Data Processing Agreement
Version: 1.0 · Effective Date: January 2026 · Last Updated: January 2026
Introduction
This Data Processing Agreement ("DPA") forms part of the agreement between Versatile Commerce Ltd ("Vastyn", "Processor", "we", "us") and the customer ("Controller", "you", "your") for the provision of the Vastyn platform services.
This DPA sets out the terms under which Vastyn will process personal data on your behalf in accordance with the UK General Data Protection Regulation (UK GDPR), the EU General Data Protection Regulation (EU GDPR), and the Data Protection Act 2018.
To execute this DPA:
Download this DPA, complete the signature section, and email it to hello@vastyn.com. We will countersign and return a copy for your records.
Parties
Processor:
- Company Name: Versatile Commerce Ltd
- Company Number: 10984996 (registered in England and Wales)
- ICO Registration: ZA483890
- Registered Address: Maritime House, Discovery Quay, Falmouth, Cornwall, TR11 3XA, United Kingdom
- Contact: hello@vastyn.com
Controller:
- Company Name: _________________________________
- Registered Address: _________________________________
- Contact Email: _________________________________
1. Definitions
| Term | Definition |
|---|---|
| "Data Protection Laws" | UK GDPR, EU GDPR, Data Protection Act 2018, and any applicable national data protection laws |
| "Personal Data" | Any information relating to an identified or identifiable natural person processed under this DPA |
| "Processing" | Any operation performed on Personal Data, including collection, storage, use, disclosure, and deletion |
| "Data Subject" | An identified or identifiable natural person whose Personal Data is processed |
| "Sub-processor" | A third party engaged by the Processor to process Personal Data on behalf of the Controller |
| "Services" | The Vastyn platform and related services provided under our Terms of Service |
| "Security Incident" | A breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data |
2. Scope and Purpose
2.1 Scope
This DPA applies to all Processing of Personal Data by Vastyn on behalf of the Controller in connection with the Services.
2.2 Purpose of Processing
Vastyn processes Personal Data solely to provide the Services, which include:
- Multi-channel e-commerce operations management
- Order management and fulfilment
- Inventory synchronisation across marketplaces
- Product and catalogue management
- Reporting and analytics
- Customer support
2.3 Relationship of Parties
- You (the Controller): Determine the purposes and means of Processing Personal Data
- Vastyn (the Processor): Processes Personal Data only on your documented instructions
3. Details of Processing
3.1 Categories of Data Subjects
Personal Data processed may relate to:
| Category | Examples |
|---|---|
| Your customers | Buyers who purchase products through your sales channels |
| Your staff | Employees or contractors who access the Vastyn platform |
| Your suppliers | Supplier contacts for purchasing and fulfilment |
3.2 Types of Personal Data
| Data Type | Examples |
|---|---|
| Identity data | Names, usernames |
| Contact data | Email addresses, phone numbers, shipping/billing addresses |
| Transaction data | Order details, purchase history, payment references |
| Technical data | IP addresses, browser information, access logs |
3.3 Special Category Data
Vastyn does not require or intentionally process special category data (e.g., health, religious beliefs, biometric data). You must not upload special category data to the platform.
3.4 Duration of Processing
Processing continues for the duration of the Services agreement plus 90 days, after which Personal Data is deleted unless its retention is legally required.
4. Controller Obligations
As the Controller, you warrant and undertake that:
- 4.1 You have a lawful basis for Processing the Personal Data and for instructing Vastyn to process it on your behalf.
- 4.2 You have provided appropriate privacy notices to Data Subjects informing them of the Processing.
- 4.3 You have obtained any necessary consents where required.
- 4.4 Your instructions to Vastyn comply with Data Protection Laws.
- 4.5 You will not provide special category data or data relating to criminal convictions.
- 4.6 You will promptly inform Vastyn if any of your instructions may infringe Data Protection Laws.
