 Supplementary measures. K1 maintains supplementary technical and organizational measures (e.g., TLS in transit; encryption at rest for stored Files and database volumes; access control; audit logging; data minimization). K1 will perform transfer risk assessments where appropriate.
7.3 Hosting and storage locations. Hosting and storage locations and primary infrastructure providers are disclosed in the Privacy Policy (Subprocessor Appendix). K1 may update hosting regions/providers pursuant to §6 (Sub‑processors).
8.1 Assistance. Taking into account the nature of processing, K1 will assist Merchant by appropriate technical and organizational measures in fulfilling Controller's obligations to respond to data subject requests under applicable law, including requests to access or delete Files uploaded by a specific End‑Customer.
8.2 Requests received by K1. If K1 receives a request directly from a data subject, K1 will promptly forward it to Merchant and will not respond except on documented instructions or where required by law.
K1 will notify Merchant without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data or File contents. K1 will provide the information reasonably available at the time of notice and will update Merchant as further details become available. K1 will promptly take steps to mitigate the effects and assist Merchant in meeting any notification obligations to authorities and data subjects.
Upon termination or upon Merchant's written request, K1 will delete or return Customer Personal Data and File contents (at Merchant's choice) and delete existing copies within 30 days, unless retention is required by law. In addition, automated retention applies during normal operation:
Backups are encrypted and retained on a rolling basis for 30 days; deletion cascades within that window.
K1 will assist Merchant with data protection impact assessments and prior consultations with supervisory authorities, taking into account the nature of processing and the information available to K1. K1 maintains records of processing activities as required by law.
K1 will subscribe to and process Shopify's mandatory privacy webhooks (customers/data_request, customers/redact, shop/redact) to assist Merchant in meeting obligations to data subjects. For customers/redact, K1 deletes Files and metadata associated with the affected End‑Customer. For shop/redact, K1 erases shop‑level data, including all stored Files, within 30 days (sooner where possible).
13.1 Liability. The limitations and exclusions of liability in the Agreement apply to this DPA, except to the extent prohibited by law.
13.2 Order of precedence. If the SCCs (as incorporated below) apply, they prevail over this DPA and the Agreement to the extent of any conflict.
13.3 Governing law. This DPA is governed by the law specified in the Agreement; however, for the EU SCCs, the governing law for contractual claims shall be the law of Ireland, and the competent supervisory authority shall be the Irish Data Protection Commission, unless Merchant designates another competent EU authority in writing.
13.4 Severability. If any provision of this DPA is invalid, the remainder remains in effect.
A. Parties
B. Description of transfer
C. Competent supervisory authority
K1 maintains an information security program appropriate to the risk, which includes (without limitation):
K1 may update these TOMs from time to time to reflect evolving practices and threats, provided such updates do not materially reduce the overall level of security.
EU SCCs (2021/914). The parties incorporate the Controller→Processor (Module 2) clauses between Controller (exporter) and Processor (importer), and Processor→Sub‑processor (Module 3) for onward transfers, with the following selections:
UK Addendum (ICO) / IDTA. For transfers subject to UK GDPR, the parties incorporate the UK Addendum to the EU SCCs (or the IDTA), with the information in Tables 1–4 taken from this DPA and Annexes; UK law governs and the UK ICO is the competent authority.
Switzerland. For transfers subject to Swiss FADP, references to the GDPR are to the FADP where appropriate; the competent authority is the FDPIC; references to EU Member State shall be read to include Switzerland.
This DPA is incorporated into and becomes effective upon acceptance of the Agreement (e.g., by installing or using the App). The parties agree that (a) no wet‑ink signatures are required; (b) this DPA, including its Annexes and the SCCs/UK Addendum incorporated in Annex III, is concluded by electronic acceptance; and (c) an electronic copy of this DPA constitutes an original.
Affiliates. Merchant's Affiliates may accede to this DPA by instructing Processor to process Customer Personal Data for their Shop(s) via the App or by written notice to Processor. In such case, the Affiliate shall be deemed a Merchant for purposes of this DPA, and the original Merchant remains responsible for its Affiliates' compliance.
Countersigned copy (optional). If your organization requires a signed copy for its records, contact privacy@k1apps.com to obtain a countersignature cover page referencing your legal entity name and Shop domain.