CODcheck

Data Processing Agreement (DPA)

Version 1.0 ยท Effective July 2026

This Data Processing Agreement ("DPA") forms part of the agreement between the merchant ("Controller") and CODcheck ("Processor") governing the processing of personal data carried out by the CODcheck application ("Service") on behalf of the Controller, in accordance with Regulation (EU) 2016/679 ("GDPR").

1. Roles of the parties

The Controller determines the purposes and means of processing personal data relating to its customers. The Processor processes that personal data solely on documented instructions from the Controller and as necessary to provide the Service.

2. Subject matter and purpose

The Processor evaluates cash-on-delivery orders for fraud/refusal risk and contributes anonymised refusal signals to a shared anti-fraud network, in order to reduce delivery-refusal losses for the Controller.

3. Categories of data subjects and personal data

Data subjectsThe Controller's customers who place cash-on-delivery orders.
Personal dataOrder identifiers and value; and โ€” only where enabled โ€” customer name, phone number, email and shipping address. Identity fields are converted to irreversible cryptographic hashes (HMAC-SHA-256) before any network sharing.
Special categoriesNone. The Service does not process special-category data.

4. Security measures

5. Sub-processors

The Controller authorises the Processor to engage sub-processors for hosting and error monitoring. The Processor remains responsible for their compliance and will inform the Controller of material changes.

6. Data subject rights

The Processor assists the Controller in responding to data-subject requests (access, erasure, portability) via the Service's GDPR tools, and honours Shopify's customers/redact, customers/data_request and shop/redact compliance webhooks.

7. Retention and deletion

Personal data is retained only as long as necessary for the stated purpose and is deleted or anonymised thereafter. On uninstall, tenant data is purged following the applicable grace/compliance window.

8. International transfers

Where personal data is transferred outside the EEA, the transfer is governed by an adequacy decision or by Standard Contractual Clauses.

9. Liability and term

This DPA is effective for the duration of the Controller's use of the Service and terminates upon deletion of all personal data processed on the Controller's behalf.

This DPA template is provided for convenience and does not constitute legal advice. Please review it with your own counsel before relying on it. Contact: hello@codcheck.ro