Effective date: May 1, 2026
Capitalized terms used in this Data Processing Agreement (“DPA”) have the meanings given in the General Data Protection Regulation (Regulation (EU) 2016/679, “GDPR”) and equivalent terms in the UK GDPR and California Consumer Privacy Act, including: “Personal Data,” “Processing,” “Controller,” “Processor,” “Sub-processor,” “Data Subject,” “Supervisory Authority,” and “Personal Data Breach.”
“Antigency,” “we,” and “us” refer to Antigency Inc.. “Customer,” “you,” and “your” refer to the merchant who has agreed to the Antigency Terms of Service.
Antigency Processes Personal Data on behalf of Customer in connection with providing the Antigency service.
The duration of Processing is the term of Customer’s subscription, plus a 90-day grace period, after which Personal Data is purged in accordance with the Privacy Policy.
The nature and purpose of Processing are described in the Privacy Policy at /legal/privacy. Processing is bound by the Terms of Service at /legal/terms.
Types of Personal Data: end-customer email, name, shipping and billing address, order history, and similar fields present in Customer’s Shopify orders and connected integrations; Customer’s own team-member contact information for dashboard access.
Categories of Data Subjects: Customer’s end customers; Customer’s team members; Customer’s vendors to the extent their data appears in connected systems.
For Personal Data relating to Customer’s end customers, Customer is the Controller and Antigency is the Processor.
Customer is responsible for ensuring there is a lawful basis for Processing under applicable data protection law.
Antigency Processes Personal Data only on Customer’s documented instructions, including as documented in the Terms of Service, the Privacy Policy, and the configuration choices Customer makes in the dashboard.
Customer authorizes Antigency to engage the following sub-processors:
Antigency provides at least 30 days’ notice of new sub-processors via email and dashboard banner. Customer may object on reasonable grounds during the notice period.
Antigency remains liable to Customer for the acts and omissions of its sub-processors with respect to the Processing of Personal Data.
Antigency implements appropriate technical and organizational measures, including:
Antigency is working toward SOC 2 Type II readiness; status will be published as it becomes available.
Antigency assists Customer in responding to Data Subject requests for access, rectification, erasure, portability, restriction, and objection.
Direct Data Subject requests received by Antigency are forwarded to Customer within 5 business days, except where applicable law requires Antigency to respond directly.
Antigency notifies Customer without undue delay, and in any event within 72 hours after becoming aware of a confirmed Personal Data Breach. Notification includes: the nature of the breach, the categories and approximate number of Data Subjects and records affected, the likely consequences, and the measures taken or proposed to address the breach.
Antigency provides reasonable assistance to Customer with Data Protection Impact Assessments and prior consultations with Supervisory Authorities, where required by Articles 35 and 36 GDPR or equivalent provisions.
Antigency’s primary infrastructure is located in the United States. For Personal Data originating in the European Economic Area, the United Kingdom, or Switzerland, Antigency relies on the European Commission’s Standard Contractual Clauses (Module 2, Controller-to-Processor) and the UK International Data Transfer Addendum, attached as Annex A to this DPA and incorporated by reference.
Where additional safeguards are required by law, Antigency implements supplementary measures such as encryption in transit and at rest, access controls, and contractual restrictions on government access requests.
Customer may audit Antigency’s compliance with this DPA no more than once per twelve-month period, with at least 30 days’ written notice, during normal business hours, and subject to reasonable confidentiality obligations.
Antigency’s most recent third-party audit report (such as a SOC 2 report, when available) satisfies this audit right unless Customer reasonably requires additional information.
In the event of a confirmed Personal Data Breach affecting Customer’s data, the notice period may be reduced.
This DPA terminates simultaneously with the underlying Terms of Service.
On termination, Antigency returns or deletes all Personal Data within 90 days, in accordance with the Privacy Policy, except where applicable law requires longer retention.
Liability under this DPA is governed by the limitations and exclusions in Section 10 of the Terms of Service, except where applicable data protection law (including Article 82 GDPR) provides for joint and several liability of Controllers and Processors, in which case those statutory provisions apply.
This DPA takes effect on the start date of Customer’s subscription and is incorporated by reference into the Terms of Service. A standalone signed version is available on request for enterprise customers; contact us via the address listed in the Privacy Policy.
The Standard Contractual Clauses (Module 2: Controller-to-Processor) adopted by the European Commission in Implementing Decision (EU) 2021/914, and the UK International Data Transfer Addendum issued by the Information Commissioner’s Office, are incorporated into this DPA by reference. The current text of those clauses is published by the European Commission and the ICO respectively, and a copy will be provided on request.
For purposes of the Standard Contractual Clauses: