Data Processing Agreement
The short version
This Data Processing Agreement (the "DPA") describes how AfterMKT processes the merchant data you (the merchant) entrust to us when you use the AfterMKT Shopify app to issue digital receipts. It is the contract that EU, UK, and Swiss merchants need under Article 28 of the GDPR (and the corresponding UK and Swiss laws) before AfterMKT can lawfully process your data.
It says four things in plain English:
- We process your data only to deliver the AfterMKT service to you, never for our own marketing or any other purpose.
- We do not collect personal information about your buyers — none of that data ever reaches our servers.
- We secure what we do hold using TLS in transit, AWS-managed encryption at rest, and least-privilege access.
- We will help you respond to data-subject requests (access, deletion) within the timelines GDPR and CCPA require.
If you need this DPA in countersigned form, email rastaar@aftermkt.io. The published version on this page is the template; we counter-sign on request.
DRAFT — pending counsel review (2026-05-04). This document was prepared by AfterMKT internal review and has not been validated by external counsel. It is intended as a good-faith framework that a merchant's legal team can review and a future counsel pass can validate. Substantive obligations (security measures, breach timelines, sub-processor commitments) are intended to be binding; legal-form language is provisional.
1. Parties and applicability
This DPA is between AfterMKT, LLC, a Delaware limited liability company with an office at 4244 Duquesne Ave, Culver City, CA 90232 ("AfterMKT", "we", "us"), and the Shopify merchant identified in our records as the controller of the Shopify shop on which AfterMKT has been installed ("Merchant", "you").
This DPA forms part of, and is incorporated by reference into, the AfterMKT Terms of Service. If there is a conflict between this DPA and the Terms of Service on a data-protection question, this DPA controls.
This DPA applies whenever AfterMKT processes Personal Data on your behalf in connection with the AfterMKT service, including data about your customers that Shopify sends to us via webhooks or the Admin API.
2. Definitions
The following terms have the meanings given to them in the GDPR (Regulation (EU) 2016/679), the UK GDPR, the Swiss Federal Act on Data Protection, or the California Consumer Privacy Act (as amended by the CPRA), as applicable:
- Personal Data — any information relating to an identified or identifiable natural person.
- Data Subject — the natural person to whom Personal Data relates. In this DPA, the Data Subject is most often a buyer purchasing from your Shopify store.
- Processing — any operation performed on Personal Data, including collection, recording, storage, retrieval, transmission, deletion.
- Controller — the party that determines the purposes and means of the Processing. For the data covered by this DPA, the Merchant is the Controller.
- Processor — the party that processes Personal Data on behalf of the Controller. For the data covered by this DPA, AfterMKT is the Processor.
- Sub-processor — any third party engaged by AfterMKT to process Personal Data on AfterMKT's behalf.
- Personal Data Breach — a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.
- Standard Contractual Clauses or SCCs — the European Commission's standard contractual clauses for the transfer of Personal Data to third countries, set out in Implementing Decision (EU) 2021/914 of 4 June 2021, Module 2 (Controller to Processor).
- UK IDTA — the United Kingdom International Data Transfer Addendum to the EU SCCs, issued by the UK Information Commissioner's Office.
3. Subject matter and details of processing
The full description of the Processing — its subject matter, duration, nature, purpose, categories of Data Subjects, and types of Personal Data — is set out in Annex I at the end of this DPA. Annex I is incorporated by reference and is binding.
In summary: AfterMKT processes commercial order data and a small set of merchant business information for the purpose of issuing on-chain digital receipts for each line item in your paid Shopify orders. AfterMKT does not collect, receive, or store buyer Personal Data — buyer-identifying fields in Shopify webhooks are stripped at ingestion before any storage occurs.
4. AfterMKT's obligations as Processor
AfterMKT will:
- (a) Process Personal Data only on documented instructions from the Merchant. The Merchant's instructions are recorded in (i) the AfterMKT Terms of Service, (ii) this DPA, and (iii) any further written instructions the Merchant provides through the AfterMKT admin app or by email to rastaar@aftermkt.io. AfterMKT will not process Personal Data for any other purpose, including any marketing or analytics use.
- (b) Ensure that personnel authorized to process Personal Data are bound by written confidentiality obligations.
- (c) Implement and maintain the technical and organizational security measures set out in Annex II, designed to ensure a level of security appropriate to the risk.
- (d) Engage Sub-processors only in accordance with Section 5 of this DPA.
- (e) Taking into account the nature of the Processing, assist the Merchant by appropriate technical and organizational measures, insofar as possible, in fulfilling its obligation to respond to requests from Data Subjects exercising their rights under applicable data-protection law.
- (f) Assist the Merchant in ensuring compliance with its obligations under Articles 32 to 36 of the GDPR (security, breach notification, data-protection impact assessments, prior consultation), taking into account the nature of the Processing and the information available to AfterMKT.
- (g) At the Merchant's choice, return or delete all Personal Data processed under this DPA at the end of the Term, except to the extent retention is required by applicable law (see Section 10).
- (h) Make available to the Merchant all information necessary to demonstrate compliance with the obligations in this Section 4 and allow for and contribute to audits, including inspections, conducted by the Merchant or another auditor mandated by the Merchant (see Section 9).
5. Sub-processors
The Merchant gives AfterMKT general written authorization to engage Sub-processors, subject to the following conditions:
- AfterMKT will keep an up-to-date list of Sub-processors at Annex III of this DPA.
- AfterMKT will impose on each Sub-processor data-protection obligations no less protective than those set out in this DPA, by written contract.
- AfterMKT will provide notice to the Merchant of any intended addition or replacement of a Sub-processor at least thirty (30) days before the change takes effect, by updating Annex III on this page and emailing the Merchant's contact on file.
- The Merchant may object to a proposed Sub-processor change in writing within fourteen (14) days of receiving notice. If the Merchant reasonably objects on data-protection grounds, AfterMKT will use reasonable efforts to make the AfterMKT service available to the Merchant without engaging the objected-to Sub-processor; if AfterMKT cannot, the Merchant may terminate this DPA and the Terms of Service for that affected portion of the service.
- AfterMKT remains fully liable to the Merchant for the performance of each Sub-processor's data-protection obligations.
6. International transfers
When AfterMKT or one of its Sub-processors transfers Personal Data outside the European Economic Area, the United Kingdom, or Switzerland to a country that has not been the subject of an adequacy decision, the transfer will be subject to one of the following safeguards:
- The European Commission's Standard Contractual Clauses (Implementing Decision (EU) 2021/914), Module 2 (Controller to Processor), with AfterMKT as data importer and the Merchant as data exporter. The SCCs are incorporated into this DPA by reference. The optional clauses are populated as follows: Clause 7 (docking) — applicable; Clause 9(a) (Sub-processors) — Option 2, general written authorization, with the 30-day notice period in Section 5; Clause 11(a) (independent dispute resolution) — not selected; Clause 17 (governing law) — Irish law; Clause 18 (forum and jurisdiction) — courts of Ireland.
- For UK transfers, the UK International Data Transfer Addendum to the EU SCCs, issued by the UK Information Commissioner's Office, in its current form. The UK IDTA is incorporated into this DPA by reference. Tables 1, 2, and 3 of the IDTA are populated by reference to the corresponding fields of the SCCs above; Table 4 — neither party may end the IDTA unilaterally except as provided in the SCCs.
- For Swiss transfers, the EU SCCs apply with the following adaptations: references to the GDPR are read as references to the Swiss Federal Act on Data Protection; references to "Member State" are read as references to Switzerland; the supervisory authority is the Swiss Federal Data Protection and Information Commissioner.
If the Court of Justice of the European Union, a competent supervisory authority, or any other competent body invalidates or amends the SCCs or the UK IDTA, AfterMKT will work with the Merchant in good faith to implement an alternative valid transfer mechanism within a reasonable period.
7. Personal Data Breach notification
If AfterMKT becomes aware of a Personal Data Breach affecting Personal Data Processed under this DPA, AfterMKT will:
- Notify the Merchant without undue delay and in any event within seventy-two (72) hours of becoming aware, by email to the Merchant's contact on file and by a notice in the AfterMKT admin app.
- Provide the Merchant with the information reasonably required to meet the Merchant's own GDPR Article 33 / 34 notification obligations, to the extent that information is available to AfterMKT, including: the nature of the breach, the categories and approximate number of Data Subjects and records affected, the likely consequences, and the measures AfterMKT has taken or proposes to take.
- Cooperate with the Merchant's reasonable investigation and remediation requests.
8. Data Subject requests
If AfterMKT receives a request directly from a Data Subject (for example, a buyer) to exercise a right of access, rectification, erasure, restriction, portability, or objection in relation to Personal Data Processed under this DPA, AfterMKT will not respond directly except to acknowledge receipt and direct the Data Subject to the Merchant. AfterMKT will forward the request to the Merchant's contact on file without undue delay.
For the avoidance of doubt, AfterMKT does not collect or store buyer Personal Data, so most buyer-directed requests can be answered by the Merchant from the Merchant's own Shopify records without any data being held by AfterMKT.
For requests concerning the Merchant's own business contact information held by AfterMKT (the data described in Annex I, Section 4(a)), the Merchant may exercise its rights directly by emailing rastaar@aftermkt.io. AfterMKT will respond within one calendar month, as required by GDPR Article 12(3).
9. Audits
AfterMKT will make available to the Merchant, on reasonable written request and no more than once per twelve-month period (except where the Merchant has documented reasonable cause to suspect non-compliance), the information necessary to demonstrate AfterMKT's compliance with this DPA. This may include current security documentation, sub-processor lists, and reasonable answers to written questions.
If, after reviewing AfterMKT's documentation, the Merchant determines an on-site audit or inspection is necessary, the Merchant may, at its own expense, mandate an independent third-party auditor (subject to confidentiality obligations and approval not unreasonably withheld) to conduct an audit during AfterMKT's normal business hours, with thirty (30) days' written notice. The auditor's scope must be limited to AfterMKT's Processing under this DPA and may not access the Personal Data of any other AfterMKT customer.
10. Return and deletion
On termination of the AfterMKT service for the Merchant (whether by uninstall, expiration, or termination under the Terms of Service), AfterMKT will, at the Merchant's choice expressed within thirty (30) days of termination:
- Return to the Merchant a copy of all Merchant Personal Data Processed under this DPA in a structured, commonly used, machine-readable format; or
- Delete all Merchant Personal Data Processed under this DPA.
In the absence of an instruction from the Merchant within thirty (30) days of termination, AfterMKT will retain Merchant Personal Data for up to twenty-four (24) months for audit and dispute-resolution purposes, then delete it. If Shopify's shop/redact GDPR webhook fires for the shop before the end of that 24-month window, AfterMKT will purge the Merchant record on receipt of the webhook.
On-chain receipts are out of scope. The compressed NFTs minted on the Solana blockchain by AfterMKT in connection with paid Shopify orders contain only the public commercial fields described in Annex I, Section 4(d) — they do not contain Personal Data. Because of the append-only nature of public blockchains, on-chain receipts cannot be deleted by AfterMKT or any other party. If the Merchant believes an on-chain record contains Personal Data about a Data Subject, AfterMKT will investigate in good faith.
11. Order of precedence
In the event of a conflict between this DPA, the AfterMKT Terms of Service, and the SCCs / UK IDTA incorporated by reference, the order of precedence is: (1) the SCCs / UK IDTA; (2) this DPA; (3) the Terms of Service.
12. Governing law and jurisdiction
This DPA is governed by the laws of the State of California, USA, without regard to conflict-of-laws principles, except that the SCCs and UK IDTA are governed by Irish law and the law of England and Wales respectively (or as set out in those instruments). Disputes arising out of or in connection with this DPA that are not subject to the SCCs or UK IDTA dispute-resolution provisions will be resolved in accordance with Section 14 (Dispute Resolution) of the AfterMKT Terms of Service.
13. Term and termination
This DPA is effective on the date the Merchant accepts the AfterMKT Terms of Service and remains in effect for as long as AfterMKT processes Personal Data on the Merchant's behalf, plus any retention window described in Section 10.
14. How to execute
The published version of this DPA on aftermkt.io/legal/dpa is the template that applies to all merchants by reference, as part of the Terms of Service. If your legal team requires a separately countersigned copy:
- Email rastaar@aftermkt.io with your shop domain and the contact details for your data-protection officer or equivalent.
- AfterMKT will return a countersigned PDF of this DPA, populated with your details, within five business days.
- The countersigned copy and the published version are intended to have identical substance; if there is a discrepancy, the version your legal team has explicitly negotiated and signed controls.
Annex I — Description of Processing
1. Categories of Data Subjects.
- The Merchant's authorized personnel (the contact AfterMKT communicates with about the merchant account).
- Buyers placing paid orders on the Merchant's Shopify store. Note that AfterMKT receives no Personal Data about Buyers; their identity is represented only by the wallet address they choose to connect when claiming a receipt, which is pseudonymous under the GDPR.
2. Categories of Personal Data Processed.
- Merchant business contact information: business name, contact email address (the Merchant's, never a customer's), optional phone number, optional business address, the Shopify shop domain and numeric shop ID, the timestamp of Terms of Service acceptance, and internal approval audit fields recording who at AfterMKT approved the Merchant onboarding and when.
- Order data: Shopify order ID and order number, currency, totals, sale date, sales channel, line items (product title, description, image URL, price, quantity, SKU, vendor, product type), and additional product details fetched from the Shopify Admin API (description, images, tags, public metafields).
- Wallet address: when a Buyer claims a receipt, the Buyer's Solana wallet address (a pseudonymous public-key string) is associated with the resulting on-chain receipt. This is not received from the Merchant; it is supplied by the Buyer at claim time.
3. Categories of data the Merchant instructs AfterMKT NOT to process.
The following fields are present in Shopify webhook payloads but are explicitly stripped by AfterMKT at ingestion before any storage occurs, pursuant to the Merchant's standing instruction recorded in Section 4(a) of this DPA:
- Customer email address
- Customer name (first or last)
- Billing address and shipping address
- Customer phone number
- Customer IP address
- Customer browser or user-agent string
- Marketing-consent flags
- Internal Shopify customer ID
If Shopify adds new buyer-identifying fields to the webhook payload in the future, AfterMKT's ingestion pipeline drops any field that is not on an explicit allowlist of commercial data, so by default new fields are excluded from Processing.
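The allowlist ingestion described in this Section (and restated under Data minimization in Annex II) is illustrated below in Python. This is an added example written for this page, not AfterMKT's own ingestion code; the allowlisted field names, the tripwire fragments and the sample payload are assumptions shaped like a Shopify orders/paid webhook.

```python
"""Default-deny allowlist filter for a Shopify order webhook (added illustration,
not AfterMKT's own code). Assumes a payload shaped like a Shopify orders/paid
webhook; the constructed sample at the bottom stands in for a real one."""
from __future__ import annotations

import json
from typing import Any

# Order-level commercial fields the merchant instructs us to keep (Annex I, Section 2).
ORDER_ALLOWLIST = frozenset({"id", "order_number", "name", "currency", "total_price",
                             "subtotal_price", "created_at", "source_name"})
# Line-item commercial fields; description and images come later from the Admin API.
LINE_ITEM_ALLOWLIST = frozenset({"id", "title", "price", "quantity", "sku", "vendor",
                                 "product_id", "variant_id"})
# Tripwire behind the allowlist: key fragments that must never reach storage.
PII_KEY_FRAGMENTS = ("customer", "email", "phone", "address", "_ip", "client_details", "marketing")


def minimize_order(payload: dict[str, Any]) -> dict[str, Any]:
    """Build the record to store from allowlisted fields only; unknown keys are dropped."""
    record = {k: payload[k] for k in ORDER_ALLOWLIST if k in payload}
    # Nested structures are rebuilt field by field; a sub-object is never copied whole.
    record["line_items"] = [{k: item[k] for k in LINE_ITEM_ALLOWLIST if k in item}
                            for item in payload.get("line_items", [])]
    # Receipts carry the sale date only, not the timestamp (Annex I, Section 4(d)).
    if "created_at" in record:
        record["sale_date"] = record.pop("created_at")[:10]
    return record


def pii_keys(obj: Any, path: str = "") -> list[str]:
    """Return the path of every key, at any depth, that looks buyer-identifying."""
    found: list[str] = []
    if isinstance(obj, dict):
        for k, v in obj.items():
            p = f"{path}.{k}" if path else k
            if any(frag in k.lower() for frag in PII_KEY_FRAGMENTS):
                found.append(p)
            found.extend(pii_keys(v, p))
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            found.extend(pii_keys(v, f"{path}[{i}]"))
    return found


def ingest(raw_body: str) -> dict[str, Any]:
    """Parse a webhook body, minimize it, and refuse to store it if the tripwire fires."""
    record = minimize_order(json.loads(raw_body))
    if leaked := pii_keys(record):
        raise ValueError(f"refusing to store record, buyer fields present: {leaked}")
    return record


# Constructed sample (not a real order) in the shape of a Shopify orders/paid webhook.
SAMPLE_PAYLOAD: dict[str, Any] = {
    "id": 820982911946154508, "order_number": 1042, "name": "#1042", "currency": "USD",
    "total_price": "49.00", "subtotal_price": "45.00", "source_name": "web",
    "created_at": "2026-05-04T16:21:09-07:00",
    "email": "buyer@example.com", "phone": "+15555550123", "browser_ip": "203.0.113.7",
    "buyer_accepts_marketing": True,
    "customer": {"id": 1153106273, "first_name": "Ada", "last_name": "L."},
    "billing_address": {"address1": "1 Example St"}, "shipping_address": {"city": "Nowhere"},
    "client_details": {"user_agent": "Mozilla/5.0"},
    "loyalty_profile_v2": {"tier": "gold"},  # a field "added later": dropped by default
    "line_items": [{"id": 1, "title": "Widget", "price": "45.00", "quantity": 1, "sku": "W-1",
                    "vendor": "ACME", "product_id": 7, "variant_id": 8,
                    "properties": [{"name": "gift_note", "value": "Happy birthday, Ada"}]}],
}
SAMPLE_WEBHOOK = json.dumps(SAMPLE_PAYLOAD)
```

Calling ingest(SAMPLE_WEBHOOK) keeps only the eight order fields and eight line-item fields, drops the nested customer, address and client_details objects, the free-text line-item properties and the unknown loyalty_profile_v2 field, and would raise rather than store if an allowlist change ever let a buyer-identifying key through.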
4. Subject matter, nature, and purpose of Processing.
- (a) Subject matter. The Processing of Merchant business contact information and order data necessary to operate the AfterMKT digital-receipts service for the Merchant.
- (b) Nature. Receipt and storage of Shopify webhook payloads in Amazon DynamoDB; enrichment of order data via the Shopify Admin API; minting of compressed NFTs on the Solana blockchain (via Helius RPC) representing each line item in a paid order; service of receipt-claim and receipt-detail pages to Buyers and Merchants via the AfterMKT marketing site and admin app.
- (c) Purpose. Issuing a digital receipt for each line item in each paid Shopify order on the Merchant's store, and making that receipt available for the Buyer to claim into a Solana wallet.
- (d) Data written to the Solana blockchain. Per receipt: the Merchant's public business name; the product title; a trimmed product description; one product image URL; the order number (a Merchant-assigned reference such as #1042); the sale date (date only, no timestamp); the item price; the Buyer's Solana wallet address. No Personal Data about Buyers is written on-chain. A wallet address on its own is pseudonymous under the GDPR.
5. Duration of Processing.
For as long as the Merchant is an active AfterMKT user, plus a retention window of up to twenty-four (24) months following uninstall (see Section 10). Order data, which contains no Personal Data, is retained indefinitely as a non-personal commercial record. Buyer Personal Data is not retained because it is not collected.
6. Frequency of transfers (for SCC purposes).
Continuous, in connection with the operation of the AfterMKT service.
Annex II — Technical and Organizational Measures
AfterMKT implements and maintains the following measures, designed to ensure a level of security appropriate to the risk presented by Processing under this DPA:
Encryption.
- All data in transit is encrypted using TLS 1.2 or higher.
- All data at rest is encrypted using AWS-managed encryption (AES-256) on Amazon DynamoDB and related AWS storage services.
Access control.
- Access to production data is restricted to authorized AfterMKT personnel.
- Access is gated by role-based access controls and multi-factor authentication.
- Administrative access to production resources is logged and reviewed.
Network security.
- Production resources are hosted in Amazon Web Services regions us-west-2 (gamma/staging) and us-east-1 (production).
- Edge traffic is fronted by Vercel; backend APIs run on AWS Lambda with restrictive IAM policies (least privilege).
- Inbound traffic to backend services is restricted by AWS security groups.
Sub-processor controls.
- AfterMKT engages Sub-processors only after performing a reasonable diligence review and only under written contracts that impose data-protection obligations no less protective than those in this DPA.
- The current Sub-processor list is maintained at Annex III.
Data minimization.
- AfterMKT's Shopify webhook ingestion pipeline strips all buyer-identifying fields at ingestion, before any storage occurs. New fields added by Shopify are excluded by default unless explicitly added to an allowlist of commercial data.
- AfterMKT does not collect, receive, or store buyer Personal Data.
Incident response.
- AfterMKT will notify affected Merchants of a Personal Data Breach within seventy-two (72) hours of becoming aware, per Section 7.
Personnel.
- AfterMKT personnel with access to production data are bound by written confidentiality obligations.
Auditing and logging.
- Administrative access is logged for audit purposes.
- AfterMKT periodically reviews logs and access controls.
These measures are reviewed periodically and updated as the AfterMKT service evolves. Material reductions in the protection afforded by these measures will be communicated to the Merchant in accordance with Section 5 of this DPA.
Annex III — Approved Sub-processors
As of the effective date of this DPA, AfterMKT engages the following Sub-processors:
- Amazon Web Services, Inc. — cloud infrastructure (compute, storage, networking). Regions: us-west-2, us-east-1. AWS's processing of Personal Data is subject to the AWS Data Processing Addendum (DPA), which incorporates the EU Standard Contractual Clauses (Module 2) and the UK IDTA. AWS publishes its DPA at https://aws.amazon.com/service-terms/.
- Vercel, Inc. — hosting, edge network, and CDN for the AfterMKT marketing site (aftermkt.io), the buyer claim flow, and the merchant admin app. Vercel's processing of Personal Data is subject to the Vercel Data Processing Addendum, which incorporates the EU SCCs and the UK IDTA. Vercel publishes its DPA at https://vercel.com/legal/dpa.
- Shopify, Inc. — source of order and merchant webhook data. Shopify is the Merchant's own processor for the underlying e-commerce transaction; AfterMKT receives data from Shopify on the Merchant's instructions.
- Helius Labs, Inc. — Solana RPC provider used to submit receipt-mint transactions and to read public on-chain state. Helius receives only the public Solana transactions AfterMKT submits — it does not receive Merchant business contact information from us. AfterMKT has not yet executed Standard Contractual Clauses with Helius. AfterMKT will execute SCCs (or rely on an equivalent valid transfer mechanism) with Helius before onboarding the first Merchant established in the EEA, the UK, or Switzerland, and in any event within ninety (90) days of the effective date of this DPA. Until then, the absence of SCCs with Helius does not affect EEA/UK/Swiss Data Subjects, because no such Personal Data is sent to Helius.
- Arweave — decentralized storage network used to host public receipt metadata and product images. Arweave hosts only the public commercial fields listed in Annex I, Section 4(d). No Personal Data is sent to Arweave.
The list above will be kept current. Notice of additions or replacements is delivered as set out in Section 5.
Contact
For any question arising under this DPA, including a request for a countersigned copy:
Email: rastaar@aftermkt.io
Postal address: AfterMKT, LLC, 4244 Duquesne Ave, Culver City, CA 90232