If you run a Shopify store and sell to even one EU resident, you need multiple Data Processing Agreements (DPAs) in 2026 — not just one. This guide breaks down exactly what a DPA is, which ones you need for a typical Shopify stack, where to find them, and how to keep your processor register clean enough to survive a CNIL or ICO audit.
TL;DR — Shopify Data Processing Agreement essentials
- Yes, you need a DPA. GDPR article 28 requires every controller (you, the merchant) to have a signed DPA with every processor (Shopify, Klaviyo, Stripe, Meta Pixel, every app on your stack).
- Shopify’s DPA is automatic. Accepted by using Shopify — find it at shopify.com/legal/dpa. Download a dated PDF.
- Each app is a separate DPA. Klaviyo, Mailchimp, Stripe, Meta, Google: each has its own self-serve DPA. Sign or accept all of them.
- Keep a processor register. One row per processor (article 30 record). This is what regulators actually request first in an audit.
- No DPA = direct violation. Up to 10M EUR or 2% of revenue per missing agreement, plus public sanction listing.
What is a Data Processing Agreement?
A Data Processing Agreement (also called a Data Processing Addendum, DPA, or Auftragsverarbeitungsvertrag in German) is a bilateral contract between a data controller and a data processor, mandated by GDPR article 28. Equivalent obligations exist under the UK Data Protection Act 2018, Brazilian LGPD article 39, and the California CPRA service-provider provisions.
The DPA specifies:
- The scope of the processing (which categories of data, which data subjects, what purposes).
- The duration of the processing and what happens to the data at termination.
- The security measures the processor commits to (article 32).
- The sub-processors the processor uses (e.g., Shopify uses AWS for hosting), and how new sub-processors are added.
- The transfer mechanism if data leaves the EEA (Standard Contractual Clauses, adequacy decision, BCRs).
- The rights and obligations in case of a data breach.
- The data subject rights the processor assists with (article 28(3)(e)).
In short: the DPA is the legal evidence that you, the merchant, are not blindly sending EU personal data to whatever vendor charges the lowest monthly fee. It documents that each vendor has signed up to the GDPR’s processor obligations.
Why you, the Shopify merchant, are the “controller”
A common misunderstanding: many merchants assume Shopify itself is responsible for GDPR compliance because Shopify is the platform.
Under GDPR (article 4):
- Controller = the entity that decides the purposes and means of processing personal data.
- Processor = the entity that processes data on behalf of the controller.
When a customer places an order on your Shopify store:
- You decide why their data is collected (to fulfill the order, to send marketing if they opt in, to compute analytics).
- Shopify processes the data on your behalf (storing it in their database, displaying the checkout UI, generating invoices).
That makes you the controller, regardless of whether you have an employee handling the order or it’s just you with a side hustle. Shopify is the processor. Same logic applies to every app on your store: you decide the purpose, the app does the processing.
The full controller responsibility falls on you, including the obligation to have a DPA with every processor.
The minimum DPA stack for a Shopify store in 2026
A typical Shopify store running a basic stack needs the following DPAs:
| Processor | Type | DPA URL |
|---|---|---|
| Shopify | E-commerce platform | shopify.com/legal/dpa |
| Stripe | Payments | stripe.com/legal/dpa |
| PayPal | Payments | paypal.com/legalhub/dataprivacystatement |
| Klaviyo | Email marketing | klaviyo.com/legal/dpa |
| Mailchimp | Email marketing | mailchimp.com/legal/data-processing-addendum |
| Google Analytics 4 | Analytics | Auto-accepted via GA4 settings; download from admin |
| Meta (Facebook/Instagram) | Ads + Pixel | facebook.com/legal/terms/dataprocessing |
| Google Ads | Ads | business.safety.google/adscontrollerterms/ |
| Hotjar / Microsoft Clarity | Heatmaps | Self-serve in respective consoles |
| Shopify Inbox / Chat apps | Customer support | Per-app, in their data-processing pages |
| Shippo, ShipStation, … | Shipping | Per-app |
| Judge.me, Loox, Yotpo | Reviews | Per-app |
A typical Shopify Plus store with marketing automation, multi-channel ads, customer support, and shipping integrations runs 15-25 active processors. Each one needs a current DPA on file.
How to actually get a DPA from each vendor
Most reputable SaaS vendors offer one of three self-serve flows:
- Auto-accepted in Terms of Service. Shopify, Stripe, and most large vendors include the DPA as an annex to their Terms. By using the service you accept the DPA. Download the PDF dated on the day you accepted it.
- Self-serve in the admin console. Klaviyo, Mailchimp, Sendinblue, ActiveCampaign typically have a “Legal” or “Data Privacy” section in the admin where you can countersign their DPA in two clicks. The countersigned PDF is then emailed to you.
- DPA on request. Smaller vendors may not yet have a self-serve flow. Email their legal or support team requesting a signed DPA “for GDPR article 28 compliance”. Most reply within 5-10 business days. If they refuse or don’t reply, stop using that vendor for EU customer data.
A practical 1-day audit: open your Shopify admin, list every installed app + every integration (payments, analytics, marketing, support, shipping), then for each row visit the vendor’s website and find their DPA. Build the table as you go.
For an end-to-end view of Shopify GDPR obligations, see our Shopify and GDPR guide and the Shopify GDPR + CCPA 2026 fines summary.
Maintaining your processor register (article 30)
GDPR article 30 requires controllers to maintain a “record of processing activities”. This is a register, not a DPA — but the two are tightly linked: every processor in your register should have a DPA in the same row.
A useful column layout for the processor register:
| Processor name | Contact | Categories of data | Purpose | Sub-processors URL | DPA version | DPA PDF | Transfer mechanism | Last reviewed |
|---|---|---|---|---|---|---|---|---|
The register is internal by default (you don’t publish it), but the regulator can request it on short notice. Keeping it as a shared Google Sheet, a Notion database, or a dedicated GRC tool is fine — but it must be:
- complete (every processor in your stack)
- current (updated when you install or remove an app)
- accessible to the regulator within reasonable notice (usually 7-14 days)
A common mistake: storing the DPA PDFs in scattered email threads. When the regulator asks for “Klaviyo’s signed DPA from August 2024”, you should be able to produce it in under 10 minutes. Use a dedicated folder structure (/dpa/<vendor>/<version>-<date>.pdf).
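As an added illustration (not code from the original post or from any vendor), a small Python check that reads a processor register kept as CSV and flags rows with no DPA on file, DPA PDFs stored outside the /dpa/<vendor>/<version>-<date>.pdf convention, and rows not reviewed within the last quarter. The register contents, column names and the two "hypothetical" vendors are constructed assumptions.

```python
import csv
import io
import re
from datetime import date, timedelta

# Constructed sample register (not real vendor data or URLs): two clean rows, one
# row with no DPA on file, one with a stale review and a PDF outside the convention.
REGISTER_CSV = """\
processor,categories,purpose,subprocessors_url,dpa_version,dpa_pdf,transfer_mechanism,last_reviewed
Shopify,"identity, order, payment status",Order fulfilment,example.invalid/shopify-subs,2025-01,/dpa/shopify/2025-01-2025-02-10.pdf,SCCs,2026-01-15
Klaviyo,"email, behaviour",Email marketing,example.invalid/klaviyo-subs,v3,/dpa/klaviyo/v3-2024-08-20.pdf,SCCs,2026-01-15
Heatmap Tool (hypothetical),behaviour,Session analytics,,,,,2026-01-15
Old Review App (hypothetical),"identity, order",Reviews,example.invalid/subs,2.1,~/Downloads/dpa-final.pdf,,2025-06-01
"""

# Folder convention from the article: /dpa/<vendor>/<version>-<date>.pdf
PDF_PATTERN = re.compile(r"^/dpa/[a-z0-9-]+/.+-\d{4}-\d{2}-\d{2}\.pdf$")
# Columns that must be filled for a row to count as "DPA on file".
REQUIRED = ("dpa_version", "dpa_pdf", "transfer_mechanism", "subprocessors_url")


def check_register(csv_text: str, today: date, max_age_days: int = 90) -> dict:
    """Return {processor: [findings]} for every row that fails a check."""
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        issues = [f"missing {col}" for col in REQUIRED if not (row.get(col) or "").strip()]
        pdf = (row.get("dpa_pdf") or "").strip()
        if pdf and not PDF_PATTERN.match(pdf):
            issues.append("dpa_pdf not in /dpa/<vendor>/<version>-<date>.pdf layout")
        reviewed = (row.get("last_reviewed") or "").strip()
        if not reviewed:
            issues.append("missing last_reviewed")
        elif today - date.fromisoformat(reviewed) > timedelta(days=max_age_days):
            issues.append(f"last reviewed {reviewed}, older than {max_age_days} days")
        if issues:
            findings[row["processor"]] = issues
    return findings


if __name__ == "__main__":
    for vendor, issues in check_register(REGISTER_CSV, date.today()).items():
        print(vendor)
        for issue in issues:
            print("  -", issue)
```

Running it against the real register on a quarterly schedule turns the "current" requirement above into a check rather than a memory.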
What if a vendor refuses or doesn’t provide a DPA?
This happens with smaller or less mature vendors, particularly outside the major hubs. The options are:
- Switch to a vendor that provides a DPA. This is the recommended path. For any function in your stack, a competing vendor with a clean DPA exists.
- Limit the processing to non-EU customer data. Technically possible but operationally fragile (data flows often mix). Not recommended.
- Negotiate a custom DPA. Realistic only if you have legal counsel and the vendor has > 50 employees. The cost rarely justifies the trouble.
In practice: a vendor that won’t provide a DPA in 2026 is not a vendor you should be using for EU customer data. The market has matured enough that this is no longer a tolerated workaround.
Beyond DPAs: the rest of your Shopify GDPR stack
DPAs are necessary but not sufficient. To pass an EU regulator audit, a Shopify store also needs:
1. A clear privacy policy mentioning every processor you use and what data each receives (your store’s own article 13/14 disclosure).
2. A cookie consent banner that blocks non-essential trackers before consent (Meta Pixel, GA4, Klaviyo cookie, Hotjar). Free cookie banner that works on Shopify here.
3. A working data subject rights flow (right to access, deletion, portability) — usually a contact form + an internal SLA.
4. A breach-notification protocol — internal procedure to notify the regulator within 72 hours (article 33).
5. A Data Protection Impact Assessment (DPIA) if you process sensitive categories or do large-scale tracking (article 35).
For points 1, 3, and 4, WebLegal.ai generates a GDPR-compliant privacy policy + cookie policy + terms of sale tailored to your Shopify store in under 10 minutes, with the processor list pre-filled from your most common Shopify apps.
Conclusion
The single most important GDPR-related habit for a Shopify merchant is keeping a complete and current processor register with a signed DPA for every active app. Without it, you’re one customer complaint away from a public CNIL sanction — and the cleanup is far more expensive than the prevention.
Audit your Shopify stack today: list every installed app, find each vendor’s DPA, store dated PDF copies, build the register. The work is mechanical but indispensable. Once done, set a quarterly reminder to refresh the register whenever your stack changes.
Run a free GDPR audit of your Shopify store with our scanner — we’ll detect which trackers are active and flag the ones that need a DPA in your register.