Orbe | Data Processing Agreement (DPA)

Last updated: May 2026

This Data Processing Agreement ("DPA") forms an integral part of Orbe's General Terms and Conditions of Contract. Acceptance of the T&Cs by the Customer also implies the express and unreserved acceptance of this DPA.

For the purposes of this DPA:

The Customer acts as the Data Controller, insofar as it collects and determines the purposes and means of the personal data processed in its Shopify stores.
MUSHDESK, S.L., with registered office at Paseo de la Castellana, 194, 28046, Madrid, Tax Identification Number B09677048 ("Processor"), acts as the Data Processor, insofar as it accesses and processes certain personal data necessary for the provision of geolocation services, language and currency customisation, redirection and other functionalities offered by the Orbe application, integrated into Shopify.

The Customer and Mushdesk ("the Parties") acknowledge and agree that this DPA governs the conditions under which Mushdesk will process personal data on behalf of the Customer, in compliance with Regulation (EU) 2016/679 (GDPR), the LOPDGDD and other applicable regulations.

1. Definitions

Data Controller: the natural or legal person, public authority, service or other body which, alone or jointly with others, determines the purposes and means of the processing.
Processor: the natural or legal person, public authority, service or other body that processes personal data on behalf of the Data Controller.
Data Protection Legislation: Regulation (EU) 2016/679 (GDPR), Organic Law 3/2018 (LOPDGDD) and any legislation implementing, enacting, modifying or replacing them, together with guidelines issued by the Spanish Data Protection Agency (AEPD) or other competent supervisory authority.
Security breach: any actual loss, destruction, modification, or unauthorised or unlawful disclosure of personal data.
Data subject: persons affected by the processing of their data.

2. Purpose and Nature of Processing

The purpose of this DPA is to regulate the processing of personal data that the Processor will carry out on behalf of the Controller, within the framework of the provision of geolocation, language and currency customisation and user redirection services offered by the Orbe software, integrated into Shopify ("the Services").

The processing of personal data is limited to operations strictly necessary for the proper provision of the Services and will always be carried out in accordance with the documented instructions of the Controller.

The Processor undertakes not to use the data for its own purposes or for purposes other than those provided for in this DPA.

The nature of the processing shall include, depending on the Services contracted:

Collection and recording of data linked to geolocation and configuration of the user experience.
Organisation, structuring and storage of information in the Processor's systems.
Consultation and use of information to provide the redirection, language and currency customisation, and welcome pop-up services.
Deletion or destruction of data in accordance with the Controller's instructions and the deadlines defined in this DPA.

3. Duration

This DPA shall remain in force for as long as the Processor provides the Services to the Controller. Once the contractual relationship has ended, the Processor shall return or securely destroy all personal data processed on behalf of the Controller, removing all copies from its systems, unless there is a legal obligation to retain them. The Processor may retain, in a blocked form, the minimum information strictly necessary to meet possible legal, administrative or contractual responsibilities, until such responsibilities expire.

4. Obligations of the Processor

The Processor and all its staff undertake to:

Use personal data exclusively for the purpose of providing the Services to the Controller.
Process data in accordance with the instructions of the Controller, immediately informing the Controller if any instruction is considered to infringe Data Protection regulations.
Ensure that persons authorised to process personal data have expressly committed to confidentiality and comply with applicable security measures.
Not disclose data to third parties unless expressly authorised by the Controller.
Support the Controller in making prior consultations with the supervisory authority, where appropriate.
Implement appropriate security measures to ensure the security of the information processed.
Notify the Controller when services are to be subcontracted, provided that there is written authorisation from the Controller and that the sub-processor is bound to conditions substantially similar to those of this DPA.
Assist the Controller in responding to requests for the exercise of the rights of data subjects (access, rectification, erasure, objection, restriction, portability). When data subjects exercise rights before the Processor, the Processor shall notify the Controller immediately and in no case later than the working day following receipt of the request.
Assist the Controller in carrying out data protection impact assessments, where applicable.

5. Notification of Security Breaches

The Processor shall notify the Controller by email, within a maximum period of 48 hours from the time they become aware of any breach of the security of personal data under their responsibility. The notification shall include:

Description of the nature of the personal data breach, including categories and approximate number of data subjects and records concerned.
Name and contact details of the data protection contact point.
Description of the possible consequences of the breach.
Description of the measures taken or proposed to address the breach, including measures to mitigate adverse effects.

6. Liability

Each Party shall be liable to the other for damages caused as a result of a breach of its obligations under this DPA and applicable data protection regulations. The Processor shall only be liable for breaches directly attributable to it. The total accumulated liability of the Processor arising from this DPA shall be limited to an amount equivalent to the fees actually paid by the Controller to the Processor in the twelve (12) months prior to the event giving rise to the claim, except in cases of wilful misconduct or gross negligence.

7. Jurisdiction

The parties waive their own jurisdiction and expressly submit to the jurisdiction of the Courts and Tribunals of Madrid for any legal dispute arising from this DPA. Spanish law shall be applicable.

