DATA PROCESSING AGREEMENT
Effective Date: [March 30, 2026]
This Data Processing Agreement ("DPA") is entered into by and between:
Solverhood OÜ ("Processor", "Risify", "we", "us", "our"), a company incorporated under the laws of Estonia, with its registered address at Parnu mnt 12, Tallinn, Estonia, Registry Number: 14383462, VAT ID: EE102030321, and
The Client ("Client", "Merchant", "You", "Your", "Controller"), who has agreed to Risify's Terms of Service or other agreement relating to the provision of SEO, structured data, and content optimization Services.
Together with our U.S. partner entity, StatsUp, LLC, 30 North Gould Street, STE R, Sheridan, WY 82801, United States (Tax ID: 38-4336557), we operate globally to serve Shopify Merchants.
This DPA forms an integral part of the Service agreement between Risify and the Client (the "Agreement") and governs the processing of personal data by Risify on behalf of the Client in accordance with Article 28 of the General Data Protection Regulation (GDPR) and, where applicable, the Standard Contractual Clauses adopted by the European Commission (2021/914, Module 2).
By installing the Risify app from the Shopify App Store, You accept this DPA which forms part of Your agreement with Risify for the provision of SEO, structured data, and content optimization Services ("Services").
1. DEFINITIONS
1.1 GDPR Definitions
Terms defined in Regulation (EU) 2016/679 ("GDPR") have the same meaning in this DPA, including but not limited to: "Personal Data", "Processing", "Controller", "Processor", "Data Subject", "Personal Data Breach", "Supervisory Authority".
1.2 Additional Definitions
- "Services": The Risify SEO, structured data, and content optimization Services provided via the Shopify platform
- "Subprocessor": Any third party authorized by Risify to process Personal Data on behalf of the Controller
- "SCCs": Standard Contractual Clauses adopted by Commission Implementing Decision (EU) 2021/914 of 4 June 2021, Module 2
- "AWS": Amazon Web Services, Inc., the cloud infrastructure provider used by Risify to process and store data
- "Data Transfer": Any transfer of personal data outside the European Economic Area (EEA) or any other jurisdiction with an adequacy decision
- "Applicable Data Protection Law": The GDPR (EU Regulation 2016/679), and where applicable, other privacy regulations such as the UK GDPR, CCPA, and local EU laws
- "AI Content Agent": Risify's AI-powered content generation features that use third-party AI services to generate FAQs, meta tags, and other content based on store product and collection data
- "AI Credits": The usage allowance for AI Content Agent features included in the Client's subscription plan or purchased separately
- "Material Changes": Modifications to these Terms that substantially alter Your rights, obligations, pricing, data handling practices, or core Service functionality
- "Shopify": Shopify Inc. and its e-commerce platform where the Risify App is installed and operates
2. APPOINTMENT AND AUTHORIZATION
2.1 Appointment as Processor
The Controller appoints Risify as a Processor to process Personal Data on the Controller's behalf in connection with the Services. This appointment is made in accordance with Article 28(1) GDPR.
2.2 Authorization to Process
Risify is authorized to process Personal Data only:
- To provide the Services as configured by the Controller
- In accordance with the Controller's documented instructions
- As required by applicable EU or Member State law
This fulfills the requirements of Article 28(3)(a) GDPR and SCC Clause 8.1.
3. PROCESSING INSTRUCTIONS
3.1 Documented Instructions
Risify shall process Personal Data only on documented instructions from the Controller, which include:
- This DPA and any future amendments
- Configuration settings in the Risify dashboard, including schema settings, breadcrumb configurations, FAQ management settings, and AI Content Agent usage
- Written instructions sent to [email protected]
- Instructions required to comply with applicable law
This fulfills the requirements of Article 28(3)(a) GDPR and SCC Clause 8.1(a).
3.2 Notification
Risify will notify Controllers of significant Service issues that may impact functionality. However, brief interruptions or minor technical issues may be resolved without notification if they do not materially impact the Service.
