Data Processing Agreement (DPA)

Last updated: 2 April 2026

Solarisflux - Unipessoal Lda · VAT PT518304426

Governing law: Portugal & European Union (including GDPR)

The software and services described herein are marketed as EcomFlux.

Preamble

This Data Processing Agreement (“DPA”) forms part of the agreement between you (“Customer”, “Controller”) and Solarisflux - Unipessoal Lda (“Processor”, “Solarisflux”) governing use of the EcomFlux Service. It supplements the Terms of Service and applies where Solarisflux processes personal data on behalf of Customer under GDPR Article 28.

By subscribing to or continuing to use the Service after this DPA is published at /legal/dpa, Customer accepts this DPA. Enterprise customers may execute a separate order form referencing this DPA.

1. Definitions

Capitalised terms not defined here have the meaning in the GDPR. “Personal Data”, “Processing”, “Controller”, “Processor”, “Sub-processor”, and “Data Subject” align with GDPR usage.

2. Subject matter, nature, and duration

Subject matter: processing of personal data to provide EcomFlux (B2B SaaS) including hosting, synchronisation, automation, logging, support, and security operations.

Nature of processing: collection, storage, organisation, retrieval, adaptation, disclosure by transmission, and erasure as required to operate the Service in line with Customer's configuration and documented instructions.

Duration: for the term of the subscription and as needed thereafter to comply with law, resolve disputes, and perform backups as described in the Privacy Policy.

3. Types of personal data and categories of data subjects

Depending on Customer's integrations, processing may include identifiers and contact details of Customer's personnel; and, where orders are synced, end-customer personal data such as name, delivery address, phone, and order-related identifiers strictly as necessary for fulfilment-related features Customer enables.

4. Customer instructions

Solarisflux processes personal data only on documented instructions from Customer, including via the Service configuration, unless EU or Portuguese law requires otherwise (in which case Solarisflux shall inform Customer unless prohibited).

5. Processor obligations (Article 28)

Solarisflux shall:

  • Ensure persons authorised to process personal data are bound by confidentiality;
  • Implement appropriate technical and organisational measures (see Section 7) taking into account the state of the art, costs, and risks;
  • Assist Customer, taking into account the nature of processing, in responding to Data Subject requests and in meeting security and breach-notification obligations, as reasonable and proportionate under the agreement;
  • At Customer's choice, delete or return personal data after the end of services, except where law requires retention;
  • Make available information reasonably necessary to demonstrate compliance and allow for audits conducted by Customer or a mutually agreed auditor, subject to confidentiality and security safeguards and reasonable frequency.

6. Sub-processors

Customer authorises Solarisflux to engage Sub-processors to support the Service. Solarisflux shall impose data protection terms on Sub-processors no less protective than this DPA.

Illustrative infrastructure Sub-processors (non-exhaustive; the list may evolve with notice):

  • Render Services, Inc. — application hosting and runtime infrastructure.
  • Supabase, Inc. — managed database and related backend services (data at rest within configurations chosen for production deployments).
  • Stripe, Inc. — payment processing and billing-related personal data strictly for subscription management.

Solarisflux will provide reasonable advance notice of changes to Sub-processors where required by GDPR, and Customer may object on documented data-protection grounds; if no reasonable alternative can be agreed within a reasonable period, either party may terminate the affected portion of the Service.

7. Security measures

Solarisflux implements measures including, where applicable:

  • Encryption of data in transit (e.g. TLS) and encryption for data at rest where supported;
  • Role-based access control, least-privilege credentials, and multi-factor options;
  • Logical separation of Customer environments and production access logging;
  • Patching, vulnerability management, and incident response procedures;
  • Backups and disaster-recovery practices aligned with service tier.

8. International transfers

Where personal data is transferred outside the EEA, Solarisflux shall implement appropriate safeguards under Chapter V GDPR (including Standard Contractual Clauses and supplementary measures where required).

9. Personal data breach

Solarisflux shall notify Customer without undue delay after becoming aware of a breach affecting Customer personal data, and shall provide information reasonably required for Customer to meet regulatory obligations.

10. Liability

Liability as between the parties for processing under this DPA is subject to the limitation of liability and exclusions set out in the Terms of Service, without prejudice to mandatory rights under GDPR.

11. Governing law

This DPA is governed by the laws of Portugal and the European Union, consistent with the Terms of Service.

12. Contact

Processor contact: privacy@ecom-flux.com

Solarisflux - Unipessoal Lda
VAT: PT518304426
Rua Dom Afonso Henriques 132
4950-854 Monção
Portugal