Data Processing Agreement
Last updated: February 16, 2026
This Data Processing Agreement (“DPA”) forms part of the Selio Terms of Service (available at www.selio.ai/terms-of-service) between MGworx LLC (“Processor”) and the merchant identified in the Selio service account (“Controller”). By accepting the Terms of Service — including by installing or using the Selio application — Controller agrees to be bound by this DPA.
1. Scope and Definitions
1.1. This Data Processing Agreement (“DPA”) supplements the Selio Terms of Service and Privacy Policy (together, the “Agreement”) and governs the processing of personal data by Processor on behalf of Controller in connection with the Selio service (“Service”).
1.2. “Data Protection Laws” means all applicable data protection and privacy laws and regulations, including the EU General Data Protection Regulation (Regulation 2016/679, “GDPR”), the UK GDPR, the Swiss Federal Act on Data Protection, the California Consumer Privacy Act as amended by the California Privacy Rights Act (“CCPA”), and other applicable U.S. state privacy laws.
1.3. Terms such as “personal data,” “processing,” “data subject,” “controller,” “processor,” and “supervisory authority” have the meanings given to them in the GDPR, or equivalent meanings under applicable Data Protection Laws. For purposes of U.S. Data Protection Laws, “controller” includes “business,” “processor” includes “service provider,” and “personal data” includes “personal information,” as those terms are defined under applicable law.
1.4. In the event of any conflict between this DPA and the Agreement, this DPA shall prevail with respect to the processing of personal data.
2. Processing Details
2.1. The subject matter, nature, purpose, duration of processing, types of personal data, and categories of data subjects are described in Annex 1.
2.2. Processor shall process personal data only on documented instructions from Controller, unless required to do so by applicable law. The Agreement (including the Terms of Service and this DPA) constitutes Controller’s documented instructions to Processor.
2.3. Each party shall comply with the obligations applicable to it under Data Protection Laws with respect to the processing of personal data under this DPA.
3. Processor Obligations
Processor shall:
(a) Process personal data only as necessary to provide the Service and in accordance with Controller’s documented instructions.
(b) Ensure that persons authorized to process personal data are bound by appropriate confidentiality obligations.
(c) Implement and maintain appropriate technical and organizational security measures as described in Annex 2.
(d) Taking into account the nature of the processing, assist Controller by appropriate technical and organizational measures, insofar as this is possible, in responding to data subject requests (access, rectification, erasure, restriction, portability, and objection).
(e) Assist Controller in ensuring compliance with its obligations regarding security of processing, breach notification, data protection impact assessments, and prior consultations with supervisory authorities, taking into account the nature of processing and the information available to Processor.
(f) At Controller’s choice, delete or return all personal data to Controller after the end of the provision of the Service, and delete existing copies unless applicable law requires retention.
(g) Make available to Controller all information reasonably necessary to demonstrate compliance with this DPA.
4. Anonymized Data
4.1. Processor is authorized to create anonymized and aggregated data derived from personal data processed under this DPA (“Anonymized Data”). Anonymized Data is data from which all personal identifiers have been removed such that it cannot reasonably be used to identify any natural person. Anonymized Data does not constitute personal data under applicable Data Protection Laws.
4.2. Anonymized Data may be retained and used by Processor after the termination of the Agreement for purposes including service improvement, research, model training, analytics, and benchmarking, as described in the Agreement.
5. U.S. State Privacy Laws
5.1. To the extent that Processor processes personal information subject to U.S. state privacy laws (including CCPA) on behalf of Controller, Processor shall:
(a) Process such personal information only as necessary to provide the Service and as permitted under the Agreement, consistent with the role of a “service provider” (or equivalent term under applicable law).
(b) Not sell or share (as those terms are defined under applicable U.S. state privacy laws) any personal information received from or on behalf of Controller.
(c) Not combine personal information received from Controller with personal information received from other sources, except as necessary to provide the Service.
(d) Assist Controller in responding to verifiable consumer requests, to the extent reasonably practicable and as required by applicable law.
6. Sub-processors
6.1. Controller provides general authorization for Processor to engage sub-processors to assist in providing the Service. The current list of sub-processors is set out in Annex 3.
6.2. Processor shall inform Controller of any intended changes to sub-processors (additions or replacements) by updating Annex 3 and providing notice via email or through the Service. Controller may object to a new sub-processor by notifying Processor in writing within thirty (30) days of receiving notice. If Controller objects on reasonable data protection grounds and Processor cannot reasonably accommodate the objection, either party may terminate the Agreement.
6.3. Processor shall impose data protection obligations on each sub-processor that are no less protective than those in this DPA. Processor remains liable for the acts and omissions of its sub-processors.
7. Data Breach Notification
7.1. Processor shall notify Controller without undue delay (and in any event within 72 hours) after becoming aware of a personal data breach affecting Controller’s data.
7.2. Such notification shall include, to the extent reasonably available: the nature of the breach, the categories and approximate number of data subjects and records affected, the likely consequences, and the measures taken or proposed to address the breach.
8. Audits
8.1. Processor shall allow Controller (or a third-party auditor appointed by Controller) to conduct audits to verify compliance with this DPA, subject to the following conditions:
(a) Controller shall provide at least thirty (30) days’ advance written notice.
(b) Audits shall be limited to once per twelve (12) month period, unless required by a supervisory authority or in response to a data breach.
(c) Audits shall be conducted during normal business hours and shall not unreasonably disrupt Processor’s operations.
(d) Controller shall bear its own costs of any audit.
8.2. Processor may satisfy audit requests by providing relevant certifications, audit reports, or written responses to Controller’s reasonable questions, where such documentation adequately addresses Controller’s audit objectives.
9. International Data Transfers
9.1. Controller acknowledges that Processor’s infrastructure and sub-processors are located in the United States. Where personal data of individuals in the EU or UK is transferred to the United States or other countries without an adequacy decision, the parties agree that such transfers shall be governed by the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914, Module 2: Controller to Processor), which are incorporated by reference into this DPA.
9.2. The official text of the Standard Contractual Clauses is available at: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj
The information required by the SCC Appendix (Annexes I, II, and III) is provided in Annexes 1, 2, and 3 of this DPA.
9.3. For the purposes of the Standard Contractual Clauses: the “data exporter” is the Controller; the “data importer” is the Processor (MGworx LLC); and the competent supervisory authority shall be determined in accordance with Clause 13 of the SCCs.
9.4. Where the EU-US Data Privacy Framework or any successor framework applies and Processor or its sub-processors are certified under it, such framework may serve as an additional or alternative transfer mechanism.
9.5. For transfers of personal data from the UK, the parties shall rely on the UK International Data Transfer Addendum to the EU SCCs (as issued by the UK Information Commissioner’s Office), which is incorporated by reference where applicable.
10. Liability
10.1. Each party’s liability under this DPA is subject to the limitations of liability set out in the Agreement.
10.2. Nothing in this DPA or the Agreement limits either party’s liability to the extent such limitation is not permitted under applicable data protection law.
11. Term and Termination
11.1. This DPA shall remain in effect for as long as Processor processes personal data on behalf of Controller.
11.2. Upon termination of the Agreement, Processor shall anonymize or delete Controller’s personal data within thirty (30) days of receiving Shopify’s shop data redaction request (shop/redact), in accordance with the Privacy Policy and Shopify’s requirements. Processor may retain Anonymized Data as described in Section 4.
Annex 1: Processing Details
| Item | Description |
|---|---|
| Subject matter | Processing personal data to provide AI-powered product recommendations through the Selio Shopify application |
| Duration | For the term of the Agreement, plus up to 30 days for data anonymization/deletion after termination |
| Nature and purpose | Analyzing products and purchase data to generate personalized product recommendations; tracking recommendation performance; providing the Service as described in the Agreement |
| Categories of data subjects | Customers (shoppers) of Controller’s Shopify store |
| Types of personal data | Names, email addresses, phone numbers, postal address data (city, country, postal code), purchase history, cart and checkout contents, marketing consent status, recommendation interaction data |
Annex 2: Technical and Organizational Security Measures
Processor implements the following measures to protect personal data:
Encryption
- Data in transit is encrypted using TLS/SSL
- Sensitive credentials are encrypted at rest using cloud-provider key management services
Access controls
- Access to production systems and personal data is restricted to authorized personnel
- Authentication is required for all system access
Data isolation
- Each merchant’s data is logically separated and isolated from other merchants’ data
Infrastructure security
- The Service is hosted on industry-standard cloud infrastructure with physical and network security controls maintained by the cloud provider
- Systems are monitored for errors and anomalies
Incident response
- Processor maintains procedures for detecting, reporting, and responding to security incidents
Data minimization
- Third-party AI service providers receive only the data necessary for processing (product data and purchase patterns; customer names, emails, phones, and addresses are not sent to AI service providers)
- Error monitoring services are configured to minimize collection of personal data
- Application logging services may capture AI inference request and response data (including product data and purchase patterns) to enable troubleshooting; customer names, emails, phone numbers, and addresses are not included in this data
Annex 3: Sub-processors
Current as of February 11, 2026.
| Sub-processor | Purpose | Location |
|---|---|---|
| Amazon Web Services, Inc. | Cloud infrastructure, hosting, data storage | United States |
| OpenAI, LLC | AI/ML inference and analysis | United States |
| Functional Software, Inc. (Sentry) | Error tracking and monitoring | United States |
| Pydantic Services, Inc. (Logfire) | Application logging and performance monitoring | United States |
| Google LLC | Website and app analytics | United States |
| Klaviyo, Inc. | Email marketing integration (only when enabled by Controller) | United States |