Data Processing
Last updated: July 2026
How We Process Data
Welcome to Shoptopus. When you register for any application built by Shoptopus, or when you make use of any service that Shoptopus offers, you accept and agree to be bound by the conditions set out below.
Shoptopus develops Shopify applications that help merchants run their stores more efficiently. Our Invoice Generator app lets merchants produce and tailor business documents such as invoices, packing slips, credit notes, and similar paperwork, while our Bulk Image Upload app gives merchants the ability to update large numbers of products and their attributes at once. Any new capability or tool that we add to these existing Services will likewise fall under this document.
We may, at our discretion and from time to time, change, revise, or restate this document or any other terms, rules, or conditions published on our website or within our applications. We will make reasonable efforts to inform you of such changes, but you accept that no such notice is strictly required, and you waive any right to dispute a provision of this Agreement on the basis of an earlier change or a failure to receive sufficient notice. If you do not agree with, or are unable to comply with, the amended terms, then you are not permitted to use our applications. By continuing to use our applications after a change has been posted to the applications or to our website, you will be treated as having accepted the amended terms. We reserve the right to decline to provide our services or products to any party at any time.
These terms form a legally binding agreement between you and Shoptopus (together referred to as "Shoptopus", "Invoice Generator", "Bulk Image Upload", "we", or "us") concerning your use of our applications and services. Please read them carefully and, where possible, retain a copy for your records. Throughout this Agreement, "you", "your", "merchant", "store owner", "Shopify user", and "Customer" all refer to you. If you are visiting, using, or registering for any Shoptopus application or service on behalf of a company or other organization, then you are accepting these Terms on that organization's behalf and you confirm to Shoptopus that you are authorized to bind that organization to these Terms (in which case "you", "your", "merchant", "store owner", "Shopify user", and "Customer" will refer to that organization).
This Data Processing Addendum (together with each of its Annexes, this "Addendum") takes effect on the date the app is installed (the "Effective Date") and is made between Shoptopus and the Merchant. This Addendum supplements and forms part of the service agreement(s) between the parties that reference it, including, without limitation, the Shoptopus Privacy Policy and the Terms of Service (SaaS) where applicable, which govern the software-as-a-service solutions that Shoptopus provides to the Merchant (together, the "Agreement").
This Addendum sets out the further terms, requirements, and conditions under which Shoptopus will process personal data to the extent such processing relates to the performance of the Services. Where any term in this Addendum conflicts with a term in the Agreement, the term in this Addendum will control unless stated otherwise. The terms "controller", "processor", "data subject", "personal data", "processing", and "appropriate technical and organizational measures" are to be read in line with the applicable Data Protection Legislation. Capitalized terms that are not defined here have the meaning given to them in the Agreement or in applicable Data Protection Legislation. So that Shoptopus can carry out its obligations under this Agreement, Shoptopus may collect certain personal data from Merchants or their representatives (together, "Merchants"), including name and contact details (for example, an email address), financial details relating to payments the Merchant makes to Shoptopus, IP addresses linked to the Merchants' stores, and business information such as the size of the Merchant's organization (together, "Personal Data").
Roles of the Parties
This Addendum applies where the Merchant acts as a controller and Shoptopus as a processor, or where the Merchant acts as a processor and Shoptopus as a sub-processor. Every party agrees to keep all data and Confidential information private and protected from any third party. Shoptopus will not share or hand over any personal data to a third party without the Merchant's written consent, except where doing so is necessary to comply with applicable law or regulation; to investigate or prevent fraud; to protect Shoptopus's rights or property; to enforce this Agreement; or to respond to legal process directed at Shoptopus or the Merchant (such as a search warrant or court order).
Compliance with Data Protection Legislation
Shoptopus and the Merchant will each comply with all applicable requirements of the Data Protection Legislation. For the purposes of this Addendum, "Data Protection Legislation" means all applicable privacy and data protection laws, their implementing regulations, regulatory guidance, and secondary legislation, each as amended or replaced over time, including (i) the General Data Protection Regulation ((EU) 2016/679) (the "GDPR") and any applicable national implementing laws; (ii) the UK General Data Protection Regulation (UK GDPR) and the UK Data Protection Act 2018; (iii) the Privacy and Electronic Communications Directive (2002/58/EC) together with any applicable national implementing laws, including the Privacy and Electronic Communications (EC Directive) Regulations 2003 (SI 2003/2426); and (iv) any other equivalent national data protection law applicable to the parties. Shoptopus is responsible for meeting its obligations under the Data Protection Legislation in connection with its processing of Customer Personal Data on behalf of the Customer.
