
Data Processing Agreement (DPA)

Last updated: 9 April 2026


This Data Processing Agreement ("DPA") forms part of and is incorporated into the Terms and Conditions ("T&C" or "Agreement") between:

  • Controller: The Merchant who has accepted the T&C and uses the zynterra Platform (hereinafter the "Controller" or "Merchant").
  • Processor: zynterra EOOD, UIC 208066407, with registered address at Sofia Park, Blok 121, Apt. 3, 1766 Sofia, Bulgaria (hereinafter the "Processor" or "zynterra").

This DPA sets out the terms under which zynterra processes personal data on behalf of the Merchant in connection with the provision of the Platform, in compliance with Article 28 of the General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR").


1. Definitions

In this DPA, the following terms have the meanings set out below. Terms not defined here have the meanings given in the GDPR or the T&C.

Controller: The Merchant, who determines the purposes and means of processing Personal Data of End Users through the Platform.
Processor: zynterra EOOD, which processes Personal Data on behalf of and under the instructions of the Controller.
Data Subject(s): End Users — the individuals whose Personal Data is processed through the Platform (i.e., the Merchant's customers and store visitors).
Personal Data: Any information relating to an identified or identifiable natural person (Data Subject) that is processed by the Processor on behalf of the Controller through the Platform.
Processing: Any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure, or destruction.
Sub-processor: A third party engaged by the Processor to carry out specific processing activities on behalf of the Controller.
Supervisory Authority: An independent public authority established by an EU/EEA Member State pursuant to Article 51 GDPR. For zynterra, the lead supervisory authority is the Commission for Personal Data Protection (КЗЛД) of the Republic of Bulgaria.
Data Breach: A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed.
EU SCCs: The Standard Contractual Clauses for the transfer of personal data to third countries, adopted by the European Commission under Implementing Decision (EU) 2021/914.

2. Scope

2.1 This DPA applies to all Personal Data processed by zynterra on behalf of the Merchant through the Platform, as further described in Annex A (Details of Processing).

2.2 The Merchant is the Controller of Personal Data relating to End Users. zynterra is the Processor of such data. This DPA does not apply to data for which zynterra is the controller (e.g., merchant account data, billing data), which is governed by the zynterra Privacy Policy.

2.3 The subject matter, duration, nature, purpose, types of Personal Data, and categories of Data Subjects are set out in Annex A.


3. Processor Obligations

3(a) Processing on Documented Instructions

3.1 The Processor shall process Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to a third country, unless required to do so by Union or Member State law to which the Processor is subject. In such case, the Processor shall inform the Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.

3.2 The Merchant's instructions for processing are set out in this DPA, the T&C, and any additional written instructions provided by the Merchant through the Platform's functionality (e.g., configuring integrations, enabling shipping providers, managing customer data).

3.3 The Processor shall immediately inform the Controller if, in the Processor's opinion, an instruction from the Controller infringes the GDPR or other Union or Member State data protection provisions.

3(b) Confidentiality

3.4 The Processor shall ensure that all persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

3.5 The Processor shall ensure that access to Personal Data is limited to those personnel who need access to perform their duties in connection with the services provided under the T&C.

3(c) Security Measures

3.6 The Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, in accordance with Article 32 GDPR. These measures include, as appropriate:

  • (i) Encryption of Personal Data in transit (TLS) and at rest.
  • (ii) Access controls based on the principle of least privilege, including multi-factor authentication for administrative access.
  • (iii) Network segmentation, firewalls, and intrusion detection systems.
  • (iv) Regular testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of processing.
  • (v) Pseudonymization of Personal Data where appropriate and feasible.
  • (vi) Measures to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services.
  • (vii) The ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident.
  • (viii) Security logging and monitoring of access to systems that process Personal Data.
  • (ix) Vulnerability management, including regular security assessments and timely application of security patches.

3.7 The Processor shall take reasonable steps to ensure that the security measures remain appropriate throughout the term of this DPA, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.

3(d) Sub-processors

3.8 The Controller grants the Processor a general written authorization to engage sub-processors for the purpose of providing the Platform services. The current list of sub-processors is set out in Annex B.

3.9 The Processor shall inform the Controller of any intended changes concerning the addition or replacement of sub-processors, thereby giving the Controller the opportunity to object to such changes within 30 calendar days of receiving the notification.

3.10 Notifications of sub-processor changes will be made by email to the Merchant's registered email address or through the Platform's notification system.

3.11 If the Controller objects to a new sub-processor on reasonable grounds relating to data protection, the parties shall discuss the objection in good faith with a view to achieving a commercially reasonable resolution. If no resolution can be reached within 30 calendar days of the objection, the Controller may terminate the affected services (or the T&C in its entirety) without penalty by providing written notice.

