Onward transfers of personal data

In order to provide our services to you effectively, the personal data that you provide to the Shopify entity that you contract with is transferred to the following recipients:

  • certain other Shopify entities, and
  • carefully selected and trusted subprocessors

This section provides information on how onward transfers are governed.

Onward transfers of personal data from the European Economic Area (EEA) and the United Kingdom (UK)

International Limited, an Irish-registered entity, is Shopify's primary contracting entity with merchants in EMEA (Europe, the Middle East, and Africa) and LATAM (Latin America). International Limited also acts as Shopify’s main establishment for General Data Protection Regulation (GDPR) purposes.

The GDPR, and its UK equivalent, requires that when personal data is shared with an entity outside of the EEA and the UK, there must be an essentially equivalent level of protection in the destination country. For this reason, such international transfers must be protected by strong legal mechanisms.

How Shopify meets the GDPR requirements for international data transfers

To meet this requirement, Shopify relies on the European Commission’s adequacy decision for Canada when International Limited transfers personal data to its Canadian-registered corporate parent Shopify Inc. Learn more about adequacy decisions.

In addition to this, Shopify also employs comprehensive data transfer and processing agreements (DPAs) incorporating the latest version of the Standard Contractual Clauses (SCCs) approved by the European Commission to govern:

  • any transfers within the Shopify group, and
  • onward transfers to our subprocessors

We carefully assess our subprocessors to ensure they have appropriate technical and organizational measures in place to protect personal data, and we perform appropriate transfer impact assessments. Learn more about SCCs.

Both the adequacy decision and SCCs are considered legally valid and sufficient transfer mechanisms by data protection authorities in the EEA and UK.

As a supplementary measure, Shopify has also applied for Binding Corporate Rules to further govern transfers within the Shopify group. That application has been made to Shopify’s lead supervisory authority for GDPR purposes, the Irish Data Protection Commission. These will be an additional legal transfer mechanism to secure the transfers within our group of companies. We are in the final stages of this application and expect that it will be approved soon.

Onward transfers of personal data from all other regions

Certain privacy laws in jurisdictions other than the EEA and UK also require specific protections when it comes to international transfers of personal data. To meet these requirements, Shopify’s DPAs governing transfers within the Shopify group, and its DPAs governing onward transfers to our subprocessors, include appropriate protections to ensure compliance with privacy laws in Canada, the United States (US), and Singapore, as applicable. We also update and maintain these DPAs as required.

Data hosting locations

Shopify dynamically rebalances storage between multiple Google Cloud Platform regions to ensure that we can offer a reliable and scalable infrastructure that can handle unpredictable volumes across our entire merchant database. We need to be able to move data geographically in order to operate our services, and we have mechanisms in place to do so in accordance with applicable laws and regulations, including GDPR.

Shopify now stores certain merchant and customer personal data in Europe (namely the EEA, UK and/or Switzerland), as follows:

  • New merchants in Europe automatically avail of this new infrastructure and now have their store data, order data and customer personal data stored at rest in Europe by default.
  • All existing Shopify features will continue to work.
  • Even where merchant customer personal data is stored in Europe, we will rely on international data transfers for processing that personal data.

How Shopify chooses its Subprocessors

In line with the GDPR and other applicable data protection laws, Shopify adopts a range of best practice measures when enlisting subprocessors:

  • We choose the companies we work with carefully.
  • We only use a limited number of third-party service providers.
  • We insist that subprocessors sign a comprehensive DPA, incorporating SCCs in addition to appropriate protections to ensure compliance with privacy laws in Canada, the US, and Singapore.
  • We limit the use of our subprocessors to technical services: cloud hosting, error logging, load balancing, content delivery, mapping delivery, data analysis, and internal logging (log files).
  • The transfer occurs on a continuous and secure basis.
  • No sensitive or special categories of personal data are intentionally processed, unless directed by the controller.
  • We carefully review the privacy and security programs of our subprocessors.

Learn more about Shopify’s core subprocessors.
