Legal
Data Processing Agreement
Effective date: July 18, 2026
1. Roles
For personal data belonging to your own end-customers — including protected customer data from a connected Shopify store — you, as the workspace owner, are the data controller, and Obriym is the data processor.
Obriym processes that data only on your documented instructions. Those instructions are given by how you configure and use the service.
2. Subject matter and purpose
Obriym processes personal data solely to provide the CRM and e-commerce workspace: lead capture, contact, company and deal management, orders, storefront-customer sync, support, and the integrations you choose to enable.
We do not process your data for our own marketing, we do not sell it, and we do not use protected customer data to train AI models.
3. Categories of data and data subjects
Data subjects are your leads, contacts, and storefront customers.
- Name, email address, and phone number
- Postal and shipping address
- Order history and interaction history
4. Our obligations
As your processor, Obriym undertakes to:
- Process personal data only on your documented instructions, and never sell it
- Bind personnel to confidentiality and least-privilege access
- Apply appropriate technical and organizational security measures, including encryption of credentials at rest and in transit
- Assist you with data-subject requests — for Shopify stores the customer data request and redaction flows are implemented and run automatically
- Notify you without undue delay after becoming aware of a personal-data breach
- Delete or return personal data when the service ends, subject to the published retention windows
5. Subprocessors
Obriym engages the subprocessors published on the Subprocessors page. By using the service you authorise those subprocessors.
Obriym remains responsible for their compliance and gives notice of material changes to the list.
6. International transfers
Where data is transferred outside its region, the transfer relies on the subprocessor's standard contractual clauses or an equivalent safeguard.
7. Security and breach notification
Third-party credentials are encrypted at rest, access tokens are short-lived and rotated, and error monitoring is configured to scrub personal data before it leaves the application.
If a personal-data breach affects your workspace, we notify you without undue delay with the facts known at that time, and we follow up as the investigation progresses.
8. Data-subject and deletion requests
You can send a request to the contact address below. For connected Shopify stores, Shopify's mandatory customer data request and redaction webhooks drive the process automatically.
You remain the controller who fulfils the request to the data subject; Obriym provides the data and performs the deletion on its side.
9. Contact
For privacy questions, data-subject requests, security reports, or a countersigned copy of this agreement, contact us at crm@obriym.com