Cervito Data Processing Addendum (DPA)

Effective: This DPA applies as of the date you accept the Cervito Terms of
Service or first use the Cervito Service, whichever is earlier.

Last updated: 2026-05-17 (v1.0)

This Data Processing Addendum ("DPA") forms part of the agreement between
Cervito (the "Processor", "we", "us") and the merchant entity identified
in your Cervito account (the "Controller", "you") (collectively the
"Parties") for the use of the Cervito AI Shop Assistant service (the
"Service").

This DPA reflects the Parties' agreement with regard to the Processing of
Personal Data, in compliance with Regulation (EU) 2016/679 ("GDPR"), the
United Kingdom Data Protection Act 2018, the California Consumer
Privacy Act ("CCPA") as amended by the CPRA, and other applicable data
protection laws.

By using the Service, you accept this DPA on behalf of the Controller. If
your organization requires a counter-signed copy, email privacy@cervito.app
and we will execute one within 10 business days.

1. Definitions

Capitalized terms not defined here have the meaning given in the GDPR.

"Personal Data" — any information relating to an identified or

identifiable natural person processed by Cervito on the Controller's behalf in connection with the Service.

"Processing" — any operation performed on Personal Data, including

collection, storage, transmission, alteration, retrieval, deletion.

"Sub-processor" — any third party engaged by Cervito to process

Personal Data on the Controller's behalf. Current Sub-processors are listed at docs/legal/sub-processors.md.

"Data Subject" — the individual to whom Personal Data relates;

typically a storefront visitor or a customer.

"Standard Contractual Clauses" or "SCCs" — the contractual clauses

approved by the European Commission Decision (EU) 2021/914 of 4 June 2021.

2. Subject matter and duration

Subject matter: Cervito processes Personal Data on the Controller's

behalf to deliver the Service (AI-powered chat, recommendations, contact management, analytics, attribution).

Duration: For as long as the Controller has an active Cervito account

+ the retention windows defined in Section 9 below.

3. Nature and purpose of Processing

Cervito processes Personal Data for the following purposes:

1. Visitor chat: generating AI responses to storefront visitor messages
using the Controller's Shopify catalog as grounding.
2. Contact management (CRM): deduplicating and merging visitor identity
across sessions/devices to build a unified contact record.
3. Attribution: tracking visitor journeys across chat, product view,
add-to-cart, and purchase events to attribute revenue to the Service.
4. Communications to Controller: transactional emails to the merchant
(daily debriefs, cost-budget alerts, account verification).
5. Service operation: authentication, billing reconciliation, security
monitoring, error diagnostics.

4. Types of Personal Data and categories of Data Subjects

Category of Data Subject	Personal Data processed
Storefront visitors (anonymous)	Visitor session identifier, IP address (for rate-limiting only — not stored persistently in raw form), browser language, page URL viewed, chat messages typed, products clicked, cart events
Storefront visitors (identified, post-email-capture)	All of the above + email address, name (if provided), phone (if provided), order history (linked via Shopify customer record)
Merchant users	Name, email, hashed password, Shopify shop ID, Google OAuth ID (if used), dashboard activity logs, billing address (when billing is enabled)

5. Controller obligations

The Controller represents and warrants that:

It has a lawful basis under GDPR Article 6 (typically legitimate interest

or consent) for the Processing it instructs Cervito to perform.

Where consent is the lawful basis, the Controller has obtained valid

consent from the Data Subject, including for the placement of the storefront chat widget and any cookies it sets (visitor session identifier).

It has provided Data Subjects with a privacy notice that includes

Cervito as a Processor.

It has appropriate legal basis for transferring Personal Data to Cervito

for any special-category data (Cervito does not intentionally process special-category data; the Controller must ensure the storefront and chat surface do not solicit it).

