Data Processing Agreement
1. Introduction
This Data Processing Agreement ("DPA") forms part of the agreement between GETBOOKD LTD (trading as Boutique Supply Co, the "Processor") and the customer ("Controller") for the provision of wholesale grooming products and related services.
This DPA sets out the terms under which personal data is processed in connection with orders, account management, and service delivery, in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
2. Definitions
- Controller: The customer who determines the purposes and means of processing personal data (e.g. a grooming salon placing wholesale orders).
- Processor: GETBOOKD LTD, which processes personal data on behalf of the Controller to fulfil orders and provide services.
- Data Subject: An identified or identifiable natural person whose personal data is processed.
- Personal Data: Any information relating to a Data Subject, as defined by the UK GDPR.
- Sub-processor: A third party engaged by the Processor to process personal data on behalf of the Controller.
3. Scope of Processing
3.1 Categories of Data Subjects
- Trade account holders and their authorised representatives
- Business contacts who submit enquiry or application forms
3.2 Types of Personal Data
- Name, email address, phone number
- Business name and delivery address
- Order history and transaction records
- Payment references (card details are handled solely by Stripe)
- IP address and browser data (via analytics)
3.3 Purpose of Processing
- Order fulfilment, delivery, and account management
- Payment processing
- Customer communication and support
- Website analytics and performance improvement
4. Processor Obligations
The Processor shall:
- Process personal data only on documented instructions from the Controller, unless required by law
- Ensure that persons authorised to process personal data are bound by confidentiality obligations
- Implement appropriate technical and organisational security measures (see Section 6)
- Not engage a Sub-processor without prior written authorisation from the Controller (see Section 5)
- Assist the Controller in responding to Data Subject rights requests
- Assist the Controller in ensuring compliance with data protection impact assessments and prior consultations with supervisory authorities, where required
- Delete or return all personal data upon termination of the agreement, unless retention is required by law
- Make available all information necessary to demonstrate compliance and allow for audits
5. Sub-processors
The Controller provides general authorisation for the Processor to engage the following Sub-processors. The Processor will notify the Controller of any intended changes to this list, giving the Controller the opportunity to object.
| Sub-processor | Purpose | Location |
|---|---|---|
| Stripe, Inc. | Payment processing and fraud prevention | USA (with EU/UK SCCs) |
| Vercel, Inc. | Website hosting, CDN, and analytics | USA (with EU/UK SCCs) |
| Royal Mail / Courier Partners | Order delivery (name and address only) | United Kingdom |
Each Sub-processor is bound by data protection obligations no less stringent than those set out in this DPA. The Processor remains fully liable for the acts and omissions of its Sub-processors.
6. Data Security
The Processor implements the following technical and organisational measures to protect personal data:
- Encryption in transit: All data transmitted via TLS 1.2 or higher (HTTPS enforced site-wide)
- Encryption at rest: Payment data encrypted by Stripe; database encrypted at rest
- Access controls: Role-based access; principle of least privilege applied to all systems
- Authentication: Multi-factor authentication on administrative accounts
- Infrastructure security: Hosted on Vercel with automated security patching, DDoS protection, and edge network isolation
- Regular reviews: Security practices reviewed periodically and updated as necessary
7. Data Breach Notification
In the event of a personal data breach, the Processor shall:
- Notify the Controller without undue delay and in any case within 72 hours of becoming aware of the breach
- Provide the following information: nature of the breach, categories and approximate number of Data Subjects affected, likely consequences, and measures taken or proposed to address the breach
- Cooperate with the Controller in notifying the ICO and affected Data Subjects, where required under Articles 33 and 34 of the UK GDPR
- Document all breaches, including facts, effects, and remedial actions taken
8. Data Subject Rights
The Processor shall assist the Controller in fulfilling its obligations to respond to Data Subject requests, including:
- Right of access (Subject Access Requests)
- Right to rectification
- Right to erasure ("right to be forgotten")
- Right to restriction of processing
- Right to data portability
- Right to object to processing
The Processor will promptly inform the Controller if it receives a request directly from a Data Subject and will not respond to such requests without the Controller's instructions, unless legally required to do so.
9. International Transfers
Where personal data is transferred outside the UK or EEA (e.g. to Stripe or Vercel in the USA), the Processor ensures that appropriate safeguards are in place, including:
- UK International Data Transfer Agreement (IDTA) or EU Standard Contractual Clauses (SCCs) with the UK Addendum
- Transfer Impact Assessments where required
- Verification that Sub-processors maintain adequate data protection standards
10. Data Retention and Deletion
Upon termination of the business relationship or upon request by the Controller, the Processor shall:
- Delete all personal data within 30 days, unless retention is required by applicable law (e.g. HMRC financial record requirements)
- Provide written confirmation of deletion upon request
- Ensure that Sub-processors also delete personal data in accordance with this DPA
11. Audit Rights
The Controller has the right to audit the Processor's compliance with this DPA. Audits shall be conducted with reasonable notice (minimum 30 days), during normal business hours, and at the Controller's expense. The Processor shall cooperate fully and provide access to relevant records and systems.
12. Term and Termination
This DPA remains in effect for the duration of the business relationship between the Controller and the Processor. Obligations relating to data security, breach notification, and data deletion survive termination.
13. Governing Law
This DPA is governed by the laws of England and Wales and is subject to the exclusive jurisdiction of the courts of England and Wales.
14. Contact
For questions about this DPA or to exercise data protection rights:
GETBOOKD LTD
49 Maes y Crofft
Morganstown, Cardiff CF15 8FE
United Kingdom
info@boutiquesupplyco.com