Skip to content

Data Processing Addendum

Last updated July 2026.

This Data Processing Addendum (“DPA”) forms part of the agreement between Compass (“Compass”, “we”, “us”) and the customer (“Customer”, “you”) for use of the Compass customer intelligence platform (the “Service”). It describes how Compass processes personal data on your behalf. The DPA is designed to support your obligations under applicable data protection laws; it does not by itself guarantee your compliance, which depends on how you configure and use the Service.

1. Roles of the parties

For personal data contained in Customer Data, you act as the controller (or as a processor acting for your own customers) and determine the purposes and means of processing. Compass acts as your processor and processes that personal data only on your documented instructions, including as set out in this DPA and the Terms of Service.

2. Scope and purpose of processing

Compass processes personal data to provide the Service — including unified customer profiles, audiences, campaigns, journeys, surveys, and engagement analytics — and to secure, maintain, and support it. The categories of data subjects and personal data are those you choose to connect from sources such as Shopify, Surveys, and VendorStreet. We do not use Customer Data for our own purposes, do not sell it, and do not use it to train foundation models.

3. Subprocessors

You authorize Compass to engage subprocessors to help provide the Service. Our current subprocessors — covering infrastructure, email delivery, billing, error monitoring, and analytics — are listed on our Subprocessors page. We impose data protection obligations on each subprocessor consistent with this DPA, and we notify customers of changes so you have an opportunity to object.

4. Security measures

Compass runs on Cloudflare infrastructure and maintains technical and organizational measures designed to protect personal data, including tenant isolation, encryption in transit and at rest, access controls, and auditability. You can learn more on our Security page. These measures are designed to provide a level of security appropriate to the risk.

5. Data subject requests

Taking into account the nature of the processing, Compass provides features designed to help you respond to data subject requests to access, correct, delete, or export personal data. Where a data subject contacts Compass directly about data you control, we will refer them to you and assist you in responding.

6. Breach notification

If Compass becomes aware of a personal data breach affecting Customer Data, we will notify you without undue delay and provide information reasonably available to us to help you meet any notification obligations you may have.

7. International data transfers

Compass operates on globally distributed infrastructure, and personal data may be processed in multiple locations. Where personal data is transferred across borders, we rely on appropriate safeguards designed to protect it, consistent with applicable law.

8. Deletion and return of data

On termination or expiry of the Service, Compass will delete or return Customer Data as described in the Terms and this DPA, subject to any retention required by law. Compass supports data portability so you can export your data before deletion.

9. Audit

Compass will make available information reasonably necessary to demonstrate compliance with this DPA and will cooperate with audits, including inspections, conducted by you or an auditor you mandate, subject to reasonable confidentiality, scheduling, and security requirements.

10. Contact

Questions about this DPA or Compass data protection practices can be sent to privacy@compass.st or through our contact page.