Legal · Data Processing Agreement

Data Processing Agreement

Last updated: May 31, 2026

Between:

ZeroShop E-Commerce Ltd, a company registered in Bulgaria ("Processor", "ZeroShop", "we", "us")

And:

The merchant who has accepted these terms by creating an account on ZeroShop ("Controller", "Merchant", "you")

Effective Date: The date the Merchant creates an account on the ZeroShop platform.

1. Definitions

  • "Personal Data" means any information relating to an identified or identifiable natural person as defined in Article 4(1) of the GDPR.
  • "Processing" means any operation performed on Personal Data, as defined in Article 4(2) of the GDPR.
  • "Data Subject" means the identified or identifiable natural person to whom the Personal Data relates.
  • "Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
  • "Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.
  • "GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council.
  • "Platform" means the ZeroShop e-commerce platform, including all related services, infrastructure, and tools.

2. Scope and Purpose of Processing

2.1. This Agreement sets out the terms under which the Processor processes Personal Data on behalf of the Controller in accordance with Article 28 of the GDPR.

2.2. Nature and Purpose of Processing: The Processor provides the Platform which enables the Controller to operate an online store. Processing is carried out for the purpose of hosting, operating, and maintaining the Controller's store, including facilitating transactions, managing product data, and providing analytics.

2.3. Types of Personal Data Processed:

  • Customer names and contact details (email addresses, phone numbers, shipping addresses)
  • Order and transaction data
  • Payment references (note: full payment card data is processed by third-party payment providers, not by ZeroShop)
  • IP addresses and browser metadata (for security and analytics purposes)

2.4. Categories of Data Subjects:

  • Customers of the Controller's online store
  • Visitors to the Controller's online store

2.5. Duration of Processing: Personal Data will be processed for the duration of the Controller's use of the Platform and, where applicable, for any additional period required by applicable law or specified in Section 7 of this Agreement.

3. Processor Obligations

3.1. Instructions: The Processor shall process Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data outside the EU/EEA, unless required to do so by EU or Member State law. Where the Processor is required by applicable law to process Personal Data other than on the Controller's instructions, the Processor shall inform the Controller of that legal requirement before processing, unless the law prohibits such information on important grounds of public interest.

3.2. Confidentiality: The Processor shall ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

3.3. Security Measures: The Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as required by Article 32 of the GDPR, including as appropriate:

  • Encryption of Personal Data in transit and at rest
  • The ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems
  • The ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident
  • A process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures

3.4. Data Subject Rights: The Processor shall assist the Controller, by appropriate technical and organizational measures, in fulfilling its obligation to respond to requests from Data Subjects exercising their rights under Chapter III of the GDPR (access, rectification, erasure, portability, objection, etc.).

3.5. Data Breach Notification: The Processor shall notify the Controller without undue delay, and in any event within 48 hours, after becoming aware of a Data Breach. The notification shall include:

  • A description of the nature of the Data Breach
  • The categories and approximate number of Data Subjects and records concerned
  • The likely consequences of the Data Breach
  • The measures taken or proposed to address the Data Breach

3.6. Data Protection Impact Assessment: The Processor shall provide reasonable assistance to the Controller with any data protection impact assessments and prior consultations with supervisory authorities, as required by Articles 35 and 36 of the GDPR.

3.7. Audit Rights: The Processor shall make available to the Controller all information necessary to demonstrate compliance with this Agreement and Article 28 of the GDPR. Upon reasonable prior written notice, the Controller may conduct an audit or appoint an independent auditor, provided that such auditor is not a competitor of the Processor and is bound by appropriate confidentiality obligations. Any audit shall be conducted during normal business hours, in a manner that minimizes disruption to the Processor's business operations, and no more than once per calendar year, unless otherwise required by applicable law or requested by a competent supervisory authority. Each party shall bear its own costs in connection with the audit, unless the audit reveals a material breach of this Agreement by the Processor.

4. Controller Obligations

4.1. The Controller warrants that:

  • It has a lawful basis for the processing of Personal Data under applicable data protection law
  • It has provided appropriate notice to Data Subjects regarding the processing of their Personal Data
  • It has obtained any necessary consents for the processing, where consent is relied upon as a lawful basis
  • Its instructions to the Processor comply with applicable data protection law

4.2. The Controller is solely responsible for the accuracy, quality, and legality of Personal Data provided to or collected through the Platform.

5. Sub-processors

5.1. The Controller provides general authorization for the Processor to engage Sub-processors for the purposes of delivering the Platform.

5.2. The Processor currently uses the following Sub-processors:

Sub-processor Purpose Location
Stripe Payment processing USA/EU
Hetzner Infrastructure hosting Germany

5.3. The Processor shall inform the Controller of any intended changes concerning the addition or replacement of Sub-processors, giving the Controller the opportunity to object to such changes within 14 days of notification.

5.4. Where the Processor engages a Sub-processor, the Processor shall impose on the Sub-processor, by way of contract, the same data protection obligations as set out in this Agreement.

5.5. The Processor shall remain fully liable to the Controller for the performance of the Sub-processor's obligations.

6. International Data Transfers

6.1. The Processor shall not transfer Personal Data outside of the European Economic Area (EEA) unless:

  • The European Commission has determined that the third country ensures an adequate level of data protection (Article 45 GDPR), or
  • Appropriate safeguards are in place in accordance with Article 46 of the GDPR (such as Standard Contractual Clauses), or
  • A valid derogation under Article 49 of the GDPR applies.

6.2. Where Sub-processors are located outside the EEA, the Processor shall ensure that appropriate transfer mechanisms are in place.

7. Data Retention and Deletion

7.1. Upon termination of the Controller's account, the Processor shall, at the choice of the Controller, delete or return all Personal Data within 30 days, unless EU or Member State law requires further storage.

7.2. The Processor shall provide written confirmation of deletion upon request.

8. Liability

8.1. Each party's liability under this Agreement shall be subject to the limitations and exclusions set out in the Terms of Service.

8.2. Nothing in this Agreement limits either party's liability for breaches of data protection law to the extent such liability cannot be limited under applicable law, in accordance with Article 82 of the GDPR.

9. Term and Termination

9.1. This Agreement shall remain in effect for the duration of the Controller's use of the Platform.

9.2. This Agreement shall automatically terminate upon the termination of the Controller's account.

9.3. Sections 7 (Data Retention and Deletion) and 8 (Liability) shall survive termination of this Agreement.

10. General Provisions

10.1. Governing Law: This Agreement shall be governed by the laws of Bulgaria, without regard to its conflict of law provisions.

10.2. Amendments: The Processor may update this Agreement where necessary to reflect changes in applicable law, regulatory guidance, or the Services. Material changes affecting the Controller's rights or obligations shall be notified in advance.

10.3. Severability: If any provision of this Agreement is found to be invalid or unenforceable, the remaining provisions shall continue in full force and effect.

10.4. Conflicts: In the event of any conflict between this Agreement and the Terms of Service, this Agreement shall prevail with respect to data protection matters.

ZeroShop E-Commerce Ltd

Email: privacy@zeroshop.io

We value your privacy

We use cookies for essential site functionality and, with your consent, analytics to understand how our platform is used. No personal data is shared with third parties. See our Privacy Policy for details.