Data Processing Agreement (DPA)
Data Processing Agreement — CartFlux
Last updated: May 2026 · Version: 1.0
Parties
Processor:
NOVA CRAFT STUDIO SRL ("CartFlux") Tax ID (CUI): 54452722 Registration number: J2026023506000 Registered office: Bucharest, Sector 1, Strada Pitar Moș Nr. 27
Email: contact@cartflux.eu
Controller:
The Merchant registered on the CartFlux platform, whose identification data is recorded in the account.
1. Context and purpose
This Data Processing Agreement ("DPA") governs the conditions under which CartFlux, as processor, processes personal data on behalf of the Merchant, as controller, in the context of providing CartFlux platform services.
This DPA forms an integral part of the CartFlux Terms and Conditions and applies in accordance with Article 28 of Regulation (EU) 2016/679 (GDPR).
2. Data processed
2.1 Categories of data
CartFlux processes on behalf of the Merchant the following categories of personal data of the store's end customers:
- First name and last name
- Email address
- Delivery address (street, city, county, postal code, country)
- Phone number (when provided)
- Order history (products, quantities, prices, status)
- Customer account session data (when the end customer creates an account in the store)
2.2 Categories of data subjects
End customers who place orders or create accounts in stores operated by the Merchant on the CartFlux platform.
2.3 Purpose of processing
Processing is carried out exclusively for:
- Processing and managing orders from the Merchant's store
- Providing platform functionality (orders dashboard, customers, statistics)
- Sending transactional emails related to orders
- Issuing invoices via SmartBill (when enabled by the Merchant)
3. CartFlux obligations (Processor)
CartFlux agrees to:
3.1 Documented instructions
Process personal data solely on the basis of the Merchant's documented instructions, except where EU or Romanian law requires otherwise.
3.2 Confidentiality
Ensure that persons authorized to process the data have committed to confidentiality or are subject to an appropriate statutory duty of confidentiality.
3.3 Security
Implement appropriate technical and organizational measures to protect data, including:
- Encryption in transit (HTTPS/TLS)
- Encryption at rest for sensitive data
- Role-based access control (RLS)
- Incident monitoring and detection (Sentry)
- Regular data backups
3.4 Sub-processors
Not engage other sub-processors without prior notice to the Merchant. The current list of sub-processors is available in the CartFlux Privacy Policy. The Merchant accepts the use of the listed sub-processors by accepting this DPA.
3.5 Data subject rights
Assist the Merchant in fulfilling the obligation to respond to requests regarding the exercise of data subject rights (access, rectification, erasure, portability, etc.), within the limits of data available on the platform.
3.6 Assistance with GDPR obligations
Assist the Merchant in ensuring compliance with obligations regarding:
- Security of processing (GDPR Art. 32)
- Notification of personal data breaches (GDPR Art. 33–34)
- Data protection impact assessments (DPIA) where required (GDPR Art. 35)
3.7 Incident notification
Notify the Merchant without undue delay, and in any event within 72 hours, after becoming aware of a personal data breach.
3.8 Data deletion
Upon termination of services, delete or return all personal data in accordance with the Merchant's instructions, except where retention is required by law.
3.9 Audit
Make available to the Merchant all information necessary to demonstrate compliance with the obligations set out in GDPR Art. 28.
4. Merchant obligations (Controller)
The Merchant, as controller, agrees to:
- Ensure that processing through CartFlux has a legal basis under the GDPR
- Inform end customers about data processing (own privacy policy in the store)
- Obtain necessary consents from end customers where applicable
- Notify CartFlux immediately if a personal data breach is discovered
- Not transmit special category data (GDPR Art. 9) to CartFlux without prior explicit agreement
5. Sub-processors
CartFlux uses the following sub-processors to provide the services:
| Sub-processor | Role | Location | DPA/Safeguards |
|---|---|---|---|
| Supabase Inc. | Database, authentication | EU (AWS Frankfurt) | DPA available |
| Vercel Inc. | Application hosting | EU/US | DPA available |
| Stripe Inc. | Payment processing | EU/US | DPA available |
| Resend Inc. | Transactional email | EU/US | DPA available |
| Functional Software (Sentry) | Error monitoring | EU/US | DPA available |
| SmartBill SRL | Electronic invoicing | Romania | DPA available |
CartFlux will inform the Merchant of any planned changes regarding the addition or replacement of sub-processors, giving the Merchant the opportunity to object.
6. International transfers
Some sub-processors may process data outside the European Economic Area (EEA). CartFlux ensures that such transfers are carried out with appropriate safeguards, in accordance with GDPR Chapter V (Standard Contractual Clauses, European Commission adequacy decisions).
7. Duration and termination
This DPA is valid for the duration of the CartFlux service agreement. Upon termination of the agreement, CartFlux will delete the Merchant's end-customer data within 30 days, except for data whose retention is required by law.
8. Liability
Each party's liability to the other under this DPA is limited in accordance with the provisions of the CartFlux Terms and Conditions. Each party is liable to supervisory authorities and data subjects in accordance with its role (controller / processor) established under the GDPR.
9. Governing law
This DPA is governed by Romanian law and Regulation (EU) 2016/679 (GDPR). Any dispute shall be resolved in accordance with the CartFlux Terms and Conditions.
10. Contact for data protection matters
NOVA CRAFT STUDIO SRL Data protection contact: Doiciu Irinel Bucharest, Sector 1, Strada Pitar Moș Nr. 27
Email: contact@cartflux.eu
By accepting the CartFlux Terms and Conditions, the Merchant also accepts this Data Processing Agreement, which becomes an integral part of the contractual relationship between the parties.