If Risify:
- Cannot comply with an instruction due to technical limitations or legal requirements
- Experiences technical issues affecting the Services
- Is required by law to process data beyond the Controller's instructions
Risify shall:
- Promptly notify the Controller of the issue via email and/or dashboard notification
- Use commercially reasonable efforts to resolve any technical issues
- Continue processing as required by applicable law (if legal obligation exists)
- Provide available workarounds or alternative solutions where feasible
3.3 Controller Obligations
The Controller shall:
- Ensure that its instructions comply with applicable data protection laws
- Determine the lawful basis for all processing activities
- Ensure that personal data transferred to Risify is accurate and kept up to date
- Provide documented instructions that are lawful and proportionate
- Remain solely responsible for determining whether its use of Risify Services complies with its legal obligations under GDPR and other applicable laws
- Review and approve AI-generated content for accuracy and legal compliance before publication
4. PURPOSE, NATURE, AND DURATION OF PROCESSING
4.1 Subject Matter
The subject matter of the processing is the provision of SEO, structured data, and content optimization Services through the Risify app, which operates on the Shopify platform.
4.2 Purpose of Processing
Personal Data shall be processed exclusively for the following purposes:
- Enable schema markup management, generation, and optimization for Shopify stores
- Facilitate breadcrumb configuration, store structure optimization, and navigation improvements
- Support FAQ and meta tag management, including AI-powered content generation
- Provide store audit results, keyword tracking, and actionable recommendations
- Support Service operations, issue resolution, and improvements specific to the Controller's implementation of the Services
This fulfills the requirements of Article 28(3) GDPR and SCC Clause 8.1.
4.3 Nature of Processing
Processing operations include:
- Reading store data (products, collections, pages, themes, metaobjects, locales) via Shopify API
- Generating and injecting structured data (JSON-LD) and HTML components via Shopify App Embeds
- Sending product and collection data to third-party AI services for content generation (when AI Content Agent features are used)
- Storage in AWS infrastructure in the United States
- Deletion upon instruction
Important: Risify does not install tracking scripts on the Controller's storefront. Risify's storefront components (breadcrumbs, schema markup, FAQ displays) render as static HTML and JSON-LD code and do not collect, track, or transmit any visitor data.
4.4 Duration of Processing
- Processing shall continue for the duration of the Controller's active Risify subscription
- Data is deleted or returned upon termination as per Section 10 of this DPA
This information is required by Article 28(3) GDPR and Annex I.B of the SCCs.
5. CATEGORIES OF DATA AND DATA SUBJECTS
5.1 Categories of Data Subjects
- Controller's Personnel: Store owner and authorized team members who interact with Risify
Note: Unlike data tracking applications, Risify does not process personal data of the Controller's store visitors (end users). Risify's storefront components render without any data collection from visitors.
This information is required by Article 28(3) GDPR and Annex I.B of the SCCs.
5.2 Categories of Personal Data
From Clients (Merchants):
- Store, Merchant and app usage information: Store URL, Store plan, Store domain, Date of installation/uninstallation, Store owner name, Email address, Country
- App usage data: Operations performed inside the app (schema configurations, breadcrumb settings, FAQ management, meta tag editing, audit results, keyword tracking)
- Payment history: Excluding payment details (all billing is managed by Shopify)
- Contact emails: Via Support page
Store content data (non-personal):
- Product and collection data (titles, descriptions, images, variants, tags, types)
- Online store page content
- Theme data
- Metaobject definitions and metaobjects
- Locale and language settings
This store content data is generally not personal data, but is listed here for transparency about what data Risify accesses and processes.
This fulfills the requirements of Article 28(3) GDPR and Annex I.B of the SCCs.
5.3 Special Categories of Data
No special categories of data under Article 9 GDPR are intentionally collected or processed.
