Legal
Data processing addendum
This DPA forms part of the agreement between Review Tomato Inc. ("Processor") and the customer ("Controller") under which Review Tomato processes personal data on the Controller's behalf.
Sub-processors
The following sub-processors are used:
- Supabase Inc. - database hosting, file storage (US-East).
- Vercel Inc. - application hosting (US-East).
- Resend Inc. - transactional email delivery (US-East).
- Anthropic, Inc. - AI inference for reply suggestions and summaries (US-only API; no model training on customer data).
- Cloudflare, Inc. - CDN and DDoS protection (global).
Data handling
- All data encrypted in transit (TLS 1.3) and at rest (AES-256).
- Anonymous usage analytics only - no personally identifiable information sent to analytics providers.
- Shopify GDPR webhooks fully implemented and honored: customers/data_request, customers/redact, shop/redact.
- 30-day data retention after uninstall, then permanent deletion.
Standard contractual clauses
For Controllers in the EU/EEA/UK, the EU Standard Contractual Clauses (2021/914) apply to any transfer of personal data to a sub-processor located outside the EU. Module Two (Controller-to-Processor) is incorporated by reference.
Need a signed DPA on letterhead? Email legal@review-tomato.com with your company details and we'll send one within 1 business day.