Data Processing Agreement

At Corner, protecting our client's and their customers’ privacy and data security is extremely important for us. We take great care in processing and storing data in a secure, fair, and transparent way.

Messengerify Labs Pvt Ltd which operates the Corner SaaS offering is a private limited company registered in India and our primary data infrastructure is located in the United States of America.

This Data Processing Agreement (“DPA”) is an addendum to the Terms of Service between Corner (operated by Messengerify Labs Pvt. Ltd.) and you, our client.

If you are accepting this DPA on behalf of your end users, you warrant that: (a) you have full legal authority to bind your customer to this DPA; (b) you have read and understand this DPA; and (c) you agree, on behalf of your customer, to this DPA.

  • "You" or "client" refers to the company or organization that signs up to use Corner's SaaS products.
  • Services shall mean the Software-as-a-Service (SaaS) platform under the Corner brand umbrella which includes CornerCart, SupportCorner and OffersCorner.
  • "Corner" or "us" shall mean Messengerify Labs Pvt Ltd organization which owns and operates the Corner SaaS platform and having its registered office at Suite No. 1, EN 9, East Junction, Angamaly, Kerala, India, PIN 683572
  • "Visitors" or "end users" or "buyers" shall refer to the customers of our client.
  • In the course of providing the Corner SaaS service to our client pursuant to the agreement, Corner may process visitor data on behalf of our client.
  • The applicable "Data Protection Legislation" shall refer to one of the following:
  • For clients who are residents of the European Union, “Data Protection Legislation” means the General Data Protection Regulation or GDPR (Regulation (EU) 2016/279), repealing Directive 95/46/EC and all other applicable laws relating to processing of visitor data and privacy that may exist in any relevant jurisdiction.
  • For clients who are residents of Canada, "Data Protection Legislation" shall mean the Personal Information Protection Act as per British Columbia (BC) Regulation 473/2003 of Canada, last amended March 11, 2021 by B.C. Reg. 64/2021.
  • For clients who are residents of California, "Data Protection Legislation" shall mean the California Consumer Privacy Act (CCPA).
  • "Data controller”, “Data Processor”, "Data Sub-processor", “Data Subject”, “Personal data” and “Processing” shall be interpreted in accordance with applicable Data Protection Legislation.
  • Any terms not otherwise defined in the applicable Data Protection Legislation shall have the following meaning:
  • “Personal Data” means any information relating to an identified or identifiable natural person ("data subject"); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, online identifier or to one or more factors. This may also be referred to as Personal Information.
  • “Processing” means any operation or set of operations performed upon personal data or sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration.
  • “Data Controller” means the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data.
  • “Data Processor” means a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller.
  • The parties agree that Client is the Data Controller and that Corner is its data processor in relation to visitor data that is processed in the course of providing the service, except when the Client acts as a processor of Personal Data, in which situation Corner shall be a sub-processor.
  • The terms of this Agreement shall apply to the extent Personal Data is provided to the Processor or the Processor is exposed to while providing services as defined by the applicable Data Protection Legislation.

Processor's Obligations with respect to the Controller
Data Processing
  • Corner, the Data Processor will process Personal Data only in accordance with instructions from the client through the settings of the service, i.e. (a) to operate, maintain and support the infrastructure used to provide the service; (b) to comply with client’s instructions and processing instructions in their use, management and administration of the service; (c) as otherwise instructed through settings of the service. Corner will only process visitor data in accordance with the agreement.
  • Corner shall notify the Client without undue delay if, in Corner’s opinion, an instruction for the processing of Personal Data given by Client infringes applicable Data Protection Legislation. Such notification will not constitute a general obligation on the part of the Data Processor to monitor or interpret the laws applicable to the Data Controller, and such notification will not constitute legal advice to the Data Controller.
  • Should the Data Processor reasonably believe that a specific processing activity beyond the scope of the Data Controller’s instructions is required to comply with a legal obligation to which the Data Processor is subject, the Data Processor shall inform the Data Controller of that legal obligation and seek explicit authorization from the Data Controller before undertaking such processing.
  • The Data Controller has the right to access, modify, delete and transfer their Personal Data.
  • The Data Processor shall never process Personal Data in a manner inconsistent with the Data Controller’s documented instructions.
  • Corner shall not on its own authority rectify, erase or restrict the processing of visitor data that is being processed on behalf of the controller (unless this is required by law or the Processor Terms of Service), but shall only do so on documented instructions from the controller and in accordance to the data retention rules associated to the controller's subscription plan.
Confidentiality of Personal Data
  • Corner, the data processor shall guarantee the confidentiality of Personal Data processed hereunder.
  • We don’t sell or share your site data to any third-parties, and we don’t abuse your visitor’s privacy.
  • We as humans can access your data to help you with support requests you make and to maintain and safeguard Corner platform to ensure the security of your data and the service as a whole. Corner shall ensure that all Corner personnel required to access the visitor data are informed of the confidential nature of the data and comply with the obligations set out in this agreement.
  • Further, Corner shall ensure that all Corner personnel have signed an appropriate confidentiality agreement, are otherwise bound to a duty of confidentiality, or are under an appropriate statutory obligation of confidentiality.
Security of Personal Data
  • Corner shall implement and maintain appropriate technical and organizational security measures designed to protect Personal data against unauthorized or unlawful processing and against accidental loss, destruction, damage, theft, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorized or unlawful processing, accidental loss, destruction, damage or theft of the visitor data and having regard to the nature of Personal data which is to be protected.
Data Transfers
  • Corner may transfer Personal Data to the United States and/or to other third countries where Corner or its Sub-processors operate for purposes of offering their services if such transfer complies with the provisions for the transfer of such data set forth by applicable Data Processing Legislation. Corner will follow the requirements of this Agreement regardless of where such Personal Data is stored or processed.

  • In addition, Corner may process and disclose Personal Data:
  • in connection with any anticipated or actual merger, acquisition, sale, bankruptcy or other reorganization of some or all of its business, subject to the obligation to protect Personal Data consistent with the terms of the Agreement.
  • for legal purposes, including enforcement of its rights, detecting and preventing fraud, protecting against harm to the rights or property of Corner, or the Controller’s users, or the public.
  • as required by law, including in response to a subpoena, judicial or administrative order, or other binding instrument (each a “Demand”). Except where prohibited by law, Corner will promptly notify the Data Controller of any Demand and provide the Controller reasonable assistance to facilitate timely response to the Demand.
Incident Management
  • If Corner, the data processor becomes aware of any accidental, unauthorized or unlawful security breach, destruction, loss, alteration, or disclosure of the personal data that is processed by Corner in the course of providing the service, it shall without undue delay (not later than 48 hours after having become aware of it), notify clients by email and provide clients with a description of the incident as well as periodic updates to information about the incident, including its impact on client content. Corner shall additionally take action to investigate the incident and reasonably prevent or mitigate the effects of the incident.
  • Corner, the Data Processor may limit the scope of, or refrain from delivering, any disclosures to the extent reasonably necessary to avoid compromising the integrity of its security, an ongoing investigation, or any client’s or end user’s data.
Data Sub Processors
  • Here at Corner, we do work with data sub-processors. With each vendor, we assess their commitment to privacy and we sign a data processing agreement with them that include the controller-processor Standard Contractual Clauses. Any such subcontractors will be permitted to process data only to deliver the services Corner has retained them to provide, and they shall be prohibited from using data for any other purpose.
  • You can request for a current list of data sub-processors by sending an email to
Returning or Destruction of Personal Data
  • You can choose to delete your account and uninstall the Corner apps from your website at any time.
  • All Personal Data is promptly deleted upon uninstalling all Corner apps installed on your website via Shopify app store. We cannot recover this information once it has been permanently deleted.
  • Corner shall also notify all third parties supporting its own processing of the Personal Data of the termination of the Data Processing Agreement and shall ensure that all such third parties shall either destroy the Personal Data or return the Personal Data to the Data Controller

Data Controller Undertakings

The Data Controller warrants that it has all necessary rights to provide to Corner the visitor data for processing in connection with the provision of the Corner Services.

