Legal

Data Processing Agreement

This DPA is incorporated into and forms part of the Shopreviews Terms of Service. It governs how we process personal data on your behalf as your data processor.

Last updated 6 May 2026 GDPR Art. 28 EU Standard Clauses

This DPA is automatically in effect for all Shopreviews customers. You do not need to sign a separate document. If your organisation requires a countersigned copy, email legal@shopreviews.com.

1. Definitions and Parties

For the purposes of this Data Processing Agreement, the following terms have the meanings set out below:

  • "Controller" means the customer (you) — the legal entity that determines the purposes and means of processing personal data of your end customers and website visitors.
  • "Processor" means Gearlab B.V. (trading as Shopreviews), Gonnetstraat 26, 2011 KA Haarlem, Netherlands.
  • "GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
  • "Personal Data", "Processing", and "Data Subject" each have the meaning ascribed to them in Article 4 of the GDPR.
  • "Services" means the Shopreviews review aggregation platform as described in the Terms of Service.

2. Subject Matter and Duration

The Processor processes Personal Data on behalf of the Controller solely for the purpose of providing the Services described in the Terms of Service. This DPA is incorporated into and forms part of the Terms of Service and comes into effect on the date the Controller first accesses or uses the Services.

This DPA remains in force for as long as the Processor processes Personal Data on behalf of the Controller. It terminates automatically upon termination or expiry of the Terms of Service, subject to the data deletion obligations set out in Section 10.

3. Nature and Purpose of Processing

The Processor carries out the following processing activities on behalf of the Controller:

  • Collection and display of end-customer review data fetched from connected third-party review platforms;
  • Storage of widget configuration data and connected-source credentials;
  • Delivery of review content via the embed widget or native integration to the Controller's website;
  • Generation of structured data (schema markup) for use on the Controller's web pages.

The purpose of these processing activities is to enable the Controller's website to display aggregated reviews from multiple platforms in a unified widget or native integration.

4. Categories of Personal Data Processed

Data fetched from connected review platforms may include the following categories of Personal Data relating to reviewers:

  • Reviewer name (first name or display name);
  • Review text content;
  • Star rating;
  • Review date;
  • Profile photo URL (where provided by the source platform).

Shopreviews acts as a pass-through for this data. We do not enrich, combine or cross-reference review data with any other personal data held by the Processor.

With respect to account-level data processed on behalf of the Controller: end-customer names and email addresses are not stored by Shopreviews unless explicitly submitted by the data subject via a support or contact form directed to Shopreviews.

5. Categories of Data Subjects

The Personal Data processed under this DPA relates to the following categories of Data Subjects:

  • End customers of the Controller who have left reviews on connected third-party review platforms;
  • The Controller's website visitors (only anonymous, aggregated analytics data is processed — no personal data attributable to individual visitors is collected or stored by Shopreviews).

6. Obligations of the Processor (Shopreviews)

In accordance with Article 28(3) of the GDPR, the Processor shall:

  1. Process Personal Data only on documented instructions from the Controller — namely, the configuration of the Services as set by the Controller — and shall immediately inform the Controller if, in the Processor's opinion, an instruction infringes the GDPR or other applicable Union or Member State data protection provisions;
  2. Ensure that all persons authorised to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
  3. Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as further described in Section 8;
  4. Respect the conditions referred to in Article 28(2) and (4) of the GDPR for engaging sub-processors, as described in Section 7;
  5. Taking into account the nature of the processing, assist the Controller by appropriate technical and organisational measures, insofar as this is possible, in fulfilling the Controller's obligation to respond to requests for exercising Data Subjects' rights under Chapter III of the GDPR;
  6. Assist the Controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR (security of processing, notification of breaches, data protection impact assessments, and prior consultations with supervisory authorities), taking into account the nature of processing and the information available to the Processor;
  7. At the choice of the Controller, delete or return all Personal Data to the Controller after the end of the provision of services relating to processing, and delete existing copies unless Union or Member State law requires storage of the Personal Data; and
  8. Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller, subject to reasonable advance notice and confidentiality obligations.

7. Sub-Processors

The Controller provides general written authorisation for the Processor to engage the sub-processors listed below. The Processor shall inform the Controller of any intended changes concerning the addition or replacement of sub-processors at least 14 days before any such change takes effect, thereby giving the Controller the opportunity to object to such changes.

