Data Processing Agreement

Eternly — An Anchersen & Co. Company · Version 1.0 · Last updated: March 25, 2026

Introduction

This Data Processing Agreement (“DPA”) is entered into between:

Data Controller: The merchant entity that has accepted Eternly's Terms of Service and connected one or more Shopify stores to the Eternly platform (“Controller,” “you,” or “Merchant”)

Data Processor: Anchersen & Co., 18 Hollænderdybet, 5 tv, København 2300, Denmark, trading as Eternly (“Processor,” “Eternly,” “we,” or “us”)

This DPA is incorporated into and forms part of the Eternly Terms of Service. By accepting the Terms of Service, you also agree to the terms of this DPA.

This DPA applies to the extent that Eternly processes Personal Data on your behalf in connection with the provision of the Services.


Part 1 — Definitions

"Applicable Data Protection Law" means the EU General Data Protection Regulation (Regulation 2016/679) ("GDPR"), the UK GDPR, and any other data protection legislation applicable to the processing of Personal Data under this DPA.
"Data Subject" means an identified or identifiable natural person whose Personal Data is processed under this DPA.
"Personal Data" means any information relating to an identified or identifiable natural person, as defined in Article 4(1) GDPR.
"Processing" has the meaning given in Article 4(2) GDPR and includes any operation or set of operations performed on Personal Data.
"Security Incident" means any confirmed accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed by Eternly.
"Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for the transfer of Personal Data to third countries adopted by the European Commission under Article 46(2)(c) GDPR, as updated from time to time.
"Sub-processor" means any processor engaged by Eternly to carry out specific processing activities on behalf of the Controller.

Part 2 — Details of Processing

2.1 Subject matter and nature of processing

Eternly processes Personal Data about the Controller's end-customers (Shopify customers and subscribers) for the purpose of providing the Eternly analytics and recommendations platform to the Controller. Processing activities include:

  • Ingesting customer order history from Shopify (order dates, product identifiers, order values, customer identifiers)
  • Ingesting subscription event data from Recharge, Loop Subscriptions, and/or Skio (subscription activations, pauses, cancellations, payment events, cancel reasons)
  • Computing derived analytics (RFM segments, cohort retention grids, CLV calculations, churn rates, MRR/ARR)
  • Generating anonymised, aggregated inputs for AI recommendation generation via the Anthropic Claude API
  • Storing processed data in Neon Postgres databases hosted on Vercel infrastructure

2.2 Duration of processing

Processing continues for the duration of the Terms of Service between the Controller and Eternly. Upon termination, Eternly will delete or return all Personal Data in accordance with Section 6 of this DPA.

2.3 Type of Personal Data processed

The following categories of Personal Data about the Controller's end-customers are processed:

  • Customer identifiers (Shopify Customer ID — a pseudonymous numeric identifier)
  • Order history (dates, product identifiers, monetary values)
  • Subscription events (event type, timestamps, plan identifiers, cancellation reasons)
  • Derived data (computed metrics, segment assignments)

Eternly does not, by default, process names, email addresses, postal addresses, payment card data, or any special categories of Personal Data relating to the Controller's end-customers.

2.4 Categories of Data Subjects

The Data Subjects are the Controller's end-customers: individuals who have placed orders through the Controller's Shopify store and/or hold active or historical subscriptions with the Controller.

2.5 Purpose of processing

Eternly processes Personal Data solely for the purpose of providing the Services to the Controller. Eternly does not process Personal Data for its own purposes, for advertising, or for any purpose other than providing the Services to the Controller.


Part 3 — Obligations of the Processor

3.1 Instructions

Eternly shall process Personal Data only on documented instructions from the Controller. The Terms of Service and this DPA constitute the Controller's documented instructions. Eternly will inform the Controller if, in its opinion, any instruction infringes Applicable Data Protection Law.

3.2 Confidentiality

Eternly shall ensure that persons authorised to process Personal Data are bound by a duty of confidentiality and are trained on data protection obligations.

