1. Parties and Scope
This DPA is entered into between the Vendor (acting as Controller) and Orbit Technologies Limited, a company incorporated in England and Wales with company number 07259336 and registered office at 2-6 Abington Square, Northampton, England, NN1 4AA, trading as Orbit Commerce (acting as Processor).
This DPA applies whenever we process Customer Personal Data on your behalf in connection with your use of the Service. It is automatically incorporated into the Terms of Service. No physical or electronic signature is required for this DPA to take effect.
In the event of any conflict between this DPA and the Terms of Service in respect of the processing of Customer Personal Data, this DPA prevails. Capitalised terms used but not defined here have the meaning given in the Terms of Service.
2. Definitions
- “Data Protection Laws” means the UK GDPR, the Data Protection Act 2018, the Privacy and Electronic Communications Regulations 2003, and any other law in any jurisdiction relating to the processing of personal data that applies to the parties in respect of their performance under this DPA.
- “UK GDPR” means Regulation (EU) 2016/679 as incorporated into the law of the United Kingdom by the European Union (Withdrawal) Act 2018 and as amended.
- “Customer Personal Data” means personal data we process on the Controller’s behalf as part of the Service, as described in Annex 1.
- The terms “personal data”, “data subject”, “processing”, “processor”, “controller”, “sub-processor”, and “personal data breach” have the meanings given in the UK GDPR.
- “Restricted Transfer” means a transfer of Customer Personal Data from the United Kingdom to a country or territory for which no adequacy regulations under Article 45 UK GDPR are in force.
- “UK Addendum” means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the Information Commissioner under section 119A of the Data Protection Act 2018.
- “EU SCCs” means the standard contractual clauses approved by the European Commission in Decision (EU) 2021/914.
- “UK IDTA” means the International Data Transfer Agreement issued by the Information Commissioner.
3. Roles of the Parties
The parties acknowledge that, in respect of Customer Personal Data, the Controller is the controller and the Processor is the processor under the Data Protection Laws.
We may also process personal data as an independent controller for our own legitimate business purposes (for example, account administration, billing, security, fraud prevention, service improvement, and compliance with our own legal obligations). That processing is governed by our Privacy Policy and is not subject to this DPA.
4. Details of Processing
The subject matter, duration, nature, purpose of the processing, the categories of data subjects, and the types of Customer Personal Data are set out in Annex 1 below.
5. Controller Responsibilities
The Controller warrants that: (a) it has and will maintain throughout the term a valid lawful basis under Article 6 UK GDPR (and Article 9 where special category data is involved) for instructing the Processor to carry out the processing; (b) it has provided all required privacy information to data subjects under Articles 13 and 14 UK GDPR; (c) it is responsible for the accuracy, quality, and legality of Customer Personal Data and the means by which it acquired the Customer Personal Data; and (d) its instructions to the Processor comply with the Data Protection Laws.
The Controller is solely responsible for configuring the Service in line with its compliance obligations, including cookie banners, marketing consent capture, data retention settings, and access controls within its Vendor Account.
6. Processor Obligations (Article 28 UK GDPR)
The Processor will:
- (a) Documented instructions: process Customer Personal Data only on the documented instructions of the Controller, including in respect of Restricted Transfers, unless required to do otherwise by law (in which case the Processor will inform the Controller of that legal requirement before processing, unless the law prohibits such information on important grounds of public interest);
- (b) Confidentiality: ensure that persons authorised to process Customer Personal Data are bound by confidentiality obligations and have received appropriate data protection training;
- (c) Security: implement and maintain appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as described in Annex 2;
- (d) Sub-processors: only engage sub-processors in accordance with section 8;
- (e) Data subject rights: taking into account the nature of the processing, assist the Controller by appropriate technical and organisational measures, insofar as possible, in fulfilling the Controller’s obligation to respond to data subject requests under Chapter III UK GDPR;
- (f) Security, breach, DPIA, prior consultation: assist the Controller in ensuring compliance with the obligations under Articles 32 to 36 UK GDPR, taking into account the nature of the processing and the information available to the Processor;
- (g) Return or deletion: at the choice of the Controller, delete or return all Customer Personal Data after the end of the provision of the Service, and delete existing copies unless the law requires storage; and
- (h) Compliance and audits: make available to the Controller all information necessary to demonstrate compliance with Article 28 UK GDPR and allow for and contribute to audits, including inspections, in accordance with section 10.
7. Security Measures
The Processor implements and maintains the technical and organisational measures set out in Annex 2, which are designed to ensure a level of security appropriate to the risk presented by the processing. The Processor may update these measures from time to time, provided that the security of Customer Personal Data is not materially diminished. The Processor will document any material changes and make the current set of measures available to the Controller on request.
