Data Processing Agreement (DPA)
This Data Processing Agreement (DPA) is entered into between you (the data controller) and ICS4BIZ & IT SRL (company reg. no. 40365405), operating as MEGZO Integrator Vortex (the data processor). It governs the processing of personal data by MEGZO on your behalf and forms part of, and is incorporated into, the per-client service agreement.
Roles of the parties
This Data Processing Agreement governs MEGZO's processing of personal data on your behalf. You are the controller; MEGZO is the processor. MEGZO processes personal data only on your documented instructions, including the configuration you set in your vendor panel and the integration flows you enable.
Subject-matter, nature & purpose
- Subject-matter: synchronising order, catalog, stock and price data between your ERP and your sales channels.
- Nature & purpose: performing the integration service — creating Sales Orders from channel orders, syncing stock and prices, attaching already-produced invoice PDFs, and handing back tracking data.
- Duration: for the term of the service.
Categories of data & data subjects
Data subjects: the buyers behind orders placed on your sales channels. Categories of personal data (minimised to what an order requires):
- Identifiers — buyer name and the channel's order/customer reference.
- Contact details — email and/or phone where the channel provides them.
- Delivery / billing address.
- Order content — products, quantities, prices, currency and status.
No special-category data is sought, and no payment-card data is stored by MEGZO.
Processor obligations
MEGZO will:
- process personal data only on your documented instructions;
- ensure personnel are bound by confidentiality;
- implement the technical and organisational measures described below;
- assist you, taking account of the nature of processing, with data-subject requests and with your security, breach-notification and impact-assessment obligations;
- notify you without undue delay on becoming aware of a personal-data breach;
- make available the information needed to demonstrate compliance.
Technical & organisational measures
MEGZO maintains, at minimum, the following measures — all implemented in the platform itself:
- Encryption at rest: AES-256-GCM for credentials; the master key in Worker Secrets, per-tenant ciphertext in the database; secrets decrypted in-memory only, never logged, never returned to the UI.
- Encryption in transit: TLS for all external and admin traffic.
- Tenant isolation: database row-level security (RLS) keyed on tenant.
- Boundary authentication: Standard-Webhooks HMAC verification of every inbound webhook, with a replay window, before processing.
- Log hygiene: no bodies, credentials, tokens or auth headers in logs — references and hashes only.
- Least privilege: scoped service credentials; admin UI behind Cloudflare Access with a locked CSP.
- Observability: one trace per flow execution for auditable, end-to-end traceability.
Sub-processors
You authorise MEGZO to engage the infrastructure sub-processors below. MEGZO imposes data-protection obligations on each sub-processor and remains responsible for their performance. MEGZO will inform you of intended changes and give you the opportunity to object.
| Sub-processor | Purpose | Region |
|---|---|---|
| Cloudflare, Inc. | Edge compute & storage (Workers, R2 blob, Queues, Durable Objects, Hyperdrive) | Global (EU data localization available) |
| Neon, Inc. | Managed PostgreSQL control-plane database (accessed via Cloudflare Hyperdrive) | EU region |
International transfers
Where personal data is transferred outside the EEA via a sub-processor, the transfer relies on an appropriate safeguard under Chapter V of the GDPR, such as EU Standard Contractual Clauses. EU regions are used for the control-plane database; client-specific data-localisation can be agreed in the per-client service agreement.
Retention, return & deletion
MEGZO does not retain order PII as a standalone archive. The dead-letter queue, used to retry failed syncs, is purged automatically on a rolling window enforced in code (DLQ_RETENTION_DAYS, default 30 days). On termination, MEGZO returns and/or deletes control-plane personal data per your instruction, save where retention is required by law.
Audit & demonstrating compliance
MEGZO will make available the information reasonably necessary to demonstrate compliance with this DPA and will contribute to audits and inspections conducted by you or an auditor appointed by you, provided that (a) reasonable advance notice is given, (b) audits are conducted during business hours and do not unreasonably disrupt operations, and (c) the parties agree on the cost-allocation in advance. MEGZO may satisfy an audit request by providing a current third-party certification or audit report where available.
Contact
Questions about this document or a data-subject / data-controller request: office@megzo.biz. We respond as described above and route requests to the responsible operator. Data controller and service operator: ICS4BIZ & IT SRL (operator of MEGZO Integrator Vortex, company reg. no. 40365405).