DPA

Data Processing Agreement

Forms part of the Ops2Sell subscription contract when you process personal data through the Service.

Last updated · 23 April 2026

Effective automatically for any customer subject to UK GDPR, EU GDPR, or equivalent data-protection legislation. Countersigned copies are available on request at privacy@ops2sell.com.

1. Parties and scope

This Data Processing Agreement ("DPA") is entered into between Ops2Sell Ltd ("Processor") and the customer identified in the Ops2Sell subscription agreement ("Controller"). It governs all processing of personal data carried out by the Processor on behalf of the Controller in the course of delivering the Ops2Sell platform ("Service").

Where there's a conflict between this DPA and the subscription agreement, this DPA prevails for matters of personal data.

2. Definitions

"Personal data", "processing", "controller", "processor", "data subject", and "personal data breach" have the meanings given in the UK GDPR and EU GDPR. "Sub-processor" means any third party engaged by the Processor to process personal data on behalf of the Controller.

3. Subject-matter and duration

The Processor processes personal data for the duration of the Controller's subscription, plus any retention period required to fulfil the Service (for example, retaining audit logs for the period specified below). Processing ceases when the subscription ends and the agreed post-termination deletion period (Clause 11) expires.

4. Nature and purpose of processing

The Processor processes personal data only to deliver the Service: authenticating users, storing and syncing commerce data, sending transactional communications, generating insights, and providing support. The Processor will not process personal data for any other purpose without the Controller's written instruction.

5. Types of personal data and categories of data subjects

Data subjects:

  • Controller's employees and contractors with user accounts (admins, managers, warehouse operators).
  • Controller's end customers (buyers whose orders flow through the Service).
  • Controller's suppliers and business contacts.

Categories of personal data:

  • Contact information: names, email addresses, phone numbers, shipping addresses, billing addresses.
  • Authentication data: hashed passwords, session tokens, multi-factor authentication metadata.
  • Commerce data: order histories, line items, payment status, communications.
  • Behavioural data: application usage, audit logs, IP addresses, device identifiers.
  • No special-category data (health, biometric, political opinions, etc.) is processed.

6. Controller obligations

The Controller warrants that it has a valid lawful basis (including a privacy notice to its own users and, where required, their consent) for every item of personal data it loads into the Service. The Processor will rely on the Controller's documented instructions — captured by the configuration choices made in the Service and by this DPA — as the sole source of instructions for processing.

7. Processor obligations

The Processor will:

  • Process personal data only on the Controller's documented instructions, unless required otherwise by law (in which case it will notify the Controller first unless the law prohibits that notification).
  • Ensure that personnel authorised to access personal data have committed to confidentiality.
  • Implement the technical and organisational measures described in Clause 9.
  • Assist the Controller in responding to data subject rights requests (Clause 10).
  • Notify the Controller of any personal data breach without undue delay, and in any event within 72 hours of becoming aware of it.
  • Make available all information necessary to demonstrate compliance with this DPA, including by allowing for and contributing to audits.

8. Sub-processors

The Controller grants the Processor general authorisation to engage sub-processors, subject to the following:

  • A current list of sub-processors is maintained at /sub-processors.
  • The Processor will give the Controller at least 30 days' notice before adding a new sub-processor (email subscription available on request).
  • The Controller may object to a new sub-processor on reasonable data-protection grounds within the notice period. If the parties cannot resolve the objection in good faith, the Controller may terminate the affected portion of the Service without penalty.
  • Each sub-processor will be bound by data-protection obligations no less protective than those in this DPA.
  • The Processor remains fully liable to the Controller for the performance of sub-processors.

9. Security measures

The Processor implements the following technical and organisational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access (these measures may evolve — the baseline below will never be weakened):

  • Encryption in transit (TLS 1.3 across all public endpoints).
  • Encryption at rest (AES-256 on database volumes and object storage; per-secret envelope encryption for channel credentials).
  • Access control via role-based permissions, multi-factor authentication for admin accounts, and least-privilege service-account scopes for sub-processors.
  • Audit logging of all data-modifying actions, retained for 12 months.
  • Network segmentation between public, internal, and data-tier services.
  • Vulnerability management: dependency scanning on every build, weekly patch review, and annual external penetration testing.
  • Backups: continuous point-in-time recovery with a Recovery Point Objective (RPO) under 5 minutes and a Recovery Time Objective (RTO) under 4 hours.
  • Incident response: a published runbook, 24/7 on-call rotation, and notification obligations under Clause 7.

10. Data subject rights

The Service provides the Controller with self-service functionality to respond to rights requests from data subjects: access, export, rectification, erasure, restriction, and portability. Where the Processor receives a request directly from a data subject, it will forward the request to the Controller without responding (except to confirm receipt) and assist as reasonably required.

11. Return and deletion of personal data

On termination of the subscription, the Controller can export all personal data through the standard export endpoints for 30 days. After that period (or earlier on the Controller's written request), the Processor will delete all personal data from production systems and instruct sub-processors to do the same. Backups are purged on a 35-day rolling cycle; no personal data will survive beyond that window.

12. International transfers

The Processor will only transfer personal data outside the UK and EEA under an appropriate safeguard: the European Commission's Standard Contractual Clauses (SCCs) together with the UK International Data Transfer Addendum (IDTA), or an adequacy decision. Current transfer mechanisms for each sub-processor are documented at /sub-processors.

13. Audits

The Processor will respond to a reasonable number of questionnaire-based audits per year at no cost. On-site audits are available by prior arrangement at the requesting party's cost and must not disrupt the Processor's operations. Third-party certifications (SOC 2, ISO 27001 — where obtained) satisfy audit obligations unless specific, documented concerns make a deeper review necessary.

14. Liability

Liability under this DPA is subject to the limits and exclusions in the subscription agreement.

15. Governing law

This DPA is governed by the laws of England and Wales, and the courts of England and Wales have exclusive jurisdiction over any dispute arising out of or in connection with it.

16. Changes to this DPA

The Processor may update this DPA to reflect changes in law, sub-processor arrangements, or security practices. Material changes will be notified to the Controller at least 30 days before they take effect. Continued use of the Service after the effective date constitutes acceptance.

17. Countersigned copy

Most customers operate under the unsigned, publicly-posted version of this DPA, which automatically forms part of the contract. If your procurement process requires a signed copy, email privacy@ops2sell.com and we'll return a countersigned PDF within 3 working days.