Legal

Review the official data protection addendum (dpa) for CallFusionAI.

Data Protection Addendum (DPA) — CartEngage

Effective: Upon installation of the CartEngage Shopify application Version: 2.0 — 22 April 2026

Parties

Controller: the Merchant (Shopify store owner who installs CartEngage) Processor: Vidushi Infotech, operator of the CartEngage Shopify application Registered address: Cerebrum IT Park, Unit No-3A, Building B3, 2nd Floor, Kalyani Nagar, Pune, Maharashtra 411014, India Contact: support@vidushiinfotech.com

1. Scope and Purpose

This Data Protection Addendum ("DPA") governs Vidushi Infotech's processing of personal data on behalf of the Controller in connection with the CartEngage Shopify application ("Service"). This DPA is incorporated by reference into the CartEngage Privacy Policy and Terms & Conditions.

This DPA reflects obligations under:

  • GDPR — EU General Data Protection Regulation (Article 28)
  • UK GDPR — post-Brexit equivalent
  • CCPA / CPRA — California Consumer Privacy Act
  • Shopify Partner Program requirements for apps accessing Protected Customer Data

2. Definitions

  • Personal Data — any information relating to an identified or identifiable natural person
  • Processing — any operation performed on Personal Data (collection, storage, use, disclosure, deletion)
  • Controller — the Merchant, who determines the purposes and means of processing their customers' Personal Data
  • Processor — Vidushi Infotech (CartEngage), processing Personal Data on behalf of the Controller
  • Sub-processor — any third party engaged by Vidushi Infotech to process Personal Data on behalf of the Controller (listed in Section 6)
  • End User — the Merchant's customer whose Personal Data is processed via the Service

3. Details of Processing

CategoryDetail
Data subjectsMerchant's customers who have abandoned shopping carts or engaged with the Service
Types of Personal DataName (first + last), email, phone, shipping/billing address (city/state/country/postal code), cart items + values, order history, call recordings, call transcripts, AI-derived sentiment + outcome classifications
Processing purposesAbandoned cart recovery via AI voice calls, SMS, and email; analytics; DNC / consent management; Shopify compliance (WhatsApp — Phase 2, not yet active)
DurationFor the duration of active app installation + 48 hours for post-uninstall deletion (per Shopify mandate); billing records retained for 7 years for legal/tax compliance
Processing locationsIndia (Pune, Maharashtra — Vidushi Infotech private server) and sub-processor regions listed in Section 6
Nature of processingAutomated data collection via Shopify webhooks; automated outbound voice calls via AI agents; transcription; sentiment analysis; storage; analytics reporting

4. Processor Obligations

Vidushi Infotech (the Processor) shall:

  1. Process Personal Data only on documented instructions from the Controller (installation of the Service + merchant configuration constitute the primary instructions)
  2. Ensure that persons authorized to process Personal Data (employees, contractors) are under binding confidentiality obligations
  3. Implement appropriate technical and organizational security measures as described in Section 8 (Technical & Organizational Measures)
  4. Engage sub-processors only under written agreements imposing data protection obligations equivalent to those in this DPA (Section 6)
  5. Notify the Controller of intended changes to sub-processors and give them a reasonable opportunity to object (at least 30 days' notice; see Section 7)
  6. Assist the Controller in responding to End User rights requests (access, rectification, erasure, portability, restriction, objection)
  7. Assist the Controller in complying with Articles 32-36 GDPR (security, breach notification, data protection impact assessments, prior consultation)
  8. Delete or return all Personal Data to the Controller upon termination of the Service, subject to the Privacy Policy retention schedule
  9. Make available all information necessary to demonstrate compliance with this DPA, including audit rights (Section 9)

5. Controller Obligations

The Controller (Merchant) shall:

  1. Provide instructions for processing in compliance with applicable data protection law
  2. Ensure there is a lawful basis for the processing of End Users' Personal Data (opt-in consent, legitimate interest, contract performance)
  3. Configure the Service (DNC list, opt-out mechanisms, recording disclosures) in compliance with applicable law (TCPA, GDPR, CCPA, CASL, PECR, etc.)
  4. Respond to End User rights requests within legal timeframes
  5. Notify the Processor promptly of any complaints or rights requests that require Processor action

6. Sub-processors

The Controller consents to Vidushi Infotech engaging the sub-processors listed below. The current list is also maintained in the Privacy Policy.

#Sub-processorPurposeCategories of Personal Data ProcessedLocation
1Shopify, Inc.Platform integration, cart/order/customer webhooks, OAuth token exchangeShop config, customer data, cart + order dataCanada / US / global
2Vapi AI, Inc.AI voice call orchestration, recording, transcriptionCustomer phone, call context (cart items, value), voice audio, transcriptsUS
3Twilio, Inc.Phone provisioning, SMS delivery (WhatsApp — Phase 2, not yet active)Customer phone, message content, call routing metadataUS / global
4OpenAI, L.L.C. (via Vapi)LLM for generating AI conversation responsesPer-turn system prompt + user utterance text (no persistent memory of End User)US
5Deepgram, Inc. (via Vapi)Real-time speech-to-textCustomer voice audio during callUS
6ElevenLabs (optional, via Vapi)Text-to-speech voice synthesis for AI agentAI agent script text only (no End User data)US
7PostgreSQL hosting provider (Vidushi Infotech private server)Primary relational database storageAll app data (access tokens Fernet-encrypted at rest)India (Pune, Maharashtra)
8CanSpace Solutions (SMTP: hades.canspace.ca)Outbound OTP, recovery, and notification emailsEmail address, email bodyCanada
9WhatsApp (via Twilio WhatsApp API)WhatsApp Business message delivery — Phase 2, not yet activePhone, message contentNot currently active — will be updated when WhatsApp is enabled

The Controller is deemed to have authorized the above sub-processors upon installation of the Service.

7. Sub-processor Changes

If Vidushi Infotech intends to engage a new sub-processor or replace an existing one:

  1. We shall notify the Controller at least 30 days in advance via in-dashboard notice and/or email
  2. The Controller may object to the change within that 30-day period on reasonable data-protection grounds
  3. If the Controller objects, Vidushi Infotech may offer a workaround or, if unavoidable, the Controller may terminate the Service without penalty before the change takes effect
  4. Absent timely objection, the change takes effect as notified

8. Technical and Organizational Measures (TOMs)

Vidushi Infotech implements the following measures to ensure a level of security appropriate to the risk:

Encryption

  • At rest — sensitive credentials (Shopify access tokens, API keys, webhook secrets, Twilio SID + auth tokens) encrypted with AES-128 Fernet; key stored as environment variable separate from database
  • In transit — all connections over HTTPS/TLS 1.2+; database connections over SSL

Access Control

  • Authentication — bcrypt-hashed password login for merchants; admin portal access separately authenticated
  • Tokens — JWT access tokens expire after 30 minutes; refresh tokens after 7 days
  • Tenant isolation — all database queries scoped by store_id + merchant_id; merchants cannot access each other's data
  • Principle of least privilege — employee/contractor database access is role-based and audit-logged

Webhook Authenticity

  • All incoming Shopify webhooks are verified via HMAC-SHA256 signature validation before processing
  • Invalid-signature requests are rejected with HTTP 401 and logged for monitoring

Network Security

  • Backend deployed behind HTTPS-only ingress; no unencrypted endpoints exposed
  • Rate limiting with 429 retry + exponential backoff on outbound API calls

Operational

  • Audit logs — all merchant + admin actions recorded in tamper-evident system log
  • Backups — (--- specify frequency and retention: e.g., daily DB snapshots retained 30 days ---)
  • Incident response plan — 72-hour breach notification per Section 10

Secure Development

  • Secrets never hardcoded; loaded from environment variables
  • Dependencies scanned for vulnerabilities via (--- specify tool if any: Dependabot, Snyk, etc. ---)
  • Parameterized SQL queries only; no string concatenation in queries (protects against SQL injection)

9. Audit Rights

  1. Vidushi Infotech shall make available to the Controller all information necessary to demonstrate compliance with this DPA
  2. The Controller may request information about sub-processor arrangements, security measures, and processing activities
  3. For material audit requests beyond this, Vidushi Infotech may fulfill audit obligations through third-party compliance certifications or self-attestations
  4. On-site audits may be requested at the Controller's expense, subject to reasonable prior notice (minimum 30 days) and mutual confidentiality obligations

10. Data Breach Notification

In the event of a Personal Data breach, Vidushi Infotech shall:

  1. Notify the affected Controller(s) without undue delay and in any event within 72 hours of becoming aware of the breach
  2. Provide details of:
  • Nature of the breach
  • Affected categories and approximate number of Personal Data records
  • Likely consequences
  • Measures taken or proposed to address the breach and mitigate adverse effects
  1. Cooperate with the Controller in notifying supervisory authorities (data protection authorities) and End Users where required by law

Emergency contact for breach notification: support@vidushiinfotech.com

11. International Data Transfers

Where Personal Data is transferred outside the EEA, UK, or other restricted jurisdictions, Vidushi Infotech ensures appropriate safeguards via:

  • Standard Contractual Clauses (SCCs) with sub-processors, or
  • Other mechanisms approved by relevant data protection authorities (e.g., adequacy decisions)

A list of transfer mechanisms per sub-processor is available upon request.

12. GDPR Webhook Endpoints (Shopify-required)

The following endpoints are registered with the Shopify Partner Dashboard and respond within 5 seconds with HMAC signature verification:

Webhook TopicEndpointBehavior
customers/data_requestPOST /api/v1/shopify/gdpr/customers/data_requestAcknowledges request; prepares data export
customers/redactPOST /api/v1/shopify/gdpr/customers/redactAnonymizes customer data — matches by email or phone; affects merchant_store_customer, merchant_store_cart, ai_call_interaction (transcripts + recordings nulled)
shop/redactPOST /api/v1/shopify/gdpr/shop/redactFull shop data deletion within 48 hours of uninstallation

13. Return or Deletion of Data

Upon termination of the Service:

  1. The Controller's stored data, including End User Personal Data, is deleted within 48 hours (matching Shopify's shop/redact mandate)
  2. Billing records may be retained up to 7 years for legal/tax compliance
  3. Backup copies containing Personal Data are overwritten per the next scheduled backup rotation
  4. Upon request, Vidushi Infotech will provide written confirmation of data deletion

14. Term

  • This DPA is effective from the moment of CartEngage Shopify app installation
  • Remains in force for the duration of the Service
  • Sections relating to confidentiality, liability, audit rights, and breach notification survive termination to the extent required for post-termination compliance

15. Conflict with Terms & Conditions

In the event of a conflict between this DPA and the CartEngage Terms & Conditions regarding Personal Data processing, this DPA shall prevail with respect to Personal Data matters.

16. Contact

Company: Vidushi Infotech Product: CartEngage Registered address: Cerebrum IT Park, Unit No-3A, Building B3, 2nd Floor, Kalyani Nagar, Pune, Maharashtra 411014, India Data protection contact: support@vidushiinfotech.com Data Protection Officer (DPO): (--- name and email, or write "Not designated under applicable law" ---)

CartEngage Data Protection Addendum — v2.0 — 22 April 2026 This DPA is incorporated by reference into the CartEngage [Privacy Policy](PRIVACY_POLICY.md) and [Terms & Conditions](TERMS_AND_CONDITIONS.md).