Processing of Personal Data
This section describes the scope, nature, and purpose of the processing carried out by Shoptopus. It also sets out how long the processing lasts and the categories of personal data that Shoptopus processes.
- The Merchant instructs Shoptopus to process personal data on its behalf in accordance with the Merchant's documented instructions, as otherwise needed to provide the Services, or as otherwise agreed in writing between the parties. The initial scope of those instructions is defined by the Agreement. Shoptopus will notify the Merchant if, in its view, an instruction would breach the Data Protection Legislation, or if Shoptopus becomes aware that it cannot process Personal Data in line with the Merchant's instructions because of a legal requirement under applicable law. Where this provision applies, we will not be liable to you under the Agreement for any failure to perform the relevant Service until you issue fresh, lawful instructions regarding the processing.
- The Merchant accepts that it is solely responsible for ensuring that any instructions it gives to Shoptopus comply with applicable laws, including Data Protection Legislation. The Merchant will tell Shoptopus without undue delay if it becomes unable to meet its responsibilities under this section or under applicable Data Protection Legislation.
- Shoptopus and the Merchant agree that Shoptopus acts as a "Service Provider" in relation to applicable Data Protection Legislation. The Merchant discloses personal data to Shoptopus only (i) for a legitimate business purpose, and (ii) so that Shoptopus can perform the Services. Shoptopus is prohibited from (i) selling the Merchant's personal data; (ii) collecting, retaining, using, or disclosing the Merchant's personal data for any purpose other than providing the Services to the Merchant; (iii) collecting, retaining, using, or disclosing the Merchant's personal data outside the direct business relationship between Shoptopus and the Merchant; and (iv) combining the Merchant's personal data with personal data that Shoptopus obtains from other sources. Shoptopus confirms that it understands these prohibitions and will comply with them. The Merchant understands and agrees that Shoptopus may use sub-processors to deliver the Services and process personal data on the Merchant's behalf in accordance with this Addendum.
Security
- Shoptopus will put in place appropriate technical and organizational measures so that the Merchant's personal data is processed in a way that satisfies the requirements set out in Annex B.
- Shoptopus will notify the Merchant without undue delay after discovering any accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of personal data that Shoptopus processes on the Merchant's behalf.
- Shoptopus will ensure that all personnel who process personal data are bound to keep that personal data confidential, consistent with Shoptopus's confidentiality obligations under the Agreement.
Assistance
- Taking into account the nature of the processing and the information available to us, Shoptopus will provide the Merchant with reasonable assistance, including through service providers with sufficient technical and financial capacity to meet their obligations under this Agreement.
- Merchants using Shoptopus are given a range of tools to help them meet their obligations under Data Protection Legislation, including responding to requests from Data Subjects who wish to exercise their rights under applicable Data Protection Legislation.
- If the Merchant is unable to handle a Data Subject Request using the self-service features that Shoptopus provides, the Merchant may submit a written request to Shoptopus for additional help in responding to any Data Subject Requests or to requests from data protection authorities relating to the Processing of Personal Data under this Agreement.
- On termination of the Agreement, Shoptopus will delete all Merchant Data and copies of it, unless retention is required by applicable law (including any Data Protection Legislation) or where Shoptopus holds Merchant Data on back-up systems. Where the Merchant has not given written direction, the personal data will be deleted as set out in the Agreement.
If a Data Subject Request is made directly to Shoptopus, Shoptopus will promptly inform the Merchant and will advise the Data Subject to direct the request to the Merchant. The Merchant is solely responsible for substantively responding to any such Data Subject Requests or communications involving Personal Data.
Audit
- The parties agree that the Merchant must be able to assess Shoptopus's compliance with its obligations under the Data Protection Legislation, to the extent that Shoptopus acts as a processor on the Merchant's behalf. This section sets out the data protection obligations of both parties and the steps they will take in relation to each other's responsibilities.
- Shoptopus and the Merchant agree that Shoptopus will make available all information reasonably necessary to demonstrate compliance with Article 28 of the GDPR, including executive summaries of Shoptopus's information security and privacy policies, upon thirty (30) days' advance written notice to Shoptopus. The Merchant will bear its own costs and expenses in connection with such an audit. For clarity, nothing in this section allows the Merchant to review data belonging to Shoptopus's other Merchants or partners.
