← Back to CartFlux

Data Processing Agreement (DPA)

Data Processing Agreement — CartFlux

Last updated: May 2026 · Version: 1.0

Parties

Processor:

NOVA CRAFT STUDIO SRL ("CartFlux") Tax ID (CUI): 54452722 Registration number: J2026023506000 Registered office: Bucharest, Sector 1, Strada Pitar Moș Nr. 27

Email: contact@cartflux.eu

Controller:

The Merchant registered on the CartFlux platform, whose identification data is recorded in the account.

1. Context and purpose

This Data Processing Agreement ("DPA") governs the conditions under which CartFlux, as processor, processes personal data on behalf of the Merchant, as controller, in the context of providing CartFlux platform services.

This DPA forms an integral part of the CartFlux Terms and Conditions and applies in accordance with Article 28 of Regulation (EU) 2016/679 (GDPR).

2. Data processed

2.1 Categories of data

CartFlux processes on behalf of the Merchant the following categories of personal data of the store's end customers:

2.2 Categories of data subjects

End customers who place orders or create accounts in stores operated by the Merchant on the CartFlux platform.

2.3 Purpose of processing

Processing is carried out exclusively for:

3. CartFlux obligations (Processor)

CartFlux agrees to:

3.1 Documented instructions

Process personal data solely on the basis of the Merchant's documented instructions, except where EU or Romanian law requires otherwise.

3.2 Confidentiality

Ensure that persons authorized to process the data have committed to confidentiality or are subject to an appropriate statutory duty of confidentiality.

3.3 Security

Implement appropriate technical and organizational measures to protect data, including:

3.4 Sub-processors

Not engage other sub-processors without prior notice to the Merchant. The current list of sub-processors is available in the CartFlux Privacy Policy. The Merchant accepts the use of the listed sub-processors by accepting this DPA.

3.5 Data subject rights

Assist the Merchant in fulfilling the obligation to respond to requests regarding the exercise of data subject rights (access, rectification, erasure, portability, etc.), within the limits of data available on the platform.

3.6 Assistance with GDPR obligations

Assist the Merchant in ensuring compliance with obligations regarding:

3.7 Incident notification

Notify the Merchant without undue delay, and in any event within 72 hours, after becoming aware of a personal data breach.

3.8 Data deletion

Upon termination of services, delete or return all personal data in accordance with the Merchant's instructions, except where retention is required by law.

3.9 Audit

Make available to the Merchant all information necessary to demonstrate compliance with the obligations set out in GDPR Art. 28.

4. Merchant obligations (Controller)

The Merchant, as controller, agrees to:

5. Sub-processors

CartFlux uses the following sub-processors to provide the services:

Sub-processorRoleLocationDPA/Safeguards
Supabase Inc.Database, authenticationEU (AWS Frankfurt)DPA available
Vercel Inc.Application hostingEU/USDPA available
Stripe Inc.Payment processingEU/USDPA available
Resend Inc.Transactional emailEU/USDPA available
Functional Software (Sentry)Error monitoringEU/USDPA available
SmartBill SRLElectronic invoicingRomaniaDPA available

CartFlux will inform the Merchant of any planned changes regarding the addition or replacement of sub-processors, giving the Merchant the opportunity to object.

6. International transfers

Some sub-processors may process data outside the European Economic Area (EEA). CartFlux ensures that such transfers are carried out with appropriate safeguards, in accordance with GDPR Chapter V (Standard Contractual Clauses, European Commission adequacy decisions).

7. Duration and termination

This DPA is valid for the duration of the CartFlux service agreement. Upon termination of the agreement, CartFlux will delete the Merchant's end-customer data within 30 days, except for data whose retention is required by law.

8. Liability

Each party's liability to the other under this DPA is limited in accordance with the provisions of the CartFlux Terms and Conditions. Each party is liable to supervisory authorities and data subjects in accordance with its role (controller / processor) established under the GDPR.

9. Governing law

This DPA is governed by Romanian law and Regulation (EU) 2016/679 (GDPR). Any dispute shall be resolved in accordance with the CartFlux Terms and Conditions.

10. Contact for data protection matters

NOVA CRAFT STUDIO SRL Data protection contact: Doiciu Irinel Bucharest, Sector 1, Strada Pitar Moș Nr. 27

Email: contact@cartflux.eu

By accepting the CartFlux Terms and Conditions, the Merchant also accepts this Data Processing Agreement, which becomes an integral part of the contractual relationship between the parties.