Data Processing Agreement (DPA)
Last updated: 20 April 2026
Effective date: the date of the Merchant's acceptance of the Terms of Service.
This Data Processing Agreement ("DPA") is entered into pursuant to the Terms of Service between:
- The Merchant that has accepted the Terms of Service and uses the zynterra Platform, hereinafter referred to as the "Controller" or "Merchant", and
- Zynterra Ltd., UIC 208066407, with registered office and address of management at Sofia Park, Block 121, Apt. 3, 1766 Sofia, Bulgaria, hereinafter referred to as the "Processor" or "zynterra".
Note on Merchant identification: This DPA is the public, template form of the agreement. Upon registration on the Platform, each Merchant provides its identifying details (name, UIC/BULSTAT, registered address, contact person) and accepts the Terms of Service and this DPA. These details are stored by zynterra and bind the Merchant to the DPA from the date of acceptance. Upon request, the Merchant can obtain a personalised copy of its DPA through the admin panel.
This DPA sets out the terms under which zynterra processes personal data on behalf of the Merchant in connection with the provision of the Platform Services, in accordance with Article 28 of the General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR").
1. Definitions
In this DPA, the following terms shall have the meanings set out below. Terms used but not defined herein have the meanings given to them in the GDPR or in the zynterra Terms of Service.
| Term | Meaning |
|---|---|
| Controller | The Merchant, who determines the purposes and means of processing the personal data of end users through the Platform. |
| Processor | Zynterra Ltd., which processes personal data on behalf of and on the instructions of the Controller. |
| Data subject(s) | End users — natural persons whose personal data are processed through the Platform (i.e. customers and visitors of the Merchant's store). |
| Personal data | Any information relating to an identified or identifiable natural person (data subject) processed by the Processor on behalf of the Controller through the Platform. |
| Processing | Any operation or set of operations performed on personal data, whether or not by automated means, including collection, recording, organisation, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure or destruction. |
| Sub-processor | A third party engaged by the Processor to carry out specific processing activities on behalf of the Controller. |
| Supervisory authority | An independent public authority established by an EU/EEA Member State pursuant to Article 51 GDPR. For zynterra, the lead supervisory authority is the Commission for Personal Data Protection (CPDP) of the Republic of Bulgaria. |
| Personal-data breach | A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. |
| EU SCCs | The Standard Contractual Clauses for the transfer of personal data to third countries, adopted by the European Commission in Implementing Decision (EU) 2021/914. |
2. Scope
2.1. This DPA applies to all personal data processed by zynterra on behalf of the Merchant through the Platform — as set out in Annex A (Processing Details).
2.2. The Merchant is the Controller of personal data relating to end users, and zynterra is the Processor of such data. This DPA does not apply to data for which zynterra is the controller (e.g. merchant account data, billing data), the processing of which is governed by zynterra's Privacy Policy.
2.3. The subject matter, duration, nature, purpose, types of personal data and categories of data subjects subject to processing are set out in Annex A.
3. Obligations of the Processor
3.1. Processing on documented instructions
3.1.1. The Processor processes personal data solely on the documented instructions of the Controller, including with regard to the transfer of personal data to a third country, unless required to do so by Union or Member-State law to which the Processor is subject. In such case the Processor shall inform the Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.
3.1.2. The Merchant's processing instructions are set out in this DPA, in the Terms of Service, and in additional written instructions provided by the Merchant through Platform functionalities (e.g. configuring integrations, activating courier providers, managing customer data).
3.1.3. The Processor shall promptly inform the Controller if, in the Processor's opinion, an instruction of the Controller violates the GDPR or other Union or Member-State data-protection provisions.
3.2. Confidentiality
3.2.1. The Processor warrants that all persons authorised to process personal data have committed themselves to confidentiality or are bound by confidentiality obligations under the law.
3.2.2. The Processor warrants that access to personal data is restricted to those staff members who need such access to perform their duties in connection with the services provided under the Terms of Service.
