OmniDrop

DPA

Last updated: April 1, 2026
OmniDrop Inc.

This Data Processing Agreement ("DPA") is an addendum to the OmniDrop Terms of Service ("Agreement") and governs the processing of personal data by OmniDrop Inc. ("Processor") on behalf of the customer ("Controller") when using the OmniDrop platform (the "Service").

This DPA is entered into by and between the Controller and the Processor, and is effective as of the date the Controller accepts the Agreement or begins using the Service.

1. Definitions

  • "Personal Data" means any information relating to an identified or identifiable natural person, as defined in Article 4(1) of the GDPR.
  • "Processing" means any operation performed on Personal Data, as defined in Article 4(2) of the GDPR.
  • "Data Subject" means the identified or identifiable natural person to whom the Personal Data relates.
  • "Sub-Processor" means a third party engaged by the Processor to process Personal Data on behalf of the Controller.
  • "Supervisory Authority" means an independent public authority established by an EU Member State pursuant to Article 51 of the GDPR.

2. Scope and Purpose of Processing

2.1 Subject Matter

The Processor processes Personal Data on behalf of the Controller solely for the purpose of providing the Service as described in the Agreement, including:

  • Account management and authentication
  • Subscription billing and payment processing
  • AI-powered content generation and marketing automation
  • Store integration and order management
  • Customer support and communication

2.2 Duration

This DPA shall remain in effect for the duration of the Agreement. Upon termination, the Processor shall delete or return all Personal Data within 30 days, unless retention is required by applicable law.

2.3 Categories of Data Subjects

| Category | Description |
|---|---|
| Controller's employees / team members | Individuals who access the Service on behalf of the Controller |
| Controller's end customers | Individuals whose order or contact data is processed through connected stores |
| Marketing leads / influencers | Individuals whose public profile data is used in outreach campaigns |

2.4 Types of Personal Data

  • Name, email address, phone number
  • IP address and device identifiers
  • Billing and payment information (processed via Stripe)
  • Order information (shipping address, purchase history)
  • Usage analytics and activity logs
  • Profile photos and avatar images

3. Obligations of the Processor

The Processor shall:

  • Process Personal Data only on documented instructions from the Controller, unless required by applicable law. If required by law, the Processor shall inform the Controller before processing (unless legally prohibited).
  • Ensure that all personnel authorized to process Personal Data are bound by confidentiality obligations.
  • Implement and maintain appropriate technical and organizational security measures as described in Section 5.
  • Engage Sub-Processors only with prior written consent of the Controller (see Section 4).
  • Assist the Controller in responding to Data Subject requests (access, rectification, erasure, portability) within the timeframes specified by the GDPR.
  • Assist the Controller in ensuring compliance with Articles 32-36 of the GDPR (security, breach notification, impact assessments, prior consultation).
  • Delete or return all Personal Data upon termination of the Agreement, and certify deletion upon request.
  • Make available all information necessary to demonstrate compliance with this DPA and allow for audits and inspections by the Controller or an appointed auditor.

4. Sub-Processors

4.1 Authorization

The Controller grants general written authorization for the Processor to engage Sub-Processors, subject to the conditions in this Section. A current list of Sub-Processors is available on our GDPR Compliance page and upon request.

4.2 Notification of Changes

The Processor shall notify the Controller at least 30 days before adding or replacing a Sub-Processor, providing the Controller an opportunity to object. If the Controller objects on reasonable data protection grounds, the parties shall work in good faith to resolve the concern. If no resolution is reached, the Controller may terminate the affected portion of the Service.

4.3 Sub-Processor Obligations

The Processor shall impose data protection obligations on each Sub-Processor that are materially equivalent to those set out in this DPA. The Processor remains fully liable to the Controller for the performance of each Sub-Processor's obligations.

5. Security Measures

The Processor implements and maintains the following technical and organizational measures to protect Personal Data:

5.1 Encryption

  • AES-256 encryption for data at rest (database, backups, file storage)
  • TLS 1.3 for data in transit (all API calls, webhooks, dashboard access)
  • End-to-end encryption for stored API keys and OAuth tokens

5.2 Access Controls

  • Role-based access control (RBAC) with principle of least privilege
  • Multi-factor authentication required for all administrative access
  • Automated access revocation upon employee offboarding
  • Audit logging of all access to Personal Data

5.3 Infrastructure Security

  • SOC 2 Type II compliant infrastructure
  • Regular penetration testing (annually, at minimum)
  • Automated vulnerability scanning and patching
  • DDoS protection and Web Application Firewall (WAF)
  • Network segmentation between production and development environments

5.4 Business Continuity

  • Automated daily backups with geographically redundant storage
  • Disaster recovery plan with documented recovery time objectives (RTO: 4 hours, RPO: 1 hour)
  • 99.9% uptime SLA

6. Data Breach Notification

In the event of a Personal Data breach, the Processor shall:

  • Notify the Controller without undue delay, and no later than 48 hours after becoming aware of the breach.
  • Provide the Controller with sufficient information to fulfill its breach notification obligations under Articles 33 and 34 of the GDPR, including: the nature of the breach, categories and approximate number of affected Data Subjects, likely consequences, and measures taken or proposed to mitigate the breach.
  • Cooperate with the Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of the breach.
  • Document the breach in the Processor's internal breach register.

7. Data Subject Rights

The Processor shall assist the Controller in fulfilling its obligations to respond to Data Subject requests under Articles 15-22 of the GDPR, including requests for access, rectification, erasure, restriction, portability, and objection. The Processor shall respond to the Controller's requests for assistance within 5 business days.

8. International Transfers

When Personal Data is transferred outside the EEA/UK, the Processor shall ensure adequate protection through:

  • Standard Contractual Clauses (SCCs) as approved by the European Commission (Decision 2021/914)
  • Supplementary technical and organizational measures as recommended by the EDPB
  • Transfer Impact Assessments (TIAs) for each relevant transfer

9. Audits

The Controller (or its appointed third-party auditor) may conduct audits to verify the Processor's compliance with this DPA, subject to reasonable notice (minimum 30 days), scope limitations, and confidentiality obligations. The Processor shall cooperate and provide necessary access and information. Audit costs are borne by the Controller.

10. Liability

Each party's liability under this DPA is subject to the limitations of liability set out in the Agreement. Nothing in this DPA excludes or limits either party's liability for breaches of its obligations under applicable data protection law.

11. Contact & Execution

To sign a DPA, request a copy with pre-filled details, or ask questions about our data processing practices, contact our Legal Team:

  • Email: legal@omnidrop.io
  • DPO: dpo@omnidrop.io
  • Address: OmniDrop Inc., Legal Department, 548 Market Street, Suite 36879, San Francisco, CA 94104, United States