6. SECURITY OF PROCESSING
6.1 Technical and Organizational Measures
Risify shall implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:
Technical Measures Currently Implemented:
- Encryption at rest using AES-256
- Encryption in transit using TLS 1.2 or higher (HTTPS for all data transfers)
- Access controls using AWS Identity and Access Management (IAM)
- Regular security patching and vulnerability management
- Web Application Firewall (WAF) protection
- AWS infrastructure redundancy and availability features
Organizational Measures:
- Personnel access on least-privilege basis
- All personnel authorized to access Personal Data are subject to confidentiality obligations
- Annual security awareness training
- Documented incident response procedures
- Regular security assessments
- Internal access is restricted to authorized personnel only
This fulfills the requirements of Article 28(3)(c) and Article 32 GDPR, and SCC Clause 8.6.
6.2 Security Updates
Risify shall regularly review and update security measures to maintain appropriate protection levels. Full technical and organizational measures are detailed in Annex II.
7. CONFIDENTIALITY
7.1 Personnel Confidentiality
Risify ensures that:
- All personnel authorized to process Personal Data have committed to confidentiality or are under statutory obligation of confidentiality
- Access is limited to personnel who need it for providing the Services
- All personnel receive appropriate data protection training
This fulfills the requirements of Article 28(3)(b) GDPR and SCC Clause 8.3.
7.2 Ongoing Obligations
Confidentiality obligations survive termination of employment or engagement.
8. SUBPROCESSORS
8.1 General Authorization
The Controller provides general written authorization for Risify to engage Subprocessors, subject to the requirements in this section. This implements Option 2 under SCC Clause 9(a).
8.2 Current Subprocessors
The Controller acknowledges that Risify engages multiple Subprocessors to provide the Services, including but not limited to Amazon Web Services (AWS) as our primary infrastructure provider for cloud hosting and data storage in the United States. The complete and current list of all Subprocessors, including their specific processing activities and locations, is provided in Annex III of this DPA.
8.3 Adding or Replacing Subprocessors
- Risify shall notify the Controller at least 15 days before adding or replacing any Subprocessor
- Notification shall be provided via email and dashboard notification
- Notification shall include the Subprocessor's name, location, and processing activities
This fulfills the requirements of Article 28(2) GDPR and SCC Clause 9(a) Option 2.
8.4 Right to Object
- The Controller may object within the notification period on reasonable grounds relating to data protection
- If the objection cannot be resolved, either party may terminate the affected Services
- Continued use after the objection period constitutes acceptance
This fulfills the requirements of Article 28(2) GDPR and SCC Clause 9(a) Option 2.
8.5 Subprocessor Obligations
Risify shall:
- Ensure that any Subprocessor is contractually bound by data protection obligations no less protective than those set out in this DPA
- Remain fully liable for Subprocessor performance
- Conduct appropriate due diligence before engagement
- Where a Subprocessor processes Personal Data outside the EEA, ensure appropriate transfer mechanisms are in place (such as SCCs Module 3 or adequacy frameworks)
This fulfills the requirements of Article 28(4) GDPR and SCC Clause 9(b) and (c).
9. INTERNATIONAL TRANSFERS
9.1 Transfer Mechanism
Personal Data is transferred to and processed in the United States through Amazon Web Services, Inc. (AWS). Additional Subprocessors may process data in other locations as specified in Annex III. All data transfers outside of Europe are protected by:
- Standard Contractual Clauses (Module 2: Controller to Processor) as incorporated in this DPA
- The technical and organizational measures described in this DPA
- AWS's participation in the EU-U.S. Data Privacy Framework (DPF), which provides an additional adequacy mechanism recognized by the European Commission
This fulfills the requirements of Articles 44-46 GDPR and implements the SCCs.