8. Sub-processors
The Controller gives the Processor general written authorisation to engage sub-processors to assist with the provision of the Service, subject to the requirements of this section. The Processor’s current list of sub-processors is maintained at orbitcommerce.net/subprocessors and is summarised in Annex 3.
The Processor will: (a) impose written contractual obligations on each sub-processor that are no less protective than those set out in this DPA, in particular obligations of confidentiality and security; (b) remain liable to the Controller for the acts and omissions of its sub-processors; and (c) give the Controller at least thirty (30) days’ advance notice of any new or replacement sub-processor (by updating the sub-processor list and, where the Controller has subscribed, by email).
The Controller may object to a new or replacement sub-processor on reasonable data protection grounds within fifteen (15) days of notice. The parties will work in good faith to resolve the objection. If the parties cannot agree a resolution within thirty (30) days, the Controller may terminate the affected part of the Service on written notice, and the Processor will refund any prepaid Fees for the unused portion.
9. Personal Data Breach
The Processor will notify the Controller without undue delay, and in any event within seventy-two (72) hours of becoming aware of a personal data breach affecting Customer Personal Data. The notification will, to the extent the information is available, include:
- a description of the nature of the breach;
- the categories and approximate number of data subjects and records concerned;
- the likely consequences of the breach;
- the measures taken or proposed to address the breach and mitigate its effects; and
- the name and contact details of the relevant point of contact at the Processor.
The Processor will cooperate with the Controller and provide such further information as the Controller reasonably requires to comply with Articles 33 and 34 UK GDPR. Notification of a breach by the Processor is not an acknowledgement of fault or liability.
10. Information and Audits
The Processor will, on the Controller’s written request and no more than once in any twelve (12) month period (except where required by a regulator or following a personal data breach), provide information reasonably necessary to demonstrate compliance with this DPA, including:
- responses to a reasonable security questionnaire;
- copies of relevant third-party audit reports, certifications, or summaries (for example, SOC 2, ISO 27001) where the Processor or a sub-processor holds them; and
- a description of any material change to the security measures.
Where the information made available under this section is not sufficient to demonstrate compliance, the Controller may request, on at least thirty (30) days’ prior written notice, an audit by an independent, mutually agreed auditor bound by confidentiality obligations. Audits will: take place during business hours; not unreasonably interfere with the Processor’s operations; respect the confidentiality and security of other vendors; and be at the Controller’s cost, unless the audit identifies material non-compliance by the Processor, in which case the Processor will bear the reasonable cost.
11. International Transfers
The Processor and its sub-processors may process Customer Personal Data outside the United Kingdom. Where such processing involves a Restricted Transfer, the parties will rely on an appropriate safeguard under Article 46 UK GDPR.
UK to non-adequate countries: The parties agree that the UK Addendum applies, with the EU SCCs (Module Two: Controller-to-Processor for transfers to the Processor; Module Three: Processor-to-Processor for transfers to sub-processors) as completed in Annex 4 below. Where the Processor and Controller prefer, the UK IDTA may be used instead of the UK Addendum together with the EU SCCs.
UK to the United States: Where the importer is certified under the UK Extension to the EU-US Data Privacy Framework, the parties may rely on that certification for transfers to that importer for as long as the certification remains valid.
The Processor will carry out a Transfer Risk Assessment for each Restricted Transfer relying on the UK Addendum, UK IDTA, or EU SCCs, and will provide a copy on the Controller’s reasonable request.
12. Data Subject Rights and Government Requests
If the Processor receives a request from a data subject in respect of Customer Personal Data, the Processor will, without responding to the request (other than to confirm receipt and signpost the Controller), forward the request to the Controller within five (5) business days.
If the Processor receives a binding legal request from a regulator, court, or government authority for Customer Personal Data, the Processor will, unless legally prohibited from doing so: (a) notify the Controller without undue delay; (b) review the request for validity and narrowness; (c) where practicable, redirect the requester to the Controller; and (d) provide only the minimum data required to comply with a valid order.
13. Return or Deletion
On termination of the Service or on the Controller’s written request, the Processor will, at the Controller’s choice, return or delete all Customer Personal Data in its possession or control, save to the extent retention is required by law or for the establishment, exercise, or defence of legal claims. The Controller is responsible for exporting Customer Personal Data within the 30-day export window described in the Terms of Service.
The Processor’s standard deletion timeline after termination is set out in the Privacy Policy. Backup copies are deleted in accordance with our standard backup rotation, after which they are no longer recoverable.