3.12 The Processor shall impose on each sub-processor, by way of a written contract, data protection obligations no less protective than those set out in this DPA. The Processor remains fully liable to the Controller for the performance of each sub-processor's obligations.

3(e) Assistance with Data Subject Rights

3.13 The Processor shall assist the Controller, by appropriate technical and organizational measures, insofar as is possible, for the fulfilment of the Controller's obligation to respond to requests for exercising the Data Subject's rights under Chapter III GDPR (access, rectification, erasure, restriction, portability, objection).

3.14 When the Processor receives a request directly from a Data Subject, the Processor shall promptly redirect the Data Subject to the Controller, unless otherwise instructed by the Controller.

3.15 The Processor shall respond to the Controller's requests for assistance with Data Subject rights within 10 business days of receiving the request.

3(f) Security Incidents and Breach Notification

3.16 The Processor shall notify the Controller of any Data Breach without undue delay, and in any event within 48 hours of becoming aware of the breach.

3.17 The notification shall include, to the extent available:

  • (i) A description of the nature of the Data Breach, including, where possible, the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned.
  • (ii) The name and contact details of the Processor's point of contact from whom more information can be obtained.
  • (iii) A description of the likely consequences of the Data Breach.
  • (iv) A description of the measures taken or proposed to be taken by the Processor to address the Data Breach, including, where appropriate, measures to mitigate its possible adverse effects.

3.18 Where it is not possible to provide all information at the same time, the Processor shall provide it in phases without undue further delay.

3.19 The Processor shall cooperate with and assist the Controller in the Controller's compliance with its obligations under Articles 33 and 34 GDPR (notification to supervisory authority and communication to Data Subjects).

3(g) Data Protection Impact Assessments

3.20 The Processor shall provide reasonable assistance to the Controller with any data protection impact assessments ("DPIAs") and prior consultations with supervisory authorities that the Controller is required to undertake under Articles 35 and 36 GDPR, taking into account the nature of the processing and the information available to the Processor.

3(h) Return and Deletion of Data

3.21 Upon termination or expiry of the T&C, and at the choice of the Controller, the Processor shall:

  • (i) Return all Personal Data to the Controller in a commonly used, machine-readable format; or
  • (ii) Delete all Personal Data and existing copies, unless Union or Member State law requires further storage of the Personal Data.

3.22 The Processor shall complete the return or deletion within 90 calendar days of the effective date of termination.

3.23 Upon request, the Processor shall provide written certification to the Controller that all Personal Data has been deleted in accordance with this clause.

3.24 Notwithstanding the above, the Processor may retain Personal Data to the extent and for the duration required by applicable law (e.g., backup retention schedules, tax obligations). Any such retained data shall continue to be protected in accordance with this DPA and shall be deleted when the legal retention period expires.

3(i) Audits and Compliance Demonstration

3.25 The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 GDPR and this DPA.

3.26 The Processor shall allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller, subject to the following conditions:

  • (i) The Controller shall provide at least 30 calendar days' prior written notice of an audit.
  • (ii) Audits shall be conducted during normal business hours and shall not unreasonably disrupt the Processor's operations.
  • (iii) The Controller may conduct no more than one audit per calendar year, unless additional audits are required by a supervisory authority or are necessary due to a Data Breach.
  • (iv) The auditor shall be bound by appropriate confidentiality obligations.
  • (v) The Controller shall bear its own costs associated with the audit.

3.27 The Processor may satisfy audit requests by providing relevant certifications, audit reports (e.g., SOC 2 Type II), or other evidence of compliance, where reasonably sufficient to demonstrate compliance.


4. Data Breach Notification

4.1 In addition to the obligations set out in Section 3(f), the Processor's breach notification to the Controller shall include at minimum:

  • (a) The nature of the Data Breach.
  • (b) The categories and approximate number of Data Subjects affected.
  • (c) The categories and approximate number of Personal Data records affected.
  • (d) The likely consequences of the breach.
  • (e) The measures taken or proposed to be taken to address the breach, including measures to mitigate its possible adverse effects.

4.2 The Processor shall document all Data Breaches, including the facts relating to the breach, its effects, and the remedial action taken. This documentation shall be made available to the Controller upon request.

4.3 The Processor shall cooperate fully with the Controller in investigating and remediating any Data Breach and in complying with any notification obligations to supervisory authorities or Data Subjects.


5. International Transfers

5.1 The Processor shall not transfer Personal Data to a country outside the European Economic Area ("EEA") unless:

  • (a) The European Commission has issued an adequacy decision for the destination country under Article 45 GDPR; or
  • (b) Appropriate safeguards have been provided in accordance with Article 46 GDPR, including the EU Standard Contractual Clauses (SCCs).