Sub-Processors
- Shoptopus grants written authorization to sub-processors, including Shoptopus's Affiliates, to carry out the same data processing activities described in the Privacy Policy. For the purposes of this Addendum, "Affiliate" means an entity that controls, is controlled by, or is under common control with a party. Shoptopus and its Affiliates may engage such sub-processors to process personal data provided that they have entered into a written agreement with the third-party processor containing data protection terms that require it to protect the personal data to the same standard required under this Addendum.
- Shoptopus may appoint a new sub-processor to process data on its behalf, and where it does so it will update its list of sub-processors. The Merchant may opt in to receive notifications of updates to that list via the notification mechanism made available on the Shoptopus website. Where the Merchant has opted in, Shoptopus will send an email announcing the change to the address the Merchant has provided. The Merchant may object to Shoptopus's appointment or replacement of a sub-processor within 30 days of receiving notice from Shoptopus. If the Merchant does not object within that period, the addition of the new sub-processor will be deemed accepted. If the Merchant objects and Shoptopus believes it cannot reasonably accommodate the objection, the Merchant may terminate the affected services by giving written notice to Shoptopus. Any rights and obligations that have already accrued will survive such termination.
- Shoptopus is not responsible for the acts or omissions of its sub-processors, except that, to the extent Shoptopus would be liable if it were performing the Services directly, Shoptopus remains liable for the acts and omissions of its sub-processors in connection with those Services.
- Shoptopus and the Merchant agree that, in order to facilitate the provision of the Standard Contractual Clauses, Shoptopus may remove any commercial information or clauses that are unrelated to those Clauses from copies of sub-processor agreements provided to the Merchant. Shoptopus will provide the Merchant with copies of such redacted agreements on request.
- The Merchant acknowledges and agrees that Shoptopus may use telecommunications providers in delivering the Service, and that, in order to send communications needed for the Service, Shoptopus may have to transmit the Merchant's communications across existing telecommunications networks and suppliers. The Merchant further acknowledges that Shoptopus may use payment gateways operated by companies that are bound to comply with data protection laws but that may not have direct contracts with Shoptopus. The Merchant instructs Shoptopus to transmit communications through existing telecommunications networks and to use payment gateways as necessary to provide the Service, and accepts that such telecommunications networks and payment gateway suppliers are not treated as Sub-processors under the Agreement.
- The Merchant may provide information that contains personal data when it reports potential problems with the quality of the Service. The Merchant instructs Shoptopus to engage relevant suppliers for assistance, including by giving them access to the data necessary, which may contain personal data, for the purpose of diagnosing and resolving the reported issues.
International Personal Data Transfers
- As a company, Shoptopus is committed to protecting the privacy of its clients. This means we will not transfer any personal data outside the European Economic Area (EEA) without first ensuring that all applicable requirements for cross-border transfers of personal data under the Data Protection Legislation are met.
- To the extent that Shoptopus processes any personal data under this Addendum that originates in the European Economic Area ("EEA") or in a country that has not been recognized by the European Commission (as applicable) as providing an adequate level of protection for personal data, the parties agree to enter into the Standard Contractual Clauses for the transfer of personal data to third countries set out in the Annex to Commission Decision (EU) 2021/914 adopted on June 4, 2021 (the "Standard Contractual Clauses"), which are incorporated into and form part of this Addendum.
- Where the Merchant is deemed a controller under the GDPR, the parties agree that, insofar as data processing activities are carried out by Shoptopus on the Merchant's behalf, those activities will be performed in compliance with Annex 1 and Annex 2 of the Standard Contractual Clauses. Shoptopus will be treated as the "data importer" and the Merchant as the "data exporter" under the Standard Contractual Clauses, and each party will comply with its respective obligations. The Merchant grants Shoptopus a mandate to execute the Standard Contractual Clauses (Module 3) with any relevant sub-processor (including Shoptopus Affiliates). Unless Shoptopus notifies the Merchant otherwise, if the European Commission later amends the Standard Contractual Clauses, the amended terms will supersede and replace any Standard Contractual Clauses executed between the parties. Annex C applies to the use of the Standard Contractual Clauses.
