This is an informational English translation. In the event of any discrepancy, the Polish version is legally binding. View the Polish version
Data Processing Agreement (DPA)
Effective from: 19 March 2026
This Data Processing Agreement (hereinafter: “DPA”) forms an integral part of the Terms of Service for the electronic provision of services of the ZYNQ platform and is concluded between:
- the Controller - the User using the ZYNQ Platform, who entrusts the processing of personal data of their customers (buyers);
- the Processor - ZYNQ sp. z o.o. with its registered office in Tychy, ul. Estetyczna 4, 43-100 Tychy, KRS: 0000804450, NIP: 6462979033, REGON: 384394091.
The DPA is concluded upon acceptance of the Terms of Service and the creation of an Account in the Platform.
§ 1. Definitions
- RODO (GDPR) - Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
- Platform - the ZYNQ software provided under the SaaS model at app.zynq.pl.
- Personal data - personal data of the Controller's customers (buyers), entrusted by the Controller for processing in connection with the use of the Platform.
- Data subject - the Controller's customer (buyer) whose data is processed in the Platform.
- Sub-processing - entrusting the processing of personal data to a further processor (sub-processor) in accordance with Article 28(2) and (4) of the RODO (GDPR).
- Other terms have the meaning assigned to them in the Terms of Service or in the RODO (GDPR).
§ 2. Subject matter, nature, and purpose of processing
- The Controller entrusts the Processor with the processing of Personal data within the scope and for the purpose specified in this DPA, solely for the performance of the Agreement for the electronic provision of services concluded between the parties.
- Nature of processing: automated processing in IT systems within the Platform.
- Purpose of processing: enabling the Controller to manage orders, products, commercial documents, shipments, and integrations with marketplaces and courier companies via the Platform.
- Duration: for the term of the Agreement and, to the extent required by law, after its termination (in particular with regard to accounting documents).
§ 3. Type of data and categories of data subjects
- Categories of data subjects: the Controller's customers (buyers) - natural persons, including natural persons conducting business activity.
- Type of Personal data entrusted for processing:
- first and last name or company name,
- delivery address and billing address,
- e-mail address,
- telephone number,
- NIP (tax identification number, if applicable),
- order data (list of items, values, status),
- bank account number (for refunds, if applicable).
- The Processor does not process special categories of personal data within the meaning of Article 9 of the RODO (GDPR), nor data relating to criminal convictions and offences within the meaning of Article 10 of the RODO (GDPR).
§ 4. Obligations of the Processor
- The Processor undertakes to:
- process the Personal data solely on documented instructions from the Controller arising from the Agreement, the Terms of Service, and the Platform configuration performed by the Controller;
- ensure that persons authorised to process the Personal data are bound by an obligation of confidentiality;
- take all measures required under Article 32 of the RODO (GDPR) (security of processing);
- assist the Controller, as far as possible, in fulfilling its obligation to respond to requests from the data subject for the exercise of their rights (Articles 12-22 of the RODO (GDPR));
- assist the Controller in complying with the obligations set out in Articles 32-36 of the RODO (GDPR) (security, breach notification, impact assessment, prior consultation);
- after the provision of services has ended, delete or return the Personal data to the Controller - in accordance with § 9 of this DPA;
- make available to the Controller all information necessary to demonstrate compliance with the obligations set out in Article 28 of the RODO (GDPR) and allow the Controller to carry out audits on the terms set out in § 8.
- If the Processor considers that an instruction from the Controller infringes the RODO (GDPR) or other data protection provisions, it shall immediately inform the Controller.
§ 5. Security of processing
- The Processor applies appropriate technical and organisational measures ensuring a level of security appropriate to the risk of infringing the rights or freedoms of natural persons, including in particular:
- hashing of passwords using the bcrypt algorithm,
- encryption of sensitive application data (OAuth tokens, SMTP passwords) using the AES-256-GCM algorithm,
- data transmission solely over the HTTPS protocol with HSTS enabled,
- protection against XSS, CSRF, clickjacking, and MIME sniffing attacks,
- request rate-limiting mechanisms,
- logging of security events (login logs, audit logs),
- automatic logout after a period of inactivity,
- data isolation between Organisations (multi-tenancy),
- regular database backups,
- role-based access control (RBAC) and the principle of least privilege for persons authorised on the Processor's side.
- The Processor undertakes to regularly test, assess, and evaluate the effectiveness of the measures applied and to update them as necessary.
