Data Processing Agreement
This Data Processing Agreement ("DPA") forms part of the Terms of Service and applicable order between Zonkraft LLC ("Zonkraft", "we", "us") and the merchant entity that installs or connects the Zonkraft application or service ("Merchant", "you"). This DPA governs Zonkraft's processing of personal data of the Merchant's end-customers in the course of providing order fulfillment services, including through integrations with Shopify and other supported platforms. By installing or continuing to use the Zonkraft service, the Merchant agrees to the terms of this DPA.
1. Definitions
"Applicable Data Protection Law" means all laws and regulations applicable to the processing of personal data under this DPA, including the EU General Data Protection Regulation (Regulation 2016/679) ("GDPR"), the UK Data Protection Act 2018, the California Consumer Privacy Act and California Privacy Rights Act ("CCPA/CPRA"), and any other applicable U.S. state privacy laws.
"Controller", "Processor", "Data Subject", "Personal Data", and "Processing" have the meanings given to them under Applicable Data Protection Law.
"End-Customer Data" means Personal Data relating to the Merchant's customers that Zonkraft processes on the Merchant's behalf in order to perform fulfillment services, including name, shipping address, phone number, and email address.
"Sub-processor" means a third party engaged by Zonkraft to process End-Customer Data on behalf of the Merchant.
2. Roles of the Parties
The Merchant is the Controller of End-Customer Data. Zonkraft is the Processor and processes End-Customer Data solely on the Merchant's documented instructions, which are established by the Merchant's use of the Zonkraft service (for example, by installing the Shopify app, placing a fulfillment request, or configuring integrations).
3. Scope and Purpose of Processing
Zonkraft processes End-Customer Data only for the following purposes: (a) receiving and accepting fulfillment requests from the Merchant's platform; (b) generating carrier shipping labels (primarily via UPS); (c) producing customs documentation for international shipments; (d) updating tracking information and communicating shipment status back to the Merchant's platform; (e) resolving delivery-related issues such as undeliverable packages, address corrections, returns, and replacements; and (f) complying with legal and regulatory obligations.
Zonkraft will not process End-Customer Data for marketing, advertising, profiling, resale, statistical analysis, or any purpose not described in this DPA or instructed by the Merchant. Zonkraft does not sell End-Customer Data.
4. Categories of Data Subjects and Personal Data
Data Subjects: Merchant's end-customers who have placed orders with the Merchant.
Categories of Personal Data processed: first and last name; shipping address (address lines, city, state/province, postal code, country); phone number; email address; order identifiers and line items.
5. Sub-processors
The Merchant authorizes Zonkraft to engage the following Sub-processors, which are subject to data protection obligations that are no less protective than those in this DPA:
· Amazon Web Services, Inc. — cloud infrastructure, storage, and encryption services (United States).
· United Parcel Service (UPS) — carrier label generation, tracking, and delivery.
· Stripe, Inc. — merchant payment processing (End-Customer Data is not shared with Stripe).
· Shopify Inc. — platform from which fulfillment requests and End-Customer Data are received at the Merchant's direction.
Zonkraft will notify Merchants of any intended changes concerning the addition or replacement of Sub-processors through the Zonkraft website or by email. The Merchant may object to such changes on reasonable grounds related to data protection within thirty (30) days.
6. Security Measures
Zonkraft implements appropriate technical and organizational measures designed to ensure a level of security appropriate to the risk, including:
· Encryption of End-Customer Data in transit (TLS 1.2 or higher) and at rest (AES-256 via AWS KMS-managed keys).
· Encryption of database backups with the same standards applied to production data.
· Strict segregation of production and non-production environments; non-production environments do not contain real End-Customer Data.
· Data loss prevention controls and technical safeguards on the data stores containing End-Customer Data.
· Role-based access controls and the principle of least privilege for staff access to End-Customer Data.
· Enforcement of strong password policies and multi-factor authentication for employee accounts with access to systems containing End-Customer Data.
· Access logging for queries on End-Customer Data, retained for audit and incident response purposes.
· A documented security incident response policy and procedures for timely detection, investigation, and remediation.
7. Confidentiality
Zonkraft ensures that personnel authorized to process End-Customer Data are bound by obligations of confidentiality and receive appropriate training in data protection.
8. Data Subject Requests
Taking into account the nature of the processing, Zonkraft will provide reasonable assistance to the Merchant in responding to requests from Data Subjects to exercise their rights under Applicable Data Protection Law, including rights of access, rectification, erasure, restriction, portability, and objection. If Zonkraft receives a request directly from a Data Subject, Zonkraft will, where permitted by law, forward the request to the Merchant without undue delay.
9. Personal Data Breach Notification
Zonkraft will notify the Merchant without undue delay after becoming aware of a Personal Data breach affecting End-Customer Data. The notification will include the information required by Applicable Data Protection Law to the extent reasonably available to Zonkraft.
10. Data Retention and Deletion
Zonkraft retains End-Customer Data only for as long as necessary to (a) fulfill the order; (b) support post-delivery operations such as returns, replacements, and customer service; and (c) comply with tax, accounting, and other legal obligations.
On termination of the Merchant's use of the Zonkraft service, or upon the Merchant's written request, Zonkraft will delete or return all End-Customer Data, except to the extent that retention is required by applicable law. Zonkraft honors the Shopify customer data request webhooks (customers/data_request, customers/redact, shop/redact) and other equivalent mechanisms provided by supported platforms.
11. International Data Transfers
End-Customer Data may be transferred to and processed in the United States and other jurisdictions where Zonkraft or its Sub-processors operate. Where required, such transfers are made pursuant to appropriate safeguards recognized under Applicable Data Protection Law, including the Standard Contractual Clauses adopted by the European Commission.
12. Audits
Zonkraft will make available to the Merchant, on reasonable request, information necessary to demonstrate compliance with the obligations in this DPA. The Merchant may audit Zonkraft's compliance once per year on reasonable prior notice, subject to appropriate confidentiality obligations and at the Merchant's expense.
13. Liability and Governing Law
The liability of each party under this DPA is governed by the liability terms of the Zonkraft Terms of Service. This DPA is governed by the same law as the Terms of Service unless Applicable Data Protection Law requires otherwise.
14. Contact
Questions, requests, or notices under this DPA may be sent to:
Zonkraft LLC
8 The Green, Suite B
Dover, Delaware 19901
Email: privacy@zonkraft.com
Effective as of April 24, 2026