6. Cervito (Processor) obligations

Cervito will:

1. Process Personal Data only on documented instructions from the
Controller, including with regard to transfers of Personal Data to a
third country. The Controller's acceptance of the Cervito Terms of
Service and use of the Service's standard features constitute documented
instructions for the purposes listed in Section 3.
2. Ensure that persons authorized to process the Personal Data have
committed themselves to confidentiality.
3. Implement appropriate technical and organizational measures as
described in the TOMs annex (Annex A below).
4. Assist the Controller in fulfilling its obligations to respond to
Data Subject requests (access, rectification, erasure, portability,
restriction, objection) by providing tools and procedures as described
in Section 10.
5. Notify the Controller without undue delay (and in any event within
72 hours of awareness) of any Personal Data Breach affecting the
Controller's Personal Data.
6. Delete or return Personal Data at the Controller's choice upon
termination, as described in Section 11.
7. Make available to the Controller all information necessary to
demonstrate compliance with Article 28 GDPR, and allow for and
contribute to audits (subject to the audit terms in Section 12).

7. Sub-processors

The Controller authorizes Cervito to engage the Sub-processors listed at
docs/legal/sub-processors.md ("Authorized
Sub-processors").

Cervito will:

Maintain the public Sub-processor list at the URL above.
Notify the Controller at least 30 days before engaging any new

Sub-processor, via email to the Controller's account email and via the in-app notification feed.

Impose, in writing, data protection obligations on Sub-processors

substantially equivalent to those imposed on Cervito under this DPA, including (for non-EU Sub-processors) the appropriate Standard Contractual Clauses.

Remain fully liable to the Controller for the performance of each

Sub-processor's obligations.

If the Controller objects to a new Sub-processor within the 30-day notice
period and Cervito cannot accommodate the objection by re-routing
processing, the Controller may terminate the affected portion of the
Service for cause with a pro-rata refund of any prepaid fees.

8. International transfers

Where Personal Data of EU/UK Data Subjects is transferred to a
Sub-processor outside the EEA/UK without an adequacy decision, the
transfer is governed by the Standard Contractual Clauses Module 3
(Processor-to-Processor) with Cervito as data exporter and the
Sub-processor as data importer. The SCCs are incorporated by reference
into this DPA.

For UK-only transfers, the UK International Data Transfer Addendum to
the SCCs applies.

9. Data retention and deletion

Cervito retains Personal Data only as long as necessary to deliver the
Service or as required by law. Default retention windows are:

Data type	Default retention	Notes
Visitor chat transcripts (anonymous)	90 days from last activity	Auto-pruned by cron
Visitor chat transcripts (identified)	365 days from last activity	Tied to identified contact
Identified contact records	Until merchant deletes OR account terminated	Subject to merchant deletion
Merchant account data	Until merchant deletes OR account terminated	Subject to account closure
API call logs (cost + token usage)	90 days raw, 12 months aggregated	For billing reconciliation
Security event logs	180 days	For incident investigation
Admin audit log	365 days	For founder-impersonation audit trail
Shopify GDPR webhook receipts	7 days (idempotency dedup window)	Then auto-pruned

The Controller may instruct Cervito to apply shorter retention windows by emailing privacy@cervito.app.

10. Data Subject rights assistance

Cervito assists the Controller in fulfilling Data Subject requests through:

1. Automated GDPR webhooks required by Shopify:
- customers/data_request — Cervito generates a JSON export of all
Personal Data tied to the requesting customer and emails it to the
Controller within 5 business days.
- customers/redact — Cervito deletes the customer's contact record,
visitor records, chat transcripts, events, and attribution touches
within the deadline mandated by Shopify (currently 10 days from
webhook receipt).
- shop/redact — Cervito deletes all Personal Data associated with the
Controller's shop within the Shopify-mandated 30 days of webhook
receipt.
2. Manual deletion via the dashboard Contacts page and the Settings →
Delete Account flow.
3. Data export via Contacts CSV export.

If the Controller receives a Data Subject request that requires Cervito's
assistance, email privacy@cervito.app with the request details. Cervito
will respond within 5 business days.

