Data Processing Addendum (DPA)

Last modified: 29.06.2026 | Version 2.0

1. Introduction

This Data Processing Addendum ("DPA") forms part of, and is incorporated into, the Terms of Service ("Agreement") between Infoquest SRL, a company registered in Romania (Trade Registry No. J2003000464092, VAT ID: RO15538750), with registered office at Calea Calarasilor 319, Braila, Romania ("xConnector", "Processor", "we", "us") and the Shopify merchant using the xConnector application ("Merchant", "Controller", "you").

This DPA sets out the terms under which xConnector processes Personal Data on behalf of the Merchant in connection with the provision of the xConnector application ("App"), in accordance with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and any applicable national data protection legislation, including Romanian Law No. 190/2018.

In the event of any conflict between this DPA and the Agreement, this DPA shall prevail with respect to the processing of Personal Data.

2. Definitions

  • "Personal Data" means any information relating to an identified or identifiable natural person that is processed by xConnector on behalf of the Merchant through the App.
  • "Merchant Customer Data" means Personal Data of the Merchant's customers and order recipients processed through the App (names, addresses, phone numbers, emails, order data, fiscal identifiers).
  • "Merchant Account Data" means data relating to the Merchant's own account, employees, and App users (login credentials, IP addresses, browser metadata, billing information). Merchant Account Data is processed by xConnector as an independent controller and is governed by the Privacy Policy, not this DPA.
  • "Processing" means any operation or set of operations performed on Personal Data, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure, or destruction.
  • "Data Subject" means the identified or identifiable natural person to whom the Personal Data relates.
  • "Sub-processor" means any third party engaged by xConnector (not at the Merchant's direction) to process Merchant Customer Data on behalf of the Merchant.
  • "Merchant-Directed Recipient" means a third-party service (courier, ERP/invoicing system, printing service) that the Merchant connects and configures through the App, to which xConnector transmits data on the Merchant's documented instruction.
  • "Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed.
  • "Supervisory Authority" means an independent public authority responsible for monitoring the application of data protection legislation, including the Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP).
  • "Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for the transfer of personal data to processors in third countries adopted by the European Commission (Commission Implementing Decision (EU) 2021/914).

3. Roles and Scope

3.1 Roles

The Merchant acts as the Data Controller — the Merchant determines the purposes and means of processing Merchant Customer Data by configuring the App, connecting third-party services, and initiating data processing operations (e.g., generating shipping labels, invoices, fulfillment updates).

xConnector acts as the Data Processor — xConnector processes Merchant Customer Data solely on behalf of the Merchant and in accordance with the Merchant's documented instructions as expressed through the App's configuration and usage.

xConnector acts as an independent Data Controller with respect to Merchant Account Data (see Section 2). This processing is governed by the Privacy Policy.

3.2 Distinction from Shopify

The Merchant's Shopify store is the source platform from which xConnector receives order data via Shopify's APIs. Shopify Inc. is not an xConnector sub-processor. The relationship between the Merchant and Shopify is governed by Shopify's own terms of service and Data Processing Addendum. xConnector accesses Shopify data solely through API credentials granted by the Merchant during App installation.

3.3 Duration of Processing

Processing begins when the Merchant installs the App and connects their Shopify store, and continues for the duration of the Agreement. Upon termination, processing ceases in accordance with Section 13 of this DPA.

4. Details of Processing (Annex I)

4.1 Subject Matter and Purpose

Processing of Merchant Customer Data to provide the App's middleware functionality: receiving order data from Shopify, transmitting shipping data to courier platforms, transmitting invoice data to ERP/invoicing systems, synchronizing inventory, generating documents (AWBs, invoices, picking lists, return documents), and displaying operational data within the App.

4.2 Nature of Processing

Collection (via Shopify API), storage (in xConnector's database), structuring, organization, retrieval, consultation, use, transmission (to Merchant-Directed Recipients), display (within the App interface), and erasure.