8. Acceptance

This DPA forms an integral part of Orbe's General Terms and Conditions of Contract. By installing and using the Orbe application in their Shopify store, the Customer declares that they have read, understood and fully accepted both the T&Cs and this DPA, which shall be binding on both parties from the date of acceptance of the T&Cs, without the need for a physical signature.

Annex I – Description of Personal Data Processing

The processing of personal data carried out by the Processor in the context of providing the Orbe application Services will affect the following categories of data subjects, types of data and purposes:

1. Visitors to the online store integrated with Shopify

Technical data such as IP address, country of connection, browser language, approximate geolocation and, where applicable, cookies or similar technologies are processed to determine the most appropriate version of the store for the visitor. The initial geolocation is carried out on a one-off, non-persistent basis — no cookies are installed, no persistent identifiers are generated and no tracking occurs at this stage.

2. End customers of the online store

Data relating to commercial preferences — market selection, language, currency and redirection history — is processed to personalise the shopping experience, display correct prices and currencies, and recommend the store version corresponding to the customer's location.

3. Users who interact with welcome pop-ups and the market selector

Data linked to interaction with these elements (manual selection of country, language or currency) and marketing campaign attribution parameters are processed to manage redirects, respect the user's manual choices and maintain parameters necessary for correct campaign attribution.

Processing limitations

The Processor does not access the content of purchases, orders or financial data of end customers.
Processing is limited exclusively to browsing metadata, geolocation and configuration preferences necessary for the provision of the Services.
The Processor shall not carry out profiling with significant legal effects or automated decisions within the meaning of Article 22 of the GDPR.

Annex II – Technical and Organisational Security Measures

The Processor declares and guarantees that it applies appropriate technical and organisational measures to ensure a level of security appropriate to the risk, in accordance with Article 32 of the GDPR:

1. Access control and confidentiality

Access to personal data is limited to those persons who need to process it in the context of providing the Services. All staff and collaborators of the Processor are subject to confidentiality commitments and receive regular training on data protection and information security.

2. Logical security and authentication

Access to systems that process personal data is protected by robust authentication mechanisms and permission management based on the principle of least privilege. Secure password policies and multi-factor authentication are applied in critical environments.

3. Encryption and pseudonymisation

Personal data is transmitted using secure encryption protocols (TLS/SSL). Shopify access tokens and other sensitive credentials are encrypted at rest. Where possible, pseudonymisation or anonymisation techniques are applied to reduce risks in the event of unauthorised access.

4. Resilience and service continuity

The Processor maintains policies for regular encrypted incremental backups with off-site copies, as well as disaster recovery and business continuity plans that allow personal data to be restored within a reasonable timeframe in the event of a physical or technical incident.

5. Incident management

An internal procedure for detecting, managing and reporting security incidents has been implemented, including the obligation to record any relevant event, assess its impact and, where appropriate, report it to the Controller within 48 hours in accordance with the provisions of this DPA.

6. Verification and audit

The Processor periodically submits its systems and security measures to internal review processes and penetration tests carried out by independent third parties in order to assess the effectiveness of the measures implemented and ensure continuous improvement.

7. Infrastructure and sub-processors

When infrastructure service providers or sub-processors are used, they are contractually obliged to apply equivalent technical and organisational measures. The Processor maintains an up-to-date record of such providers and the measures applied.

Sub-processor list

Provider	Service provided	Location	International transfers	Certifications / Guarantees
OVHCloud	Infrastructure hosting (servers, storage, backups, availability)	France (EU)	Not applicable – data remains in the EU	ISO 27001, ISO 27017, ISO 27018, HDS
Cloudflare, Inc.	Network services, DNS, reverse proxy, firewall, DDoS protection, edge compute (Workers & KV)	US and global edge	Yes. Standard Contractual Clauses (SCC) approved by the European Commission, EU–US Data Privacy Framework	SCC, EU–US Data Privacy Framework, encryption in transit
Mantle	CRM and email communications with merchants	Canada	Yes. Canada holds an adequacy decision from the European Commission under Art. 45 GDPR	SOC 2, ISO 27001
Mixpanel, Inc.	Application dashboard usage analytics	European Union	Not applicable – data hosted in the EU	ISO 27001, SOC 2
Crisp IM	Support and helpdesk platform (chat and email)	France (EU)	Not applicable – data remains in the EU	GDPR compliance, EU hosting, Art. 32 GDPR measures

IP resolution technical services

For the technical and timely detection of the user's approximate location, Orbe uses IP address resolution services provided by third parties on an ad hoc and real-time basis. These services are limited to providing an immediate technical result (approximate country or region) and do not involve the storage, retention or association of IP addresses with identifiers, nor access to Customer or end-user data. These providers do not act as sub-processors in the strict sense, as there is no continuous processing of personal data on their part.

The technical and organisational measures described in this Annex may be updated by the Processor to adapt them to technological developments, identified risks or regulatory changes. Such modifications shall not result in a reduction in the level of security required by applicable regulations.