Start free 14-day trial

Data Processing Agreement

Last updated: 04/14/2026

This Data Processing Agreement ("DPA") forms part of the Terms of Service or other written or electronic agreement between radykal GmbH ("Chamevo", "we", "us", or "our") and the customer ("Controller", "you", or "your") for the use of Chamevo's services (the "Agreement").

This DPA reflects the parties' agreement with regard to the processing of personal data by Chamevo on behalf of the Controller in accordance with the requirements of applicable data protection laws, including the General Data Protection Regulation (EU) 2016/679 ("GDPR") and the UK General Data Protection Regulation ("UK GDPR").

1. Definitions

  • "Controller" means the entity that determines the purposes and means of the processing of personal data (i.e., the customer).
  • "Processor" means the entity that processes personal data on behalf of the Controller (i.e., Chamevo / radykal GmbH).
  • "Personal Data" means any information relating to an identified or identifiable natural person as defined under applicable data protection law.
  • "Processing" means any operation or set of operations performed on personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure, or destruction.
  • "Sub-processor" means any third party engaged by the Processor to process personal data on behalf of the Controller.
  • "Data Subject" means the identified or identifiable natural person to whom the personal data relates.
  • "Supervisory Authority" means an independent public authority responsible for monitoring the application of data protection law.
  • "Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed.

2. Scope and Purpose of Processing

Chamevo processes personal data solely for the purpose of providing the services as described in the Agreement. The scope of processing includes:

  • Subject Matter: Provision of the Chamevo product customization platform and related services.
  • Duration: Processing will continue for the duration of the Agreement unless otherwise agreed in writing.
  • Nature and Purpose: Processing is performed to enable product customization, order management, design rendering, and related e-commerce functionality as specified in the Agreement.
  • Types of Personal Data: Name, email address, shipping address, order details, uploaded images and designs, IP address, browser information, and any other personal data submitted through the customization interface by end customers.
  • Categories of Data Subjects:End customers and users of the Controller's online store who interact with the Chamevo product customizer.

3. Obligations of the Processor

Chamevo shall:

  • Process personal data only on documented instructions from the Controller, including with regard to transfers of personal data to a third country or international organization, unless required to do so by applicable law.
  • Ensure that persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
  • Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as set out in Section 6 of this DPA.
  • Respect the conditions for engaging sub-processors as set out in Section 5 of this DPA.
  • Assist the Controller, taking into account the nature of processing, by appropriate technical and organizational measures, insofar as possible, for the fulfilment of the Controller's obligations to respond to requests for exercising the data subject's rights.
  • Assist the Controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR, taking into account the nature of processing and the information available to the Processor.
  • At the choice of the Controller, delete or return all personal data to the Controller after the end of the provision of services, and delete existing copies unless applicable law requires storage of the personal data.
  • Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in this DPA and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller.

4. Obligations of the Controller

The Controller shall:

  • Ensure that the processing of personal data is carried out in accordance with applicable data protection law, including obtaining any necessary consents from data subjects.
  • Provide documented instructions for the processing of personal data by Chamevo.
  • Ensure that the personal data provided to Chamevo is accurate, complete, and up-to-date.
  • Notify Chamevo without undue delay if it becomes aware of any data breach or suspected data breach involving personal data processed under this DPA.

5. Sub-processors

The Controller provides general authorization for Chamevo to engage sub-processors. Chamevo shall:

  • Maintain an up-to-date list of sub-processors, which is available upon request by contacting privacy@chamevo.com.
  • Inform the Controller of any intended changes concerning the addition or replacement of sub-processors, giving the Controller the opportunity to object to such changes.
  • Ensure that any sub-processor is bound by data protection obligations no less protective than those set out in this DPA.
  • Remain fully liable to the Controller for the performance of sub-processor obligations.

If the Controller objects to a new sub-processor and Chamevo cannot reasonably accommodate the objection, either party may terminate the affected service by providing written notice.

6. Security Measures

Chamevo implements and maintains appropriate technical and organizational measures to protect personal data against unauthorized or unlawful processing and against accidental loss, destruction, or damage. These measures include, but are not limited to:

  • Encryption: Encryption of personal data in transit (TLS/SSL) and at rest where appropriate.
  • Access Controls: Role-based access controls, multi-factor authentication, and least-privilege principles for personnel accessing personal data.
  • Infrastructure Security: Use of reputable cloud hosting providers with industry-standard certifications (e.g., SOC 2, ISO 27001).
  • Monitoring and Logging: Continuous monitoring and logging of access to systems containing personal data.
  • Incident Response: Established incident response procedures for timely detection, reporting, and resolution of security incidents.
  • Business Continuity: Regular backups and disaster recovery procedures to ensure the availability and resilience of processing systems.
  • Employee Training: Regular data protection and security awareness training for all personnel.

7. Data Breach Notification

  • Chamevo shall notify the Controller without undue delay after becoming aware of a data breach affecting personal data processed under this DPA.
  • The notification shall include, to the extent available: the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed to address the breach.
  • Chamevo shall cooperate with the Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of any data breach.

8. Data Subject Rights

Chamevo shall assist the Controller in responding to requests from data subjects exercising their rights under applicable data protection law, including:

  • Right of access
  • Right to rectification
  • Right to erasure ("right to be forgotten")
  • Right to restriction of processing
  • Right to data portability
  • Right to object to processing

If Chamevo receives a request directly from a data subject, it shall promptly notify the Controller and shall not respond to the request without the Controller's instructions, unless required by applicable law.

9. International Data Transfers

Chamevo shall not transfer personal data to a country outside the European Economic Area (EEA) or the United Kingdom unless appropriate safeguards are in place, including:

  • An adequacy decision by the European Commission or the UK government, as applicable.
  • Standard Contractual Clauses (SCCs) as approved by the European Commission, or the International Data Transfer Addendum for UK transfers.
  • Other legally recognized transfer mechanisms under applicable data protection law.

Where transfers rely on Standard Contractual Clauses, the relevant SCCs are hereby incorporated by reference into this DPA.

10. Audits and Inspections

Chamevo shall make available to the Controller all information reasonably necessary to demonstrate compliance with this DPA. The Controller may conduct audits, including inspections, either directly or through a mandated third-party auditor, subject to reasonable advance notice and during normal business hours. Audits shall be conducted in a manner that minimizes disruption to Chamevo's operations. The Controller shall bear the costs of any audit unless the audit reveals material non-compliance by Chamevo.

11. Data Retention and Deletion

  • Chamevo shall retain personal data only for as long as necessary to provide the services under the Agreement or as required by applicable law.
  • Upon termination or expiration of the Agreement, Chamevo shall, at the Controller's choice, delete or return all personal data and delete existing copies within 30 days, unless applicable law requires continued storage.
  • Chamevo shall provide written confirmation of deletion upon the Controller's request.

12. Liability

Each party's liability under this DPA is subject to the limitations and exclusions of liability set out in the Agreement. Nothing in this DPA limits either party's liability to data subjects or supervisory authorities under applicable data protection law.

13. Term and Termination

  • This DPA shall remain in effect for the duration of the Agreement and shall automatically terminate upon termination or expiration of the Agreement.
  • Provisions of this DPA that by their nature should survive termination (including confidentiality, data deletion, and liability) shall survive.

14. Amendments

Chamevo may update this DPA from time to time to reflect changes in applicable law or our data processing practices. Material changes will be communicated to the Controller by email or through the Chamevo platform. Continued use of the services after such changes constitutes acceptance of the updated DPA.

15. Governing Law

This DPA shall be governed by and construed in accordance with the laws of Austria, without regard to its conflict of law principles. The courts of Kufstein, Austria shall have exclusive jurisdiction over any disputes arising out of or in connection with this DPA, unless applicable data protection law requires otherwise.

16. Contact Information

For questions about this DPA or to exercise your rights, please contact us:

radykal GmbH

Sparchner Strasse 14

6330 Kufstein

Austria

Privacy Inquiries: privacy@chamevo.com

Support: support.chamevo.com

Website: chamevo.com

Partner Program

Grow with Chamevo

Build product customization into your client projects — without developing it from scratch.

Become a Partner

Ready to automate your custom product workflow?

Join 20,000+ e-commerce stores using Chamevo to sell custom products with confidence.

Start free 14-day trial

14-day free trial • Cancel anytime