VTEX operates in different countries and has the necessary tools to meet the privacy demands of each location. For this reason, VTEX always takes the necessary measures to ensure its platform is secure and complies with data protection laws.

The tools we provide on the platform are designed to ensure that stores comply with privacy laws. However, merchants must also implement additional measures to comply with personal data processing laws. To understand these requirements, see Data protection roles. Note that these are general guidelines and that specific regulations may impose other obligations.

VTEX maintains appropriate technical and organizational measures to protect the security, confidentiality, and integrity of personal data when providing services.

See below the practices adopted by VTEX, detailed in the DPA:

• Antivirus policy.
• Information classification.
• Vulnerability management.
• Encryption of personal data at rest and in transit.
• Data backup and redundancy. VTEX has a specific tool to provide customers with the means to obtain a full copy of all personal data stored on the platform.
• Disaster recovery and incident recovery.
• Segregation of clients and networks.
• Physical security measures.
• Guaranteed deletion of all personal data after the end of service provision.
• Ensuring that any employee who accesses personal data is bound by confidentiality agreements with VTEX.
• Specific incident management and notification process and informing the customer, as required by data protection laws, if they become aware of any personal data breach.
• Support for merchants in conducting a Data Protection Impact Assessment (DPIA).

For more information, see Security Practices - VTEX.

The hosting provider used by VTEX is Amazon Web Services (AWS), which stores data in the Northern Virginia region of the United States. The AWS platform is a benchmark in the cloud hosting sector and has important certifications, such as ISO 27001, PCI DSS, CSA, NIST, etc. For a detailed list of certifications, see AWS Compliance Programs. Authorization for data storage on AWS can be found in our DPA.

VTEX only stores personal data for as long as necessary to process the service provided.

Data retention limits define the duration data can be stored on VTEX. These limits are influenced by multiple factors, such as legal and compliance requirements, data privacy considerations, and costs. By setting data retention limits, we aim to ensure regulatory compliance, protect user privacy, and maintain efficient resource allocation.

Responsibility for compliance with applicable laws and regulations lies with the merchants themselves. This includes defining and respecting data retention periods, which may vary according to the specific legislation each store is subject to.

VTEX makes data available based on the technical capacity of each module. However, if specific legislation needs to be complied with, merchants need to extract the relevant data from the platform. Therefore, each merchant must manage their own retention periods as required by the applicable legislation, using the resources available on the platform accordingly.

VTEX must store customer personal data for the duration of the MSA. In the event of contract termination with VTEX, the merchant must ensure that the data is extracted from the Master Data within thirty (30) days before the MSA termination date, in compliance with Clause 7 of the DPA.