5.2 The following sub-processors involve transfers of Personal Data outside the EEA, specifically to the United States:

Stripe, Inc.: EU SCCs + EU-U.S. Data Privacy Framework (DPF) certification
SendGrid / Twilio, Inc.: EU SCCs + EU-U.S. Data Privacy Framework (DPF) certification
Sentry (Functional Software, Inc.): EU SCCs + EU-U.S. Data Privacy Framework (DPF) certification
Anthropic, Inc.: EU SCCs + EU-U.S. Data Privacy Framework (DPF) certification
OpenAI, Inc.: EU SCCs + EU-U.S. Data Privacy Framework (DPF) certification

5.3 Where required, the Processor shall enter into EU SCCs with the relevant sub-processor and shall conduct a transfer impact assessment to ensure the adequacy of protections in the destination country.


6. Duration

6.1 This DPA shall come into effect on the date the Merchant accepts the T&C and shall remain in force for the duration of the T&C.

6.2 The obligations of the Processor with respect to the return or deletion of Personal Data (Section 3(h)) and confidentiality (Section 3(b)) shall survive the termination or expiry of this DPA.


7. Liability

7.1 The liability of each party under this DPA is subject to the limitations and exclusions of liability set out in the T&C.

7.2 Nothing in this DPA limits or excludes either party's liability for breaches of the GDPR to the extent that such limitation is not permitted by applicable law.


Annex A — Details of Processing

Subject matter of processing: Provision of e-commerce platform services by zynterra to the Merchant, including hosting the Merchant's online store, processing orders, managing deliveries, and sending transactional communications.
Duration of processing: For the term of the T&C between the Merchant and zynterra, plus the data return/deletion period specified in Section 3(h).
Nature of processing: Hosting, displaying, and transmitting Merchant storefront data; receiving, storing, and managing order information; coordinating with delivery partners for fulfillment; sending transactional email and messaging notifications on behalf of the Merchant; AI-assisted content generation and translation.
Purpose of processing: To enable the Merchant to operate an online store, process customer orders, fulfill deliveries, communicate with customers, and manage returns and refunds. Providing AI-powered tools for product description generation, content translation, and text optimization.
Types of Personal Data: Names (first name, last name), email addresses, phone numbers, physical addresses (delivery and billing), order history and details, payment references (transaction IDs — not card numbers, which are processed solely by Stripe), IP addresses, device and browser information, customer account data.
Categories of Data Subjects: End Users — customers and visitors of the Merchant's online store.

Annex B — Sub-processors

The following sub-processors are authorized by the Controller to process Personal Data on behalf of the Controller, as part of the Platform services:

Amazon Web Services EMEA SARL | Luxembourg (EU) | Cloud hosting, data storage, computing infrastructure | All Personal Data stored and processed on the Platform (encrypted at rest and in transit)
Stripe, Inc. | USA (EU SCCs + DPF) | Payment processing | Payment references, billing details, fraud-prevention data. Card numbers are processed solely by Stripe and are not stored by zynterra.
SendGrid / Twilio, Inc. | USA (EU SCCs + DPF) | Transactional email delivery | Email addresses, names (as used in email content), email metadata
Sentry (Functional Software, Inc.) | USA (EU SCCs + DPF) | Error monitoring and performance tracking | IP addresses (anonymized), device/browser information, error context data (may incidentally include Personal Data in error reports)
Speedy AD | Bulgaria (EU) | Logistics and delivery | Recipient names, phone numbers, delivery addresses, order reference numbers, cash-on-delivery amounts
Sameday Courier | Romania (EU), with Bulgarian operations | Logistics and delivery | Recipient names, phone numbers, delivery addresses, order reference numbers
BOX NOW | Greece (EU), with Bulgarian operations | Logistics and delivery (automated locker network) | Recipient names, phone numbers, delivery addresses (locker selection), order reference numbers
Generic Soft | Bulgaria (EU) | Viber messaging API | Phone numbers, message content (as configured by the Merchant)
Anthropic, Inc. | USA (EU SCCs + DPF) | AI content generation and translation | Product descriptions, translation content, merchant-provided text
OpenAI, Inc. | USA (EU SCCs + DPF) | AI content generation and translation | Product descriptions, translation content, merchant-provided text
Netim | France (EU) | Domain registration services | Domain registrant information (Merchant data, not End User data — included for completeness)

This list is current as of the date indicated at the top of this DPA. The Processor will notify the Controller of any changes in accordance with Section 3(d).


End of Data Processing Agreement
