Data Processing Agreement

How Alloy processes data on behalf of our customers, including security measures and your rights as a data controller.

Last updated: March 2026

This Data Processing Agreement ("DPA") forms part of the agreement between Alloy ("Processor") and the customer entity ("Controller") that has executed an agreement for the use of the Alloy platform (the "Service Agreement"). This DPA applies to the extent that Alloy processes Personal Data on behalf of the Controller in the course of providing the Service.

1. Scope

This DPA applies to all Personal Data processed by Alloy on behalf of the Controller through the Service. "Personal Data" means any information relating to an identified or identifiable natural person that is processed by Alloy in connection with the Service. The subject matter of processing is the provision of enterprise Shopify solutions and related services. The duration of processing corresponds to the term of the Service Agreement.

Categories of data subjects may include the Controller's employees, contractors, and end customers. Categories of Personal Data processed may include names, email addresses, IP addresses, device identifiers, and any personal data contained within the Controller's storefront configurations and deployment artifacts.

2. Data Processing

Alloy shall process Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to a third country, unless required to do so by applicable law. In such a case, Alloy shall inform the Controller of that legal requirement before processing, unless the law prohibits such notification on important grounds of public interest.

Alloy shall ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. Alloy shall not engage another processor without prior specific or general written authorization of the Controller.

3. Security Measures

Alloy implements and maintains appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

  • Encryption: all data encrypted in transit using TLS 1.3 and at rest using AES-256
  • Isolation: pod-per-tenant architecture ensuring complete separation of customer environments, dedicated databases, and independent process boundaries
  • Access control: role-based access controls, multi-factor authentication for all internal systems, and principle of least privilege for all access grants
  • Monitoring: continuous security monitoring, automated anomaly detection, and centralized audit logging
  • Testing: regular penetration testing, vulnerability assessments, and security code reviews
  • Incident response: documented incident response procedures with defined escalation paths
  • Business continuity: automated backups, geographic redundancy, and disaster recovery procedures

4. Sub-processors

Alloy maintains a list of sub-processors used to provide the Service. The Controller may subscribe to receive notifications of changes to the sub-processor list. Alloy will provide at least 30 days' notice before engaging a new sub-processor. If the Controller objects to a new sub-processor on reasonable grounds related to data protection, the parties will work together in good faith to resolve the objection. If no resolution is reached, the Controller may terminate the affected Service.

Alloy imposes data protection obligations on each sub-processor that are no less protective than those set out in this DPA. Alloy remains fully liable to the Controller for the performance of each sub-processor's obligations.

5. Data Subject Rights

Alloy shall assist the Controller, by appropriate technical and organizational measures, in fulfilling the Controller's obligation to respond to requests from data subjects exercising their rights under applicable data protection law. This includes the right of access, rectification, erasure, restriction of processing, data portability, and the right to object.

If Alloy receives a request from a data subject directly, Alloy shall promptly notify the Controller and shall not respond to the request without the Controller's authorization, unless required by applicable law.

6. Breach Notification

Alloy shall notify the Controller without undue delay, and in any event within 72 hours, after becoming aware of a Personal Data breach. The notification shall include:

  • A description of the nature of the breach, including the categories and approximate number of data subjects and records concerned
  • The name and contact details of Alloy's point of contact for further information
  • A description of the likely consequences of the breach
  • A description of the measures taken or proposed to address the breach, including measures to mitigate its potential adverse effects

Alloy shall cooperate with the Controller and take commercially reasonable steps to assist in the investigation, mitigation, and remediation of any breach.

7. Audit Rights

Alloy shall make available to the Controller all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections, conducted by the Controller or an independent auditor mandated by the Controller. Audits shall be conducted with reasonable advance notice (at least 30 days), during normal business hours, and in a manner that does not unreasonably disrupt Alloy's operations.

Alloy may satisfy audit requests by providing relevant certifications, audit reports (such as SOC 2 Type II), or other evidence of compliance with its security and data protection obligations. The Controller shall bear the costs of any audit unless the audit reveals material non-compliance by Alloy.

8. International Data Transfers

To the extent that the processing of Personal Data involves a transfer to a country outside the European Economic Area, the United Kingdom, or Switzerland that has not been deemed to provide an adequate level of data protection, Alloy shall ensure that appropriate safeguards are in place, including the execution of Standard Contractual Clauses as approved by the European Commission or other legally recognized transfer mechanisms.

9. Term and Termination

This DPA shall remain in effect for the duration of the Service Agreement. Upon termination of the Service Agreement, Alloy shall, at the Controller's election, return or delete all Personal Data processed on behalf of the Controller within 30 days, unless applicable law requires further storage. Alloy shall certify the deletion of Personal Data upon the Controller's request.

10. Contact

For questions regarding this DPA or to exercise any rights under it, contact us at security@getalloy.dev.