4.3 Categories of Data Subjects

  • Customers and order recipients of the Merchant
  • Shipping recipients (where different from the customer)

4.4 Types of Personal Data

Order and Shipping Data:

  • Full name (first name, last name, company name)
  • Shipping and billing addresses (street, city, county/province, postal code, country)
  • Phone number(s)
  • Email address
  • Order contents (products, quantities, prices)
  • Cash-on-delivery (COD) amounts
  • Package weight and dimensions
  • Delivery instructions or notes

Identifiers and Operational Metadata:

  • Shopify order IDs and internal xConnector reference numbers
  • AWB (tracking) numbers and courier response data
  • Fulfillment status and history
  • Return and refund records
  • Picking list assignments and warehouse operational data
  • Invoice numbers and document references

Invoice and Fiscal Data (where Merchant configures invoicing):

  • Customer name and address (as invoiced)
  • Fiscal identification codes (CUI/CIF)
  • VAT registration numbers

Note on CNP and national identifiers: The App does not collect or require the Romanian CNP (Personal Numeric Code) or equivalent national identification numbers. If the Merchant enters such identifiers in free-text fields, such data remains subject to all security, access control, and deletion obligations under this DPA. However, xConnector does not apply field-level validation or masking to free-text inputs. The Merchant is solely responsible for ensuring a lawful basis for submitting national identifiers under GDPR Article 87 and Romanian Law No. 190/2018.

4.5 Merchant's Instructions

The Merchant's documented instructions to xConnector consist of:

  • The Agreement and this DPA;
  • The Merchant's App configuration (connected services, field mappings, automation rules);
  • The Merchant's operational use of the App (initiating label generation, invoice creation, order sync).

xConnector shall immediately inform the Merchant if, in xConnector's opinion, an instruction infringes the GDPR or other applicable data protection law.

5. Processor Obligations

5.1 Lawful Processing

xConnector shall:

  • Process Merchant Customer Data only on the Merchant's documented instructions (as defined in Section 4.5), unless required to do so by EU or Romanian law — in which case, xConnector shall inform the Merchant of that legal requirement before processing, unless prohibited by law from doing so;
  • Not process Merchant Customer Data for any purpose other than providing the App's functionality as described in this DPA.

5.2 Confidentiality

xConnector shall:

  • Ensure that all persons authorized to process Merchant Customer Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
  • Limit access to Merchant Customer Data to personnel who require such access to perform services under the Agreement, on a need-to-know, least-privilege basis.

5.3 Security Measures (Article 32)

xConnector shall implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as detailed in Annex II (Section 18). These measures are subject to periodic review and improvement.

5.4 Sub-processing

xConnector shall:

  • Not engage a Sub-processor without the Merchant's prior general written authorization, which is granted by the Merchant's acceptance of this DPA;
  • Maintain a current list of Sub-processors (see Section 7);
  • Inform the Merchant of any intended addition or replacement of Sub-processors in accordance with Section 7.2;
  • Impose data protection obligations no less protective than those in this DPA on each Sub-processor by way of a written contract;
  • Remain fully liable to the Merchant for the performance of each Sub-processor's data protection obligations.

5.5 Data Subject Rights Assistance

xConnector shall, taking into account the nature of the processing, assist the Merchant by appropriate technical and organizational measures, insofar as possible, for the fulfillment of the Merchant's obligation to respond to Data Subject requests under GDPR Articles 15–22 (see Section 11).

5.6 Compliance Assistance

xConnector shall assist the Merchant in ensuring compliance with its obligations under GDPR Articles 32 to 36 (security, breach notification, data protection impact assessments, prior consultation), taking into account the nature of processing and the information available to xConnector.

5.7 Deletion and Return

Upon termination of the Agreement, xConnector shall delete or return Merchant Customer Data at the Merchant's choice, in accordance with Section 13.