3.3 Security

Eternly shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including:

  • Encryption of Personal Data in transit (TLS 1.2 or higher)
  • Encryption of Personal Data at rest (AES-256 via Neon Postgres)
  • Access controls ensuring that Personal Data is accessible only to authorised personnel on a need-to-know basis
  • Authentication and access management via Clerk
  • Regular security review of infrastructure and dependencies
  • Documented incident response procedures

Full technical and organisational security measures are set out in Annex B.

3.4 Sub-processors

The Controller provides general written authorisation for Eternly to engage Sub-processors. Eternly shall inform the Controller of any intended addition or replacement of Sub-processors at least 14 days before the change takes effect. Current Sub-processors are listed in Annex A.

Eternly shall impose data protection obligations on each Sub-processor that are no less protective than those in this DPA. Eternly remains fully liable to the Controller for the performance of each Sub-processor's obligations.

3.5 Data Subject rights

Eternly shall assist the Controller in responding to requests from Data Subjects exercising their rights under Applicable Data Protection Law. Where a Data Subject contacts Eternly directly regarding their rights, Eternly will forward the request to the Controller within 5 business days and assist the Controller in responding within the applicable deadline.

3.6 Shopify GDPR mandatory webhooks

Eternly shall implement and respond to all three Shopify mandatory GDPR webhooks:

  • customers/data_request: Eternly will compile and return all Personal Data held for the specified Data Subject within 30 days.
  • customers/redact: Eternly will permanently delete all Personal Data relating to the specified Data Subject within 30 days and provide confirmation to the Controller.
  • shop/redact: Upon the Controller uninstalling the Eternly app, Eternly will delete all Personal Data associated with the Controller's store within 30 days, except billing records retained as required by law.

3.7 Security Incidents

Eternly shall notify the Controller without undue delay and in any event within 72 hours after becoming aware of a Security Incident. Notification shall include, to the extent available: the nature of the incident and categories of Data Subjects affected; contact details; likely consequences; and measures taken or proposed to address the incident.

The Controller is responsible for notifying supervisory authorities and Data Subjects where required by Applicable Data Protection Law.

3.8 Data protection impact assessments

Eternly shall provide the Controller with reasonable assistance in carrying out any data protection impact assessment required by Article 35 GDPR in relation to the processing covered by this DPA.

3.9 Audit rights

Eternly shall make available to the Controller all information necessary to demonstrate compliance with the obligations in this DPA and shall allow for audits, including inspections, conducted by the Controller or a mandated auditor, with reasonable notice and no more than once per year unless required by a supervisory authority.


Part 4 — Obligations of the Controller

4.1 Lawful basis

The Controller shall ensure it has a valid lawful basis under Applicable Data Protection Law for sharing its end-customers' Personal Data with Eternly. This will typically be one of:

  • Legitimate interests (Article 6(1)(f) GDPR) — using a third-party analytics tool to improve business operations and retention
  • Contract performance (Article 6(1)(b) GDPR) — where analytics are necessary to fulfil the subscription contract
  • Consent (Article 6(1)(a) GDPR) — where the Controller relies on consent for analytics in its privacy policy

4.2 Privacy notice

The Controller shall ensure its privacy policy accurately discloses to end-customers that their data may be processed by third-party analytics service providers.

4.3 Data accuracy

The Controller is responsible for the accuracy and completeness of the data it authorises Eternly to access through the Shopify and subscription platform integrations.

4.4 Instruction compliance

The Controller shall only issue instructions to Eternly that are compliant with Applicable Data Protection Law.


Part 5 — International Data Transfers

5.1 Transfers to the United States

Eternly's Sub-processors include entities based in the United States. Where Personal Data originating from the EEA or UK is transferred to these Sub-processors, Eternly ensures the transfer is subject to appropriate safeguards under Article 46 GDPR, including:

  • Standard Contractual Clauses (Module 3: Processor to Processor) with each relevant US-based Sub-processor
  • The EU-US Data Privacy Framework, where the Sub-processor is certified

5.2 Standard Contractual Clauses

To the extent that SCCs are required for transfers of Personal Data under this DPA, the Controller and Eternly agree that the SCCs (Controller to Processor, Module 2) are hereby incorporated by reference. In the event of any conflict between the SCCs and this DPA, the SCCs shall prevail.

