We have adequated our Master Agreement to European Union Model Clauses, also known as Standard Contractual Clauses, to meet adequacy and security requirements for our customers who operate in the E.U. The original standard clauses are focused in the case of moving the data to countries that don't have proper regulation on data security and privacy. Therefore, we don't use the clauses verbatim, but we have reviewed our Master Agreement to verify that the principles behind those clauses are there.
First it is very important to notice that every data stored under VTEX's custody is a property of the Controller. With that in mind, VTEX provides a comprehensive set of APIs as an interface to get to all of that data. These APIs lets the Controller get whatever data from wherever they are operating, including Europe.
Although GDPR allows the processing and storage of personal data outside of the EU, we understand that Union Members may extend the requirements of the law by mandating that this data is made available within the Union territory, or even more specifically within that given Union Member territory.
The workflow of a store operating on VTEX sets very well defined responsibilities between VTEX and our tenants. While we are responsible to acquire the orders, including customer personal data, and interfacing with payment processors, and doing all the supporting tasks to hava that happening, our tenant, the Controller, is responsible for processing that order for fulfillment.
The fulfillment processing of an order happens in backoffice systems owned and usually hosted by the Controller in their contry of origin. As soon as the order is captured by VTEX and the payment is confirmed, the order is download for processing by the Controller, what makes all of the order data, including customer personal information, be transfered to the Controller's facilities in their country.
As a consequence to this workflow, all personal information collected by VTEX is, by design, made available both from Europe, through the APIs, and in Europe when downloaded by the Controller for fulfillment processing.
In the case of smaller Controllers, that don't use an external Backoffice System integrated with VTEX, they can always use the APIs to export the data in JSON format and store it wherever they see fit.