Data Processing Agreement

Version 1.0 — 1 May 2026

This Data Processing Agreement ("DPA") forms part of the agreement between Westpoint ("Processor", operating Billoop) and the Shopify merchant ("Controller") and applies to the processing of personal data carried out by the Processor on behalf of the Controller in connection with the Billoop Shopify application.

By installing and using Billoop, the Controller accepts this DPA. Merchants requiring a counter-signed copy may request one at marketplace@westpoint.io.

1. Subject matter and duration

The Processor processes personal data on behalf of the Controller solely to provide the Billoop Service: generating, storing, and delivering Factur-X invoices for Shopify orders. Processing lasts for as long as the app is installed.

2. Nature and purpose of processing

• Generation of electronic invoices from Shopify orders.
• Archiving of invoices for the duration legally required.
• Delivery of invoices to buyers via email.
• Application support and incident response.

3. Categories of data subjects

• Buyers placing orders on the Controller's Shopify store.
• Controller's authorised users (the merchant's staff using the Shopify admin).

4. Categories of personal data

• Identification: name, postal address.
• Fiscal identifiers (B2B): VAT number, SIREN, SIRET.
• Order data: line items, prices, taxes, totals, currency.
• Communication: email address used for invoice delivery.
• Technical: Shopify shop ID, app session tokens, log identifiers.

5. Processor obligations

• Process personal data only on documented instructions from the Controller.
• Ensure persons authorised to process data are bound by confidentiality obligations.
• Implement appropriate technical and organisational measures (encryption in transit and at rest, access controls, logging, separation of environments).
• Assist the Controller in fulfilling its obligations regarding data subject requests, security, breach notification, DPIAs, and consultations with supervisory authorities.
• Make available all information necessary to demonstrate compliance with this DPA.
• Notify the Controller without undue delay (and within 72 hours) of becoming aware of a personal data breach.

6. Sub-processors

The Controller authorises the use of the following sub-processors:

• Amazon Web Services EMEA SARL — application hosting and storage in eu-central-1 (Frankfurt).
• Resend, Inc. — transactional email delivery.
• Shopify International Limited — the platform on which the Service is embedded.

The Processor will provide at least 30 days' prior notice of changes to its sub-processor list. Material changes will be communicated via the in-app notification system or email.

7. International transfers

Business data is stored exclusively within the European Union. Where a sub-processor (such as Resend) processes data in a country outside the EEA, transfers rely on the European Commission's Standard Contractual Clauses or another valid transfer mechanism under Chapter V of the GDPR.

8. Data subject rights

The Processor will assist the Controller, by appropriate technical and organisational measures, in fulfilling the Controller's obligation to respond to requests for exercising data subject rights (access, rectification, erasure, restriction, portability, objection).

9. Audits

The Controller may, upon reasonable prior written notice and no more than once per 12-month period, request audit information demonstrating compliance with this DPA. The Processor may satisfy this obligation by making available a relevant third-party audit report or certification (e.g. AWS SOC 2).

10. Return and deletion of data

Upon uninstall of the app or upon written request, the Processor shall, at the Controller's choice, return or delete all personal data, except where retention is required by applicable law (notably the 10-year fiscal retention period for invoices under French law).

11. Liability

Each party's liability under this DPA is governed by the limitations set out in the main agreement (Terms of Service).

12. Governing law

This DPA is governed by French law and forms an integral part of the Terms of Service.