SHOPWARE NEXUS BETA PARTICIPATION TERMS (CLOSED BETA)

1. Scope, relationship to existing agreements

1.1 These Beta Participation Terms (“Beta Terms”) additionally govern participation in the closed beta of the product “shopware Nexus” including “DataBus” (together the “Nexus Beta”).

1.2 Participation is exclusively available to Customers of shopware AG (“shopware”) who have been invited by shopware to the Nexus Beta or whose Nexus Beta access request has been approved and technically activated by shopware (“Participant”).

1.3 The existing contractual framework between shopware and the Participant applies, including shopware’s General Terms and Conditions of Business, available at https://www.shopware.com/en/gtc/ (“GTC”). These Beta Terms take precedence over the GTC only insofar as they govern specific aspects of the Nexus Beta. For the processing of personal data on behalf of the Participant, the Data Processing Agreement pursuant to Section 14.1 GTC (“DPA”), including Annex 1 (Nexus Beta DPA Addendum), shall take precedence.

1.4 Access to and use of any source-code repositories, example code or other code artifacts provided by shopware in connection with the Nexus Beta is governed exclusively by the applicable repository and license terms (including any contributor or publication rules). Nothing in these Beta Terms grants any rights in source code beyond those expressly set out in the applicable repository or license terms.

2. Beta nature, scope of performance

2.1 The Nexus Beta is provided free of charge (no additional charge beyond any fees payable under the existing contractual relationship) and exclusively for testing and evaluation purposes. It is not production-ready, may contain errors, and may change at any time in function, behavior, scope and availability.

2.2 shopware does not owe any specific characteristics, error-free operation, stability, or fitness for a particular purpose for the Nexus Beta. There are no SLAs, availability, response or recovery commitments and no entitlement to support, unless expressly agreed in writing.

2.3 shopware may change, suspend or discontinue the Nexus Beta at any time in whole or in part and may block or revoke access for individual Participants, in particular in the event of breaches of these Beta Terms or the GTC.

3. Permitted use, cooperation, restrictions

3.1 The Participant uses the Nexus Beta for internal testing, evaluation, piloting, training or demonstration purposes. The Nexus Beta may be used in live system environments. However, it is not intended for mission-critical or safety-critical operations. The Participant remains solely responsible for assessing and managing all operational risks. shopware assumes no responsibility for production stability. The Participant is responsible for an appropriate risk assessment and suitable precautionary measures (in particular backups, test/staging use).

3.2 During the Nexus Beta, the Participant is expected to (a) create and publish at least three (3) workflows, (b) respond to requested feedback/surveys to a reasonable extent, and (c) report identified errors/failures via the channels designated by shopware.

3.3 The Participant shall comply with data and compliance restrictions. In particular, the Participant will not process or transmit via the Nexus Beta:

(a) special categories of personal data within the meaning of Art. 9 GDPR,

(b) data/workflows subject to special regulatory requirements (e.g., PCI-DSS), or

(c) content/data the loss, incorrect processing, or delayed processing of which could lead to material damage for the Participant or third parties.

3.4 The Participant shall comply with technical and security-related restrictions. The following are prohibited in particular:

(a) unauthorized load or stress tests,

(b) penetration or security tests without shopware’s prior written consent,

(c) circumvention of protective mechanisms, reverse engineering, or abusive use (in particular automated access outside intended interfaces), and

(d) any use in breach of the shopware Acceptable Use Policy.

For the avoidance of doubt, clause 3.4(c) does not restrict the use of any source code made available by shopware under applicable repository or license terms. All usage restrictions and security obligations set out in the GTC apply equally to the Nexus Beta.

3.5 shopware is entitled to apply reasonable usage restrictions (e.g., rate limits, quotas) to stabilize the Nexus Beta (Fair Use).

4. Third-party services / connectors

4.1 The Nexus Beta may enable integrations with third-party services (e.g., Slack, Microsoft/Business Central, HTTP endpoints, S3) (“Third-Party Services”). Such connections are configured by the Participant.

4.2 The Participant is solely responsible for the configuration and use of Third-Party Services, including the permissibility of any data transfers. shopware is not a party to any agreements between the Participant and such Third-Party Services and assumes no responsibility for their availability, functionality or compliance.

5. Confidentiality, publications

5.1 Participation in the Nexus Beta as well as all information relating thereto that is not publicly accessible (including access, documentation, screenshots, workflows, test results, roadmap information) is subject to the confidentiality obligation under the GTC and constitutes confidential information.

5.2 Without shopware’s prior written consent, the Participant may not publish or make available to third parties any confidential information regarding the Nexus Beta. This includes, in particular, the publication of benchmarks, comparative tests, or test results. This does not restrict (i) the disclosure of information that shopware has made publicly available, or (ii) the Participant’s submission of information to shopware via the feedback and support channels designated by shopware for the Nexus Beta (including third-party communication platforms), provided that the Participant does not disclose such information beyond those channels. The Participant may disclose confidential information to its affiliates and contractors (including agencies) solely as necessary for the permitted use of the Nexus Beta, provided that such recipients are subject to written confidentiality obligations no less protective than those set out in this clause and at least as protective as those under the GTC.

6. Beta data, retention, end of participation

6.1 Beta data (including workflows, configurations, credentials, logs) may be changed, reset or deleted by shopware at any time during the Nexus Beta. There is no entitlement to continued existence, export, migration, or transfer into a later product version.

6.2 These Beta Terms apply until shopware ends or discontinues the Nexus Beta, or blocks or revokes the Participant’s access. The Participant may stop using the Nexus Beta at any time.

6.3 The end of the Nexus Beta or the blocking or revocation of access shall not affect Sections 5 (Confidentiality, publications) and 8 (Liability). Any provisions which by their nature are intended to apply thereafter shall continue to apply, including any continuing rights and obligations under Section 7 and the DPA.

7. Data protection / processing on behalf

7.1 For processing on behalf, the DPA pursuant to Section 14.1 GTC applies (available at https://www.shopware.com/en/privacy/dpa). Annex 1 (Nexus Beta DPA Addendum) forms an integral part of the DPA and amends and supplements the DPA for the Nexus Beta. In all other respects, the DPA remains unchanged. In the event of any conflict, Annex 1 shall prevail for the Nexus Beta.

7.2 To the extent shopware processes personal data in connection with the Nexus Beta as a controller (e.g. for IT security, abuse prevention, internal operational purposes or internal operational notifications related to beta access management), such processing is carried out in accordance with applicable data protection law and is described in shopware’s Privacy Notice (available at https://www.shopware.com/en/privacy/website/).

8. Liability

The Nexus Beta is provided free of charge and on an “as is” basis. shopware does not provide any warranties or guarantees regarding the Nexus Beta, including without limitation with respect to availability, functionality, fitness for a particular purpose or error-free operation. Liability shall be governed exclusively by the provisions of the GTC, in particular Sections 11 and 12.

ANNEX 1 – NEXUS BETA DPA ADDENDUM

1. Description of processing (supplement to Annex II DPA)

1.1 Subject matter and purposes

Provision and operation of the Nexus Beta as a platform for event-driven integration and automation (workflow creation, deployment and execution), including:

- receiving and forwarding shopware events,

- streaming/processing of events and execution of configured workflow steps,

- management of projects/workflows/credentials,

- monitoring, error analysis, IT security and abuse prevention in beta operation.

1.2 Categories of data subjects

☒ users of the Participant who use the Nexus Beta (in particular admins/integration/developer roles),

☒ end customers, employees, partners and interested parties of the Participant, insofar as their data is processed in shopware events or via API actions.

1.3 Categories of personal data

(a) Platform/account data: user identifier, email address, name, if applicable company/tenant reference; authentication data (e.g., OIDC/OAuth2 attributes).

(b) Shop/tenant identifiers: tenant_id, shop_id, shop_url, company/customer references.

(c) Event/entity data from shopware: depending on the event, inter alia order/customer/product data; typically name, email, address components, telephone number, possibly date of birth, order and delivery information, as well as custom fields maintained by the Participant.

(d) Credentials/secrets for integrations: OAuth2 tokens, API keys, secrets (encrypted).

(e) Operational and security data: log data (e.g., timestamps, request metadata), IP addresses, user agent, trace/request IDs, error and diagnostic data.

Note: Processing of special categories of personal data within the meaning of Art. 9 GDPR is not intended and is excluded pursuant to the Beta Terms; the Participant ensures that such data is not transmitted.

1.4 Type of processing / data flows (short description)

- shopware webhook/event → ingestion/streaming → workflow execution (in-memory/stream-based) → optional outputs to destinations configured by the Participant (e.g., Third-Party Services, HTTP endpoints, shopware API).

- Persistent storage primarily of workflow definitions, configurations and credentials; event payloads are generally processed stream-based and only retained for a limited time in streaming/audit components (see 1.5).

1.5 Retention period

- Workflow definitions/configurations: generally for the duration of use; in beta operation, reset/deletion possible at any time (Section 6.1 Beta Terms).

- Secrets/credentials: retained for the duration of use; deleted or rendered inaccessible upon the end of the Nexus Beta or access being blocked or revoked.

- Streaming events: generally time-limited retention (currently typically up to 7 days).

- Audit/operational events: generally time-limited retention (currently typically up to 90 days for certain audit records).

- Monitoring/logs/traces: according to the systems used/retention policies (e.g., typically 15 days in APM/log systems, if used).

2. Technical and organisational measures (supplement to Annex III DPA; in addition to the TOMs described in the DPA)

☒ Encryption: TLS in transit; encryption at rest (e.g., DynamoDB SSE); secrets encrypted (envelope encryption) via KMS.

☒ Tenant separation: tenant-isolated storage/processing; role-based access controls.

☒ Logging: redaction of sensitive headers (e.g., authorization/signatures). Error messages, traces or diagnostic outputs may — in exceptional cases — contain customer identifiers (e.g. email addresses). Access to logs and monitoring systems is restricted to authorized roles only and retention follows the periods set out in Section 1.5.

☒ Browser monitoring (if used): masking of input fields according to the tool configuration.

3. Sub-processors (supplement to Annex IV DPA)

For the Nexus Beta, the list of sub-processors in Annex IV of the DPA is replaced by the table below.

Please note: Third-party services that the Participant configures itself via workflows (e.g., Slack, Microsoft/Business Central, external HTTP APIs) are recipients on the Participant’s instructions and are not sub-processors engaged by shopware under the DPA. The Participant is responsible for the permissibility and contractual safeguarding of these data transfers (see Section 4 Beta Terms).

(Version: 1.0 | 2026-02-20)