A copy of the SCCs is available on request from hello@anchersenco.com.


Part 6 — Return and Deletion of Data

6.1 Upon termination

Following termination of the Terms of Service, Eternly shall, at the Controller's choice:

  • Delete all Personal Data processed under this DPA within 30 days of termination, and provide written confirmation; or
  • Return all Personal Data in a machine-readable format within 30 days, and then delete all copies

6.2 Backup retention

Eternly uses automated backup systems. Backed-up Personal Data that cannot be selectively deleted will be isolated and protected until the next backup rotation cycle, at which point it will be permanently deleted.

6.3 Legal retention exceptions

Eternly may retain billing records relating to the Controller's account for the period required by Danish and EU tax and accounting law (up to 7 years). These records do not contain end-customer Personal Data.


Part 7 — Liability

Each party's liability under this DPA is subject to the limitations set out in the Terms of Service. Nothing in this DPA limits either party's liability for breach of obligations under Applicable Data Protection Law to the extent such liability cannot be limited by law.


Part 8 — Miscellaneous

8.1 Order of precedence

In the event of any conflict between this DPA and the Terms of Service, this DPA shall prevail with respect to data protection matters. In the event of any conflict between this DPA and the Standard Contractual Clauses, the SCCs shall prevail.

8.2 Updates to this DPA

Eternly may update this DPA from time to time to reflect changes in Applicable Data Protection Law or Eternly's processing activities. Eternly will notify Controllers of material changes at least 14 days before they take effect.

8.3 Governing law

This DPA is governed by the laws of Denmark. For Controllers based in the EEA, any disputes shall be resolved in the courts of Copenhagen, Denmark. For Controllers based in the UK, English law applies to any UK GDPR-specific elements of this DPA.


Annex A — Approved Sub-Processors

Current as of: March 25, 2026

Sub-processor | Purpose | Location | Transfer mechanism
Vercel Inc. | Web hosting, edge network, serverless infrastructure | USA | Standard Contractual Clauses
Neon Inc. | Postgres database hosting | USA | Standard Contractual Clauses
Clerk Inc. | Authentication and user identity management | USA | Standard Contractual Clauses
Inngest Inc. | Background job and workflow processing (data sync jobs) | USA | Standard Contractual Clauses
Anthropic PBC | AI recommendation generation (aggregated, anonymised statistical inputs only — no individual Personal Data) | USA | Standard Contractual Clauses
Shopify Inc. | App distribution, Shopify Billing API, GDPR webhook routing | USA / Canada | EU-US Data Privacy Framework / SCCs
Resend Inc. | Transactional email delivery | USA | Standard Contractual Clauses

Eternly will provide at least 14 days' notice before adding or replacing any Sub-processor listed above.


Annex B — Technical and Organisational Security Measures

Encryption

  • All data in transit is encrypted using TLS 1.2 or higher
  • All data at rest is encrypted using AES-256 via Neon Postgres
  • Database credentials and API keys are stored encrypted, not in plain text

Access controls

  • Access to production systems is restricted to authorised personnel only
  • Access is granted on a least-privilege, need-to-know basis
  • Authentication is enforced via Clerk with multi-factor authentication for administrative access

Infrastructure security

  • Production infrastructure hosted on Vercel with DDoS protection and edge security
  • Dependencies are regularly reviewed for vulnerabilities
  • Automated security scanning integrated into deployment pipeline

Incident response

  • Documented incident response procedure in place
  • Security incidents are classified and escalated based on severity
  • Notifications to Controllers issued within 72 hours of confirmed Security Incident

Data minimisation

  • Eternly accesses only the minimum data necessary to provide the Services
  • End-customer identifiers (Shopify Customer IDs) are used in preference to names or email addresses
  • Data that is not required for analytics is not stored

Backup and recovery

  • Daily automated backups of all production databases
  • Backup data is encrypted and stored separately from production systems
  • Recovery procedures are tested regularly

Data Processing Agreement v1.0 · Last updated March 25, 2026 · Previous versions available on request.
Eternly — An Anchersen & Co. Company · eternly.app