9.2 SCC Implementation Details
The parties specifically adopt Module Two: Transfer from Controller to Processor, and agree to the following selections:
- Clause 7 (Docking clause): Included
- Clause 9 (Use of Subprocessors): Option 2 - General written authorization
- Clause 11 (Redress): Not included
- Clause 17 (Governing law): Option 1 - Laws of Estonia
- Clause 18 (Choice of forum): Courts of Estonia
9.3 Supplementary Measures
In addition to the SCCs, Risify implements supplementary safeguards, including:
- Encryption in transit and at rest
- Access control and monitoring
- Geographic restriction to known AWS regions
- Personnel training and confidentiality agreements
10. DATA RETENTION AND DELETION
10.1 Deletion or Return Upon Termination
Upon termination or expiry of the Services, Risify shall, at the choice of the Controller:
- Return all personal data processed on behalf of the Controller, or
- Delete such data, unless retention is required by applicable law
Risify shall inform the Controller if it is legally obligated to retain any personal data after the termination of processing activities. This fulfills the requirements of Article 28(3)(g) GDPR and SCC Clause 8.5.
10.2 Deletion on Request During Active Service
During the term of Service, the Controller may request the deletion of personal data at any time through the Risify App or by written instruction. Risify shall delete such data without undue delay, unless retention is required by applicable law. If immediate deletion is not technically feasible, Risify shall inform the Controller of the reason and the expected timeline.
This fulfills the requirements of Article 28(3)(f) GDPR and SCC Clause 8.5.
10.3 Deletion Timing and Method
Unless otherwise agreed in writing, Risify shall delete personal data:
- Within 30 days following Service termination or final instruction from the Controller
- Using secure deletion methods appropriate to the nature and format of the data
10.4 Data Export During Service
To exercise data access rights, Controllers can go to Risify App > Settings > Account or contact [email protected].
10.5 Retention Periods
In accordance with the Terms of Service Section 11.4.2, Risify retains Personal Data only for as long as necessary to fulfill the purposes for which it was collected and processed. Specifically:
- Merchant data (including Store and app usage information) is retained for the duration of the Service agreement
Clients may request deletion of their data at any time via the Risify Settings. All data retention is subject to legal obligations, dispute resolution needs, enforcement of agreements, security requirements, or legitimate business interests (including backups, audit logs, and fraud prevention).
11. ASSISTANCE WITH DATA SUBJECT RIGHTS
11.1 Assistance Obligation
Risify shall provide reasonable assistance to the Controller in fulfilling its obligations to respond to data subject requests regarding:
- Access to Personal Data (Article 15 GDPR)
- Rectification (Article 16 GDPR)
- Erasure (Article 17 GDPR)
- Restriction of processing (Article 18 GDPR)
- Data portability (Article 20 GDPR)
- Objection to processing (Article 21 GDPR)
This fulfills the requirements of Article 28(3)(e) GDPR and SCC Clause 8.4.
11.2 Procedure for Requests
If Risify receives a request directly from a data subject, it shall promptly inform the Controller without undue delay and not respond to the request itself unless instructed in writing by the Controller.
11.3 Technical Assistance
Risify provides tools and technical measures to enable the Controller to respond to data subject requests in a timely and legally compliant manner.
12. SECURITY BREACH NOTIFICATION
12.1 Notification Timeline
Risify shall notify the Controller without undue delay, and in any case within 48 hours, after becoming aware of a Personal Data Breach. The notification will be delivered via email. This fulfills the requirements of Article 28(3)(f) and Article 33 of the GDPR, as well as SCC Clause 8.6(c).
12.2 Initial Notification Content
The initial breach notification shall include, to the extent known:
- A description of the breach, including the type of incident, categories of data subjects, and estimated number of records affected
- The likely consequences of the breach
- Measures taken or planned to address the breach and mitigate potential harm
- Contact information for follow-up
This fulfills the requirements of Article 33(3) GDPR and SCC Clause 8.6(c).
12.3 Ongoing Cooperation
Risify shall:
- Cooperate fully with the Controller in fulfilling any regulatory notification duties
- Document all breaches regardless of notification requirement
- Implement measures to prevent recurrence
This fulfills the requirements of Article 28(3)(f) GDPR.
