Data Processing Agreement
Last updated: 11 June 2026
1. Parties and scope
This Data Processing Agreement ("DPA") forms part of the Limelite Platform Terms of Service between the merchant operating a store on the Platform (the "Controller") and [RIVIERA TECH LEGAL NAME] (the "Processor"). It governs the processing of personal data of the Controller's customers carried out by the Processor on the Controller's behalf, as required by Article 28 GDPR.
2. Subject matter of processing
- Categories of data subjects: the Controller’s customers and storefront visitors.
- Categories of data: account data (name, email, password hash), order and delivery data (addresses, purchased items), payment status metadata, support messages, technical logs.
- Purpose: operating the Controller’s online store — accounts, checkout, order fulfilment, transactional email, analytics where consented.
- Duration: the term of the platform subscription plus the wind-down period in Section 8.
3. Processor obligations
- Process personal data only on documented instructions from the Controller, including with regard to international transfers.
- Ensure persons authorised to process the data are bound by confidentiality.
- Implement appropriate technical and organisational measures (Section 6).
- Assist the Controller in responding to data subject requests (the Platform provides self-service export and deletion for shoppers) and in meeting its obligations under Articles 32–36 GDPR.
- Make available information necessary to demonstrate compliance and allow audits as described in Section 7.
4. Sub-processors
The Controller grants general authorisation for the following sub-processors. The Processor will give prior notice of changes, giving the Controller the opportunity to object:
- [HOSTING PROVIDER] — infrastructure hosting, [REGION].
- Stripe Payments Europe Ltd — payment processing.
- [EMAIL/SMTP PROVIDER] — transactional email delivery.
- MongoDB hosting provider [PROVIDER/REGION] — database hosting.
- Google (Analytics, AdSense) — only where the Controller enables them and the data subject consents.
5. International transfers
Personal data is processed within the EU/EEA where possible. Where a sub-processor processes data outside the EU/EEA, the transfer is protected by an adequacy decision or EU Standard Contractual Clauses.
6. Security measures (Art. 32)
- Encryption in transit (TLS) for all storefront, admin and API traffic.
- Password hashing, session security and role-based access control (merchant/staff roles, step-up checks for privileged actions).
- Tenant isolation between stores, with automated boundary tests.
- Backups with restoration verification, audit logging, and centralised error telemetry with PII redaction.
7. Audits
The Processor provides, on request, documentation evidencing compliance and allows audits by the Controller or its mandated auditor, no more than once per year unless a supervisory authority requires otherwise or a personal data breach has occurred.
8. Data breach and termination
- The Processor notifies the Controller without undue delay after becoming aware of a personal data breach affecting the Controller’s data.
- On termination of the subscription, the Processor deletes or returns all personal data within 30 days, unless EU or member-state law requires longer storage.
Template notice: this document is a starting point provided by the Limelite platform. Text in [BRACKETS] must be completed by the store operator, and the final wording should be reviewed by a qualified legal adviser before relying on it.