
Data Processing Agreement

Last updated: June 1, 2026

This Data Processing Agreement ('DPA') supplements our Terms of Service and applies whenever StoreBoost processes personal data on behalf of a Customer (the 'Controller') in accordance with Article 28 GDPR. By using the paid Service you accept this DPA on behalf of the Controller.

1. Roles

Controller: the Customer. Processor: StoreBoost, Inc. StoreBoost will process Personal Data only on documented instructions from the Controller.

2. Subject-matter and duration

Processing is performed for the duration of the subscription and for any retention period required by law.

3. Categories of data and data subjects

  • Data subjects: Controller's authorized users.
  • Categories of personal data: name, email, IP address, usage logs.
  • Special categories: none — must not be uploaded.

4. Sub-processors

StoreBoost engages a limited set of vetted sub-processors, each bound by a written DPA and used strictly for one of the following purposes:

  • Cloud hosting & content delivery (EU & US regions)
  • Database, authentication & storage (EU region for EU customers where available)
  • Payment processing
  • Transactional email delivery
  • Error monitoring & observability
  • Privacy-friendly product analytics

The current named list of sub-processors is available under NDA to enterprise customers on request at legal@storeboostpro.com. We notify Customers of material changes at least 30 days in advance via email and provide an objection mechanism.

5. International transfers

Transfers outside the EEA/UK rely on the EU 2021/914 Standard Contractual Clauses (Module 2, Controller-to-Processor) and the UK IDTA, incorporated by reference.

6. Security measures

StoreBoost implements technical and organisational measures detailed in our Security page, including encryption in transit and at rest, role-based access control, MFA, audit logging, vulnerability scanning, and incident response.

7. Sub-processor and breach notification

StoreBoost will notify the Controller without undue delay (and within 72 hours) of any Personal Data Breach affecting Controller data.

8. Data subject requests

StoreBoost assists the Controller in responding to data subject requests via in-product tools and a dedicated privacy@storeboostpro.com mailbox.

9. Return or deletion

Upon termination, Controller may export its data via the API. After 30 days, all Personal Data is deleted from production and within 90 days from backups.

10. Audit

StoreBoost makes available a SOC 2 report (when available) and reasonable information necessary to demonstrate compliance, no more than once per year.