Cordon

DPA & GDPR compliance

Last updated: July 15, 2026

If you run a store that serves EU customers, visitor IP addresses are personal data and any app that processes them is your data processor. This page summarizes how Cordon meets that responsibility and how to get a signed DPA.

The processing relationship

  • You (the merchant)are the data controller for your store's traffic.
  • Cordon is your data processor: we process visitor data only to deliver the blocking service you configured, and for nothing else.

Technical measures

  • IP minimization: visitor logs store SHA-256 hashed IPs computed with a daily-rotating salt. After rotation, hashes are permanently irreversible. Raw IPs exist only transiently to make the block decision.
  • No PII coupling: traffic data is never stored alongside customer names, emails, or orders.
  • Automatic expiry: log entries are deleted on a rolling schedule without merchant action.
  • Shopify GDPR webhooks:Cordon implements customers/data_request, customers/redact, and shop/redact in full, so uninstalling triggers deletion on Shopify's mandated timeline.

Operations

Cordon operates from the Netherlands, with infrastructure in the EU and US. Subprocessors are limited to the hosting and detection-data providers required to run the service; the current list is included in the DPA document.

Getting a signed DPA

Email support@usecordon.com with the subject "DPA request" and your shop domain. You will receive the current DPA for countersigning, usually within one business day.

For the plain-language version of our data practices, see the privacy policy.