Data Processing Agreement (DPA)

Data Processor

WebInnovator ApS

CVR: 44574187

Venusvej 7, 4040 Jyllinge, Denmark

support@webinnovator.dk

Data Controller

The legal entity or organization using the Money Leak platform and submitting or making personal data available through the service.

Money Leak processes personal data solely for the purpose of providing the Money Leak platform and related operational services, including:

• ecommerce data synchronization
• operational analytics
• anomaly detection
• reporting
• account management
• support and maintenance
• AI-assisted explanatory functionality
• infrastructure and security operations

Money Leak shall not process personal data for purposes unrelated to delivery of the service.

Depending on the customer’s integrations and usage, processed data may include:

• customer identifiers
• customer email addresses
• usernames
• billing and company information
• order information
• order line items
• product information
• pricing and discount information
• ecommerce operational metadata
• user access and authentication metadata
• technical logs and diagnostics

Sensitive personal data should not intentionally be submitted to the platform unless explicitly agreed in writing.

Data subjects may include:

• customers of the Customer
• ecommerce end-users
• employees or authorized users
• operational staff
• administrators

The Customer confirms and warrants that:

• it has a lawful basis for processing personal data
• it has the right to transfer personal data to Money Leak
• it complies with applicable privacy and data protection laws
• it is responsible for the accuracy and legality of submitted data
• it remains the Data Controller for customer-submitted data

The Customer is responsible for responding to requests from data subjects unless otherwise required by law.

Money Leak shall:

• process personal data only on documented instructions from the Customer
• implement reasonable technical and organizational security measures
• restrict access to authorized personnel
• assist the Customer where reasonably necessary in relation to GDPR obligations
• notify the Customer of confirmed personal data breaches where legally required
• ensure confidentiality obligations apply to personnel with access to data

Money Leak implements technical and organizational measures designed to protect personal data, including:

• authenticated access controls
• role-based access management
• encrypted transport security (HTTPS/TLS)
• customer/shop isolation
• infrastructure access restrictions
• operational monitoring
• backup and recovery mechanisms

No system can guarantee absolute security.

The Customer authorizes Money Leak to use subprocessors necessary for operation of the service.

Subprocessors may include providers related to:

• hosting
• databases
• authentication
• analytics
• AI functionality
• email delivery
• infrastructure monitoring

These may include:

• Render
• Vercel
• Clerk
• OpenAI
• Simply.com

Money Leak may update subprocessors over time as operational requirements evolve.

Certain subprocessors may process data outside the EU/EEA.

Where applicable, Money Leak relies on appropriate safeguards, including:

• Standard Contractual Clauses (SCCs)
• contractual protections
• reasonable security measures

Money Leak may provide AI-assisted summaries and explanatory functionality through OpenAI API services.

The Customer acknowledges that:

• AI functionality is assistive only
• AI operates in read-only mode
• AI does not autonomously execute actions
• AI-generated content may contain inaccuracies
• operational decisions remain the Customer’s responsibility

Money Leak does not use customer-submitted API data to train proprietary AI models.

Money Leak shall ensure that persons authorized to process personal data are subject to confidentiality obligations.

The Customer acknowledges that Money Leak’s:

• software
• workflows
• methodologies
• reports
• prompts
• systems
• platform logic

constitute confidential proprietary information belonging to WebInnovator ApS.

Money Leak retains customer data only for as long as reasonably necessary for:

• delivery of the service
• operational continuity
• legal obligations
• backup retention
• dispute resolution

Upon termination of the service, data may be deleted after a reasonable retention period unless retention is required by law or operational necessity.

Where reasonably required and technically feasible, Money Leak may assist the Customer with:

• access requests
• deletion requests
• correction requests
• GDPR-related inquiries

Such assistance may be subject to reasonable administrative or operational limitations.

Money Leak may provide reasonable information regarding security and data handling practices upon written request.

The Processor is not obligated to disclose:

• proprietary systems
• source code
• internal architecture
• trade secrets
• security-sensitive operational details

Any audit rights must be reasonable, proportionate, and not compromise platform security or other customers.

Liability under this DPA shall be subject to the limitations and exclusions set out in the applicable Terms of Service.

Money Leak shall not be liable for:

• Customer misuse of the platform
• unlawful Customer data processing
• Customer configuration errors
• decisions made based on platform outputs
• AI-generated inaccuracies

This DPA shall be governed by Danish law.

Any disputes shall be subject to the jurisdiction of the Danish courts.

Questions regarding this DPA may be directed to:

WebInnovator ApS

support@webinnovator.dk

(+45) 42 74 59 54