Passo

Data Processing Agreement

The Passo Agency's UK GDPR Article 28 commitments to merchants for the shopper data we process on your behalf.

Last updated: 2026-04-23

What the DPA covers

When you use The Passo Agency, some of the data we pull from Shopify is about your shoppers. This includes order records, customer email addresses, and shipping addresses. For that slice of data you are the Controller and The Passo Agency Ltd is the Processor. The DPA is the contract that sets out the Processor’s obligations under UK GDPR Article 28.

Our DPA commits The Passo Agency Ltd to:

  • process shopper data only on documented instructions from you as Controller;
  • ensure everyone authorised to process the data is under a duty of confidentiality;
  • implement appropriate technical and organisational security measures (see section 14 of the Privacy Policy for the specifics);
  • use only the subprocessors listed at passoagency.com/subprocessors, each bound by terms at least as strict as those in the DPA;
  • assist you in responding to data subject rights requests and regulator queries;
  • notify you without undue delay after becoming aware of a personal data breach;
  • on the end of the relationship, delete or return shopper data at your choice;
  • support the legal transfer mechanisms (UK Addendum to the EU SCCs or adequacy) for any transfer outside the UK / EEA.

Requesting a countersigned copy

If your compliance team needs a signed DPA for their records, email hello@passoagency.com with the subject line “DPA request” and include your merchant name and the contact who should receive the countersigned document. We return it within 5 UK working days.

The DPA is automatically incorporated into your Terms of Service when you activate Passo. You do not have to request a signed copy to be covered by it. The request route exists for teams that need the document on file.

What the DPA does not cover

The DPA covers shopper data where Passo is a Processor. It does not cover:

  • Merchant-user data (your email, your login, your research questionnaire answers). For that data The Passo Agency Ltd is the Controller. See the Privacy Policy.
  • Data held by third-party advertising partners after we’ve transmitted a suppression list or creative asset. Each partner’s own DPA governs their processing. See the subprocessor list.