Jetpack’s Data Processing Agreement (DPA) outlines our commitment to protecting your data and your customers’ data in compliance with global privacy regulations including GDPR, CCPA, and other applicable data protection laws.

Overview

A Data Processing Agreement is a legally binding contract between a data controller (you, the merchant) and a data processor (Jetpack) that governs how personal data is processed, stored, and protected.

What is Covered

The Jetpack DPA covers:
  • Customer names and addresses
  • Order and shipment information
  • Contact details (email, phone numbers)
  • Transaction records
  • Any other personal data shared through the platform
  • Technical and organizational security measures
  • Data encryption standards
  • Access controls and authentication
  • Incident response procedures
  • Data breach notification protocols
  • Right to access personal data
  • Right to rectification
  • Right to erasure (“right to be forgotten”)
  • Right to data portability
  • Right to object to processing
  • GDPR compliance (European Union)
  • CCPA compliance (California)
  • UK GDPR compliance
  • Other applicable regional data protection laws
  • List of approved sub-processors
  • Sub-processor due diligence
  • Notification of sub-processor changes
  • Sub-processor compliance requirements

Key Terms

Data Controller: The merchant (you) determines the purposes and means of processing personal data.

Data Processor: Jetpack processes personal data on behalf of the merchant according to documented instructions.

Processing Activities

Jetpack processes personal data for the following purposes:
  • Order fulfillment and shipping
  • Inventory management
  • Returns processing
  • Customer service support
  • Analytics and reporting (aggregated, anonymized)
  • System optimization and performance improvement

Data Retention

Personal data is retained according to:
  • Merchant instructions and configurations
  • Legal and regulatory requirements
  • Business necessity for service delivery
  • Data minimization principles

Security Commitments

Jetpack implements industry-standard security measures to protect personal data:
  • Technical Measures
  • Organizational Measures
  • Incident Management
Data Protection:
  • Encryption at rest and in transit
  • Secure API connections (TLS 1.2+)
  • Regular security audits
  • Penetration testing
  • Vulnerability management
Access Controls:
  • Role-based access control (RBAC)
  • Multi-factor authentication
  • Principle of least privilege
  • Regular access reviews

Merchant Responsibilities

Under the DPA, merchants are responsible for:
1. Lawful Data Collection

Ensure you have a legal basis to collect and process customer personal data under applicable privacy laws.

2. Privacy Notices

Provide clear privacy notices to customers explaining how their data will be processed and shared with fulfillment partners.

3. Consent Management

Obtain necessary consents for data processing activities, particularly for marketing or non-essential processing.

4. Data Subject Requests

Handle data subject access requests (DSARs) and coordinate with Jetpack for data retrieval or deletion.

5. Data Accuracy

Ensure personal data provided to Jetpack is accurate, current, and necessary for fulfillment services.

Data Subject Rights Support

Jetpack assists merchants in fulfilling data subject rights requests:
Merchants can request copies of personal data processed by Jetpack within 30 days. Contact Merchant Care with specific data subject details.
Merchants can update or correct personal data through the Jetpack dashboard or by contacting Merchant Care.
Merchants can request deletion of personal data, subject to legal retention requirements. Deletion requests are processed within 30 days.
Merchants can export personal data in machine-readable formats through dashboard exports or API access.
Merchants can object to certain processing activities. Contact Merchant Care to discuss processing limitations.

International Data Transfers

Jetpack processes data in multiple jurisdictions and implements appropriate safeguards for international data transfers.
Transfer Mechanisms:
  • Standard Contractual Clauses (SCCs)
  • Adequacy decisions where applicable
  • Additional safeguards for high-risk transfers
  • Data localization options for certain regions
Supported Regions:
  • United States
  • European Union
  • United Kingdom
  • Canada
  • Australia

Downloading the DPA

Download Jetpack DPA

Download the complete pre-signed Data Processing Agreement (PDF)
The DPA is pre-signed by Jetpack and becomes effective when you begin using Jetpack’s fulfillment services. No additional signature is required from merchants.

DPA Review and Updates

  • Review the DPA thoroughly before using Jetpack services
  • DPA updates communicated via email and dashboard notifications
  • Material changes require 30 days' notice
  • Continued use of services constitutes acceptance of updates

Sub-Processors

Jetpack engages sub-processors to provide fulfillment services across our network.
Categories of Sub-Processors:
  • Warehouse and logistics partners
  • Shipping carriers
  • Technology infrastructure providers
  • Payment processors
  • Analytics and monitoring services
A current list of sub-processors is available upon request through Merchant Care. Jetpack provides notice of new sub-processors with an opportunity to object.

Audit Rights

Merchants have the right to audit Jetpack’s data processing activities, subject to:
  • Reasonable notice (minimum 30 days)
  • Confidentiality agreements
  • Limited scope to relevant processing activities
  • Frequency limitations (maximum once per year)
Jetpack undergoes regular third-party audits and can provide:
  • SOC 2 Type II reports (under NDA)
  • Compliance certifications
  • Security assessment summaries
  • Penetration test results (redacted)

Data Breach Notification

In the event of a personal data breach, Jetpack will notify affected merchants within 72 hours of becoming aware of the breach.
Breach Notification Includes:
  • Nature of the breach
  • Categories and approximate number of affected data subjects
  • Likely consequences of the breach
  • Measures taken or proposed to address the breach
  • Contact point for further information

Term and Termination

The DPA remains in effect for the duration of your service agreement with Jetpack.
Upon Termination:
  • Personal data deleted or returned as instructed
  • Standard deletion timeline: 90 days
  • Option for expedited deletion (upon request)
  • Deletion certification provided
  • Backup retention per legal requirements
If you have questions about Jetpack’s Data Processing Agreement, data security practices, or compliance requirements, contact our Privacy Team at privacy@jetpack.com or through Merchant Care.