This DPA sets out Cobay’s standard controller–processor terms. Merchants with specific data- protection requirements (or who need a countersigned copy) can request one at legal@cobay.com.

Data Processing Agreement

Effective July 2, 2026

1. Parties & roles

This Agreement is between the merchant (“Controller”) and Cobay Technology Private Limited (“Cobay” or “Processor”). It governs Cobay’s processing of personal data relating to the Controller’s customers and site visitors (“Customer Personal Data”) and forms part of the agreement under which the Controller uses Cobay.

2. Subject matter, nature & purpose

Cobay processes Customer Personal Data only to provide the Cobay assistant — answering shopper questions, recommending products, looking up order status, and maintaining per-shopper memory — for the duration of the Controller’s subscription.

3. Categories of data & data subjects

Data subjects:the Controller’s shoppers, prospective customers, and site visitors. Personal data: chat messages; a browser session identifier; order email/phone and order status when a shopper requests an order lookup; and an AI-generated summary of shopper preferences. No special-category data is intentionally processed.

4. Processor obligations

  • Process Customer Personal Data only on the Controller’s documented instructions, including those given through the Cobay product.
  • Ensure personnel authorized to process are bound by confidentiality.
  • Implement the technical and organizational measures in Annex A.
  • Not sell Customer Personal Data and not use it to train AI models.
  • Assist the Controller in responding to data-subject requests (access, deletion, correction, portability, objection).
  • Notify the Controller without undue delay after becoming aware of a personal-data breach.
  • Delete or return Customer Personal Data on termination, except as required by law.
  • Make available information needed to demonstrate compliance and allow for reasonable audits.

5. Sub-processors

The Controller authorizes Cobay to engage the sub-processors listed below, each bound by data-protection obligations no less protective than this Agreement. Cobay will give notice of intended changes and allow the Controller a reasonable opportunity to object.

  • Anthropic (AI responses) · OpenAI (search embeddings)
  • Supabase (database/auth/storage) · Vercel (hosting) · Upstash (cache/rate-limit)
  • Shopify (order/product source) · Sentry (error monitoring) · PostHog (analytics)

6. International transfers

Where Customer Personal Data is transferred across borders, the parties rely on an appropriate transfer mechanism (e.g. Standard Contractual Clauses) as required by applicable law.

Annex A — Technical & organizational measures

  • Encryption of data in transit (TLS) and at rest; third-party credentials stored encrypted.
  • Tenant isolation enforced by database row-level security; least-privilege access controls.
  • Minimal retention: live order data cached only briefly (~60s); memory/conversations deletable on request.
  • API rate limiting and abuse protection.
  • Encrypted, access-controlled backups; separation of development and production data.
  • Documented security incident-response process with breach notification to affected Controllers.