How this fits together
This Data Processing Addendum (“DPA”) forms part of the agreement between the merchant (the “Controller”) and Tóg (the “Processor”) for the Tóg Marketplace. It governs Tóg’s processing of personal data on the Controller’s behalf — principally the end-shopper data that plugins collect. For the merchant’s own account data, Tóg is the controller and the Privacy Policy applies. Capitalised terms not defined here have the meaning given in the GDPR.
1. The parties and roles
The Controller is the merchant that uses the Service. The Processor is [OWNER: Legal entity name operating Tóg Studio / the Tóg Marketplace], trading as Tóg Studio, of [OWNER: Registered business address]. The Processor processes personal data only on behalf of, and on the documented instructions of, the Controller, except where required by law (in which case it informs the Controller unless prohibited).
2. Subject-matter and details of the processing
As required by Article 28(3) GDPR, the details of the processing are:
- Subject-matter. Tóg’s provision of the marketplace plugins the Controller enables.
- Duration. For the term of the agreement, until the data is deleted or returned in accordance with §9.
- Nature and purpose. Hosting, storing, transmitting and otherwise processing personal data as needed to operate the enabled plugins — e.g. enrolling and crediting loyalty members, recording reviews and bookings, generating AI-chat replies, and sending transactional messages.
- Types of personal data. Depending on the plugins enabled: email addresses; names; business names; phone numbers; loyalty points and referral codes; review ratings and text; booking service, time and notes; and AI-chat message content and any attached image. The Controller must not instruct the processing of special-category data through free-text fields.
- Categories of data subject. The Controller’s end-shoppers and customers who interact with an enabled plugin.
3. Processor obligations
- Documented instructions. Tóg processes the personal data only on the Controller’s documented instructions, which include the configuration choices the Controller makes in the console and these terms.
- Confidentiality. Personnel authorised to process the data are bound by confidentiality.
- Security. Tóg implements appropriate technical and organisational measures as set out in §5.
- Assistance. Taking into account the nature of the processing, Tóg assists the Controller with data-subject requests (§6), and with security, breach notification, data-protection impact assessments and prior consultation, so far as it is able.
- Deletion or return. On termination, Tóg deletes or returns the personal data as set out in §9.
- Information and audits. Tóg makes available the information needed to demonstrate compliance with Article 28 and supports audits as set out in §8.
4. Sub-processors
The Controller gives general authorisation for Tóg to engage the sub-processors listed, with their purpose, data and region, on our Sub-processors page (currently v1.0, effective 19 June 2026), which is incorporated into this DPA by reference. Tóg imposes data-protection obligations on each sub-processor that are materially equivalent to those in this DPA, and remains responsible for their performance.
Change notice. Tóg will update the Sub-processors page and notify merchants of any intended addition or replacement of a sub-processor with reasonable advance notice, giving the Controller the opportunity to object on reasonable data-protection grounds. The notice period and objection mechanism are to be confirmed: [OWNER: Confirm the sub-processor change-notice period and objection/termination right with a solicitor].
5. Security measures
Tóg maintains technical and organisational measures appropriate to the risk, which presently include:
- Encryption in transit — TLS for connections to the Service and to every provider.
- Encryption at rest — data is stored on Google Cloud with its at-rest encryption; in addition, the sensitive credentials a Controller supplies (bring-your-own-key provider secrets and connection tokens) are envelope-encrypted with AES-256-GCM using a fresh per-value nonce, and the scheme fails closed (it never falls back to plaintext).
- Secret minimisation — the API keys a tenant mints are high-entropy random tokens stored only as a SHA-256 hash plus the last four characters; provider secrets are stored only as ciphertext plus the last four characters. Plaintext keys and secrets are never persisted, logged or placed in exports.
- Tenant isolation — each merchant’s data is isolated; plugin data is partitioned per tenant and site, and every server-side read re-verifies the tenant before acting, so one tenant can never read another’s data.
- Single authenticated gateway — every plugin API call passes through one gateway that verifies the presented key (constant-time, rejecting revoked keys), enforces where the key may be presented from, checks the subscription entitlement, and enforces usage quotas and rate limits.
- Access control — the collections holding keys, secrets and connection tokens are reachable only by trusted server-side processes; client access is denied by default by the database security rules.
- Audit logging — sensitive actions are recorded in an append-only audit log, written server-side and never containing secret material.
- Webhook integrity — inbound platform webhooks are verified (HMAC over the raw bytes, constant-time) before any processing.
A fuller, plain-language description is on our Security page. Tóg may update these measures provided the level of protection is not materially reduced.
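As an illustration of the secret-minimisation and gateway key-check measures listed above, the following is an added example and not Tóg's own code. The in-memory store, the `record_id.token` key layout and all function names are assumptions made for the sketch.

```python
import hashlib
import hmac
import secrets

# Hypothetical in-memory stand-in for a server-only key collection.
# Each record holds a SHA-256 digest, the last four characters and a revoked flag.
KEY_STORE = {}


def _digest(token: str) -> str:
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def mint_key(tenant_id: str) -> str:
    """Create a high-entropy key; persist hash + last four; return plaintext once."""
    token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
    record_id = secrets.token_hex(8)    # non-secret lookup handle (assumed layout)
    KEY_STORE[record_id] = {
        "tenant": tenant_id,
        "sha256": _digest(token),
        "last4": token[-4:],            # shown in a console so the owner can tell keys apart
        "revoked": False,
    }
    return f"{record_id}.{token}"       # the plaintext is never stored anywhere


def revoke_key(presented: str) -> None:
    record = KEY_STORE.get(presented.partition(".")[0])
    if record:
        record["revoked"] = True


def verify_key(presented: str):
    """Return the tenant id for a valid, non-revoked key, otherwise None."""
    record_id, _, token = presented.partition(".")
    record = KEY_STORE.get(record_id)
    # Compare against a dummy digest when the record is unknown, so the
    # constant-time comparison runs on every path.
    expected = record["sha256"] if record else "0" * 64
    matches = hmac.compare_digest(_digest(token), expected)
    if not matches or record is None or record["revoked"]:
        return None
    return record["tenant"]
```

An unsalted SHA-256 digest is adequate here only because the token is a full-entropy random value; the same construction would not be appropriate for human-chosen passwords.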
6. Assisting with data-subject requests
Tóg provides tools and assistance for the Controller to meet data-subject requests:
- Access and portability — an account owner can export a complete, secret-safe JSON copy of the account’s data on demand.
- Erasure — closing the account deletes the tenant’s data across all collections, including a recursive delete of the per-site plugin programmes that hold end-shopper data (loyalty, reviews, bookings). For a connected Shopify store, the mandatory customer-redaction webhook performs a real, idempotent erasure of that customer’s data across every plugin that holds it: a matching loyalty member is anonymised (email, name and business cleared, access token rotated, record marked deleted, email index removed); a matching review has its author name and email cleared; and a matching booking has its customer name, email, phone and notes cleared and its self-cancel token rotated. Shop-redaction erases the stored connection token.
- Other requests — for rectification, restriction or objection, or where a plugin holds end-shopper data the Controller needs Tóg to action, the Controller can contact support@togs.ie and Tóg will assist.
If a data subject contacts Tóg directly about data Tóg processes for a Controller, Tóg will, unless legally required to act, refer them to the Controller.
7. Personal data breach notification
Tóg will notify the Controller without undue delay after becoming aware of a personal data breach affecting the Controller’s data, and will provide the information reasonably available to help the Controller meet its own notification obligations. The specific notification timeframe is to be confirmed: [OWNER: Confirm the breach-notification timeframe (e.g. without undue delay and within a stated number of hours) with a solicitor].
8. Audits and demonstrating compliance
Tóg will make available to the Controller the information reasonably necessary to demonstrate compliance with Article 28 GDPR — including this DPA, the Security page, and the Sub-processors list — and will allow for and contribute to audits, including inspections, conducted by the Controller or an auditor it mandates, on reasonable notice, during business hours, subject to confidentiality and without compromising the security of other customers. The exact scope, frequency and any cost-bearing terms are to be confirmed: [OWNER: Confirm the audit scope, frequency and cost terms with a solicitor].
9. Return and deletion on termination
On expiry or termination of the agreement, Tóg will, at the Controller’s choice, delete or return the personal data it processes for the Controller, and delete existing copies, unless retention is required by law. The Controller can trigger deletion itself by closing the account — which deletes the tenant’s data across all collections and recursively deletes the per-site plugin programmes holding end-shopper data (loyalty, reviews, bookings), leaving only a minimal non-personal tombstone — and can export its data beforehand. The retention of any residual records is described in the Privacy Policy.
10. International transfers
The primary data store is hosted in the European Union (Cloud Firestore, eur3 multi-region). Where personal data is transferred to a sub-processor outside the EU/EEA (for example our hosting and AI-gateway provider, payment processor, AI model providers, or email provider in the United States), Tóg relies on appropriate safeguards under Chapter V GDPR — intended to be the European Commission’s Standard Contractual Clauses, with any applicable UK Addendum or Swiss adequacy arrangement. [OWNER: Confirm reliance on the EU Standard Contractual Clauses (and UK Addendum / Swiss adequacy if relevant), the relevant modules, and who signs them].
11. Order of precedence and liability
This DPA forms part of, and is subject to, the Terms of Service, including their limitation of liability. In the event of a conflict between this DPA and the Terms regarding the processing of personal data, this DPA prevails to the extent of the conflict.
12. Signing a copy
A countersigned copy of this DPA is available on request for merchants who need one for their records or procurement. Email support@togs.ie.
Before relying on this document
This DPA describes our real processing and safeguards, but it has not yet been reviewed by a qualified solicitor and the marked items require legal confirmation. [OWNER: Solicitor review of this document before it is relied upon].