§ 6. Sub-processing (sub-processors)
- The Controller gives general consent to the Processor's use of the services of further processors (sub-processors) in accordance with Article 28(2) of the RODO (GDPR).
- Current list of sub-processors as of the conclusion date of the DPA:
Sub-processor Purpose Location Hetzner Online GmbH Hosting of servers and the database Germany / EEA Stripe, Inc. Subscription payment processing USA (SCCs) Functional Software, Inc. (Sentry) Application error monitoring USA (SCCs) - The Processor concludes an agreement with each sub-processor imposing on it data protection obligations at least equivalent to those arising from this DPA.
- The Processor informs the Controller of any intended changes concerning the addition or replacement of sub-processors at least 30 days in advance, via the Platform or by e-mail. The Controller has the right to object to such changes within 14 days of receiving the information.
- In the event of a justified objection that the parties are unable to jointly resolve, the Controller has the right to terminate the Agreement.
- External entities selected by the Controller through the configuration of integrations (e.g. Allegro, Amazon, Erli, Empik, InPost, DPD, DHL, KSeF) are not sub-processors of the Processor - they process the Personal data as separate controllers or processors on the basis of separate legal relationships with the Controller.
§ 7. Breach notification
- The Processor notifies the Controller of a Personal data breach without undue delay, no later than within 48 hours of becoming aware of the breach.
- The notification contains at least:
- a description of the nature of the breach, including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of records concerned,
- the contact details of the person providing the information,
- a description of the likely consequences of the breach,
- a description of the measures taken or proposed to address the breach and to minimise its possible adverse effects.
- Notifications are sent to the e-mail address of the Controller assigned to the Account. The Controller is obliged to keep this address up to date.
§ 8. Audit
- The Controller has the right to audit - including to inspect - the Processor's activities within the scope covered by this DPA. The audit may be conducted by the Controller or by an independent auditor authorised by it.
- The Controller notifies the Processor of its intention to carry out an audit at least 30 days in advance. The audit is carried out on business days, during the Processor's working hours, in a manner that does not disrupt its ongoing operations.
- As part of the audit, the Processor makes available to the Controller reports, certificates, and technical documentation to the extent confirming compliance with the obligations set out in Article 28 of the RODO (GDPR). The Processor may, in the first instance, provide the Controller with reports from internal audits or independent external audits instead of conducting a separate audit, provided that they cover the scope of the Controller's request.
- The costs of the audit are borne by the Controller, unless the audit reveals material breaches of the Processor's obligations.
§ 9. After the end of processing
- Upon termination of the Agreement, the Processor, at the Controller's choice, deletes or returns to the Controller the Personal data and deletes all existing copies thereof, unless Union law or the law of a Member State requires its further storage.
- The Controller's choice should be communicated to the Processor electronically no later than within 30 days of the termination of the Agreement. In the absence of such a choice, the Processor deletes the Personal data after 60 days from the termination of the Agreement.
- The provision of paragraph 1 does not apply to Personal data contained in accounting and tax documents, the retention of which is required under applicable law (in particular for 5 years from the end of the tax year).
- The Processor confirms to the Controller the deletion of the Personal data upon written request.
§ 10. Liability
- Each party is liable to the other party for damage caused as a result of a breach of the provisions of this DPA under the general principles of the Civil Code and to the extent arising from Article 82 of the RODO (GDPR).
- The Processor's total liability under this DPA is subject to the limitations specified in the Terms of Service.
§ 11. Final provisions
- This DPA enters into force upon acceptance of the Terms of Service and the creation of an Account in the Platform.
- The DPA remains in force for the entire term of the Agreement and, to the extent that this results from mandatory provisions of law, also after its termination.
- In the event of a conflict between the provisions of the DPA and the Terms of Service, the provisions of the DPA take precedence in matters of personal data protection.
- Matters not regulated herein are governed by the provisions of the RODO (GDPR), the Act of 10 May 2018 on the protection of personal data, and the generally applicable provisions of Polish law.
- The Processor reserves the right to amend the DPA, in particular in order to adapt its content to changes in the law. The Controller is informed of any changes at least 30 days in advance, via the Platform or by e-mail.
Processor: ZYNQ sp. z o.o. · NIP: 6462979033 · REGON: 384394091 · KRS: 0000804450
ul. Estetyczna 4, 43-100 Tychy · District Court Katowice-Wschód in Katowice, VIII Commercial Division of the National Court Register · Share capital: PLN 5,000
E-mail: kontakt@zynq.pl