Data protection roles

To guarantee the security and privacy of information, there are different roles in the possession, control, and processing of personal data. In the table below, we explain each role in the data protection ecosystem:

Data subject
The data subject is the owner of their personal data. For example, a customer in a store is the owner of their personal data, which they use to make a purchase.

Data controller
The data controller is the person who decides the purposes and criteria for using personal data in compliance with data protection laws. The controller also determines how the processors will use the data.

For example, a merchant is a data controller, since they decide which customer data is required for placing an order.

Data processor
The processor is a third-party company that processes personal data on behalf of the controller.

For example, VTEX is the processor that processes end-customer data on behalf of the store. VTEX does not process sensitive end-customer data at its own discretion but only on the direct instructions of the store administrators.

This processing by VTEX is outlined in the Data Processing Addendum (DPA).

Data subprocessors
The subprocessor is a third-party company that processes personal data on behalf of the processor. The controller must have visibility and agree with the selection of a subprocessor.

Infrastructure providers and VTEX affiliates are subprocessors. See the full list of VTEX subprocessors.

Data Processing Addendum (DPA)

The Data Processing Addendum (DPA) is the agreement between the data controller (merchant) and the processor (VTEX), which regulates how VTEX processes personal data on behalf of the merchant.

This document is an appendix to the Master Services Agreement (MSA), the agreement that regulates the relationship between VTEX and the merchants. It establishes the rules for using the VTEX platform and any other requested services or products.

The DPA follows the General Data Protection Regulation (GDPR) standard, the most restrictive legislation on data privacy.

It includes information on:

  • Processor and controller roles.
  • Compliance with the rights of data subjects.
  • Subprocessors.
  • Our technical and administrative data security measures.
  • Security incident management.
  • Limitations of liability:
    • Audit requests.
    • International data transfers.
    • VTEX's liability in the event of compensation for security incidents.
  • Integrity and confidentiality of personal data on VTEX.

VTEX does not use end-customer data for any purpose other than to perform ecommerce operations as instructed by merchants.

The DPA used must correspond to the specific region of the data subject (store customer).

Check the Data Processing Addendum - VTEX to view the standard VTEX DPA for each region.

Shared responsibilities

Both VTEX and merchants must ensure the security of personal data, each within a defined scope. VTEX's scope includes the platform infrastructure and its features, while the merchant's scope covers the storefront, Admin settings, access credentials, and local privacy regulations. Learn more in the following sections.

VTEX responsibilities

VTEX, as the processor, can assist the merchant in complying with the data subject's rights, conducting privacy impact reports, and notifying the merchant of any incidents involving personal data of which it is aware. In addition, we are committed to complying with the technical and administrative security measures established in the DPA.

Merchant responsibilities

Merchants, as controllers, determine the purposes and means of processing personal data. Therefore, merchants must instruct VTEX, under the terms of the DPA, so that personal data can be used on the platform to perform ecommerce operations.

In the commercial context, the merchant defines the legal basis for using the personal data of customers (data subjects). Legal bases are the cases in which the law allows the use of personal data, such as consent. Legal bases do not apply to VTEX, as it only acts as a processor under the terms of the DPA and does not decide the purposes for using personal data.

Privacy regulations

Each merchant must conduct its own Privacy Impact Assessments, maintain its own privacy policies and technical and organizational measures, and comply with the rights of the data subjects registered in its store. It is up to the merchant to choose the terms of their privacy policy and make it available on their website in compliance with local privacy laws.

Merchants must implement their own security measures and, in the event of incidents involving personal data, must notify the data protection authorities and data subjects in compliance with the applicable laws. If you have specific questions about the laws applicable to your store, your end consumers, or other aspects of your business, contact a professional specialized in personal data protection.

VTEX will support the merchant in some of these obligations under the DPA terms, such as responses to subject rights and notification of security incidents.

Platform access

Merchants play a crucial role in data security, as their decisions directly impact data protection. For example, by giving specific users or teams access to the platform or sharing application keys (appKeys), the merchant affects the security of the data stored in that environment.

To understand how to manage access credentials and ensure data integrity properly, see the following articles:
