Data Processing Agreement
Last updated: March 7, 2026
Need a signed DPA?
Contact us to receive a countersigned copy
1. Definitions
- "Controller" means you, the merchant using our Service, who determines the purposes and means of processing personal data of your store visitors and customers
- "Processor" means North Star Metric, which processes personal data on behalf of the Controller
- "Personal Data" means any information relating to an identified or identifiable natural person, as defined under GDPR Article 4(1)
- "Processing" means any operation performed on Personal Data, including collection, recording, organization, storage, adaptation, retrieval, use, disclosure, erasure, or destruction
- "Data Subject" means the individual whose Personal Data is processed
- "Sub-Processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller
- "Customer Data" means all Personal Data processed by North Star Metric on behalf of the Controller through the Service
2. Scope and Purpose of Processing
This DPA applies to the processing of Personal Data by North Star Metric on behalf of the Controller in connection with the provision of analytics, attribution, and server-side event forwarding services.
2.1 Categories of Data Subjects
- Visitors to the Controller's online store(s)
- Customers who make purchases from the Controller
2.2 Types of Personal Data Processed
- Device and browser attributes (hashed into pseudonymous fingerprints)
- IP addresses (hashed at CIDR-level at ingestion; raw IPs are never stored)
- Browsing behavior (pages visited, time on site, referrer URL, landing page)
- Marketing attribution data (UTM parameters, click identifiers)
- Order and conversion information (via Shopify webhooks)
- Email addresses and phone numbers (hashed with SHA-256 for attribution matching and ad platform event forwarding)
- Pseudonymous visitor identifiers (generated by our tracking script)
- Shopify customer IDs (pseudonymous)
2.3 Purpose of Processing
- Providing analytics and attribution services as described in the Terms of Service
- Identity resolution (associating sessions and devices with visitor profiles)
- Server-side event forwarding to advertising platforms (only when activated by Controller)
- Generating aggregated reporting and dashboards for the Controller
3. Processor Obligations
North Star Metric shall:
- Process Personal Data only on documented instructions from the Controller, unless required by applicable law
- Ensure that persons authorized to process Personal Data are bound by confidentiality obligations
- Implement appropriate technical and organizational security measures as described in Section 8
- Assist the Controller in responding to Data Subject requests within 72 hours of receiving the request
- Assist the Controller in ensuring compliance with GDPR Articles 32-36 (security, breach notification, impact assessments)
- Delete or return all Personal Data within 60 days of termination of services, unless legally required to retain it
- Make available all information necessary to demonstrate compliance with this DPA
- Not process Personal Data for any purpose other than providing the Service to the Controller
- Not combine Customer Data with data from other controllers or with the Processor's own data
4. Controller Obligations
The Controller shall:
- Ensure a lawful basis exists for the processing of Personal Data under applicable law
- Provide required privacy notices to Data Subjects disclosing the use of North Star Metric as a data processor
- Obtain any required consents for tracking and analytics, including device fingerprinting
- Configure and maintain an appropriate cookie consent management platform (CMP)
- Not transmit sensitive or special category data (as defined in GDPR Article 9) through the Service, including health data, biometric data, financial account credentials, government identification numbers, criminal records, or data relating to children under 16
- Notify the Processor promptly of any Data Subject requests received directly
5. Sub-Processors
The Controller authorizes the Processor to engage the following sub-processors. The Processor shall inform the Controller at least 30 days in advance of any intended additions or replacements of sub-processors, giving the Controller an opportunity to object.
5.1 Infrastructure Sub-Processors
| Sub-Processor | Purpose | Location |
|---|---|---|
| Hetzner Online GmbH | Cloud infrastructure (servers, ClickHouse database, Redis) | Germany (EU) |
| Supabase Inc. | Authentication, merchant configuration, store management | EU region (AWS Frankfurt) |
| Cloudflare, Inc. | CDN, DDoS protection, DNS | Global (SCCs in place) |
| Stripe, Inc. | Payment processing and billing | USA (SCCs in place) |
5.2 Conditional Sub-Processors (Merchant-Activated)
The following sub-processors are only activated when the Controller explicitly enables the corresponding integration:
| Sub-Processor | Purpose | Location |
|---|---|---|
| Meta Platforms, Inc. | Conversions API event forwarding | USA (SCCs in place) |
| Google LLC | Enhanced Conversions event forwarding | USA (SCCs in place) |
| TikTok Inc. | Events API event forwarding | USA (SCCs in place) |
6. International Data Transfers
Personal Data is primarily processed within the European Economic Area (EEA). For any transfers outside the EEA, appropriate safeguards are in place, including:
- Standard Contractual Clauses (SCCs) approved by the European Commission (Commission Implementing Decision (EU) 2021/914)
- Module Two (Controller to Processor) for transfers to infrastructure sub-processors
- Supplementary measures including encryption in transit and at rest
When the Controller activates advertising platform integrations, hashed conversion data is transmitted to those platforms' servers which may be located outside the EU. This transfer occurs under the Controller's instructions and the Controller's own legal basis for that transfer.
7. Data Subject Rights
The Processor shall assist the Controller in fulfilling its obligations to respond to Data Subject requests within the following timeframes:
- Deletion requests — Data removed from all systems (ClickHouse, Redis, identity graph) within 72 hours of receiving the Controller's instruction
- Access requests — Data export provided within 15 business days
- Rectification requests — Corrections applied within 5 business days
- Portability requests — Machine-readable export (JSON) within 15 business days
- Restriction requests — Processing restricted within 24 hours
Merchants can submit Data Subject requests through their dashboard (Settings > GDPR Data Requests) or via email to privacy@northstarmetric.io.
8. Security Measures
The Processor implements the following technical and organizational measures:
8.1 Encryption
- TLS 1.3 for all data in transit
- Encrypted storage for sensitive data at rest
- IP addresses hashed at CIDR-level at the point of ingestion
- PII (email, phone) hashed with SHA-256 before storage and before transmission to advertising platforms
8.2 Access Control
- JWT-based authentication with RS256 digital signatures
- Per-store write keys for tracking endpoint authentication
- Role-based access control for merchant dashboard
- Store-level data isolation (merchants cannot access other merchants' data)
8.3 Application Security
- SQL injection protection with parameterized queries
- HMAC verification on all incoming webhooks
- Rate limiting on all public-facing endpoints
- CORS origin validation
- Idempotency guards (24-hour TTL) to prevent duplicate event processing
- Regular security audits and penetration testing
8.4 Operational Security
- Automated monitoring and alerting
- Incident response procedures
- Regular backups with tested restoration procedures
- Security-aware development practices
9. Data Breach Notification
In the event of a Personal Data breach, the Processor shall:
- Notify the Controller without undue delay and in any case within 72 hours of becoming aware of the breach, in accordance with GDPR Article 33
- Provide all information necessary for the Controller to fulfill its breach notification obligations, including the nature of the breach, categories and approximate number of Data Subjects affected, likely consequences, and measures taken or proposed to mitigate
- Cooperate with the Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of the breach
- Maintain a record of all Personal Data breaches, including facts, effects, and remedial actions taken
10. CCPA/CPRA Addendum
To the extent the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) apply to the processing of Personal Data under this DPA:
- North Star Metric acts as a Service Provider as defined under CCPA Section 1798.140(ag)
- We shall not sell or share Personal Information received from the Controller
- We shall not retain, use, or disclose Personal Information for any purpose other than the business purposes specified in this DPA and the Terms of Service
- We shall not combine Personal Information received from the Controller with Personal Information received from other sources or collected from our own interactions, except as permitted by the CCPA
- We certify that we understand and will comply with these restrictions
- We grant the Controller the right to take reasonable and appropriate steps to ensure compliance, and to stop and remediate unauthorized use of Personal Information
11. Identity Resolution and Device Profiling
The Processor performs identity resolution as part of the attribution service. This involves:
- Processing device and browser signals to create pseudonymous fingerprint hashes
- Associating multiple sessions and devices with a common visitor profile when technical signals indicate common ownership
- Matching visitor profiles with order data to calculate attribution
This processing is performed solely for the purpose of providing attribution services to the relevant Controller. Device profiles are:
- Not shared across Controller accounts
- Not used for purposes unrelated to the Controller's attribution and analytics
- Retained for the duration specified in the data retention schedule
- Deleted upon termination of the Controller's subscription
12. Term and Termination
This DPA shall remain in effect for the duration of the processing of Personal Data by the Processor. Upon termination:
- The Controller has a 60-day window to export their data through the dashboard
- After the 60-day window, all Personal Data will be permanently deleted
- Deletion covers all storage systems: ClickHouse (analytics), Redis (cache), Supabase (configuration), and identity graph data
- Billing records may be retained for up to 7 years as required by law
- Aggregated, anonymized data that cannot identify any individual may be retained
13. Governing Law
This DPA shall be governed by and construed in accordance with the laws of the Netherlands. For Data Subjects in the EU/EEA, the applicable provisions of GDPR shall prevail in case of conflict with these terms.
14. Contact
For DPA-related inquiries, contact our Data Protection team at privacy@northstarmetric.io