The data controller shall comply at all times with the applicable Data Protection Legislations in respect of all visitor data it provided to Corner pursuant to the Agreement.

The Client understands, as a controller, that it is responsible (as between the client and Corner) for:

  • determining the lawfulness of any processing, performing any required data protection impact assessments, and accounting to regulators and individuals, as may be needed;
  • providing relevant privacy notices to data subjects as may be required in your jurisdiction;
  • implementing your own appropriate technical and organizational measures to ensure and demonstrate processing in accord with this DPA;
  • notifying any relevant regulators or authorities of any incident as may be required by law in your jurisdiction.

Assistance to Data Controller
  • The Data Processor will ensure the availability of a “Data Protection Officer” who will be in-charge of the Data security and whom the Data Controller can approach by sending an email to in case of any queries relating to their Data.
  • The Data Controller may, prior to the commencement of Processing, and at regular intervals, audit the technical and organizational measures taken by Corner and for such purposes, the Data Controller may:
  • obtain information from the Processor,
  • request the Processor to submit to the Controller an existing attestation or certificate by an independent professional expert, or
  • upon reasonable and timely advance agreement, during regular business hours and without interrupting Processor’s business operations, conduct an on-site inspection of Processor’s business operations or have the same conducted by a qualified third party which shall not be a competitor of the Processor and such third party shall enter into appropriate confidentiality agreements with Processor.
  • Upon receiving the written request from the Data Controller, the Data Processor will provide with all information necessary for such audit, to the extent that such information is within the Processor’s control and Processor is not precluded from disclosing it by applicable law, a duty of confidentiality, or any other obligation owed to a third party. Provided, the Controller bears any and all costs involved for conducting the same.

Requests from Data Subjects
  • The Processor will make available to the Controller, Personal Data of Data Subjects and support the Controller to fulfill requests by Data Subjects to exercise their rights under the applicable Data Protection Legislation in a manner consistent with the functionality of the software product and Corner’s role as a Processor. Corner shall comply with reasonable requests of the Controller.
  • If Corner receives a request from the Data Subject to exercise its rights under the relevant Data Protection Legislation, Corner will redirect such requests to the Controller.
Liability and Indemnity

Each party indemnifies the other and holds them harmless against all claims, actions, third party claims, losses, damages and expenses incurred by the indemnified party and arising directly or indirectly out of or in connection with a breach of this DPA.

Duration and Termination

The Data Processing Agreement is effective as of November 25, 2021 and replaces and supersedes any previously agreed data processing agreement between you and Corner relating to privacy of Personal Data.

Termination or expiration of this Data Processing Agreement shall not discharge the parties from the confidentiality obligations herein.

  • In the event of any inconsistency between the provisions of this Data Processing Agreement and the provisions of other Services agreements, the provisions of this Data Processing Agreement shall prevail.
  • In order to use our products and services, you need to accept our Data Processing Agreement. By using our product you are agreeing to our terms of service, and you are automatically accepting our Data Processing Agreement and do not need to sign a separate document. We provide the same privacy rights and protection to all our clients.
  • A copy of this Data Processing Agreement signed on behalf of Corner can be obtained by sending an email request to
  • This Data Processing Agreement from Corner is a publicly available document and clients who wish to share it with their customers to confirm our security measures and other terms may feel free to do so.
  • You are not required to notify us or any third party upon accepting our Data Processing Agreement though, you are free to do so.
  • If you have a question about the Data Processing Agreement (DPA), please contact us at