Data Processing Agreement (DPA)

Last updated: 2 April 2026

Doric Algorithm - Lda · VAT PT519368541

Governing law: Portugal & European Union (including GDPR)

The software and services described herein are marketed as EcomFlux.

Counsel review required for enterprise use

This page is informational and may be updated. It is not a substitute for jurisdiction-specific legal advice. Before procurement, security review, or signing a DPA or order form, have qualified counsel review this text together with your privacy, security, and commercial requirements.

  • Do not treat this as final contract language until counsel approves.
  • Sub-processor and infrastructure lists elsewhere on the site may be illustrative or non-exhaustive — confirm against your vendor due diligence.

Preamble

This Data Processing Agreement (“DPA”) forms part of the agreement between you (“Customer”, “Controller”) and Doric Algorithm - Lda (“Processor”, “Doric Algorithm”) governing use of the EcomFlux Service. It supplements the Terms of Service and applies where Doric Algorithm processes personal data on behalf of Customer under GDPR Article 28.

By subscribing to or continuing to use the Service after this DPA is published at /legal/dpa, Customer accepts this DPA. Enterprise customers may execute a separate order form referencing this DPA.

1. Definitions

Capitalised terms not defined here have the meaning in the GDPR. “Personal Data”, “Processing”, “Controller”, “Processor”, “Sub-processor”, and “Data Subject” align with GDPR usage.

2. Subject matter, nature, and duration

Subject matter: processing of personal data to provide EcomFlux (B2B SaaS) including hosting, synchronisation, automation, logging, support, and security operations.

Nature of processing: collection, storage, organisation, retrieval, adaptation, disclosure by transmission, and erasure as required to operate the Service in line with Customer's configuration and documented instructions.

Duration: for the term of the subscription and as needed thereafter to comply with law, resolve disputes, and perform backups as described in the Privacy Policy.

3. Types of personal data and categories of data subjects

Depending on Customer's integrations, processing may include identifiers and contact details of Customer's personnel; and, where orders are synced, end-customer personal data such as name, delivery address, phone, and order-related identifiers strictly as necessary for fulfilment-related features Customer enables.

4. Customer instructions

Doric Algorithm processes personal data only on documented instructions from Customer, including via the Service configuration, unless EU or Portuguese law requires otherwise (in which case Doric Algorithm shall inform Customer unless prohibited).

5. Processor obligations (Article 28)

Doric Algorithm shall:

  • Ensure persons authorised to process personal data are bound by confidentiality;
  • Implement appropriate technical and organisational measures (see Section 7) taking into account the state of the art, costs, and risks;
  • Assist Customer, taking into account the nature of processing, in responding to Data Subject requests and in meeting security and breach-notification obligations, as reasonable and proportionate under the agreement;
  • At Customer's choice, delete or return personal data after the end of services, except where law requires retention;
  • Make available information reasonably necessary to demonstrate compliance and allow for audits conducted by Customer or a mutually agreed auditor, subject to confidentiality and security safeguards and reasonable frequency.

6. Sub-processors

Customer authorises Doric Algorithm to engage Sub-processors to support the Service. Doric Algorithm shall impose data protection terms on Sub-processors no less protective than this DPA.

Illustrative infrastructure Sub-processors (non-exhaustive; see also the Sub-processors page; the list may evolve with notice):

  • Render Services, Inc. — application hosting and runtime infrastructure.
  • Supabase, Inc. — managed database and related backend services (data at rest within configurations chosen for production deployments).
  • Stripe, Inc. — payment processing and billing-related personal data strictly for subscription management.

Doric Algorithm will provide reasonable advance notice of changes to Sub-processors where required by GDPR, and Customer may object on documented data-protection grounds; if no reasonable alternative can be agreed within a reasonable period, either party may terminate the affected portion of the Service.

7. Security measures

Doric Algorithm implements measures including, where applicable:

  • Encryption of data in transit (e.g. TLS) and encryption for data at rest where supported;
  • Role-based access control, least-privilege credentials, and multi-factor options;
  • Logical separation of Customer environments and production access logging;
  • Patching, vulnerability management, and incident response procedures;
  • Backups and disaster-recovery practices aligned with service tier.

8. International transfers

Where personal data is transferred outside the EEA, Doric Algorithm shall implement appropriate safeguards under Chapter V GDPR (including Standard Contractual Clauses and supplementary measures where required).

9. Personal data breach

Doric Algorithm shall notify Customer without undue delay after becoming aware of a breach affecting Customer personal data, and shall provide information reasonably required for Customer to meet regulatory obligations.

10. Liability

Liability as between the parties for processing under this DPA is subject to the limitation of liability and exclusions set out in the Terms of Service, without prejudice to mandatory rights under GDPR.

11. Governing law

This DPA is governed by the laws of Portugal and the European Union, consistent with the Terms of Service.

12. Contact

Processor contact: doricalgorithm@gmail.com

Doric Algorithm - Lda
VAT: PT519368541
Largo Barão de São Martinho, nº 13, 4º, sala H
4700-306 Braga
Portugal