Data Processing Addendum (DPA)

Parties:
- Controller: Merchant using Convomesh
- Processor: Melbourne Digital Group Pty Ltd (ABN 69640635561)

1. Subject matter and duration
Processor will process personal data to provide the Service for the term of the Agreement.

2. Nature and purpose
Processing Shopify commerce and web events to provide analytics, automations, and related services.

3. Categories of data subjects and data
Customers and visitors of Controller's Shopify store; account and operational metadata.

4. Processor obligations
Process only on documented instructions; confidentiality; security measures; assist with data subject requests; delete/return upon termination.

5. Security
Encryption in transit/at rest; access controls; least privilege; logging; vulnerability management.

6. Sub‑processing
Allowed with contractual safeguards; current list at /legal/subprocessors.

7. International transfers
Appropriate safeguards (e.g., SCCs) where required by law.

8. Audit
Provide information reasonably necessary to demonstrate compliance; audits upon reasonable notice.

9. Return or deletion
Upon termination, delete or return personal data unless retention is required by law.

10. Governing law
As per the Agreement (Victoria, Australia).

Contact: msango@convomesh.com