Last updated: 5 May 2026
This Data Processing Agreement ("DPA") is entered into between:
This DPA supplements and forms part of the Simple MFA Terms of Service. By installing or using Simple MFA you agree to this DPA. If you are accepting on behalf of a company, you represent that you have authority to bind that company.
In this DPA:
| Term | Description |
|---|---|
| Subject matter | Provision of the Simple MFA hosted authentication service to the Merchant's BigCommerce storefront. |
| Nature of processing | Collection, storage, retrieval, verification, encryption, and deletion of authentication credentials and login activity data. |
| Purpose | To authenticate store customers on behalf of the Merchant via password and optional TOTP multi-factor authentication; to issue BigCommerce login sessions; to send transactional emails (magic links, password resets); and to provide the Merchant with authentication audit logs. |
| Duration | For the period during which the Merchant has Simple MFA installed. On uninstallation, Personal Data is permanently deleted within 30 days. |
| Types of Personal Data | Email addresses; PBKDF2-SHA256 password hashes (original password is never stored or recoverable); AES-GCM encrypted TOTP secrets; backup code hashes; IP addresses; browser user-agent strings; BigCommerce customer IDs; first name; last name. |
| Categories of Data Subjects | Customers of the Merchant's BigCommerce storefront who interact with the Simple MFA login, registration, or account management pages. |
We will process Personal Data only on your documented instructions, which include these Terms of Service, this DPA, and any additional written instructions you provide. If we are required by law to process Personal Data for another purpose, we will inform you before doing so unless prohibited by law from doing so.
We will ensure that all personnel authorised to process Personal Data under this DPA are subject to binding confidentiality obligations and process the data only to the extent necessary to provide the Service.
We will implement and maintain appropriate technical and organisational measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access, taking into account the state of the art, costs, and the nature of the data. Those measures currently include:
You provide general authorisation for us to engage the Sub-processors listed in section 7. We will inform you of any intended changes to Sub-processors by updating this DPA and giving at least 30 days' notice via email or in-app notice. If you reasonably object to a new Sub-processor on data protection grounds, you may notify us in writing within 14 days. If we cannot accommodate your objection, you may terminate the Service without penalty on written notice.
We will impose data protection obligations on Sub-processors that are equivalent to those in this DPA and remain liable to you for their acts and omissions.
We will promptly notify you of any data subject request received directly by us relating to Personal Data we process on your behalf. We will provide reasonable assistance to you in fulfilling your obligations to respond to such requests, including by making available the technical tools in the Simple MFA admin panel (credential deletion, MFA removal, trusted device removal, and login history).
We will notify you without undue delay — and in any event within 72 hours of becoming aware — of a Personal Data Breach affecting Personal Data processed under this DPA. The notification will include, to the extent then known: the nature of the breach; the categories and approximate number of Data Subjects and records affected; likely consequences; and measures taken or proposed to address the breach and mitigate its effects.
On termination of the Service, or on your written request, we will delete all Personal Data processed under this DPA within 30 days, unless Applicable Data Protection Law requires us to retain it for longer. We will confirm deletion in writing on request.
We will make available to you all information reasonably necessary to demonstrate compliance with this DPA, and will allow for and contribute to audits, including inspections, conducted by you or a mandated auditor. You agree to: give at least 30 days' prior written notice; conduct any audit during business hours without unreasonable disruption; and keep the results confidential. We may recover our reasonable costs of supporting any audit from you.
You represent and warrant that:
Personal Data processed under this DPA may be transferred to and stored in the United States, where our infrastructure and Sub-processors are located. Such transfers are made under the mechanisms set out below.
For transfers of Personal Data from the European Economic Area to the United States, the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914, Module 2: Controller to Processor) are incorporated into this DPA by reference. You are the "data exporter" (Controller) and we are the "data importer" (Processor). The applicable annexes are as follows:
In the event of any conflict between the EU SCCs and this DPA, the EU SCCs shall prevail.
For transfers of Personal Data from the United Kingdom to the United States, the UK International Data Transfer Agreement (ICO, version B1.0, March 2022) is incorporated into this DPA by reference. The "Exporter" is you (Controller) and the "Importer" is The Bearded Developer Ltd (Processor). The tables required by the IDTA are populated as follows:
The following Sub-processors are authorised under this DPA:
| Sub-processor | Role | Country | Transfer mechanism |
|---|---|---|---|
| Cloudflare, Inc. | Serverless compute (Workers), database (D1), CDN and DDoS protection | USA | EU SCCs / UK IDTA (Cloudflare DPA) |
| Resend, Inc. | Transactional email delivery (magic links, password resets) | USA | EU SCCs / UK IDTA (Resend DPA) |
| Stripe, Inc. | Payment processing and billing | USA | EU SCCs / UK IDTA (Stripe DPA) |
| BigCommerce Pty Ltd | E-commerce platform API (customer lookup, session creation) | USA | EU SCCs / UK IDTA (BigCommerce DPA) |
Each Sub-processor's own Data Processing Agreement and Standard Contractual Clauses are available on their respective websites. Our use of each Sub-processor is subject to their applicable DPA terms.
Each party's liability under this DPA is subject to the limitations set out in the Terms of Service. Nothing in this DPA limits either party's liability where such limitation is not permitted by Applicable Data Protection Law (including in respect of the EU SCCs or UK IDTA).
This DPA remains in force for as long as we process Personal Data on your behalf. It terminates automatically on termination of the Terms of Service. Sections 4.7 (deletion), 4.8 (audit), 6 (international transfers), and 8 (liability) survive termination.
This DPA is governed by the laws of England and Wales, except where Applicable Data Protection Law requires a different governing law (in particular, the EU SCCs are governed by the law of the EU member state designated in Annex I.C). Any dispute arising under this DPA is subject to the exclusive jurisdiction of the courts of England and Wales, except as required otherwise by Applicable Data Protection Law.
We may update this DPA from time to time to reflect changes in Applicable Data Protection Law or our processing activities. We will give at least 30 days' notice of material changes via email or in-app notice. Continued use of the Service after a change takes effect constitutes acceptance.
For any questions about this DPA or your data protection rights: [email protected]
By installing Simple MFA you agree to this Data Processing Agreement as part of our Terms of Service. No separate signature is required. You may print or save this page for your records.