12.4 Exclusions
Risify is not required to notify the Controller of:
- Failed login attempts or port scans that do not compromise personal data
- Internal testing or security exercises
- Minor incidents that do not affect personal data or fall below regulatory reporting thresholds
13. AUDIT AND INSPECTION RIGHTS
13.1 Audit Rights
The Controller has the right to conduct audits or inspections of Risify's data processing activities and relevant systems, as required under Article 28(3)(h) GDPR and SCC Clause 8.9.
13.2 Audit Procedures
Audits shall be:
- Limited to once per year (unless legally required more frequently)
- Conducted with 30 days' written notice, during normal business hours
- Performed in a manner that does not unreasonably disrupt Risify's operations
- Subject to appropriate confidentiality obligations
13.3 Documentation
Risify shall maintain appropriate records of processing activities and make them available to the Controller or competent supervisory authority upon request. This fulfills the requirements of Article 28(3)(h) GDPR and SCC Clauses 8.9(b) and 8.9(e).
14. COMPLIANCE ASSISTANCE
14.1 General Assistance
Taking into account the nature of the processing, Risify shall assist the Controller, upon request, in ensuring compliance with:
- Implementing appropriate technical and organizational security measures (Article 32 GDPR)
- Notifying the supervisory authority and data subjects in the event of a personal data breach (Articles 33 and 34 GDPR)
- Conducting data protection impact assessments (Article 35 GDPR)
- Consulting the supervisory authority prior to processing where required (Article 36 GDPR)
This assistance shall be provided in accordance with SCC Clauses 8.6, 8.7, 10(b), and 10(c), and Article 28(3)(f) GDPR.
14.2 Information Provision
Risify shall provide all information necessary to demonstrate compliance with Article 28 GDPR obligations. This fulfills the requirements of Article 28(3)(h) GDPR.
15. PROHIBITED USES
15.1 Restrictions on Processing
Risify shall not:
- Use personal data for its own purposes
- Sell, license, or share personal data with third parties except as necessary to perform the Services in accordance with this DPA and the Controller's instructions
- Combine or enrich data in a way that violates data protection laws
- "Sell" or "share" Personal Data as those terms are defined under U.S. Privacy Laws, including the California Consumer Privacy Act (CCPA)
16. LIABILITY AND INDEMNIFICATION
16.1 Statutory Liability
Each Party shall be liable for the damages it causes through an infringement of this DPA, Applicable Data Protection Laws, or the Standard Contractual Clauses (SCCs). Nothing in this DPA limits either party's liability under Articles 82 and 83 GDPR.
16.2 Responsibility Allocation
- The Controller shall be responsible for obtaining a valid legal basis for processing and for ensuring that its instructions are lawful
- The Processor shall be responsible for processing personal data in accordance with the Controller's instructions and with the obligations set forth in this DPA
This allocation reflects Article 82 GDPR and SCC Clause 12.
17. TERM AND TERMINATION
17.1 Term
This DPA:
- Takes effect upon installation of the Risify app
- Continues for the duration of the Services
- Supersedes any previous data processing terms
17.2 Survival
The following sections survive termination:
- Data deletion obligations (Section 10)
- Confidentiality (Section 7)
- Liability provisions (Section 16)
- Any terms that by nature should survive
17.3 Termination
Termination of this DPA shall be governed by the termination provisions in the Terms of Service (Section 11). Specifically:
- For breach of terms, security risks, or legal requirements: Immediate termination without prior notice
- For termination without cause: 30 days' written notice as specified in Terms of Service Section 11.3.2
Upon termination, data deletion obligations in Section 10 of this DPA shall apply.
18. MISCELLANEOUS
18.1 Governing Law
This DPA shall be governed by the laws of Estonia, without regard to its conflict of law principles. This implements SCC Clause 17, Option 1.