3.3. Security measures
3.3.1. The Processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk and in accordance with Article 32 GDPR. Such measures include, where applicable:
- (i) Encryption of personal data in transit (TLS) and at rest.
- (ii) Access control based on the principle of least privilege, including multi-factor authentication for administrative access.
- (iii) Network segmentation, firewalls and intrusion-detection systems.
- (iv) Regular testing, assessment and evaluation of the effectiveness of technical and organisational measures to ensure the security of processing.
- (v) Pseudonymisation of personal data where appropriate and feasible.
- (vi) Measures to ensure ongoing confidentiality, integrity, availability and resilience of processing systems and services.
- (vii) Ability to restore the availability of and access to personal data in a timely manner in the event of a physical or technical incident.
- (viii) Logging and security monitoring of access to systems processing personal data.
- (ix) Vulnerability management, including regular security assessments and timely application of security patches.
3.3.2. The Processor shall take reasonable steps to ensure that the security measures remain appropriate throughout the term of this DPA, taking into account the state of the art, the cost of implementation, the nature, scope, context and purposes of processing, and the risk of varying likelihood and severity for the rights and freedoms of natural persons.
3.4. Sub-processors
3.4.1. The Controller grants the Processor a general written authorisation to engage sub-processors for the purposes of providing the Platform services. The current list of sub-processors is set out in Annex B.
3.4.2. The Processor shall inform the Controller of any planned changes regarding the addition or replacement of sub-processors, thereby giving the Controller the opportunity to object to such changes within 30 calendar days of receiving the notice.
3.4.3. Notices of changes to sub-processors will be made by email to the Merchant's registered email address or through the Platform's notification system.
3.4.4. If the Controller objects to a new sub-processor on reasonable grounds relating to data protection, the parties shall discuss the objection in good faith with a view to reaching a solution. If no solution can be reached within 30 calendar days of the objection, the Controller may terminate the services to which it objects (or the Terms of Service in their entirety) without penalty by giving written notice.
3.4.5. The Processor shall impose on each sub-processor, by way of a written contract, data-protection obligations equivalent to those set out in this DPA. The Processor remains fully liable to the Controller for the performance of each sub-processor's obligations.
3.5. Assistance with data-subject rights
3.5.1. The Processor shall assist the Controller, by appropriate technical and organisational measures, insofar as possible, in fulfilling the Controller's obligation to respond to requests for the exercise of data-subject rights under Chapter III GDPR (access, rectification, erasure, restriction, portability, objection).
3.5.2. Where the Processor receives a request directly from a data subject, the Processor shall promptly redirect the data subject to the Controller, unless the Controller has instructed otherwise.
3.5.3. The Processor shall respond to the Controller's requests for assistance with the exercise of data-subject rights within 14 working days of receiving the request.
3.6. Security incidents and breach notification
3.6.1. The Processor shall notify the Controller of any personal-data breach without undue delay and in any case within 48 hours of becoming aware of the breach.
3.6.2. The notification shall include, to the extent information is available:
- (i) A description of the nature of the personal-data breach, including, where possible, the categories and approximate number of affected data subjects and the categories and approximate number of affected personal-data records.
- (ii) The names and contact details of the Processor's contact person, from whom further information may be obtained.
- (iii) A description of the likely consequences of the personal-data breach.
- (iv) A description of the measures taken or proposed by the Processor to address the personal-data breach, including, where appropriate, measures to mitigate any adverse effects.
3.6.3. Where it is not possible to provide all the information at the same time, the Processor shall provide it in stages without undue further delay.
3.6.4. The Processor shall cooperate with and assist the Controller in the Controller's compliance with its obligations under Articles 33 and 34 GDPR (notification to the supervisory authority and notification to data subjects).
3.7. Data Protection Impact Assessments
3.7.1. The Processor shall provide reasonable assistance to the Controller in carrying out data-protection impact assessments (DPIAs) and prior consultations with supervisory authorities that the Controller is required to carry out under Articles 35 and 36 GDPR, taking into account the nature of the processing and the information available to the Processor.
3.8. Return and deletion of data
3.8.1. Upon termination or expiry of the Terms of Service, and at the Controller's choice, the Processor shall:
- (i) Return all personal data to the Controller in a commonly used, machine-readable format; or
- (ii) Delete all personal data and existing copies, unless Union or Member-State law requires further storage of the personal data.
3.8.2. The Processor shall carry out the return or deletion within 90 calendar days of the effective date of termination.
3.8.3. Upon request, the Processor shall provide the Controller with a written certification that all personal data have been deleted in accordance with this clause.
3.8.4. Notwithstanding the foregoing, the Processor may retain personal data to the extent and for the period required by applicable law (e.g. tax obligations), and in routine backups until those backups expire under the Processor's backup-retention schedule. Any data so retained shall continue to be protected in accordance with this DPA, shall not be restored or used for any other purpose, and shall be deleted upon expiry of the legal retention period or backup cycle, whichever applies.
3.9. Audits and demonstration of compliance
3.9.1. The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations set out in Article 28 GDPR and this DPA.
3.9.2. The Processor shall allow for and contribute to audits, including inspections, conducted by the Controller or by an auditor mandated by the Controller, subject to the following conditions:
- (i) The Controller shall give at least 30 calendar days' prior written notice of an audit.
- (ii) Audits shall be conducted during normal business hours and shall not unreasonably disrupt the Processor's operations.
- (iii) The Controller may conduct no more than one audit per calendar year, unless additional audits are required by a supervisory authority or are necessary due to a personal-data breach.
- (iv) The auditor shall be bound by appropriate confidentiality obligations.
- (v) The Controller shall bear its own costs in connection with the audit.
3.9.3. The Processor may satisfy audit requests by providing relevant certifications, audit reports (e.g. SOC 2 Type II) or other evidence of compliance, where these are reasonably sufficient to demonstrate compliance.
4. Personal-data breach notification
4.1. In addition to the obligations set out in Section 3.6, the Processor's breach notification to the Controller shall include at a minimum:
- (a) The nature of the personal-data breach.
- (b) The categories and approximate number of affected data subjects.
- (c) The categories and approximate number of affected personal-data records.
- (d) The likely consequences of the breach.
- (e) The measures taken or proposed to address the breach, including measures to mitigate any adverse effects.
4.2. The Processor shall document, in accordance with the GDPR's record-keeping requirements, all personal-data breaches, including the facts surrounding the breach, its effects and the remedial actions taken. This documentation shall be made available to the Controller upon request.
4.3. The Processor shall fully cooperate with the Controller in investigating and remedying the consequences of any personal-data breach and in complying with the obligations to notify supervisory authorities or data subjects.
5. International transfers
5.1. The Processor shall not transfer personal data to a country outside the European Economic Area ("EEA") unless:
- (a) The European Commission has issued an adequacy decision for the destination country pursuant to Article 45 GDPR;
- (b) The Controller has expressly instructed the transfer in writing and has provided the Processor with the legal basis under Chapter V GDPR on which the Controller relies for that transfer; or
- (c) Appropriate safeguards are in place in accordance with Article 46 GDPR, including EU Standard Contractual Clauses (SCCs).
5.2. The following sub-processors involve transfers of personal data outside the EEA, specifically to the United States of America:
| Sub-processor | Transfer mechanism |
|---|---|
| Stripe, Inc. | EU SCCs + EU-US Data Privacy Framework (DPF) certification |
| SendGrid / Twilio, Inc. | EU SCCs + EU-US Data Privacy Framework (DPF) certification |
| Sentry (Functional Software, Inc.) | EU SCCs + EU-US Data Privacy Framework (DPF) certification |
| Anthropic, Inc. | EU SCCs + EU-US Data Privacy Framework (DPF) certification |
| OpenAI, Inc. | EU SCCs + EU-US Data Privacy Framework (DPF) certification |
5.3. Where necessary, the Processor shall enter into EU SCCs, together with such other measures as required under the GDPR, with the relevant sub-processor and shall carry out a transfer impact assessment to ensure the adequacy of protection in the destination country.
6. Term
6.1. This DPA shall enter into force on the date of acceptance of the Terms of Service by the Merchant and shall remain in force for the duration of the Terms of Service.
6.2. The obligations of the Processor in respect of the return or deletion of personal data (Section 3.8) and confidentiality (Section 3.2) shall survive the termination or expiry of this DPA.
7. Liability
7.1. The liability of each party under this DPA is subject to the limitations and exclusions of liability set out in the Terms of Service.
7.2. Nothing in this Agreement shall limit or exclude the liability of either party for breaches of the GDPR, to the extent such limitation is not permitted by applicable law.
Annex A — Processing Details
| Item | Details |
|---|---|
| Subject matter of processing | The provision of e-commerce platform services by zynterra to the Merchant, including hosting the Merchant's online store, processing orders, managing deliveries and sending transactional communications. |
| Duration of processing | For the term of the Terms of Service between the Merchant and zynterra, plus the data return / deletion period set out in Section 3.8. |
| Nature of processing | Hosting, displaying and transmitting data from the Merchant's site; receiving, storing and managing order information; coordinating with courier partners for delivery fulfilment; sending transactional emails and messages on behalf of the Merchant; AI-assisted content generation and translation. |
| Purpose of processing | To enable the Merchant to operate an online store, process customer orders, fulfil deliveries, communicate with customers, and manage returns and refunds. To provide AI tools for product description generation, content translation and text optimisation. |
| Types of personal data | Names (first name, last name), email addresses, phone numbers, physical addresses (for delivery and billing), order history and details, payment references (transaction identifiers — not card numbers, which are processed solely by Stripe), IP addresses, device and browser information, customer-account data. |
| Categories of data subjects | End users — customers and visitors of the Merchant's online store. |
Annex B — Sub-processors
The following sub-processors are authorised by the Controller to process personal data on behalf of the Controller as part of the Platform services of the Processor:
| Sub-processor | Location (transfer mechanism) | Purpose of processing | Personal data processed |
|---|---|---|---|
| Amazon Web Services EMEA SARL | Luxembourg (EU) | Cloud hosting, data storage, computing infrastructure | All personal data stored and processed on the Platform (encrypted at rest and in transit) |
| Stripe, Inc. | USA (EU SCCs + DPF) | Payment processing | Payment references, billing data, fraud-prevention data. Card numbers are processed solely by Stripe and are not stored by zynterra. |
| SendGrid / Twilio, Inc. | USA (EU SCCs + DPF) | Delivery of transactional emails | Email addresses, names (used in email content), email metadata |
| Sentry (Functional Software, Inc.) | USA (EU SCCs + DPF) | Error monitoring and performance tracking | IP addresses (anonymised), device / browser information, contextual error data (which may incidentally contain personal data in error reports) |
| Speedy AD | Bulgaria (EU) | Logistics and delivery | Recipient names, phone numbers, delivery addresses, order reference numbers, cash-on-delivery amounts |
| Sameday Courier | Romania (EU), with operations in Bulgaria | Logistics and delivery | Recipient names, phone numbers, delivery addresses, order reference numbers |
| BOX NOW | Greece (EU), with operations in Bulgaria | Logistics and delivery (parcel-locker network) | Recipient names, phone numbers, delivery addresses (locker selection), order reference numbers |
| Generic Soft | Bulgaria (EU) | Viber messaging API | Phone numbers, message content (configured by the Merchant) |
| Anthropic, Inc. | USA (EU SCCs + DPF) | AI content generation and translation | Product descriptions, content for translation, text provided by the merchant |
| OpenAI, Inc. | USA (EU SCCs + DPF) | AI content generation and translation | Product descriptions, content for translation, text provided by the merchant |
| Netim | France (EU) | Domain-name registration services | Domain registrant information (Merchant data, not end-user data — included for completeness) |
This list is current as of the date set out at the beginning of this DPA. The Processor will notify the Controller of any changes in accordance with Section 3.4.
This Data Processing Agreement is an integral part of the Terms of Service of zynterra.