5. Processor Obligations
Vastyn warrants and undertakes to:
5.1 Processing Instructions
- Process Personal Data only on your documented instructions, unless required by law
- Inform you if we believe an instruction infringes Data Protection Laws
- Not process Personal Data for any purpose other than providing the Services
5.2 Confidentiality
- Ensure personnel authorised to process Personal Data are bound by confidentiality obligations
- Limit access to Personal Data to personnel who need it to provide the Services
5.3 Security
- Implement appropriate technical and organisational measures to protect Personal Data (see Section 7)
- Regularly test, assess, and evaluate the effectiveness of security measures
5.4 Sub-processors
- Not engage Sub-processors without your prior authorisation (see Section 6)
- Ensure Sub-processors are bound by equivalent data protection obligations
5.5 Data Subject Rights
- Assist you in responding to Data Subject requests (access, rectification, deletion, etc.)
- Notify you promptly upon receiving a Data Subject request directly
5.6 Security Incidents
- Notify you without undue delay (and within 48 hours) upon becoming aware of a Security Incident
- Provide information to assist your notification obligations to supervisory authorities and Data Subjects
5.7 Data Protection Impact Assessments
- Provide reasonable assistance for data protection impact assessments where required
5.8 Audit
- Make available information necessary to demonstrate compliance with this DPA
- Allow for and contribute to audits and inspections (see Section 9)
5.9 Deletion
- Upon termination, delete or return all Personal Data within 90 days, unless legally required to retain it
- Provide certification of deletion upon request
6. Sub-processors
6.1 Authorised Sub-processors
You provide general authorisation for Vastyn to engage the Sub-processors listed at: vastyn.com/subprocessors
Current Sub-processors:
| Sub-processor | Purpose | Location |
|---|---|---|
| Amazon Web Services (AWS) | Cloud infrastructure and hosting | UK/EU/US (user's region) |
| Stripe | Payment processing | UK/EU/US |
| AWS SES | Transactional email | User's region |
| Google Analytics | Website analytics (anonymised) | US (with SCCs) |
6.2 Changes to Sub-processors
- We will notify you at least 30 days before engaging a new Sub-processor
- Notification will be via email to your registered account email
- You may object to a new Sub-processor by notifying us within 14 days
- If we cannot address your objection, you may terminate the affected Services
6.3 Sub-processor Agreements
We ensure all Sub-processors are bound by written agreements imposing data protection obligations equivalent to this DPA.
7. Security Measures
Vastyn implements the following technical and organisational measures:
7.1 Technical Measures
| Measure | Implementation |
|---|---|
| Encryption in transit | TLS 1.2 or higher for all data transmission |
| Encryption at rest | AES-256 encryption for all stored data |
| Access control | Role-based access control (RBAC), multi-factor authentication |
| Network security | Firewalls, intrusion detection, DDoS protection |
| Logging and monitoring | Comprehensive audit logs, 24/7 monitoring |
| Backup and recovery | Automated backups, point-in-time recovery |
| Vulnerability management | Regular security testing, dependency scanning |
7.2 Organisational Measures
| Measure | Implementation |
|---|---|
| Personnel security | Background checks, confidentiality agreements |
| Training | Security awareness training for all staff |
| Access management | Least privilege principle, regular access reviews |
| Incident response | Documented incident response procedures |
| Business continuity | Disaster recovery planning, redundant systems |
7.3 Certifications
Our infrastructure provider (AWS) maintains:
- ISO 27001, ISO 27017, ISO 27018
- SOC 1, SOC 2, SOC 3
- PCI DSS Level 1
For full details, see: vastyn.com/security
8. International Transfers
8.1 Data Location
Personal Data is stored in the AWS region corresponding to your location:
| Your Location | Data Stored In |
|---|---|
| United Kingdom | AWS London (eu-west-2) |
| European Union | AWS Frankfurt (eu-central-1) |
| United States | AWS US regions |
8.2 Transfer Mechanisms
Where transfers outside the UK/EEA are necessary, we rely on:
- UK International Data Transfer Agreement (IDTA) — For transfers from the UK
- EU Standard Contractual Clauses (SCCs) — For transfers from the EEA
- Adequacy decisions — Where applicable
8.3 No Unnecessary Transfers
We do not transfer Personal Data outside your region except where necessary to provide the Services with appropriate safeguards in place.
