Data Processing Agreement

Last updated: March 19, 2026

This Data Processing Agreement ("DPA") forms part of the Terms of Service between you and Gezar.

1. Parties

  • Data Controller ("Controller"): The Merchant who installs and uses the Teamco application
  • Data Processor ("Processor"): Gezar / Magnus Bo Nielsen, CVR 42476226, Denmark

2. Scope and Purpose

This DPA governs the processing of personal data by the Processor on behalf of the Controller in connection with the Teamco B2B employee purchasing portal service. The Processor processes personal data solely to provide the Service as described in the Terms of Service.

3. Processing Instructions

The Processor shall process personal data only on documented instructions from the Controller, including with regard to transfers of personal data to a third country. The Controller's instructions are defined by the configuration and use of the Teamco application. The Processor shall not process personal data for any other purpose.

4. Types of Personal Data Processed

  • Employee names (first name, last name)
  • Email addresses
  • Phone numbers and country codes
  • Company affiliation and role (Employee, Buyer, Admin)
  • Language preference
  • Order history and order details
  • Budget allocations and usage records
  • Size preferences
  • Group membership information
  • Shipping and billing addresses

5. Categories of Data Subjects

  • Employees of the Controller's B2B customers
  • Buyers and administrators designated by the Controller's customers
  • Applicants requesting company access through the portal

6. Duration of Processing

The Processor shall process personal data for the duration of the Controller's use of the Teamco service. Upon termination, the Processor shall delete all personal data within 30 days, unless the Controller requests data export (see Section 11).

7. Sub-Processors

The Controller authorizes the Processor to engage the following sub-processors:

Service | Purpose | Location
Shopify | E-commerce platform | Canada / US
Railway | Application hosting | US / EU
PostgreSQL (Railway) | Database storage | EU
Redis (Railway) | Caching | EU
Resend | Email delivery | US

The Processor shall notify the Controller at least 30 days in advance before adding or replacing a sub-processor. If the Controller objects to a new sub-processor, the Controller may terminate the Service.

8. Security Measures

The Processor implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including:

  • Encryption in transit: All data transmitted over TLS 1.2 or higher
  • Encryption at rest: Database encryption provided by hosting infrastructure
  • Access control: Role-based access with tenant isolation ensuring complete data separation between merchants
  • Authentication: Shopify OAuth for merchant access; token-based authentication for employee portal access
  • Security audits: Regular code review and vulnerability scanning
  • Timing-safe comparisons: All secret/token comparisons use cryptographically safe methods
  • Input validation: Parameterized queries, HTML sanitization, and XSS prevention
  • Incident response: Documented procedures for security incident handling

9. Data Breach Notification

The Processor shall notify the Controller without undue delay, and in any event within 72 hours after becoming aware of a personal data breach. The notification shall include:

  • The nature of the breach, including categories and approximate number of data subjects affected
  • The likely consequences of the breach
  • The measures taken or proposed to address the breach
  • Contact details for further information

10. Audit Rights

The Controller has the right to verify the Processor's compliance with this DPA. The Processor shall make available to the Controller all information necessary to demonstrate compliance with GDPR Article 28 obligations. Upon reasonable request, the Processor shall allow for and contribute to audits, including inspections, conducted by the Controller or a mandated auditor.

11. Data Deletion and Return

Upon termination of the Service:

  • The Controller may request a data export within 30 days of termination
  • After the 30-day period, the Processor shall permanently delete all personal data
  • The Processor shall confirm deletion in writing upon request
  • Data in backups will be deleted according to the backup rotation schedule (maximum 30 additional days)

12. International Transfers

Where personal data is transferred to sub-processors outside the EEA (specifically the United States), the Processor ensures adequate protection through the EU–US Data Privacy Framework and/or Standard Contractual Clauses (SCCs) as approved by the European Commission.

13. Governing Law

This DPA shall be governed by and construed in accordance with the laws of Denmark. Any disputes arising from this DPA shall be submitted to the exclusive jurisdiction of the courts of Copenhagen, Denmark.

14. Contact

For questions about this Data Processing Agreement:

  • Email: magnus@gezar.dk
  • Company: Gezar / Magnus Bo Nielsen (CVR 42476226)
  • Location: Denmark