14. Liability
Each party’s liability under or in connection with this DPA is subject to the limitations and exclusions of liability set out in section 19 of the Terms of Service. Nothing in this DPA limits any liability of either party that cannot be limited under the Data Protection Laws, including liability to data subjects under Article 82 UK GDPR.
15. Term and Changes
This DPA applies for the duration of the Terms of Service and will continue to apply for so long as the Processor processes Customer Personal Data.
The Processor may amend this DPA from time to time where necessary to reflect changes in the Data Protection Laws, regulator guidance, sub-processor arrangements, or security measures, provided that such changes do not materially reduce the protection of Customer Personal Data. The Processor will give the Controller at least thirty (30) days’ notice of material changes.
Annex 1 — Details of Processing
Subject matter
The provision of the Service by the Processor to the Controller as described in the Terms of Service.
Duration
For the term of the Terms of Service plus any post-termination retention period required for export or legal compliance.
Nature and purpose
Hosting, processing, storing, transmitting, and making available Customer Personal Data so that the Controller can operate its Storefront, take orders, manage customers, and provide customer support. Processing is automated and carried out by the Service.
Categories of data subjects
- Customers and prospective Customers of the Controller’s Storefront;
- Staff and contractors of the Controller who use the Service;
- Recipients of the Controller’s marketing or transactional communications.
Types of Customer Personal Data
- Identification data (name, email, phone, billing and shipping address);
- Account credentials and access tokens (for the Controller’s end-customer accounts);
- Order, transaction, and refund information (excluding full card numbers);
- Marketing preferences, consent records, and communication history;
- Device, technical, and usage data (IP, browser, log events, cookies);
- Any other personal data the Controller chooses to upload into custom fields, notes, or files within the Service.
Special category and criminal-conviction data
Not processed by default. The Controller must not upload special category personal data (Article 9 UK GDPR) or criminal-conviction data (Article 10 UK GDPR) into the Service unless: (a) it has a lawful basis to do so; and (b) it notifies us in advance so that we can confirm whether additional safeguards are required.
Frequency of processing
Continuous, for the duration of the Service.
Annex 2 — Technical and Organisational Security Measures
The Processor implements measures appropriate to the risk under Article 32 UK GDPR, including:
- Encryption: TLS 1.2+ for data in transit; AES-256 encryption for data at rest on production storage.
- Access control: role-based access control, least-privilege principle, mandatory multi-factor authentication for production access, audit logging of administrative actions.
- Network security: segmented production environments, firewalled infrastructure, intrusion detection, denial-of-service mitigation at the edge.
- Personnel: background screening of personnel with production access, written confidentiality undertakings, mandatory annual data protection and security training.
- Secure development: code review, dependency scanning, secrets management, separation of production and non-production environments.
- Vulnerability management: regular vulnerability scanning, patch management aligned to severity, third-party penetration testing on an annual basis at minimum.
- Backups and recovery: encrypted backups with periodic restore testing, documented business continuity and disaster recovery procedures.
- Incident response: documented incident response plan with 72-hour notification commitment to the Controller for confirmed personal data breaches.
- Physical security: reliance on tier-1 hosting providers with independently audited physical security controls.
- Logging and monitoring: centralised logging, anomaly detection, retention of audit logs for at least twelve (12) months.
- Sub-processor oversight: due diligence before onboarding, written Article 28 contracts, ongoing monitoring.
Annex 3 — Sub-processors
The Processor publishes its current list of sub-processors at orbitcommerce.net/subprocessors. Categories of sub-processors include:
- Cloud infrastructure and hosting providers;
- Content delivery and edge network providers;
- Database, search, and queue services;
- Transactional email and notification providers;
- Customer support and helpdesk tooling;
- Application monitoring, logging, and error-tracking providers;
- Anti-fraud and security service providers;
- Billing and tax computation providers.
Annex 4 — International Transfer Mechanism Details
Module of the EU SCCs (where the UK Addendum is used with the EU SCCs)
Module Two (Controller to Processor) for transfers from the Controller to the Processor. Module Three (Processor to Processor) for onward transfers from the Processor to its sub-processors.
Optional clauses
Docking clause: yes. Independent dispute resolution body (Clause 11): no, unless required by law. Compensation (Clause 12): liability allocation under the Terms of Service applies subject to non-excludable obligations under Article 82 UK GDPR.
Governing law and forum
England and Wales.
Frequency of audits
As set out in section 10 of this DPA.
Technical and organisational measures
As set out in Annex 2 of this DPA.
Contact
Data protection contact: support@orbitcommerce.net
Sub-processor notifications: support@orbitcommerce.net
Postal: Orbit Technologies Limited, 2-6 Abington Square, Northampton, England, NN1 4AA.