Data Processing Addendum
Last updated: May 26, 2026
This Data Processing Addendum (“DPA”) forms part of the agreement between NexoHub LLC, operating as NexoHub (“NexoHub,” “Processor,” “Service Provider”), and the merchant, business, or organization that installs, accesses, or uses the NexoHub Service (“Merchant,” “Controller,” “Business”). This DPA applies when NexoHub processes personal information on behalf of the Merchant through the NexoHub Shopify SaaS automation platform and related services.
If this DPA conflicts with the Terms of Service or Privacy Policy regarding the processing of Merchant Customer Data, this DPA controls.
1. Roles of the Parties
For Merchant Customer Data, the Merchant is generally the controller that determines the purposes and means of processing. NexoHub acts as the processor that processes Merchant Customer Data on the Merchant's documented instructions.
2. Definitions
- Applicable Data Protection Laws: GDPR, UK GDPR where applicable, CCPA/CPRA where applicable, Shopify protected customer data requirements, and applicable Israeli privacy law.
- Merchant Customer Data: Personal information relating to the Merchant's Shopify customers, abandoned-checkout users, order recipients, or other individuals whose data is made available to NexoHub by the Merchant.
- Protected Customer Data: Shopify customer information subject to Shopify's protected customer data requirements, including direct identifiers and related customer, order, and checkout information.
- Security Incident: A confirmed breach of security leading to unauthorized destruction, loss, alteration, disclosure of, or access to Merchant Customer Data.
- Subprocessor: A third party engaged by NexoHub to process Merchant Customer Data to provide the Service.
3. Details of Processing
- Nature: Collection, access, storage, retrieval, analysis, AI workflow execution, background job processing, email sending, logging, deletion, and anonymization.
- Purpose: Providing Shopify automations, AI agents, cart recovery, customer winback, order analysis, inventory workflows, email sending through the Merchant's connected Gmail account, support, security, and related Service functionality.
- Data subjects: Merchant Customers, Shopify store customers, abandoned-checkout users, purchasers, store visitors, Merchant administrators, and authorized users.
- Categories of personal data: First name, email address, Shopify customer ID, order and purchase history, abandoned checkout data, cart contents, product and inventory context, customer segments, message content, Gmail sending metadata, workflow logs, IP addresses, device/browser data, and technical identifiers.
- Sensitive data: The ordinary Service is not designed to process government IDs, payment card numbers, health information, precise geolocation, children's data, or special categories. The Merchant must not submit such data without NexoHub's express written approval.
4. Merchant Instructions
NexoHub will process Merchant Customer Data only on the Merchant's documented instructions, including the Terms of Service, this DPA, the Privacy Policy, integration settings, and workflow configuration. The Merchant is responsible for ensuring that its instructions are lawful and that any required consents or lawful bases are in place.
5. Shopify Protected Customer Data
NexoHub will process Shopify Protected Customer Data only to provide and support the Service, execute Merchant-configured automations, maintain security, and comply with law. NexoHub will not sell Shopify Protected Customer Data or use it for unrelated third-party advertising. NexoHub will apply data minimization and purpose limitation to all Shopify Protected Customer Data.
6. Google Workspace, Gmail, and Email Sending
When the Merchant connects Gmail or Google Workspace, NexoHub processes Google user data only to provide user-facing Service features authorized by the Merchant, such as sending Merchant-configured emails through the connected account. OAuth tokens and similar credentials are encrypted and access-controlled.
The Merchant remains the sender and initiator of emails sent through the connected Gmail or Google Workspace account. The Merchant is responsible for consent, unsubscribe handling, suppression lists, message content, recipient selection, lawful basis, and compliance with CAN-SPAM, GDPR, ePrivacy rules, CCPA/CPRA, Israeli direct marketing rules, and Google policies.
7. Confidentiality
NexoHub will ensure that personnel authorized to process Merchant Customer Data are subject to appropriate confidentiality obligations. NexoHub will limit access to Merchant Customer Data to personnel and subprocessors who need access to provide, secure, support, or maintain the Service.
8. Security Measures
NexoHub implements and maintains the following technical and organizational measures:
- Encryption: Encryption in transit, encryption at rest where supported, encrypted token/session storage, and access controls around OAuth tokens and API credentials.
- Access controls: Least-privilege access, role-based permissions, restricted production access, authentication controls, and periodic access review.
- Application security: Secure development practices, environment separation, dependency review, logging, monitoring, and remediation of material vulnerabilities.
