Data Processing Addendum



1. Introduction

This Data Processing Addendum (“DPA”) forms part of the Retail Stack Terms of Service (the “Agreement”) entered into between the Merchant (“Controller” or “you”) and the relevant Retail Stack contracting entity (“Processor”, “Retail Stack”, “we”, or “us”) and applies to the extent we process Personal Data on your behalf in providing the Service.

This DPA reflects the parties’ agreement on processing of Personal Data in accordance with applicable Data Protection Laws, including the Nigeria Data Protection Act 2023, the EU General Data Protection Regulation (Regulation (EU) 2016/679) where applicable, the UK GDPR where applicable, Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), and any other applicable data protection laws (together, “Data Protection Laws”).

Where there is a conflict between this DPA and the Agreement, this DPA prevails with respect to the processing of Personal Data.


2. Definitions

Capitalised terms used in this DPA but not defined here have the meaning given to them in the Agreement or in applicable Data Protection Laws.

Personal Data: Any information relating to an identified or identifiable natural person that we process on your behalf under the Agreement.

Processing: Any operation performed on Personal Data, whether or not by automated means, including collection, recording, storage, use, disclosure, and erasure.

Data Subject: An identified or identifiable natural person whose Personal Data is processed.

Sub-processor: A third party engaged by us to process Personal Data on our behalf in connection with the Service.

Personal Data Breach: A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data processed under this DPA.

Standard Contractual Clauses: The standard contractual clauses for the transfer of personal data to third countries, as approved by the European Commission or by other relevant authorities under Data Protection Laws.


3. Roles of the Parties

For Personal Data that you submit to the Service about your customers, employees, suppliers, or other individuals (“Customer Personal Data”), you are the Controller and Retail Stack is the Processor. This DPA governs the Processing.

For Personal Data that we process about your Authorised Users in our capacity as service provider (including account credentials, profile information, and usage data), we act as an independent Controller. That processing is governed by our Privacy Policy and is not subject to this DPA.


4. Scope and Purpose of Processing


4.1 Subject matter

The subject matter of the Processing is the provision of the Service to you under the Agreement.


4.2 Duration

Processing continues for the duration of the Agreement, plus any post-termination retention period set out in the Agreement or required by applicable law.


4.3 Nature and purpose

We process Customer Personal Data to enable you to use the Service and to perform our obligations under the Agreement, including hosting, storing, transmitting, and displaying Customer Personal Data; supporting Service features (such as customer management, sales, loyalty, and supplier communications); generating reports and analytics for you; providing technical and customer support; and complying with our legal obligations.


4.4 Categories of Data Subjects

The Data Subjects whose Customer Personal Data may be processed include your customers, your employees, your suppliers and their personnel, and other counterparties whose information you enter into the Service.


4.5 Categories of Customer Personal Data

Customer Personal Data may include contact information (name, phone number, email, address); transaction and purchase history; loyalty and promotional information; supplier business information and bank or payment details where you provide them; invoice content captured through the procurement Product; and free-text notes you enter.

You must not enter into the Service any special categories of Personal Data (such as data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic or biometric data, health data, or data concerning a Data Subject’s sex life or sexual orientation), unless we have specifically agreed in writing to support such processing.


5. Controller Instructions

We will process Customer Personal Data only on your documented instructions, including with regard to transfers of Customer Personal Data to a third country, unless we are required to process Customer Personal Data by applicable law to which we are subject. In such a case, we will inform you of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.

The Agreement, this DPA, and your configuration of the Service constitute your complete and final documented instructions. Any additional or alternative instructions must be agreed in writing.

We will inform you if, in our opinion, an instruction you give infringes Data Protection Laws.


6. Our Obligations

In Processing Customer Personal Data, we will:

  • process Customer Personal Data only in accordance with your documented instructions

  • ensure that personnel authorised to process Customer Personal Data are bound by appropriate confidentiality obligations

  • implement and maintain the technical and organisational security measures described in Annex A

  • provide you with reasonable assistance, taking into account the nature of the Processing and the information available to us, to enable you to comply with your obligations under Data Protection Laws, including obligations relating to Data Subject rights, data protection impact assessments, prior consultation with supervisory authorities, and Personal Data Breach notifications

  • at your choice, delete or return all Customer Personal Data to you after the end of the provision of the Service, unless storage is required by applicable law

  • make available to you all information reasonably necessary to demonstrate compliance with this DPA

  • permit audits as set out in Section 11


7. Sub-processors


7.1 General authorisation

You provide general authorisation for us to engage Sub-processors to process Customer Personal Data, subject to this Section 7.