18.2 Jurisdiction
Any dispute arising out of or in connection with this DPA shall be subject to the exclusive jurisdiction of the courts of Estonia. This selection satisfies Clause 17 of the Standard Contractual Clauses, which requires the law of an EU Member State that allows for third-party beneficiary rights under the SCCs.
18.3 Modification
Risify will provide 30 days' advance notice for any material changes to this DPA via email or dashboard notification. Non-material changes (such as clarifications, typo corrections, or formatting updates) may be made without advance notice. Material changes require Your acceptance through continued use of the Services after the notice period. If You do not agree to the modified DPA, You must discontinue use of the Services before the effective date of the changes.
18.4 Links to Other Websites
Our Service may contain links to third-party websites or Services that are not owned or controlled by Risify. Risify has no control over, and assumes no responsibility for, the content, privacy policies, or practices of any third-party websites or Services.
18.5 Order of Precedence
For matters related to data protection and privacy, the following order of precedence shall apply:
- Mandatory provisions of applicable data protection law (including GDPR)
- Standard Contractual Clauses (where applicable)
- This DPA
- Terms of Service (for data protection matters specifically addressed therein)
- Any other agreement between the parties
This order of precedence applies only to data protection matters. For all other matters, the order of precedence in Section 14.13 of the Terms of Service shall apply.
ANNEX I - DESCRIPTION OF THE PROCESSING
A. List of Parties
Data Exporter (Controller):
- Identity: The Merchant or Client installing and using Risify's Shopify app
- Contact: As provided in Risify account
- Role: Controller
Data Importer (Processor):
- Identity: Solverhood OÜ
- Address: Parnu mnt 12, Tallinn, Estonia
- Registration: 14383462
- VAT ID: EE102030321
- Contact: [email protected]
- Data Protection Contact: [email protected]
- Role: Processor
B. Description of Processing
Categories of Data Subjects:
- The Controller's staff (e.g., store owner or team members who are logged into Shopify and the Risify app)
Categories of Personal Data Processed:
The categories of personal data processed are detailed in Section 5.2 of this DPA, which includes merchant contact information (name, email address), store information (URL, domain, plan), and app usage data. Please refer to Section 5.2 for the complete list.
Sensitive Data (Special Categories):
Risify does not require or intend to process special categories of data under Article 9 GDPR.
Nature and Purpose of Processing:
Risify processes personal data strictly for:
- Managing merchant accounts and providing customer support
- Delivering SEO, structured data, and content optimization Services
- Powering AI Content Agent features (using product/collection data, not personal data)
- Monitoring and improving app performance and functionality
Duration of Processing:
- For the duration of the Controller's active use of Risify
- Data is deleted or returned upon termination as per Section 10 of this DPA
Transfers to Third Countries:
Personal data may be transferred to subprocessors (e.g., AWS in the United States) under:
- Standard Contractual Clauses (Module 3: Processor to Subprocessor), or
- Adequacy mechanisms (e.g., EU-U.S. Data Privacy Framework)
C. Competent Supervisory Authority
Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon)
ANNEX II - TECHNICAL AND ORGANIZATIONAL MEASURES (TOMs)
Risify implements the following technical and organizational measures to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and Services, in accordance with Article 32 of the GDPR:
1. Access Control and Authentication
- Role-based access control (RBAC) is applied to internal systems and databases.
- Unique user accounts are assigned to all team members; shared logins are prohibited.
- Multi-factor authentication (MFA) is enforced via Shopify's secure login system, with optional two-factor authentication (2FA) for Merchants.
- Access rights are reviewed regularly and revoked promptly upon role change or offboarding.
- The principle of least privilege (PoLP) is enforced across all systems.
2. Data Encryption
- All data in transit is protected using TLS 1.2 or higher (HTTPS).
- Data at rest is encrypted using AES-256 encryption within the AWS infrastructure.
- Access to cryptographic keys is strictly limited, monitored, and logged.
