Data Processing Addendum
Last updated: June 22, 2026
Draft. This document is a starting template modeled on standard ecommerce-platform terms and has not yet been reviewed by a lawyer. It is not final and should not be relied on as legal advice.
This Data Processing Addendum (the “DPA”) forms part of the Terms of Service between ururu LLC (“ururu”) and the Merchant and governs ururu’s processing of Shopper Personal Information on the Merchant’s behalf. It is scoped to United States state privacy laws (including the California Consumer Privacy Act, as amended by the CPRA). If ururu and the Merchant later serve individuals in the EU/EEA or UK, the parties will supplement this DPA with GDPR/UK terms and appropriate transfer mechanisms.
1. Roles and Definitions
“Shopper Personal Information” means personal information about a Merchant’s customers that ururu processes on the Merchant’s behalf to operate the Merchant’s store (such as names, contact details, shipping addresses, and order details). With respect to Shopper Personal Information, the Merchant is the “Business” (controller) and ururu is the “Service Provider” (processor). Terms like “personal information,” “process,” “sell,” and “share” have the meanings given under the CCPA/CPRA.
2. Scope and Instructions
ururu will process Shopper Personal Information only (a) to provide the Service and as otherwise instructed by the Merchant through its use of the Service, and (b) as required by law. ururu will not retain, use, disclose, or otherwise process Shopper Personal Information for any purpose other than the specific purpose of providing the Service, and will not combine it with personal information from other sources except as permitted by the CCPA/CPRA.
3. No Sale or Sharing
ururu will not sell or share Shopper Personal Information, and will not process it outside the direct business relationship between ururu and the Merchant. ururu certifies that it understands and will comply with these restrictions.
4. Confidentiality
ururu will ensure that personnel authorized to process Shopper Personal Information are bound by appropriate confidentiality obligations.
5. Security
ururu will maintain reasonable and appropriate technical and organizational measures designed to protect Shopper Personal Information against unauthorized access, loss, or disclosure, taking into account the nature of the data and the risks involved.
6. Subprocessors
The Merchant authorizes ururu to engage subprocessors to process Shopper Personal Information in connection with the Service. Current subprocessors include:
- Cloudflare — hosting, storage, and content delivery for storefronts, content, and images.
- Vercel — hosting for the platform dashboard and marketing site.
- Turso — database for store and order metadata.
- Stripe — payment processing via the Merchant’s Stripe Connect account.
- Resend — delivery of order-confirmation and notification emails to shoppers on the Merchant’s behalf.
- Shippo — shipping rate, label, and insurance services, where enabled by the Merchant; receives the shopper’s name, shipping address, and email address in order to rate shipments and generate labels.
- Meta / Instagram — where the Merchant connects an Instagram account to import product images, or enables the Meta product catalog feed for marketing. This processes the Merchant’s own account and product data; any shopper data is processed only as configured by the Merchant (for example, a Merchant-enabled Meta Pixel on the storefront).
ururu will impose data-protection obligations on its subprocessors that are substantially similar to those in this DPA, and will give Merchants a reasonable means of learning about changes to the subprocessor list (for example, by updating this DPA or posting a list and notifying Merchants of material additions).
7. Assistance to the Merchant
Taking into account the nature of the processing, ururu will provide reasonable assistance to help the Merchant respond to verified shopper requests to access, correct, or delete personal information, and to meet the Merchant’s own security and breach-notification obligations.
8. Breach Notification
ururu will notify the Merchant without undue delay after becoming aware of a confirmed breach of security leading to the unauthorized access, loss, or disclosure of Shopper Personal Information, and will provide information reasonably available to ururu to help the Merchant meet its notification obligations.
9. Deletion or Return
On termination of the Service, ururu will delete or, where feasible, return Shopper Personal Information processed on the Merchant’s behalf, except where retention is required by law, within a reasonable period consistent with the retention practices described in the Privacy Policy.
10. Audit
On reasonable written request, and no more than once per year absent a regulator requirement or a security incident, ururu will make available information reasonably necessary to demonstrate its compliance with this DPA. The parties will treat such information as confidential.
11. Relationship to the Terms
This DPA is incorporated into and forms part of the Terms of Service. In case of conflict between this DPA and the Terms regarding the processing of Shopper Personal Information, this DPA controls. The liability limitations in the Terms apply to this DPA.