- The parties agree that if Shoptopus processes any personal data originating from a country that has not been recognized as providing an adequate level of protection for personal data, and where the parties have put in place a valid transfer mechanism for such transfers, that mechanism will continue to apply. The parties further agree that, unless the Merchant notifies Shoptopus otherwise, if a new valid data transfer mechanism is recognized after the Effective Date of this Addendum, it will supersede and replace any existing mechanism. The Annexes to this Addendum supersede those attached to any previous agreements between the Merchant and Shoptopus, except where doing so would conflict with this section.
- If the Merchant uses an alternative data export solution for the lawful transfer of personal data (as recognized under the Data Protection Legislation), then this section will not apply. In that case, the parties will work together to find a solution, but only insofar as it relates to the territories to which personal data is transferred under this Addendum.
Other
- This Addendum supersedes and replaces any existing data processing addendums, attachments, or exhibits between the parties. Any additional security measures, attachments, appendices, or exhibits relating to those measures will stand in place of the Annex and supplement its provisions. If there is a conflict between the Annex and any other agreement the Merchant has entered into with Shoptopus concerning information security, then whichever agreement provides the greater protection for personal data will govern.
Liability
In the event of any inconsistency between this Addendum and the Agreement, the terms of this Addendum will prevail to the extent necessary to resolve that inconsistency. Shoptopus's total liability to you will never exceed the amount it has received under this contract during the preceding twelve-month period. Neither party will be liable to the other for any loss of profits or revenue, loss of goodwill, loss or corruption of data, or for any indirect, special, incidental, consequential, or punitive damages arising out of this Agreement.
Governing Law and Jurisdiction
The provisions on governing law and jurisdiction set out in the Terms of Service will apply to and be used to interpret this Addendum, except where a different rule is required to comply with relevant Data Protection Legislation.
Termination of Addendum
This Addendum ends automatically at the same time the app is uninstalled, without requiring any further action from either party.
This Addendum becomes a legally binding part of the Agreement from the Addendum Effective Date onward.
Annex A, Purpose and Details of the Processing of Personal Data
List of Parties
Data exporter(s): After accepting the Agreement, the data exporter should email support@shoptopus.info to provide contact details for its data protection officer or EU representative (if applicable) and for the person who handles data protection matters. The data exporter carries out the activities relating to the transfer of personal data described in the Agreement, receiving the Services from the data importer.
Data importer(s): Shoptopus is the data importer and undertakes the activities relating to the transfer of personal data described in the Agreement while providing the Services to the data exporter.
Description of Transfer
Categories of data subjects whose personal data is transferred. The Merchant may provide personal data to Shoptopus so that Shoptopus can perform the Services. The Merchant alone decides and controls the scope of that data submission, which may include, but is not limited to, personal data relating to the following categories of data subjects:
- Shopify partners and business partners (who are natural persons);
- Employees or contact persons of the Merchant, its business partners, and its vendors (who are natural persons);
- The Merchant's end users (for example, customers, respondents, and visitors);
- Employees, agents, advisors, contractors, or any other user authorized by the Merchant to use the Services (who are natural persons).
Categories of personal data transferred. The Merchant decides and controls the scope of the personal data it submits to Shoptopus so that Shoptopus can perform the Services. The data submitted may vary with the nature of the Services and may include, but is not limited to:
- First and last name and title;
- Employer and position;
- Contact details (email, username, phone number, business address);
- Order information;
- Device identification data (such as a device ID);
- Electronic identification data (such as an IP address);
- Technical data (such as operating system information, software logs, and crash reports);
- Username and password for the Shoptopus Services.
The Merchant is able to upload, submit, or otherwise provide personal data to the Service and has full discretion over the scope of that data. The categories of personal data that may be included are typically as follows:
- Identification and contact data (such as name, address, title, contact details, and username), financial information (such as account details and payment information), and employment details (such as employer, job title, location, and area of responsibility);
- For contacts, identification and contact data (such as name, occupation or other demographic information, address, title, and contact details including email address and phone number), personal interests or preferences, and IT information (such as IP addresses, usage data, cookie data, online navigation data, location data, and browser data);
- Project content, meaning material submitted by Merchants through the Service such as text, images, and other data files, the scope of which depends on the type of project and may include segmentation, consumer preferences, and similar data.
