Data Processing Agreement (DPA)

Template effective from 4 July 2026

This data processing agreement governs the processing of personal data under Article 28 of the GDPR (EU 2016/679) when you run your eshop on the Behio platform. This is a template. We issue a signed version on request at [email protected] or via the contact form.

1. The parties

This agreement is concluded between:

  • The controller: the eshop operator, that is the customer who uses the Behio platform to run their own store. The controller determines the purposes and means of processing their end customers' personal data.
  • The processor: Radovan Pelka, Company ID (IČO) 08951012, VAT ID CZ9704084500, registered office Podhoří 172/102, 664 34 Kuřim, Česká republika, operator of the Behio platform.

The processor processes personal data on behalf of the controller solely to provide the Behio platform services and to the extent described below.

2. Subject matter and duration

The subject matter is the provision of the Behio e-commerce platform: running the eshop, managing the catalog, orders, customers, invoicing, inventory and related features the controller uses within the service.

Processing takes place for the duration of the service agreement between the controller and the processor, that is for as long as the controller uses the Behio platform.

3. Nature and purpose of processing

The processor processes personal data only to enable the controller to run the eshop and use the platform's features. The nature of processing includes in particular collection, storage, organization, access, modification, transfer to authorized sub-processors and erasure of data.

The processor does not use personal data for its own purposes and does not pass it on beyond this agreement and the list of sub-processors.

4. Categories of data subjects and personal data

Categories of data subjects

  • The controller's eshop end customers.
  • Contact persons and buyers within the controller's B2B relationships.
  • Users of accounts the controller creates in the platform.

Categories of personal data

  • Identification data: first name, surname, company name, company ID and VAT ID.
  • Contact data: e-mail, phone, delivery and billing address.
  • Order data: order contents, purchase history, order-related communication.
  • Payment metadata: payment status, transaction identifiers and payment method (card details themselves are processed by certified payment gateways, not by Behio).

The processor does not process special categories of personal data unless the controller enters them into the platform as part of the eshop content.

5. Obligations of the processor

The processor undertakes in particular to:

  • Process personal data only on documented instructions from the controller, including instructions on transfers to a third country, unless required to do otherwise by EU or Member State law.
  • Ensure that persons authorized to process the personal data have committed to confidentiality or are under an appropriate statutory obligation of confidentiality.
  • Implement technical and organizational measures to secure processing under Article 32 GDPR (see section 7).
  • Engage further sub-processors only under the conditions in section 6 and bind them to the same level of protection.
  • Assist the controller by appropriate measures in fulfilling its obligation to respond to data subjects' requests to exercise their rights.
  • Assist the controller in ensuring compliance with Articles 32 to 36 GDPR (security, breach notification, impact assessment), taking into account the nature of processing and available information.
  • Notify the controller without undue delay of any personal data breach after becoming aware of it.
  • On termination of the service, at the controller's choice, erase or return all personal data and delete existing copies, unless a legal obligation requires storage.
  • Make available to the controller the information needed to demonstrate compliance with Article 28 GDPR and allow for and contribute to audits or inspections conducted by the controller or an auditor mandated by it, to a reasonable extent and by prior arrangement.

6. Sub-processors

The controller grants the processor a general authorization to engage sub-processors necessary to operate the platform (hosting, file storage, payment gateways, e-mail delivery, AI features, carriers and comparison sites where the controller uses them).

The current list of sub-processors is part of the privacy policy. The processor informs the controller of any intended change of sub-processors, and the controller has the right to raise reasoned objections to the change.

Each sub-processor is bound to the same level of personal data protection as this agreement requires.

7. Technical and organizational measures

Taking into account the state of the art and the nature of processing, the processor implements in particular the following measures under Article 32 GDPR:

  • Transport encryption: all communication runs exclusively over the TLS protocol.
  • Encryption of sensitive data: access keys and credentials to integrations are encrypted at the application level with AES-256-GCM.
  • Data isolation: every query is strictly bound to the controller's organization, and access is governed by roles and permissions.
  • Dedicated EU infrastructure: the application runs on our own dedicated servers in Germany, file storage is under EU jurisdiction, and traffic is protected by Cloudflare infrastructure.
  • Backups: regular data backups to restore availability and access to data in case of an incident.
  • Access management: only authorized persons bound by confidentiality have access to production data, to the extent necessary to run the service.

8. Duration and termination

This agreement is effective for the duration of the service agreement and for as long as the processor processes personal data on behalf of the controller.

On termination of the service, the processor handles the personal data according to the controller's instruction, that is, it erases or returns the data, unless a legal obligation requires further storage.

9. Final provisions

This agreement is governed by the law of the Czech Republic and by the GDPR. Matters not covered here are governed by the processor's privacy policy and the service's terms.

This is a template. We will issue a signed data processing agreement on request at [email protected] or via the contact form.