Special Contractual Terms for Shopware Nexus

Special Contractual Terms for Shopware Nexus

1. Scope of Application, Relationship to the GTC

1.1. These Special Contractual Terms for Shopware Nexus (“SCT-SN”) govern the contractual relationship between shopware AG, Ebbinghoff 10, 48624 Schöppingen, Germany (“shopware”) and its customers (“Customer”) with regard to Shopware Nexus.

1.2. These SCT-SN supplement the General Terms and Conditions of Business of shopware (“GTC”). In the event of conflicts, these SCT-SN shall take precedence over the GTC. In all other respects, the GTC and the further contractual components referenced therein shall remain applicable without change.

1.3. For the processing of personal data on behalf of Customer, the data processing agreement pursuant to Section 14.1 GTC (“DPA”) applies. The Annex “Supplementary Agreement to the Data Processing Agreement for Shopware Nexus” (“DPA Supplementary Agreement Shopware Nexus”) forms part of the DPA and supplements it for Shopware Nexus. In the event of conflicts, the DPA Supplementary Agreement Shopware Nexus shall take precedence over the DPA to the extent that it specifically governs Shopware Nexus.

2. Subject Matter of the Contract, Requirements and Supplementary Conditions

2.1. shopware provides Shopware Nexus to Customer as a Service in accordance with these special provisions and the contract.

2.2. The availability of the Service and the respectively applicable conditions may vary depending on whether Customer uses the free Community Edition or proprietary shopware software. Within the proprietary shopware software, availability and conditions may also vary further.

2.3. The Terms of Use for Services of shopware AG apply in addition to the use of Shopware Nexus, unless these SCT-SN provide otherwise. Notwithstanding Section 1.1 of the Terms of Use for Services, Shopware Nexus as a whole shall not be deemed an AI System. The Terms of Use for AI-Based Systems may apply in addition to individual functions expressly designated as AI-based.

3. Scope of Services, Service Description, Documentation

3.1. The condition of Shopware Nexus is determined by the service description/documentation published at the time of contract conclusion or provision at https://docs.shopware.com/en/shopware-6-en/shopware-services/shopware-nexus.

3.2. The documentation for Shopware Nexus is provided “as is” on the internet for retrieval at docs.shopware.com/en. shopware is only obliged to provide other documentation if expressly agreed between the parties in writing.

3.3. shopware is entitled to change, further develop, replace or add to Shopware Nexus in the course of product development, provided that this is reasonable for Customer taking into account the interests of both parties. In all other respects, Section 3.5 and Section 17 of the GTC apply.

3.4. shopware strives for an annual availability of 99% for Shopware Nexus (based on 24 hours per day, 365 days per year). Excluded are routine, necessary and planned maintenance and repair measures (no more than a total of eight hours per month). Where possible, necessary maintenance and repair measures will be announced in good time at https://status.shopware.com. shopware does not owe uninterrupted availability of Shopware Nexus at all times.

4. Commencement of Contract, Free Introductory Phase and Termination

4.1. The contractual relationship for Shopware Nexus begins upon conclusion of the contract, generally with the booking by Customer.

4.2. shopware provides Shopware Nexus within a free introductory phase without additional remuneration. Paid use of Shopware Nexus shall only take place if Customer separately accepts a corresponding offer for paid use. There shall be no automatic conversion to paid use after the end of the free introductory phase. Section 31.4 GTC shall not apply in this respect.

4.3. There is no entitlement to the duration, maintenance, extension or a specific scope of the free use. shopware is entitled, at its reasonable discretion and taking into account Customer’s legitimate interests, to change, restrict, suspend, extend or terminate the free introductory phase in whole or in part. To the extent reasonable, shopware will announce this in an appropriate manner.

4.4. Notwithstanding Section 10.1 GTC, shopware is entitled to terminate the contractual relationship for the free use of Shopware Nexus by ordinary termination vis-à-vis individual Customers by giving two weeks’ notice. The right to restrict, suspend, block or extraordinarily terminate for good cause remains unaffected.

4.5. After the end of the free introductory phase or after termination of the free use, shopware may make further use of Shopware Nexus subject to Customer’s acceptance of an offer for paid use. If Customer does not accept an offer for paid use, shopware is entitled to restrict or block access to Shopware Nexus. Tacit continuation through continued use is excluded. Deletion or further retention of data shall be governed by the GTC, the DPA, the DPA Supplementary Agreement Shopware Nexus, these SCT-SN and applicable law.

5. Requests, Usage Measurement and Fair Use

5.1. The terms “Services” and “Requests (Services)” within the meaning of the GTC apply accordingly to Shopware Nexus. The specific unit by which use of Shopware Nexus is measured is determined by the documentation.

5.2. Where Shopware Nexus is designated as “unlimited” or “unlimitiert”, there are no fixed quantitative request quotas for Shopware Nexus. Requests may nevertheless be measured, in particular for displaying and managing usage, capacity planning, ensuring the stability, security and integrity of the systems, detecting misuse, reviewing atypical or excessive use, and contract-related communication with Customer.

5.3. During a free introductory phase, a review threshold applies to Shopware Nexus. Unless shopware announces a different threshold in the documentation, in the product, in the Shopware Account or in another appropriate manner, this threshold shall be 10,000 Requests per Customer per calendar month. The review threshold is not a hard usage limit.

5.4. Exceeding the review threshold does not automatically result in blocking, restriction or an obligation to pay remuneration. However, shopware is entitled to contact Customer in order to better understand the usage, coordinate technical or organizational measures, review misconfigurations, ensure system stability and coordinate further use of Shopware Nexus.

5.5. Notwithstanding Sections 5.2 to 5.4, shopware is entitled, in the event of atypically high or abusive use, to temporarily reduce the request rate or to take other appropriate measures in order to safeguard the integrity, security and stability of Shopware Nexus and availability for other Customers. This includes, in particular, measures in cases of abusive use, automated mass retrieval, circumvention of technical protective measures, or other use contrary to the shopware Acceptable Use Policy or the Terms of Use for Services.

5.6. In cases pursuant to Section 5.5, shopware may temporarily restrict or block the use of Shopware Nexus until the cause has been remedied. shopware will inform Customer in advance, to the extent this is reasonable and the purpose of the measure is not thereby jeopardized, and will give Customer the opportunity to adjust its use.

6. Permitted Use and Restrictions

6.1. Customer is responsible for the workflows, configurations, authorizations, data flows, connected target systems and use of third-party services via Shopware Nexus configured by Customer, including the permissibility of data transfers to such third-party services. shopware is not a party to agreements between Customer and third-party providers and assumes no responsibility for their availability, functionality or compliance.

6.2. Customer must not use Shopware Nexus to process special categories of personal data within the meaning of Art. 9 GDPR. Customer must also not use Shopware Nexus to process data and workflows where processing via Shopware Nexus is subject to special regulatory requirements, unless this is expressly permitted.

6.3. In all other respects, the use restrictions and security obligations under the GTC, the shopware Acceptable Use Policy and the Terms of Use for Services apply.

Annex – Supplementary Agreement to the Data Processing Agreement for Shopware Nexus (“DPA Supplementary Agreement”)

1. Description of the Processing (Supplement to Annex II DPA)

1.1 Subject Matter and Purposes

Provision and operation of Shopware Nexus as a platform for event-driven integration and automation (creation, provision and execution of workflows), including:

• receipt and forwarding of Shopware events,

• streaming/processing of events and execution of configured workflow steps,

• management of projects/workflows/credentials,

• monitoring, error analysis, IT security and misuse prevention in the operation of Shopware Nexus.

1.2 Categories of Data Subjects

☒ Users of Customer who use Shopware Nexus (in particular admin/integration/developer roles), ☒ end customers, employees, partners and prospects of Customer, to the extent their data is processed in Shopware events or via API actions.

1.3 Categories of Personal Data

(a) Platform/account data: user ID, email address, name, where applicable company/client reference; authentication data (e.g. OIDC/OAuth2 attributes). (b) Shop/client identifiers: tenant_id, shop_id, shop_url, company/customer references. (c) Event/entity data from Shopware: depending on the event, including order/customer/product data; typically name, email, address components, telephone number, where applicable date of birth, order and delivery information as well as custom fields maintained by Customer. (d) Credentials/secrets for integrations: OAuth2 tokens, API keys, secrets (encrypted). (e) Operational and security data: log data (e.g. timestamps, request metadata), IP addresses, user agent, trace/request IDs, error and diagnostic data. Note: The processing of special categories of personal data within the meaning of Art. 9 GDPR is not intended and is excluded pursuant to the SCT-SN; Customer shall ensure that such data is not transmitted.

1.4 Type of Processing / Data Flows (Brief Description)

• Shopware webhook/event

  →

  capture/streaming

  →

  workflow execution (in-memory/stream-based)

  →

  optional outputs to targets configured by Customer (e.g. third-party services, HTTP endpoints, Shopware API).

• Permanent storage primarily of workflow definitions, configurations and credentials; event payloads are generally processed on a stream-based basis and stored only for a limited period in streaming/audit components (see 1.5).

1.5 Retention Period

• Workflow definitions/configurations: generally for the duration of use of Shopware Nexus.

• Secrets/credentials: retained for the duration of use; deleted or made inaccessible after the end of use of Shopware Nexus or after blocking or revocation of access.

• Streaming events: generally limited retention (currently usually up to 7 days).

• Audit/operational events: generally limited retention (currently usually up to 90 days for certain audit records).

• Monitoring/logs/traces: in accordance with the systems used/retention policies (e.g. generally 15 days in APM/logging systems, if used).

2. Technical and Organizational Measures (Supplement to Annex III DPA; in Addition to the TOMs Described in the DPA)

☒ Encryption: TLS during transmission; encryption at rest (e.g. DynamoDB SSE); secrets are encrypted via KMS (envelope encryption). ☒ Client separation: client-separated storage/client-separated processing; role-based access controls. ☒ Logging: redaction of sensitive headers (e.g. authorization/signatures). Error messages, traces or diagnostic outputs may, in exceptional cases, contain customer identifiers (e.g. email addresses). Access to logs and monitoring systems is restricted to authorized roles, and retention is carried out in accordance with the periods specified in Section 1.5. ☒ Browser monitoring (if used): masking of input fields in accordance with the tool configuration.

3. Sub-processors (Supplement to Annex IV DPA)

For Shopware Nexus, the list of sub-processors in Annex IV of the DPA is supplemented as follows.

(Version 1.0 | 2026-05-20)