Sensitive data. Where sensitive data is transferred, restrictions and safeguards will be applied that fully take into account the nature of the data and the risks involved. These measures may include strict purpose limitation, access restrictions (such as access only for staff who have completed specialized training), logging of access to the data, restrictions on onward transfers, and additional security measures. The Merchant may only transfer sensitive data to Shoptopus where it is necessary to provide the Services described in the Agreement. The safeguards that apply to the processing of such sensitive data are described in Annex B. Data is transferred on a continuous basis.
Nature of the processing. Shoptopus will process personal data as necessary to perform the Services in accordance with the Agreement and as further instructed by the Merchant through its use of the Services, as expressly set out in this Addendum.
Purpose of the transfer and further processing. The purpose of the data transfer and any further processing is as set out in the Agreement and as instructed by the Merchant through its use of the Services. Any additional purpose will be subject to the data subject's express consent where applicable data protection laws require it. Shoptopus will process personal data only for the purposes necessary to perform the Services in accordance with the Agreement and the Merchant's instructions, as expressly set out in this Addendum.
Retention period. Personal data will be retained in accordance with the Agreement and any applicable laws and regulations governing retention. Where a specific retention period is not set, Shoptopus will determine the period based on the nature of the personal data, the purposes for which it was collected, and any legal obligations or industry standards, and will ensure that personal data is not kept for longer than necessary. In practice, Shoptopus retains personal data for the duration of the provision of the Services under the Agreement and deletes or anonymizes it once it is no longer needed for those purposes, unless a longer period is required by law or regulation. When transferring personal data to sub-processors, the subject matter, nature, and duration of the processing will depend on the particular sub-processor and the services it provides as part of the overall Services.
Annex B, Technical and Organizational Measures
This Annex sets out the security measures that Shoptopus maintains in connection with the personal data the Merchant submits to Shoptopus so that Shoptopus can provide the Services under the Agreement.
Pseudonymization and encryption. Pseudonymization and encryption are both important measures for protecting personal data. Pseudonymization replaces identifying information with a pseudonym or code, while encryption converts data into an unreadable format using a key. Both techniques help protect personal data from unauthorized access and support its confidentiality, integrity, and availability. Shoptopus always encrypts Merchant personal data while it is in transit to and from Shoptopus's applications over the Shopify API and cloud networks.
Confidentiality, integrity, availability, and resilience. Shoptopus implements technical and organizational measures designed to ensure the ongoing confidentiality, integrity, availability, and resilience of its processing systems, apps, and services.
Restoring availability after an incident. Shoptopus carries out data replication and backups as necessary, which protects against data loss and helps it restore the Service for the Merchant after a physical or technical incident.
Testing and assessing the measures. Shoptopus uses a range of tools to continuously monitor and track security vulnerabilities so that they can be identified, reported, and addressed. Identified vulnerabilities are assessed, prioritized, and remediated according to their nature, the severity of their potential impact, and other relevant factors. Shoptopus also conducts regular penetration testing of its networks, infrastructure, and products, including with automated tools, in order to identify vulnerabilities and reduce the risk of attacks.
User identification and authorization. Shoptopus uses industry-standard tools, along with its own security controls, to manage, monitor, and protect the credentials and secrets used for access, and to secure access to the systems that store Merchant personal data. Shoptopus maintains policies governing internal access to Merchant personal data based on the principles of least privilege and need-to-know, taking account of individual roles and responsibilities. Appropriate authentication methods, such as a Virtual Private Network (VPN) and Multi-Factor Authentication (MFA), are used to control access to the networks, applications, and systems that hold Merchant personal data.
Protecting data during transmission. Shoptopus encrypts all Merchant personal data that is processed while in transit over its corporate networks, as well as when transmitted to and from Shoptopus's applications, in order to protect data during transmission.
Protecting data during storage. Shoptopus encrypts Merchant personal data while at rest, wherever this is possible given the services being provided, in order to protect data during storage.
Physical security. Shoptopus applies appropriate security measures to the facilities that host the servers containing sensitive or critical information, including Merchant personal data, and restricts access to authorized personnel only. These measures include:
- Monitoring and access controls for these facilities to keep security measures effective and to prevent unauthorized access;
- A procedure to promptly revoke data access when an employee leaves;
- Policies and employee training to secure Merchant personal data and prevent unauthorized disclosure, including measures such as screen locks and least-privilege access.
