Parties: UAB Komerza, reg. code 307395204, Giedraičių g. 39, R53, LT-09302 Vilnius, Lithuania ("Komerza", "Processor") and each merchant using the Komerza platform ("Merchant", "Controller").
1. Purpose and Scope
1.1 This DPA forms part of the Komerza Terms of Service. In case of conflict, this DPA shall prevail to the extent of such conflict.
1.2 Komerza acts as Processor when handling Buyer or end-user data collected via Merchant stores or services; Merchants act as Controllers. Komerza acts as Controller for its own account management, billing, and internal analytics. Nothing in this DPA shall be construed as establishing joint controllership under Article 26 GDPR.
1.3 Processing occurs solely for providing the Komerza platform, site-builder, email-marketing add-on, and related services (collectively, the "Services").
2. Data Processing Instructions
2.1 Komerza shall process personal data only:
- (a) on documented instructions from the Merchant (including API or dashboard actions);
- (b) to provide, secure, and maintain the Services; and
- (c) where required by law or regulatory guidance.
2.2 Komerza will promptly inform the Merchant if it believes an instruction infringes the GDPR or applicable law.
3. Confidentiality and Personnel
3.1 All Komerza staff and contractors with data access are subject to confidentiality and data-protection training.
3.2 Access follows least-privilege and need-to-know principles.
4. Security of Processing
4.1 Komerza implements measures under Article 32 GDPR, including:
- Encryption at rest (LUKS2); TLS 1.3 and mTLS in transit;
- Hardware-key SSH auth; segregated environments;
- Continuous monitoring via Sentry (EU) and internal alerting.
4.2 Merchants remain responsible for their own environment security (API keys, access control).
5. Sub-processors
5.1 Merchant authorises Komerza to engage the sub-processors in Annex II.
5.2 Komerza ensures each sub-processor offers GDPR-equivalent safeguards, including Standard Contractual Clauses (EU 2021/914, Modules 2 and 3) or successor instruments.
5.3 Komerza shall notify Merchants of material sub-processor changes at least 15 days in advance via email to the registered Merchant address or by dashboard notice.
6. Data-Subject Rights and Assistance
6.1 Komerza shall assist Merchants in fulfilling rights under Chapter III GDPR.
6.2 Buyers can access, download or delete their data via Merchant store interfaces.
6.3 Komerza forwards any direct data-subject request to the Merchant and shall not respond directly without the Merchant's written authorisation, unless legally required.
7. Breach Notification
7.1 In case of a personal-data breach, Komerza shall notify the Merchant without undue delay and, where feasible, within 72 hours of becoming aware of it, stating the incident's nature, scope, impact and remediation.
7.2 Komerza will co-operate in risk assessment and mitigation.
8. Audits and Compliance
8.1 Upon written request, Komerza shall make available the information necessary to demonstrate compliance and shall permit one audit per 12-month period; audits shall not take place more frequently than once every 12 months unless required by a supervisory authority or following a breach notification.
8.2 Audits occur during business hours, subject to confidentiality and at the Merchant's expense.
9. Data Retention and Deletion
9.1 Retention periods: Buyer/order data → until Merchant deletion or Buyer request; Merchant accounts → until deletion or legal expiry; logs → 14 days (info/warn), 60 days (errors/analytics).
9.2 Upon termination, Komerza shall permanently erase or effectively anonymise personal data within 30 days, unless longer retention is legally required.
9.3 Data contained in encrypted backups is isolated and deleted upon backup expiry; no active processing occurs during the retention period.
10. Liability and Governing Law
10.1 Each party is responsible for its own GDPR compliance and fines.
10.2 Governing law: Republic of Lithuania.
10.3 Disputes → arbitration before the Vilnius Court of Commercial Arbitration, language Lithuanian, seat Vilnius.
10.4 To the fullest extent permitted by applicable law, Komerza's aggregate liability under this DPA shall not exceed the greater of €1 or the total fees paid by the Merchant in the preceding 12 months.
11. Force Majeure
Komerza is not liable for delay or failure caused by events beyond its control, including failures of PSPs or infrastructure providers, pandemics, government actions, or network outages.
12. Notices
Notices under this DPA are deemed received when sent to the Merchant's registered email or published on the dashboard.
Annex I — Data Categories and Processing Activities
| Entity / Table | Data Categories | Purpose | Role |
|---|---|---|---|
| CustomerDetails | email, country, IP, login IDs | checkout & fraud prevention | Processor |
| Order, Payment, Refund, Chargeback | IP, UA, status, reason, IDs | transactions & compliance | Processor |
| Session, RefreshToken | token, IP, UA | authentication | Processor |
| Store, Product, Variant | merchant data, pricing | store configuration | Processor |
| BuilderSnapshot | HTML/CSS/JS, encrypted project files | safe storage (encrypted on R2) | Processor |
| WebhookExecutionLog, GatewayMetadata | URLs, signatures | integration logging | Processor |
| MerchantAccount, Billing | company name, email, VAT ID | billing & management | Controller |
| Logs & Analytics (Sentry) | event ID, IP, trace data | system monitoring | Controller |
Annex II — Authorised Sub-processors
| Sub-processor | Purpose | Location / Safeguard |
|---|---|---|
| Fly.io Inc. | Ephemeral compute (preview machines) | EEA / SCCs |
| Cloudflare Inc. | CDN, DNS, R2 storage, custom hostnames | EEA + US / SCCs |
| Hetzner Online GmbH | Backend compute, DB, cache | Germany |
| Amazon Web Services (EU-North-1) | SES email delivery | Sweden |
| Functional Software, Inc. d/b/a Sentry | Error logging & analytics | Germany / SCCs |
| Revolut Bank UAB | Subscription billing | Lithuania |
| Everapi GmbH | Currency conversion (anonymised) | EU |
Annex III — Technical and Organisational Measures
| Category | Measure |
|---|---|
| Encryption | LUKS2 full-disk, TLS 1.3 + mTLS |
| Access Control | IAM, hardware SSH keys, 2FA |
| Network Security | VPC segmentation, firewalls, rate limits |
| Data Integrity | Checksums, signed audit logs |
| Monitoring | Sentry + Prometheus alerts |
| Backup & Recovery | 90-day encrypted retention |
| Confidentiality | NDA-bound staff, access logging |
| Incident Response | 24/7 SOC, ≤72 h notification |