5.8 Audit and Demonstration

xConnector shall make available to the Merchant all information necessary to demonstrate compliance with this DPA and GDPR Article 28, and allow for and contribute to audits as described in Section 9.

5.9 Records of Processing Activities

xConnector shall maintain a record of processing activities carried out on behalf of each Merchant (controller) in accordance with GDPR Article 30(2), including: the name and contact details of the processor and of each controller on whose behalf the processor acts, the categories of processing carried out on behalf of each controller, transfers to third countries (including the recipient and transfer mechanism), and a general description of technical and organizational security measures.

5.10 Supervisory Authority Cooperation

xConnector shall cooperate, on request, with the Supervisory Authority in the performance of its tasks, in accordance with GDPR Article 31.

6. Controller Obligations

The Merchant, as Data Controller, shall:

  • Ensure that it has a lawful basis for processing Personal Data transmitted to xConnector (e.g., legitimate interest, contract performance, or consent as applicable);
  • Provide appropriate privacy notices to Data Subjects informing them of the processing carried out through the App;
  • Ensure the accuracy and completeness of Personal Data provided to xConnector;
  • Not use the App to process special categories of Personal Data (GDPR Article 9) unless separately agreed in writing;
  • Comply with all applicable data protection legislation in its capacity as Data Controller;
  • Promptly notify xConnector of any Data Subject requests that require xConnector's assistance;
  • Ensure that its instructions to xConnector comply with applicable law;
  • Maintain its own appropriate data processing agreements with each Merchant-Directed Recipient it connects through the App.

7. Sub-processors and Merchant-Directed Recipients

7.1 xConnector Sub-processors

xConnector engages the following Sub-processors for infrastructure and operational purposes. These are xConnector's own service providers, not services selected or configured by the Merchant:

| Legal Entity | Country | Purpose | Data Processed |
|---|---|---|---|
| Hetzner Online GmbH | Germany (EU) | Cloud infrastructure — servers, storage, networking, backups | All Merchant Customer Data stored in the App |

Services that are fully self-hosted on Hetzner infrastructure (e.g., self-hosted monitoring, self-hosted databases) are not separate Sub-processors — they are covered by the Hetzner entry above. If xConnector engages additional Sub-processors in the future, the Merchant will be notified in accordance with Section 7.2.

The current Sub-processor list is maintained in this DPA and is also available upon request via privacy@xconnector.app.

7.2 Changes to Sub-processors

xConnector shall notify the Merchant of any intended addition or replacement of Sub-processors by email or in-app notification at least fourteen (14) days in advance.

The Merchant may object to the appointment of a new Sub-processor by notifying xConnector in writing within fourteen (14) days of receiving notice. If the Merchant objects on reasonable data protection grounds and xConnector cannot reasonably accommodate the objection (e.g., by using an alternative Sub-processor or isolating the Merchant's data), either party may terminate the Agreement with respect to the affected services without penalty.

7.3 Merchant-Directed Recipients

The following third-party services are classified as Merchant-Directed Recipients (not xConnector Sub-processors) because the Merchant independently: (a) holds a direct contractual relationship and account with the service, (b) provides its own API credentials to xConnector for integration, and (c) selects and configures which service to use. xConnector acts solely as a technical conduit transmitting data on the Merchant's instruction — xConnector does not contract with, resell, or host these services.

If xConnector were to introduce a service where xConnector holds the primary contract, controls the account, or processes data independently of the Merchant's credentials, that service would be classified as a Sub-processor under Section 7.1.

| Category | Examples | Data Transmitted |
|---|---|---|
| Courier Platforms | Sameday, FanCourier, Cargus, DPD, GLS, and others as configured | Recipient name, address, phone, package details, COD amounts |
| ERP/Invoicing Systems | SmartBill, Oblio, Nexus ERP, and others as configured | Customer name, address, fiscal ID, order amounts, invoice details |
| Printing Services | PrintNode (where enabled by Merchant) | Document content (labels, invoices) sent for printing |

The Merchant is responsible for:

  • Ensuring it has an appropriate legal relationship (including any necessary DPA) with each Merchant-Directed Recipient;
  • Verifying that each Merchant-Directed Recipient provides adequate data protection guarantees;
  • The accuracy and completeness of data transmitted to Merchant-Directed Recipients via the App.

xConnector facilitates the data transmission as instructed but does not control or determine the processing carried out by Merchant-Directed Recipients after transmission.