7.2 Sub-processor list

A current list of the Sub-processors we engage is maintained at retailstack.co/legal/sub-processors. We will notify you of changes to the list (including the addition or replacement of Sub-processors) by updating that page and, where required by law, by providing additional notice through the Service or by email.


7.3 Objection right

You may object on reasonable data protection grounds to our use of a new Sub-processor within thirty (30) days of receiving notice of the change. If you object, we will use good faith efforts to make available to you a change to the Service that avoids the use of the objected-to Sub-processor without unreasonably burdening you. If we cannot reasonably do so, you may terminate the affected portion of the Service in accordance with the Agreement.


7.4 Sub-processor obligations

We remain liable to you for the acts and omissions of our Sub-processors as if they were our own. We will impose on each Sub-processor data protection terms that are substantially the same as those set out in this DPA, including obligations of confidentiality, security, and assistance.


8. International Transfers

Where we transfer Customer Personal Data to a country that does not provide an adequate level of protection under applicable Data Protection Laws, we will implement an appropriate transfer mechanism, which may include the Standard Contractual Clauses or another mechanism recognised under the applicable law.

For transfers subject to the EU GDPR or UK GDPR, the Standard Contractual Clauses are deemed incorporated into this DPA by reference, with you as data exporter and the relevant Retail Stack entity as data importer, and with the choices and clauses set out in Annex C.


9. Data Subject Rights

We will assist you, by appropriate technical and organisational measures and insofar as possible, to fulfil your obligation to respond to requests from Data Subjects to exercise their rights under Data Protection Laws.

If we receive a request directly from a Data Subject relating to Customer Personal Data, we will not respond to that request on the merits without your prior authorisation, except where required by law. We will, without undue delay, forward the request to you so that you may respond.

We may charge a reasonable fee for material assistance with Data Subject requests where such assistance exceeds what is technically and operationally available through standard features of the Service.


10. Personal Data Breach

We will notify you without undue delay, and in any event within seventy-two (72) hours after becoming aware of a Personal Data Breach affecting Customer Personal Data, providing such information as we have available about the nature of the breach, the categories and approximate number of Data Subjects and records concerned, the likely consequences, the measures taken or proposed to address the breach, and the contact point for further information.

We will cooperate with you and provide reasonable assistance to enable you to comply with any notification obligations you may have under Data Protection Laws.

Our notification of, or response to, a Personal Data Breach is not an acknowledgement of fault or liability.


11. Audits

We will make available to you all information reasonably necessary to demonstrate compliance with this DPA, including by providing relevant certifications, third-party audit reports (such as SOC 2 or ISO 27001 reports where available), and policy documentation.

You may, no more than once per twelve-month period and on at least thirty (30) days’ prior written notice, request an audit of our compliance with this DPA. The audit will be conducted at your expense, during normal business hours, in a manner that does not unreasonably interfere with our operations, and subject to reasonable confidentiality obligations. Where you engage a third party to conduct the audit, that third party must not be a competitor of Retail Stack and must be bound by equivalent confidentiality obligations.

Where the audit is required to be performed by a regulator or supervisory authority, we will cooperate with that audit at no additional charge.


12. Return or Deletion of Customer Personal Data

Upon termination or expiry of the Agreement, we will, at your choice and within a reasonable period (in any event not exceeding ninety (90) days), either return all Customer Personal Data to you in a structured, machine-readable format, or delete all Customer Personal Data in our possession or control, unless storage is required by applicable law. Backups containing Customer Personal Data will be deleted in accordance with our standard backup rotation.

This Section 12 does not apply to aggregated or de-identified information that no longer constitutes Personal Data.


13. Liability

Each party’s liability arising out of or related to this DPA is subject to the limitations of liability set out in the Agreement. Nothing in this DPA limits either party’s obligations under Data Protection Laws to Data Subjects or to supervisory authorities.


14. Order of Precedence

In the event of any conflict between this DPA and the Agreement, this DPA prevails with respect to the Processing of Customer Personal Data. In the event of any conflict between this DPA and the Standard Contractual Clauses (where incorporated), the Standard Contractual Clauses prevail.


15. Term and Termination

This DPA takes effect on the Effective Date and remains in force for as long as we Process Customer Personal Data on your behalf under the Agreement. Provisions that by their nature should survive termination remain in effect.


16. Contact

All notices and communications under this DPA should be sent to support@retailstack.co.


Annex A: Technical and Organisational Security Measures

We implement and maintain the following technical and organisational measures to protect Customer Personal Data, which we may update from time to time provided that the measures continue to provide at least an equivalent level of protection.


1. Access Control

  • role-based access controls limiting access to Customer Personal Data to personnel and Sub-processors with a need to know

  • tenant isolation so that Customer Personal Data of one Merchant is not accessible from another Merchant’s Account

  • bearer-token authentication scoped to the Merchant’s tenant

  • multi-factor authentication for internal administrative access where applicable

  • prompt revocation of access for personnel who no longer require it


2. Transmission and Storage

  • encryption of data in transit using HTTPS and TLS

  • hashed password storage

  • encryption of data at rest where supported by underlying infrastructure providers


3. Operational Security

  • logging of access to and changes within the Service

  • monitoring for unusual activity and potential security incidents

  • vulnerability management and security patching

  • incident response procedures including breach notification


4. Personnel

  • confidentiality obligations on personnel and contractors

  • security awareness training appropriate to role


5. Sub-processor Management

  • due diligence on Sub-processors before engagement

  • data processing terms imposed on Sub-processors substantially equivalent to those in this DPA


6. Business Continuity

  • regular backups of Customer Personal Data

  • disaster recovery procedures appropriate to the scale and nature of the Service


Annex B: Description of Processing


Categories of Data Subjects: Your customers, employees, suppliers and their personnel, and other counterparties whose information you enter into the Service.

Categories of Personal Data: Contact information, transaction and purchase history, loyalty information, supplier business and payment information, invoice content, and free-text notes.

Sensitive data: None, unless specifically agreed in writing.

Frequency of transfer: Continuous, for the duration of the Agreement.

Nature of processing: Hosting, storage, transmission, display, indexing, search, automated processing for Intelligence Features, and other operations described in the Agreement.

Purpose of processing: Provision of the Service to the Controller.

Retention period: Duration of the Agreement plus up to 90 days post-termination, plus any longer period required by applicable law (e.g., tax records up to 7 years).


Annex C: International Transfer Clauses (where applicable)

Where Customer Personal Data is transferred outside the European Economic Area, the United Kingdom, or other regions imposing transfer restrictions, the Standard Contractual Clauses adopted by the European Commission on 4 June 2021 (Module Two: Controller to Processor) are incorporated by reference and apply between the parties, with the following choices.

Clause 7 (Docking clause): Not applicable.

Clause 9 (Use of sub-processors): Option 2 (General written authorisation) applies, with the notice period of thirty (30) days as set out in Section 7 of this DPA.

Clause 11 (Redress): The optional independent dispute resolution body does not apply.

Clause 17 (Governing law): The Standard Contractual Clauses are governed by the law of the Republic of Ireland.

Clause 18 (Choice of forum and jurisdiction): Disputes will be resolved before the courts of the Republic of Ireland.

Annex I.A (List of Parties): Data Exporter is the Controller (Merchant) identified in the Agreement; Data Importer is the Retail Stack contracting entity identified in Schedule A of the Terms of Service.

Annex I.B (Description of transfer): As set out in Annex B of this DPA.

Annex I.C (Competent supervisory authority): The competent supervisory authority of the Member State in which the Controller is established, or as otherwise determined under Clause 13 of the Standard Contractual Clauses.

Annex II (Technical and organisational measures): As set out in Annex A of this DPA.

Annex III (List of sub-processors): As maintained at retailstack.co/legal/sub-processors.

For transfers subject to the UK International Data Transfer Addendum (Version B1.0), the UK Addendum is incorporated by reference and applied alongside the Standard Contractual Clauses above, with Tables 1 and 2 completed by reference to the foregoing and Table 3 completed by reference to Annex A and Annex B of this DPA.


By entering into the Retail Stack Agreement, you accept this Data Processing Addendum where applicable to your processing.

Get started today and amplify your retail operations.

Free to start. No payment required. Works on Windows, Android, and Mac. No new hardware needed.
