How Bamzal processes personal data on a merchant's behalf (GDPR Article 28).
Last updated: June 19, 2026
This Data Processing Addendum ("DPA") forms part of, and is incorporated by reference into, the Terms of Service (the "Agreement") between the merchant ("Controller", "you") and Bamzal Ltd. ("Processor", "Bamzal", "we"). It governs Bamzal's processing of personal data on the Controller's behalf and is designed to satisfy Article 28 of the EU/UK GDPR and equivalent requirements of other applicable data-protection laws ("Data Protection Law"). Where this DPA conflicts with the Agreement on data protection, this DPA prevails.
The merchant is the controller and Bamzal is the processor of the personal data the merchant makes available through the service. For limited processing Bamzal carries out for its own purposes (account, billing, security, fraud prevention, aggregated/de-identified data, and independently collected public market data), Bamzal is an independent controller as described in the Privacy Policy, outside this DPA. The merchant is responsible for the lawfulness of the data and instructions it provides, including a valid legal basis and all required notices and consents from data subjects.
Bamzal processes personal data only on the merchant's documented instructions — the Agreement, this DPA, the Privacy Policy, and the merchant's configuration and actions in the service — unless required otherwise by law. Bamzal will inform the merchant if, in its opinion, an instruction infringes Data Protection Law.
Persons authorized to process the data are bound by confidentiality. Bamzal implements appropriate technical and organizational measures (Annex B) under Article 32, including TLS 1.2+ in transit, encryption at rest, AES-256-GCM for stored tokens, tenant isolation, least-privilege access, rate limiting, audit logging, and kill-switches.
The merchant generally authorizes Bamzal to engage sub-processors (Annex C and the Privacy Policy; specific list on request). Bamzal imposes data-protection terms on each that are no less protective than this DPA and remains responsible for them. Bamzal gives reasonable notice of new or replacement sub-processors and the merchant may object on reasonable data-protection grounds; if unresolved, the merchant may stop the affected feature or terminate.
Taking into account the nature of processing, Bamzal assists the merchant (so far as reasonably possible) with data-subject requests and with security, breach notification, and DPIAs (Articles 32–36). Bamzal notifies the merchant without undue delay of a personal data breach affecting the merchant's data. On termination, Bamzal deletes or returns the data (and deletes copies) unless retention is legally required; standard behavior is deletion per the Privacy Policy (token revocation on uninstall; shop deletion on Shopify shop/redact). Bamzal makes available information to demonstrate compliance and allows audits on reasonable notice, subject to confidentiality, and may satisfy them via certifications or written responses.
Bamzal operates from Israel (EU adequacy) and uses sub-processors in various countries, including the US and EU. Where Data Protection Law requires a transfer mechanism, the European Commission's Standard Contractual Clauses (and the UK Addendum, where applicable) are incorporated into this DPA by reference, and Bamzal ensures equivalent mechanisms with sub-processors.
Liability under this DPA is subject to the limitations in the Agreement. This DPA applies for as long as Bamzal processes personal data on the merchant's behalf and is governed by the law and jurisdiction of the Agreement, except where Data Protection Law requires otherwise.
TLS 1.2+; encryption at rest; AES-256-GCM for stored OAuth tokens/credentials (no platform passwords stored); least-privilege authenticated access; tenant isolation; rate limiting; audit logging; kill-switches and per-lever authority/approval controls; error monitoring and a secure CI/CD pipeline; retention windows and automated deletion paths; alignment with Shopify Protected Customer Data requirements.
A current, specific sub-processor list is available on request from legal@bamzal.com.