11. Return or deletion on termination

Upon termination of the Controller's Cervito account:

The Controller has 30 days to export all data via the dashboard.
After 30 days, Cervito will delete the Controller's Personal Data from

active systems within 60 days. Backup copies are deleted within 90 days of the active-system deletion.

Anonymized aggregate data (e.g. count of chats served, no PII) may be

retained for service improvement and benchmarking.

The Controller may request earlier deletion at any time by emailing
privacy@cervito.app.

12. Audit rights

Once per calendar year, and at the Controller's expense, the Controller
may audit Cervito's compliance with this DPA by:

Requesting Cervito's then-current SOC 2 / ISO 27001 / equivalent

certification reports (when available — Cervito has begun the SOC 2 Type I process and expects completion in 2026-Q4).

Submitting a written security questionnaire that Cervito will respond

to within 30 days.

For Controllers with documented regulatory obligations, conducting an

on-site audit with 30 days advance notice during normal business hours, subject to confidentiality and security restrictions.

13. Liability

The liability of each Party under this DPA is subject to the limitations
and exclusions in the Cervito Terms of Service.

14. Governing law

This DPA is governed by the laws specified in the Cervito Terms of Service
(currently: Romania), without regard to its conflict-of-laws principles.

15. Order of precedence

If there is any conflict between this DPA and the Cervito Terms of Service,
this DPA prevails with regard to data protection matters.

Annex A — Technical and Organizational Measures (TOMs)

Cervito implements the following measures to protect the confidentiality,
integrity, and availability of Personal Data:

A.1 Access control

Two-factor authentication required for all Cervito staff with database

or server access.

Principle of least privilege: founder-level access is required to view

cross-tenant data; all such access is logged in admin_actions.

No third-party (including Sub-processors) has direct database access.

A.2 Encryption

In transit: TLS 1.2+ for all client-server and server-to-Sub-processor

communication.

At rest (Shopify access tokens + custom-app client secrets): AES-256-GCM

column-level encryption with a key held in environment variable, never committed to source.

At rest (database file): encrypted by Railway's managed storage layer.
In application memory: Personal Data is held only as long as needed

to serve the request.

A.3 Tenant isolation

Every database query that reads Personal Data is scoped via

WHERE shop_id = ?.

Chokepoint pattern enforced in critical modules (coaching.js,

attribution.js, assistant.js, cost-cap.js): functions throw on missing shopId to prevent accidental cross-tenant reads.

A.4 Webhook security

All inbound Shopify webhooks are HMAC-verified with crypto.timingSafeEqual

before any processing.

Idempotency dedup table prevents double-processing on Shopify retries.

A.5 Authentication

Merchant passwords: bcrypt with cost factor 12.
JWT tokens: HS256 with secret rotation capability + per-user

token_invalidate_after for sliding revocation.

Cookies: httpOnly, secure (in production), sameSite=lax.

A.6 Monitoring

Application logs centralized in Railway.
Security events (HMAC failures, capture spoofing attempts, encryption

failures, unhandled rejections, cost-alert send failures) written to security_events table for founder-console review.

Per-shop monthly cost cap enforced at the LLM call gate to prevent

runaway spend from a leaked shopkey.

A.7 Incident response

On detection of a Personal Data Breach, Cervito will notify affected

Controllers within 72 hours, including the nature of the breach, categories and approximate number of Data Subjects affected, likely consequences, and measures taken or proposed to address it.

A.8 Business continuity

Database backups: Railway's managed volume snapshots, retained 7 days.
Service recovery target: RTO 4 hours, RPO 24 hours.

A.9 Sub-processor management

Annual review of each Sub-processor's security posture.
Public sub-processor list with 30-day notice for additions.

A.10 Training

All Cervito staff complete annual privacy and security training.

Changelog

Date	Version	Change
2026-05-17	v1.0	Initial publication.

For questions about this DPA, email privacy@cervito.app.