- Operational security: Incident response procedures, audit logs, backup controls, and vendor review.
- Data minimization: Limiting collected and transmitted data to what is reasonably needed for enabled workflows.
9. Subprocessors
The Merchant authorizes NexoHub to engage the following subprocessors:
- Vercel: Application hosting, deployment, edge/network infrastructure, and runtime services.
- Supabase: Database, authentication-related infrastructure, encrypted token/session storage (US-East).
- Gadget.dev: App infrastructure and Shopify-related backend services.
- Inngest: Background jobs, event processing, workflow orchestration, retries, and automation execution.
- OpenAI: AI model processing for Merchant-configured agents and generated outputs.
- Anthropic: AI model processing for Merchant-configured agents and generated outputs.
NexoHub will impose appropriate confidentiality, security, and data protection obligations on subprocessors. NexoHub will provide notice of material subprocessor changes where required by Applicable Data Protection Laws.
10. International Transfers
NexoHub and its subprocessors may process Merchant Customer Data in the United States, Israel, the European Economic Area, the United Kingdom, and other jurisdictions. Where GDPR, UK GDPR, or similar laws require transfer safeguards, NexoHub will use appropriate mechanisms such as standard contractual clauses, adequacy decisions, or other legally recognized safeguards.
11. Assistance With Data Subject and Consumer Requests
The Merchant is responsible for responding to requests from Merchant Customers to access, delete, correct, restrict, port, or exercise similar privacy rights. NexoHub will provide reasonable assistance, taking into account the nature of the processing and information available to NexoHub.
12. Security Incident Notification
NexoHub will notify the Merchant without undue delay after becoming aware of a confirmed Security Incident involving Merchant Customer Data. The notice will include information reasonably available to NexoHub, such as the nature of the incident, affected data categories, approximate scope, and mitigation steps taken or planned.
The Merchant is responsible for determining whether notice to regulators, Merchant Customers, Shopify, Google, or other parties is required. NexoHub will provide reasonable cooperation to support legally required notifications.
13. Data Retention and Deletion
Upon termination, uninstall, or written request:
- Active systems: Merchant Customer Data is deleted or anonymized, typically within 30 days.
- Encrypted backups: Deleted or overwritten according to backup rotation schedules, typically within 90 days.
- Security and audit logs: Retained for 90–180 days unless required longer for an active investigation or legal obligation.
- Email sending records: Retained up to 24 months for auditability, suppression, deliverability troubleshooting, compliance, and analytics.
14. CCPA/CPRA Service Provider Terms
Where CCPA/CPRA applies, NexoHub acts as a service provider and/or contractor. NexoHub will not (a) sell or share Merchant Customer Data; (b) retain, use, or disclose Merchant Customer Data outside the direct business relationship with the Merchant; or (c) combine Merchant Customer Data with personal information from other sources, except as permitted by CCPA/CPRA and the Merchant's instructions.
15. AI Processing
NexoHub may send limited Merchant Customer Data to AI model providers such as OpenAI and Anthropic as subprocessors to generate Merchant-configured outputs. NexoHub will seek to limit prompts and context to what is reasonably necessary for the configured workflow. The Merchant must not use AI agents for unlawful profiling, discrimination, or regulated eligibility decisions without NexoHub's express written approval and appropriate safeguards.
16. DPIAs and Regulatory Cooperation
Taking into account the nature of processing and information available to NexoHub, NexoHub will provide reasonable assistance for data protection impact assessments and prior consultations relating to NexoHub's processing of Merchant Customer Data. NexoHub may satisfy audit requests by providing security documentation, policies, third-party certifications, or similar materials.
17. Liability and Precedence
Liability arising under this DPA is subject to the limitations and exclusions in the Terms of Service, unless Applicable Data Protection Laws require otherwise. If this DPA conflicts with the Terms of Service regarding processing of Merchant Customer Data, this DPA controls.
18. Term and Termination
This DPA remains in effect while NexoHub processes Merchant Customer Data on behalf of the Merchant and for any post-termination period required for deletion, backup expiration, legal compliance, security, or dispute resolution. Sections relating to confidentiality, security, deletion, audit, international transfer, and liability survive termination.
19. Governing Law
Unless mandatory privacy law requires otherwise, this DPA is governed by the law and dispute-resolution provisions in the Terms of Service (laws of the State of Israel, courts in Tel Aviv-Jaffa).
20. Contact
For DPA and privacy questions, contact us at:
- Email: privacy@nexohub.app
- Legal: legal@nexohub.app
- Website: nexohub.app