Data Processing Addendum

Last updated 11 June 2026

The working agreement for how Bonsai Studio processes merchant and order data when Bonsai WMS is used to run warehouse operations.

1. Scope and roles

This Data Processing Addendum applies when Bonsai Studio processes personal data on behalf of a merchant customer using Bonsai WMS. It is intended to form part of the agreement between Bonsai Studio and that customer.

For merchant operational data, the merchant is the controller and Bonsai Studio is the processor. Bonsai Studio processes that data only to provide, secure, support and improve Bonsai WMS, or where required by law.

2. Processing details

  • Subject matter: cloud warehouse management, order fulfilment, inventory control, shipping workflows and connected sales-channel synchronization.
  • Duration: for the term of the customer account, plus the retention periods described in the Bonsai data retention policy.
  • Nature and purpose: hosting, syncing, displaying and updating warehouse, product, order, inventory, shipment and fulfilment data so the merchant can operate its warehouse.
  • Data subjects: merchant staff and users; the merchant's customers and recipients of fulfilled orders.
  • Personal data: names, email addresses, phone numbers, billing and shipping addresses, order contents, order references, fulfilment status, account identifiers, login metadata, support communications and technical logs.
  • Special category data: Bonsai WMS is not designed to collect or process special category data. Customers should not enter it into the service.

3. Customer instructions

The customer instructs Bonsai Studio to process personal data as necessary to provide Bonsai WMS, including connecting to Shopify, Sendcloud and other services chosen by the customer. Bonsai Studio will not sell customer data or use shoppers' personal data for advertising.

4. Confidentiality and access

Bonsai Studio restricts production access to people who need it to operate, secure or support the service. Production customer data should not be accessed casually. Support access is limited to the customer issue being investigated.

5. Security measures

  • TLS encryption in transit for public application traffic.
  • Encrypted database storage through managed infrastructure providers.
  • Encrypted marketplace access tokens and carrier credentials at rest.
  • Tenant isolation by organisation ID throughout the application and service APIs.
  • Authentication through Auth0 and least-privilege service credentials for internal service calls.
  • Webhook signature verification for Shopify webhooks.
  • Audit-style records for inventory and fulfilment activity where the product records operational movements.
  • Operational logging and error monitoring to detect failures and abuse.

6. Sub-processors

Bonsai Studio uses the sub-processors listed on the sub-processors page. We choose providers that are necessary to run, host, secure, bill and support the service.

We will update the sub-processors page when we add a material new provider that processes customer personal data. If a customer has a reasonable data protection objection, they should contact us before continuing to use the affected functionality.

7. International transfers

Bonsai Studio uses UK/EU data regions where practical. Some providers may process data outside the UK or EEA. Where that happens, we rely on the provider's published transfer safeguards, such as adequacy regulations, the UK International Data Transfer Addendum or standard contractual clauses.

8. Data subject requests and Shopify privacy requests

Where Bonsai Studio receives a request relating to end-customer data held on behalf of a merchant, we will direct the requester to the merchant where appropriate and provide reasonable assistance to the merchant. Shopify privacy webhooks are handled through the Bonsai marketplace service for customers/data_request, customers/redact and shop/redact.

9. Deletion and return

On account closure or written request, Bonsai Studio will export, delete or anonymise customer data according to the retention policy. Some residual copies may remain in encrypted backups until those backups expire.

10. Incidents

If we become aware of a confirmed personal data breach affecting customer data processed by Bonsai WMS, we will notify affected customers without undue delay and provide information reasonably available to us so they can meet their own obligations.

11. Audits and information

Bonsai Studio will provide reasonable information needed to demonstrate compliance with this DPA. For early customers, this is handled through written answers, security summaries and support conversations rather than formal on-site audits unless separately agreed.