8. Shopify Platform Compliance

8.1 Shopify Privacy Webhooks

xConnector implements Shopify's mandatory privacy compliance webhooks:

  • `customers/data_request` — upon receiving a verified (HMAC-authenticated) request, xConnector provides the Merchant with the customer's stored data or confirms that export tools are available within the App;
  • `customers/redact` — upon receiving a verified request, xConnector deletes or anonymizes the identified customer's Personal Data within thirty (30) days, except where retention is required by applicable law (e.g., fiscal retention obligations for invoices);
  • `shop/redact` — upon App uninstallation and receiving a verified request, xConnector deletes or anonymizes the Merchant's store data within thirty (30) days of the verified webhook, except where retention is required by applicable law (see Section 13.3). This Shopify-mandated 30-day deadline takes precedence over the general termination timelines in Section 13.2 where applicable.

8.2 Shopify Protected Customer Data

xConnector accesses Shopify Protected Customer Data (customer name, email, phone, address) as necessary to provide the App's functionality. xConnector handles this data in accordance with Shopify's data protection requirements and the security measures described in Annex II.

9. Audits

9.1 Information Rights

xConnector shall make available to the Merchant, upon reasonable request, information necessary to demonstrate compliance with this DPA and GDPR Article 28.

9.2 Audit Procedure

The Merchant may conduct or commission an audit of xConnector's processing activities, subject to the following conditions:

  • The Merchant shall provide at least thirty (30) days' written notice;
  • Audits shall be conducted during normal business hours and shall not unreasonably disrupt xConnector's operations;
  • The auditor shall execute a confidentiality agreement before accessing xConnector's systems or documentation;
  • The audit scope shall be limited to xConnector's processing of Merchant Customer Data under this DPA;
  • The Merchant shall bear its own costs of conducting the audit.

9.3 Alternative Evidence

xConnector may initially satisfy audit requests by providing, where available: a completed security questionnaire, a summary of technical and organizational measures, penetration test summaries (redacted for third-party confidentiality), relevant certifications (SOC 2, ISO 27001, where obtained), or other equivalent evidence of compliance. If such evidence reasonably addresses the Merchant's audit objectives, an on-site inspection may not be required for that audit cycle. However, the Merchant retains the right to conduct or commission an on-site inspection where: (i) the alternative evidence is insufficient to address the Merchant's reasonable concerns; (ii) a Data Breach has occurred; (iii) the Merchant has reasonable grounds to suspect non-compliance; or (iv) an inspection is required by the Supervisory Authority or applicable law.

9.4 Frequency

The Merchant may conduct no more than one (1) audit per twelve-month period, unless a Data Breach or Supervisory Authority investigation necessitates an additional audit.

9.5 Regulatory Audits

Notwithstanding the above limitations, xConnector shall cooperate with audits or inspections conducted by or on behalf of a Supervisory Authority, without the frequency or notice limitations in Sections 9.2–9.4.

10. Data Breach Notification

10.1 Notification Obligation

xConnector shall notify the Merchant without undue delay, and in any event within forty-eight (48) hours of becoming aware of a Data Breach affecting Merchant Customer Data. Initial notification may be made with incomplete information, followed by supplementary updates as further details become available.

