Magento Data Processing Agreement

Responsible and processor (a) For the purposes of this DPA, the customer is the controller of the customer`s personal data and Mailgun is the processor of such data, unless the customer acts as a processor of the customer`s personal data, in which case Mailgun is a subcontractor. The law requires all organizations that process personal data in Brazil to stop a DSB. At this point, the LGPD is more stringent than the GDPR, which only requires a DSB in some cases. In order to help merchants comply with the GDPR, Magento has provided information for the Magento software so that you can identify where information is stored in our application. These mappings are available for Magento 1.x and Magento 2.x and cover Magento Commerce Cloud, On-Premise and Magento Open Source. When using our service, customers may use or store personal data (PII) about consumers or confidential data of Magento customers. The protection of customer and consumer data is a critical obligation for Magento in general and in the context of Magento Commerce in particular. Magento and our customers have legal obligations in the vicinity of personal data. In addition to the security features of the architecture, there are other controls to limit the distribution and access to personal and/or confidential data. Magento has requested verification of the areas of your business services related to data processing.

What for? As all Magento Marketplace extensions are developed by 3 parties, they can store personal data in places other than the magento kernel. And the data can continue to be sent to external services.