9. Audit Rights
9.1 Information Access
Upon reasonable request, Vastyn will provide:
- Documentation of security measures
- Summary of audit reports and certifications
- Evidence of Sub-processor compliance
9.2 On-Site Audits
You may conduct or commission an audit of our Processing activities, subject to:
- Reasonable advance notice (minimum 30 days)
- Mutually agreed scope and timing
- Confidentiality obligations
- Costs borne by you (unless the audit reveals material non-compliance)
9.3 Third-Party Audits
You may accept third-party audit reports (e.g., SOC 2) as evidence of compliance in lieu of conducting your own audit.
10. Data Subject Rights
10.1 Assistance
Vastyn will assist you in fulfilling your obligations to respond to Data Subject requests, including:
| Right | Our Assistance |
|---|---|
| Right of access | Provide data export functionality; assist with specific requests |
| Right to rectification | Enable you to correct data; assist where needed |
| Right to erasure | Delete data upon instruction; confirm deletion |
| Right to restriction | Implement processing restrictions as instructed |
| Right to portability | Provide data in portable formats |
| Right to object | Cease processing upon instruction |
10.2 Direct Requests
If a Data Subject contacts Vastyn directly, we will:
- Promptly notify you (within 5 business days)
- Not respond directly unless legally required or instructed by you
- Provide information to assist your response
10.3 Costs
Reasonable assistance is provided at no additional cost. Extensive or complex requests may incur fees at our standard rates, notified in advance.
11. Security Incidents
11.1 Notification
Upon becoming aware of a Security Incident, Vastyn will:
- Notify you without undue delay (within 48 hours)
- Provide initial information about the nature and scope of the incident
- Provide ongoing updates as the investigation progresses
11.2 Information Provided
Notification will include (to the extent known):
- Description of the incident
- Categories and approximate number of Data Subjects affected
- Categories and approximate number of records affected
- Likely consequences
- Measures taken or proposed to address the incident
11.3 Cooperation
Vastyn will:
- Cooperate with your investigation
- Assist with notifications to supervisory authorities and Data Subjects
- Implement measures to mitigate effects and prevent recurrence
11.4 Documentation
We maintain records of all Security Incidents, including facts, effects, and remedial actions.
12. Term and Termination
12.1 Term
This DPA remains in effect for the duration of your use of the Services.
12.2 Survival
Sections 5.9 (Deletion), 9 (Audit Rights), 11 (Security Incidents), and 13 (Liability) survive termination.
12.3 Effect of Termination
Upon termination:
- We will cease Processing Personal Data (except for deletion)
- We will delete all Personal Data within 90 days
- We will provide certification of deletion upon request
- Legally required retention will be disclosed to you
13. Liability
13.1 Liability Cap
Total liability under this DPA is subject to the limitations in our Terms of Service.
13.2 Indemnification
Each party will indemnify the other for losses arising from its breach of this DPA or Data Protection Laws.
13.3 Regulatory Fines
Liability for regulatory fines is allocated to the party whose act or omission caused the fine, subject to the liability cap.
14. General Provisions
14.1 Governing Law
This DPA is governed by the laws of England and Wales.
14.2 Jurisdiction
Disputes are subject to the exclusive jurisdiction of the courts of England and Wales.
14.3 Amendments
We may update this DPA to reflect changes in Data Protection Laws. Material changes will be notified 30 days in advance.
14.4 Entire Agreement
This DPA, together with the Terms of Service and Privacy Policy, constitutes the entire agreement regarding data processing.
14.5 Severability
If any provision is found unenforceable, the remaining provisions continue in effect.
14.6 Precedence
In case of conflict between this DPA and the Terms of Service regarding data protection, this DPA prevails.
15. Signatures
This DPA is effective when signed by both parties.
CONTROLLER
PROCESSOR
How to Execute This DPA
- Download the PDF version of this DPA
- Complete the Controller details and signature section
- Email the signed DPA to hello@vastyn.com
- Receive a countersigned copy within 5 business days
Questions?
If you have questions about this DPA or need assistance:
Email: hello@vastyn.com
Post:
Versatile Commerce Ltd
Maritime House, