Data Processing Agreement

The terms on which Outpost processes personal data when providing services to merchants acting as data controllers.

Schedule to the Master Services Agreement — Merchant / Controller

This Data Processing Agreement (“DPA”) forms part of, and is incorporated by reference into, the Master Services Agreement, Reseller Agreement or other commercial agreement between the Merchant and Outpost (the “Principal Agreement”). It sets out the terms on which Outpost processes Personal Data in connection with the services provided under the Principal Agreement (the “Services”). Capitalised terms not defined in this DPA have the meaning given in the Principal Agreement. In the event of any conflict between this DPA and the Principal Agreement in respect of the processing of Personal Data, this DPA prevails.

PartyDetails
Controller[Merchant legal name] (the “Merchant” or “Controller”), a company incorporated under [jurisdiction] with registered address at [address].
ProcessorOutpost Technologies Ltd (“Outpost” or “Processor”), incorporated in England and Wales (Company No. 13465097), registered office 4th Floor Office, 205 Regent Street, London, England, W1B 4HB. Outpost enters into this DPA for itself and, where applicable, on behalf of its Affiliates that provide the Services.

1. Definitions

In this DPA:

TermMeaning
Data Protection Lawsthe UK GDPR; the EU GDPR (Regulation (EU) 2016/679); the UK Data Protection Act 2018; the Privacy and Electronic Communications Regulations 2003; and, to the extent applicable to the processing, any other data protection or privacy law (including the CCPA, Brazil’s LGPD, Mexico’s LFPDPPP and Australia’s Privacy Act 1988), in each case as amended or replaced.
Controller, Processor, Personal Data, Processing, Data Subject, Personal Data Breach, Special Category Data, Supervisory Authorityhave the meanings given in the UK GDPR / EU GDPR.
Controller Personal DataPersonal Data that Outpost processes on the Controller’s behalf under the Principal Agreement, as described in Annex A.
Sub-processorany third party engaged by Outpost to process Controller Personal Data on the Controller’s behalf.
Restricted Transfera transfer of Controller Personal Data to, or access from, a country outside the UK or EEA that is not the subject of an adequacy decision.
Standard Contractual Clauses / SCCsthe EU standard contractual clauses in Commission Decision 2021/914 and, for UK transfers, the UK International Data Transfer Addendum / IDTA issued under s.119A DPA 2018.

2. Roles of the Parties and Scope

2.1 In respect of Controller Personal Data processed by Outpost on the Controller’s documented instructions in connection with the Services, the Merchant is the Controller and Outpost is the Processor.

2.2 Notwithstanding Clause 2.1, in performing certain Merchant of Record and regulated functions Outpost acts as an independent Controller in its own right, as set out in Clause 15. Where Outpost acts as an independent Controller, it does not do so on the Controller’s instructions and is separately responsible for its own compliance.

2.3 The subject matter, duration, nature and purpose of the processing, the types of Personal Data and the categories of Data Subjects are set out in Annex A.

3. Processing on Documented Instructions

3.1 Outpost shall process Controller Personal Data only on the Controller’s documented instructions (including as set out in the Principal Agreement, this DPA and Annex A), including with regard to international transfers, unless required to process by applicable law; in which case Outpost shall inform the Controller of that legal requirement before processing, unless the law prohibits this on important grounds of public interest.

3.2 Outpost shall inform the Controller without undue delay if, in its opinion, an instruction infringes Data Protection Laws. Outpost is not obliged to, and does not, monitor the Controller’s compliance with Data Protection Laws.

3.3 The Principal Agreement, this DPA and Annex A constitute the Controller’s complete and documented instructions to Outpost. Any additional or changed instruction must be agreed in writing and may be subject to reasonable fees.

4. Obligations of the Controller

The Controller warrants and undertakes that:

(a) it has, and will maintain throughout the term, a valid legal basis under Article 6 (and, where relevant, Article 9) of the UK GDPR / EU GDPR for each category of Personal Data it provides to Outpost;

(b) it has provided all privacy information required under Articles 13 and 14 to the relevant Data Subjects;

(c) its instructions to Outpost comply with Data Protection Laws;

(d) it will not provide Special Category Data to Outpost unless agreed in writing, and will notify Outpost immediately if any Special Category Data is present in the Personal Data provided; and

(e) it will respond promptly to any request from Outpost for information or assistance in connection with Data Subject rights or the parties’ respective obligations under this DPA.

5. Obligations of Outpost (Processor)

Outpost shall, in respect of Controller Personal Data:

(a) process it only on documented instructions in accordance with Clause 3;

(b) ensure that persons authorised to process it are bound by an appropriate duty of confidentiality (Clause 6);

(c) implement and maintain the technical and organisational measures set out in Annex B (Clause 7);

(d) engage Sub-processors only in accordance with Clause 9;

(e) taking into account the nature of the processing, assist the Controller with Data Subject requests (Clause 10) and with its obligations under Articles 32–36 (Clause 11);

(f) notify the Controller of Personal Data Breaches in accordance with Clause 8;

(g) return or delete Controller Personal Data on termination in accordance with Clause 13; and

(h) make available information necessary to demonstrate compliance with this DPA and allow for audits in accordance with Clause 14.

6. Confidentiality

Outpost shall ensure that any person authorised to process Controller Personal Data is subject to a binding obligation of confidentiality (whether contractual or statutory), receives appropriate data protection and security training, and accesses Personal Data only on a need-to-know basis to perform the Services.

7. Security

7.1 Taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of processing as well as the risks to Data Subjects, Outpost shall implement and maintain appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as further described in Annex B.

7.2 Outpost is certified to PCI DSS Level 1 in respect of payment-data handling and does not store full primary account numbers (PANs) or CVV/CVC codes; all payment data is tokenised via licensed payment service providers.

8. Personal Data Breach

8.1 Outpost shall notify the Controller without undue delay, and in any event within 48 hours, after becoming aware of a Personal Data Breach affecting Controller Personal Data.

8.2 The notification shall include, to the extent known: the nature of the breach; the categories and approximate number of Data Subjects and records affected; the likely consequences; and the measures taken or proposed to address it. Where the information is not all available at once, it may be provided in phases without undue further delay.

8.3 Outpost shall take reasonable steps to mitigate and, where possible, remediate the breach, and shall keep the Controller informed. Notification is not an acknowledgement of fault or liability.

9. Sub-processing

9.1 The Controller grants Outpost general written authorisation to engage Sub-processors to process Controller Personal Data. Outpost’s current Sub-processors are available on written request.

9.2 Outpost shall give the Controller at least 30 days’ prior notice of any intended addition or replacement of a Sub-processor. The Controller may object within that period on reasonable grounds relating to data protection. If the parties cannot resolve the objection, the Controller may terminate the affected part of the Services in accordance with the Principal Agreement, without penalty for the terminated portion.

9.3 Outpost shall enter into a written contract with each Sub-processor imposing data protection obligations no less protective than those in this DPA.

9.4 Outpost remains fully liable to the Controller for the acts and omissions of its Sub-processors to the same extent as if performed by Outpost.

10. Data Subject Requests

10.1 Taking into account the nature of the processing, Outpost shall assist the Controller by appropriate technical and organisational measures, insofar as possible, to respond to requests by Data Subjects to exercise their rights under Articles 15–22.

10.2 If Outpost receives a request directly from a Data Subject relating to Controller Personal Data, it shall not respond substantively (other than to direct the Data Subject to the Controller where appropriate) and shall forward the request to the Controller without undue delay.

11. Assistance

Taking into account the nature of the processing and the information available to it, Outpost shall provide the Controller with reasonable assistance in relation to data protection impact assessments and prior consultation with a Supervisory Authority (Articles 35–36) and security of processing (Article 32). The Controller shall reimburse Outpost’s reasonable costs of assistance that goes beyond that inherent in providing the Services.

12. International Transfers

12.1 Outpost shall not make a Restricted Transfer of Controller Personal Data unless a valid transfer mechanism is in place, namely (a) an adequacy decision; (b) appropriate safeguards such as the SCCs / UK IDTA; or (c) a derogation under Article 49.

12.2 The Controller acknowledges that Outpost’s processing operations and certain Sub-processors are located outside the UK and EEA, including in the United States. Where a Restricted Transfer occurs, the SCCs and/or the UK IDTA are deemed entered into and incorporated into this DPA, with the Controller (and, where relevant, the Data Subjects) as data exporter and Outpost or the relevant Sub-processor as data importer. Copies of the relevant transfer mechanisms are available on written request to companies@outpostnow.com.

13. Return and Deletion of Personal Data

On expiry or termination of the Principal Agreement, at the Controller’s election, Outpost shall within 30 days return and/or delete all Controller Personal Data and delete existing copies, unless retention is required by applicable law. Where retention is legally required, Outpost shall continue to protect the Personal Data and process it only to the extent and for the period required by that law. Outpost shall confirm deletion in writing on the Controller’s request.

14. Audit

14.1 Outpost shall make available to the Controller all information reasonably necessary to demonstrate compliance with this DPA.

14.2 The Controller may, on at least 30 days’ written notice and no more than once per calendar year (or following a Personal Data Breach), audit Outpost’s compliance, at the Controller’s cost, subject to reasonable confidentiality controls and without unreasonable disruption. Outpost may satisfy an audit request by providing current certifications or reports (such as SOC 2 or ISO 27001) where these reasonably demonstrate compliance, and may object to a proposed auditor on reasonable grounds of conflict or commercial sensitivity, in which case the parties shall agree an alternative.

15. Outpost as Independent Controller (Merchant of Record and Regulated Processing)

15.1 The parties acknowledge that, in its capacity as Merchant of Record / deemed supplier and as a regulated business, Outpost processes certain Personal Data as an independent Controller, namely for: (a) the calculation, invoicing, collection and remittance of taxes and the issuing of statutory invoices and receipts; (b) know-your-customer, anti-money-laundering and sanctions screening; (c) fraud prevention, detection and financial-crime screening; and (d) compliance with Outpost’s own legal and regulatory obligations and the establishment, exercise or defence of legal claims.

15.2 For the processing described in Clause 15.1, Outpost determines the purposes and means, acts in its own name and not on the Controller’s instructions, and is independently responsible for its own compliance, including providing its own privacy information to Data Subjects. Each party acts as an independent Controller and not as a joint Controller in respect of such processing.

15.3 The Controller shall ensure that Data Subjects are provided with appropriate information about, and that there is a valid legal basis for, the disclosure of Personal Data to Outpost for the purposes described in Clause 15.1.

16. Aggregated and De-identified Data

Outpost may create and use anonymous, aggregated or de-identified data derived from the processing for its legitimate business purposes, including analytics and improving, securing and operating the Services, provided that such data does not identify, and cannot reasonably be used to identify, the Controller or any Data Subject.

17. Liability

Each party’s liability arising out of or in connection with this DPA is subject to the limitations and exclusions of liability set out in the Principal Agreement, except to the extent that such limitations are not permitted by Data Protection Laws.

18. Term, Termination and Survival

This DPA takes effect on the effective date of the Principal Agreement and continues for as long as Outpost processes Controller Personal Data. Termination of the Principal Agreement terminates this DPA. The provisions relating to confidentiality, security incidents, return and deletion, audit, liability, and Clause 15 survive termination.

19. Governing Law and Jurisdiction

This DPA is governed by the laws of England and Wales, and the parties submit to the exclusive jurisdiction of the courts of England and Wales, without prejudice to any mandatory rights of Data Subjects under the Data Protection Laws of their jurisdiction of residence.

20. Order of Precedence

In the event of conflict, the following order of precedence applies in respect of data protection matters: (1) the SCCs / UK IDTA (for Restricted Transfers); (2) this DPA; and (3) the Principal Agreement.

Execution

This DPA is published by Outpost and incorporated into and forms part of the Principal Agreement. By executing the Principal Agreement, the Controller and Outpost are each deemed to have entered into this DPA. No separate signature on this DPA is required. Where there is a conflict between this DPA and the Principal Agreement in relation to data protection matters, this DPA shall prevail.

Annex A — Details of the Processing

ElementDescription
Subject matterProcessing of Personal Data of the Controller’s end customers in connection with Outpost’s provision of Merchant of Record and related Services.
Nature of processingCollection, recording, storage, use, disclosure to Sub-processors, transmission and deletion, by consultant-led and automated means.
PurposeTransaction execution, invoicing, tax calculation and remittance, fraud screening, refund and chargeback handling, and account management.
DurationFor the term of the Principal Agreement, plus the period required to meet Outpost’s retention obligations under applicable law.
Types of Personal DataName; email address; billing address; tokenised payment reference (no raw card data); purchase details; transaction ID; IP address and device type (for fraud screening).
Special Category DataNone intentionally processed. The Controller must notify Outpost immediately if any Special Category Data is present in the Personal Data provided.
Categories of Data SubjectsEnd customers (natural persons) of the Controller who purchase products or services through Outpost’s platform; and, where relevant, the Controller’s personnel.

Annex B — Technical and Organisational Measures

MeasureDescription
EncryptionPersonal Data encrypted in transit (TLS 1.2+) and at rest using industry-standard encryption (including AWS KMS envelope encryption for sensitive data).
Access controlMulti-factor authentication for systems processing Personal Data; role-based access control on a least-privilege, need-to-know basis.
Payment securityPCI DSS Level 1 compliance; no storage of full PANs or CVV/CVC; all payment data tokenised via licensed PSPs.
Security testingRegular penetration testing and vulnerability assessment; remediation of vulnerabilities under defined SLAs.
Monitoring & responseSecurity monitoring and alerting for anomalous activity; documented and tested incident-response procedures.
PersonnelConfidentiality obligations and security-awareness training for all personnel with access to Personal Data.
Sub-processor oversightSecurity assessment of Sub-processors before engagement and on an ongoing basis.
ResilienceData backup and recovery procedures with tested recovery objectives.