Data Processing Agreement
Plain-language summary at the top of each section. The legal language follows. We re-read this document every 6 months and rewrite anything that doesn't feel honest.
1. Roles
For shop data that Anlyzo processes on your behalf, you are the Data Controller and Anlyzo is the Data Processor. For account data we collect directly from you (your email address, your billing details), Anlyzo is the Controller.
2. Subject matter & duration
Processing is limited to operating the Anlyzo service for the duration of your subscription, plus the 90-day retention window after disconnection.
3. Categories of data
Marketplace listing data, order and transaction data, fee data, customer-facing copy, and store metadata. We do not process end-customer personal data beyond the fields that order analysis strictly requires (name, country, postal code).
4. Subprocessors
AWS (US, EU): infrastructure hosting.
Cloudflare (global): edge delivery and DDoS mitigation.
Stripe (US): billing.
Resend (US): transactional email.
Sentry (US): error monitoring.
Material changes to this list are announced 30 days in advance, with an opt-out window before the change takes effect.
5. Security measures
AES-256 encryption at rest and TLS 1.3 in transit; SOC 2 Type II and ISO 27001:2022 certification; annual third-party penetration testing; role-based access control, with hardware security keys required for access to production systems; and audit logs retained in full for 18 months.
6. International transfers
Transfers outside the EEA are made under the Standard Contractual Clauses (EU Commission Implementing Decision (EU) 2021/914), with supplementary technical measures including end-to-end encryption of data in transit and pseudonymization at the storage layer.
7. Breach notification
We notify you of any confirmed personal-data breach within 72 hours of discovery, with all information available at that time, and follow up with a complete root-cause analysis (RCA) within 14 days.
8. Audit rights
You may audit our compliance with this DPA once per year on 30 days' written notice, or more often where a regulator requires it. On request we provide our most recent SOC 2 report under NDA, without an audit being necessary.