10.2 Notification Content

The notification shall include, to the extent reasonably available at the time:

  • A description of the nature of the Data Breach, including the categories and approximate number of Data Subjects and records concerned;
  • The name and contact details of xConnector's data protection contact;
  • A description of the likely consequences of the Data Breach;
  • A description of the measures taken or proposed to address the Data Breach, including mitigation measures.

10.3 Cooperation

xConnector shall cooperate with the Merchant and take reasonable steps to assist in the investigation, mitigation, and remediation of the Data Breach. xConnector shall assist the Merchant in fulfilling its obligations to notify the Supervisory Authority (GDPR Article 33) and affected Data Subjects (GDPR Article 34).

10.4 Record-Keeping

xConnector shall maintain a log of all Data Breaches, including those not requiring notification, in accordance with GDPR Article 33(5).

10.5 Limitations

The notification of or response to a Data Breach shall not be construed as an acknowledgment of fault or liability by xConnector.

11. Data Subject Rights

11.1 Assistance

xConnector shall assist the Merchant in responding to Data Subject requests under GDPR Articles 15–22:

  • Right of access (Article 15)
  • Right to rectification (Article 16)
  • Right to erasure (Article 17)
  • Right to restriction of processing (Article 18)
  • Right to data portability (Article 20)
  • Right to object (Article 21)

11.2 Procedure

If xConnector receives a request directly from a Data Subject regarding Merchant Customer Data, xConnector shall:

  • Not respond to the Data Subject directly (unless required by law);
  • Promptly (within five (5) business days) redirect the Data Subject to the Merchant;
  • Notify the Merchant of the request.

11.3 Self-Service Tools

Where technically feasible, xConnector provides the Merchant with self-service tools within the App to search, access, export, and delete customer data. The Merchant should use these tools as a first step. Where self-service is insufficient, xConnector shall provide manual assistance within a reasonable timeframe (not exceeding fifteen (15) business days).

11.4 Deletion Propagation

When the Merchant requests erasure of a Data Subject's data, xConnector shall delete the data from its own systems. xConnector cannot delete data already transmitted to Merchant-Directed Recipients (couriers, ERPs) — the Merchant must contact those services directly.

12. International Data Transfers

12.1 Processing Location

xConnector processes and stores Merchant Customer Data within the European Union. Primary infrastructure is hosted in Hetzner data centers in Germany.

12.2 xConnector Transfers

xConnector shall not transfer Merchant Customer Data outside the EEA unless:

  • The transfer is to a country recognized by the European Commission as providing an adequate level of data protection (adequacy decision); or
  • Standard Contractual Clauses (SCCs), Module 3 (processor to sub-processor) as approved by Commission Implementing Decision (EU) 2021/914, are in place with the recipient.

If xConnector adds a Sub-processor outside the EEA, the notification under Section 7.2 shall include the country, the legal transfer mechanism, and a summary of any transfer impact assessment conducted.

12.3 Merchant-Directed Transfers

When the Merchant connects a Merchant-Directed Recipient that processes data outside the EEA, the Merchant acknowledges that the transfer is made on the Merchant's instruction. The Merchant is responsible for ensuring that adequate safeguards (adequacy decision, SCCs, or other lawful mechanism) are in place with the Merchant-Directed Recipient.

xConnector shall, upon request, inform the Merchant of the known processing locations of Merchant-Directed Recipients to the extent this information is publicly available or known to xConnector.

12.4 Government Access Requests

If xConnector receives a request from a law enforcement or government authority for access to Merchant Customer Data, xConnector shall:

  • Notify the Merchant promptly, unless prohibited by law;
  • Challenge the request where there are reasonable grounds to consider it unlawful;
  • Provide only the minimum amount of data required to comply;
  • Document and log all such requests.