3. Infrastructure and Hosting Security
- Risify is hosted on Amazon Web Services (AWS), which complies with GDPR and holds certifications such as SOC 2 and ISO 27001.
- AWS provides encryption in transit and at rest, and uses AWS Identity and Access Management (IAM) for granular access control.
- Regular infrastructure updates and vulnerability patching are performed.
- Security updates are deployed promptly following vendor advisories or internal risk assessments.
4. Data Processing Security
- Data minimization principles are applied by default, collecting only the data necessary for the stated processing purpose.
- When AI Content Agent features are used, only non-personal product and collection data is sent to third-party AI services.
5. Organizational Security Measures
- All employees are bound by confidentiality agreements and access control policies.
- Employees undergo onboarding and recurring GDPR and data protection training.
- Access to personal data is limited to authorized personnel only on a need-to-know basis.
6. Incident Detection and Response
- An internal incident response plan is maintained and regularly reviewed.
- Post-incident reviews and root cause analyses are documented to prevent recurrence.
- Any personal data breaches are reported to the Controller without undue delay, in accordance with Article 33 of the GDPR.
7. Data Segregation
- Only the data necessary for SEO, structured data, and content optimization services is collected and processed.
- Merchant-specific data is logically segregated within multi-tenant systems.
8. Payment Security
- All payment processing is handled via Shopify, which is PCI DSS compliant.
- Risify does not process, store, or access payment card information.
9. Subprocessor Security Oversight
Risify ensures that all Subprocessors implement equivalent technical and organizational measures to protect personal data. Our Subprocessor management includes:
Due Diligence and Selection:
- All Subprocessors undergo security assessment prior to engagement, evaluating their compliance certifications, security practices, and data protection measures
- Priority is given to Subprocessors with recognized certifications (SOC 2, ISO 27001, ISO 27018, or equivalent)
- Subprocessors must demonstrate GDPR compliance and provide appropriate contractual guarantees
ANNEX III - LIST OF SUBPROCESSORS
Authorized Subprocessors as of [March 30, 2026]:
| Processor Name | Description of Processing | Location |
|---|---|---|
| Amazon Web Services, Inc. (AWS) | Cloud infrastructure, hosting, data storage and processing of Client Data | United States |
| MailerSend (The Remote Company, Inc.) | Transactional email delivery for Client communications (e.g., onboarding, notifications) | United States |
| Zoho Corporation Pvt. Ltd. (Zoho Desk) | Customer support ticketing system for handling Client inquiries | United States |
| PostHog, Inc. | Product analytics for app improvement and functionality monitoring | United States |
| Third-party AI service provider(s) | AI content generation for FAQ and meta tag features (receives only product/collection data, not personal data) | United States |
Risify will provide advance notice of any intended additions or replacements, allowing the Controller to object in accordance with Section 8 of this DPA.
ANNEX IV - STANDARD CONTRACTUAL CLAUSES
Commission Implementing Decision (EU) 2021/914 of 4 June 2021
Standard Contractual Clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679
Module selected: Module 2 (Controller to Processor)
The following standard clauses apply without modification:
- Clause 8 (Data processing) - Including all sub-clauses 8.1 through 8.9
- Clause 10 (Data subject rights)
- Clause 12 (Liability)
- Clause 13 (Supervision)
- All other standard clauses not requiring selection
By installing the Risify app, You acknowledge that You have read, understood, and agree to be bound by this Data Processing Agreement.
Contact Us
Risify is developed and maintained by two partner entities:
Solverhood OÜ
Parnu Mnt 12, Tallinn, Estonia
Registry Number: 14383462
VAT ID: EE102030321
StatsUp, LLC
30 North Gould Street, STE R, Sheridan, WY 82801, United States
Tax ID: 38-4336557
Together, we operate globally to serve Shopify merchants while complying with data protection laws.
If you have any questions about Terms of Service or privacy documents, you can reach us at: [email protected]
Last Updated: [March 30, 2026]