Events logging. Shoptopus maintains processes and policies so that incidents are addressed and logged according to the following stages:
- Identification, recognizing and determining the nature of an incident, which is the first step in incident management;
- Classification, categorizing an incident by its nature, severity, and impact on operations, which helps determine the appropriate response and resources;
- Reporting, once an incident has been identified and classified, reporting it to the appropriate internal stakeholders so that the necessary actions can be taken;
- Mitigation and remediation, taking the steps needed to resolve the incident and prevent recurrence throughout the incident response stages, including post-incident reviews that identify areas for improvement.
System configuration. Shoptopus develops, documents, and maintains a current baseline configuration for its systems that is kept under configuration control and reviewed at least annually to confirm it remains effective. Shoptopus also removes default configurations of technical controls before they are put into operational use, in order to reduce the risk of unauthorized access and other threats.
Internal IT governance and security management. Shoptopus implements internal IT governance and security management systems to help secure its data and systems. This involves developing and applying policies and procedures to manage and monitor its IT systems and processes and to keep them aligned with relevant regulations and standards. The governance framework gives structure to Shoptopus's IT activities and aligns them with business objectives, while the security management system provides a framework for identifying, assessing, and managing security risks and for implementing controls to mitigate them.
Process and product certifications. Shoptopus follows recognized best practices when developing its products and services.
Data minimization. In line with GDPR requirements, all Shoptopus employees must complete information security training and awareness sessions, which include modules on the importance of data minimization. Shoptopus provides practical guidance to help employees ensure that the data they process is limited in scope and time to what is necessary. Shoptopus processes the data it receives from Merchants, and the amount of information retained is determined by the Merchant's preferences.
Data quality. Shoptopus is responsible for the security and confidentiality of Merchant personal data that it processes through the Shopify API. Shoptopus is not responsible for the accuracy or completeness of the data provided by Merchants; Merchants are responsible for ensuring the accuracy and completeness of their data, and Shoptopus processes that data as provided. The quality of the data generated by Shoptopus's products is supported by the use of secure development practices when code is introduced or changed.
Limiting retention. Shoptopus follows the retention period set out in the Agreement or documentation with the Merchant and retains Merchant information only for as long as required. Where applicable laws or regulations require a longer retention period, Shoptopus will retain the information for the necessary time. Once the retention period has passed, or once Shoptopus is no longer required to retain the information, Shoptopus securely disposes of or deletes it in a way that protects its confidentiality, integrity, and availability. Shoptopus uses industry-standard processes for secure data disposal, such as cryptographic erasure, overwriting, or physical destruction, so that the data cannot be read or reconstructed.
Accountability. Shoptopus's approach to information security is comprehensive and includes practices covering asset management, access management, physical security, people security, network security, third-party security, product security, vulnerability management, security monitoring, and incident response. Shoptopus's management approves all information security policies and standards, which are made available to all employees. Through this framework, Shoptopus aims to protect the confidentiality, integrity, and availability of Merchant personal data and to defend against security threats and incidents.
Data portability. Shoptopus applies appropriate security measures so that Merchant personal data is accessible only to authorized individuals for legitimate business purposes, even where Merchants can view their own data through a Shoptopus app. Access controls such as multi-factor authentication and role-based access controls limit access to sensitive data to those who need it for their work, and Shoptopus trains its employees on the importance of data privacy and security and requires strict procedures when accessing and handling Merchant personal data. Before working with a new third party that could access Merchant personal data, Shoptopus assesses that party's data security standards through a risk assessment, and where necessary continues to monitor the third party to confirm it meets Shoptopus's information security standards.
Annex C, Supplementary Terms
This Annex should be read together with the Standard Contractual Clauses. Any reference to the term "Clauses" in this Annex is a reference to the Standard Contractual Clauses.
Under this Annex, the data subject may enforce Paragraph 2 and Paragraph 4 against the data importer as a third-party beneficiary, in accordance with Clause 3 of the Standard Contractual Clauses.
The data importer will provide reasonable assistance to the data exporter to support ongoing assessments of whether personal data protection is adequate under applicable data protection laws.
If the data importer receives a legally binding order or request from a government or law enforcement agency to disclose personal data, it will respond in accordance with Clause 15 of the Standard Contractual Clauses. The data importer will also notify the data exporter of the request unless legally prohibited from doing so. If the data exporter decides to challenge the request, the data importer will provide reasonable assistance, taking into account the nature of the request and the information available, and will follow any reasonable instructions the data exporter gives in responding to the request.