13. Data Retention and Deletion

13.1 Retention During the Agreement

| Data Type | Retention Period |
|---|---|
| Order data (customer name, address, phone, email, order details) | Duration of the Agreement |
| Generated documents (AWBs, invoices, picking lists) | Duration of the Agreement |
| AWB tracking numbers and courier responses | Duration of the Agreement |
| Print job records | 90 days |
| App usage logs and audit trails | 12 months rolling |
| System backups containing Merchant Customer Data | Maximum 30 days (backup rotation) |

The Merchant may delete individual orders or customer records through the App's interface where such functionality is available.

13.2 Upon Termination — Merchant's Choice

Upon termination of the Agreement (uninstallation of the App), the Merchant may, within thirty (30) days of termination:

(a) Request data return then deletion: xConnector shall provide the Merchant with an export of Merchant Customer Data in a structured, commonly used, machine-readable format (JSON or CSV). The Merchant should use in-App export tools before uninstallation where possible. After confirming successful delivery of the export, xConnector shall delete all active copies of Merchant Customer Data within thirty (30) days. Data in system backups shall be purged through the standard backup rotation schedule (maximum 30 days after active deletion).

(b) Request immediate deletion (no return): xConnector shall delete Merchant Customer Data from its active systems within thirty (30) days of receiving the request. Data in system backups shall be purged through the standard backup rotation schedule (maximum 30 days after active deletion).

(c) No request: If the Merchant does not make a request within thirty (30) days of termination, xConnector shall delete Merchant Customer Data within sixty (60) days of termination. Backup purge follows the standard rotation schedule.

13.3 Lawful Retention Exceptions

xConnector may retain Merchant Customer Data beyond the periods above where required by applicable law, including:

  • Fiscal and accounting retention obligations under Romanian law;
  • Legal proceedings, regulatory investigations, or dispute resolution;
  • Obligations under tax, anti-money laundering, or other regulatory frameworks.

Retained data shall be processed only for the legally required purpose and shall be deleted when the retention obligation expires.

13.4 Deletion Confirmation

Upon the Merchant's written request, xConnector shall confirm in writing that the deletion of Merchant Customer Data has been completed, specifying any data retained under lawful retention exceptions.

13.5 Anonymized Data

xConnector may retain data that has been irreversibly anonymized such that it can no longer be attributed to any identifiable natural person, even in combination with other data. Anonymized data is not Personal Data and is not subject to this DPA. xConnector shall not attempt to re-identify anonymized data.

14. Data Protection Impact Assessments

Where the Merchant is required to carry out a Data Protection Impact Assessment (DPIA) under GDPR Article 35 in relation to processing performed through the App, xConnector shall provide reasonable assistance and information necessary for the Merchant to complete the assessment, taking into account the nature of processing and the information available to xConnector. xConnector shall maintain records relevant to DPIA support.

15. Liability

The liability of each party under this DPA is subject to the limitations and exclusions of liability set out in the Agreement (Terms of Service), except that the following carve-outs override both the liability caps and the category exclusions in the Agreement:

  • Breaches of confidentiality obligations under this DPA;
  • Breaches of GDPR obligations that cannot be limited by applicable law;
  • Indemnification obligations arising from a party's breach of this DPA;
  • Liability to Data Subjects under GDPR Article 82 (right to compensation);
  • Regulatory fines or penalties imposed by a Supervisory Authority to the extent attributable to a party's breach.

For these carve-outs, neither party's aggregate liability shall be limited below the total fees paid by the Merchant to xConnector during the twelve (12) months preceding the event giving rise to the claim. Nothing in this DPA limits either party's liability to Data Subjects or Supervisory Authorities where such limitation is prohibited by applicable law.

16. Amendments

xConnector may update this DPA from time to time to reflect changes in data protection legislation, regulatory guidance, or xConnector's processing activities. Updates shall not materially reduce the data protection safeguards provided under this DPA without the Merchant's consent.

Material changes will be communicated to the Merchant with at least thirty (30) days' advance notice through email, in-app notification, or notice on the xConnector website. If the Merchant objects to a material change on reasonable data protection grounds, the Merchant may terminate the Agreement without penalty within thirty (30) days of the notice.