If the Controller reasonably objects to a new sub-processor and no agreement can be reached within 7 days, the Controller may terminate the relevant Services by written notice, without penalty. Continued use of the Services after the 14-day notice period constitutes acceptance of the new sub-processor.

The Processor shall impose data protection obligations equivalent to those set out in this DPA on any sub-processor by way of a contract.

Sub-processor Service Location DPA / Privacy reference
Amazon Web Services EMEA SARL Cloud infrastructure (hosting, storage, compute) EU-West-1, Ireland aws.amazon.com/compliance/gdpr-center
Stripe, Inc. Payment processing USA (SCCs) stripe.com/privacy
Postmark (ActiveCampaign) Transactional email delivery USA (SCCs) postmarkapp.com/privacy-policy
Intercom, Inc. Customer support platform USA (SCCs) intercom.com/legal/privacy
Plausible Analytics Website analytics (cookieless) EU (Germany) plausible.io/data-policy

Where a sub-processor is located outside the European Economic Area in a country not recognised as providing an adequate level of protection, transfers are carried out on the basis of Standard Contractual Clauses adopted by the European Commission (SCCs), as indicated in the table above.

8. Technical and Organisational Security Measures

In accordance with Article 32 of the GDPR, the Processor maintains the following technical and organisational measures to ensure a level of security appropriate to the risk:

  • Encryption in transit: TLS 1.2 or higher is enforced for all data transmitted between the Controller's website and Shopreviews infrastructure;
  • Encryption at rest: AES-256 encryption is applied to all stored Personal Data;
  • Access controls: Role-based access controls with the principle of least privilege are applied to all internal systems; access is reviewed quarterly;
  • Authentication: Multi-factor authentication is mandatory for all staff with access to production systems;
  • Security assessments: Annual security assessments and penetration testing are conducted by qualified third-party specialists;
  • Incident response: A documented incident response plan is maintained, with 72-hour breach notification capability in compliance with Article 33 of the GDPR;
  • Backups: Automated backups are performed daily with a 30-day retention period and regular restoration testing;
  • Operational procedures: SOC 2-aligned operational procedures govern change management, vulnerability management and access provisioning.

The Processor shall keep these measures under regular review and shall implement improvements as technological developments and the nature of the risks evolve.

9. Data Subject Rights and Breach Notification

Data Subject Requests

The Processor will promptly forward to the Controller any requests received directly from Data Subjects that relate to Personal Data processed on the Controller's behalf, and shall do so within 5 business days of receipt. The Processor will not respond substantively to any such request without prior written authorisation from the Controller, except where required to do so by applicable law.

The Processor will provide such reasonable assistance as the Controller requires to respond to Data Subject requests in accordance with Chapter III of the GDPR, including requests for access, rectification, erasure, restriction, portability and objection.

Personal Data Breach Notification

In the event of a Personal Data breach, the Processor will notify the Controller without undue delay and in any event no later than 48 hours after becoming aware of the breach. Such notification will include, to the extent available at the time:

  • A description of the nature of the Personal Data breach;
  • The categories and approximate number of Data Subjects concerned;
  • The categories and approximate number of Personal Data records concerned;
  • The likely consequences of the Personal Data breach; and
  • The measures taken or proposed to be taken to address the breach, including, where appropriate, measures to mitigate its possible adverse effects.

Where it is not possible to provide all of the above information simultaneously, the information may be provided in phases without undue further delay.

10. Return and Deletion of Data

Upon termination or expiry of the Services for any reason, the Controller may export their data (including widget configurations and connected source details) for a period of 30 days via the Shopreviews dashboard.

After that 30-day export window, or upon the Controller's written request at any time, the Processor will securely delete all Personal Data processed on the Controller's behalf within 30 days, using industry-standard deletion methods that render the data unrecoverable. Existing backups containing such data will be purged within the same period in the normal course of backup rotation.

Notwithstanding the above, the Processor may retain Personal Data for longer where retention is required by applicable Union or Member State law — including, without limitation, financial and transactional records which must be retained for 7 years under Dutch law (Article 2:10 of the Dutch Civil Code and the Dutch General Tax Act).

A certificate of deletion can be provided to the Controller upon written request to legal@shopreviews.com.

For a countersigned DPA, specific contractual amendments or enterprise data protection questions, contact legal@shopreviews.com — we typically respond within 2 business days.