Continued use of the App after the effective date of non-objected changes constitutes acceptance of the updated DPA.

17. Governing Law and Jurisdiction

This DPA shall be governed by and construed in accordance with the laws of Romania, without regard to its conflict of law principles. For matters relating to GDPR enforcement, the provisions of GDPR and the applicable decisions of the relevant Supervisory Authority shall prevail.

Any disputes arising out of or in connection with this DPA shall be submitted to the exclusive jurisdiction of the competent courts at xConnector's registered seat in Romania, unless mandatory provisions of applicable law require otherwise.

18. Annex II — Technical and Organizational Measures (TOMs)

xConnector implements the following technical and organizational measures to protect Merchant Customer Data. These measures are reviewed periodically and updated as appropriate.

18.1 Encryption

  • In transit: All data transmitted between the App and external services (Shopify, couriers, ERPs, browsers) is encrypted using TLS 1.2 or higher.
  • At rest: Database storage and backups are encrypted using AES-256 or equivalent.

18.2 Access Control

  • Authentication: App users authenticate via Shopify OAuth. API access requires unique API keys per merchant.
  • Role-based access: The App supports role-based access control; merchants configure user permissions within the App.
  • Least privilege: Internal staff access to production systems and Merchant Customer Data is restricted to personnel who require it for operational support, on a need-to-know basis.
  • Multi-factor authentication (MFA): Required for xConnector staff accessing production infrastructure.

18.3 Infrastructure Security

  • Hosting: Production infrastructure hosted in Hetzner data centers in Germany (EU), with physical security measures managed by Hetzner.
  • Network security: Firewall rules, network segmentation, and restricted access to production environments.
  • Environment separation: Production, staging, and development environments are logically separated. Merchant Customer Data is not used in development or testing.

18.4 Credential and Secret Management

  • Merchant API keys, courier credentials, and ERP credentials are stored encrypted and are not accessible in plaintext through the App interface.
  • xConnector staff do not have routine access to merchant third-party credentials.

18.5 Monitoring and Logging

  • Access to Merchant Customer Data is logged.
  • System and security logs are maintained and reviewed for anomalies.
  • Automated monitoring for infrastructure availability and security events.

18.6 Vulnerability Management and Regular Testing

  • Dependencies and infrastructure are updated regularly to address known vulnerabilities.
  • Security patches for critical vulnerabilities are applied promptly.
  • Regular testing and evaluation of the effectiveness of technical and organizational measures is conducted in accordance with GDPR Article 32(1)(d).
  • Access rights are reviewed periodically and revoked when no longer required.

18.7 Incident Response

  • xConnector maintains an incident response procedure covering identification, containment, eradication, recovery, notification, and post-incident review.
  • Data Breach notification follows the timeline in Section 10.

18.8 Business Continuity

  • Regular automated backups with tested restoration procedures.
  • Backup retention does not exceed 30 days.
  • Recovery procedures documented and periodically tested.

18.9 Staff and Organizational Measures

  • All xConnector personnel with access to Merchant Customer Data are bound by confidentiality obligations.
  • Data protection awareness is part of onboarding and ongoing operations.

18.10 Tenant Isolation

  • Merchant data is logically isolated using merchant-specific identifiers (merchantId). All data queries are scoped to the authenticated merchant.

19. Contact

For questions or requests related to this DPA or data protection:

  • Data Protection Contact: privacy@xconnector.app
  • Support: support@xconnector.app
  • Company: Infoquest SRL
  • Registered office: Calea Calarasilor 319, Braila, Romania
  • Trade Registry: J2003000464092
  • VAT ID: RO15538750
  • Supervisory Authority: ANSPDCP (Autoritatea Nationala de Supraveghere a Prelucrarii Datelor cu Caracter Personal), Bucharest, Romania — www.dataprotection.ro

This Data Processing Addendum was last reviewed on 29.06.2026.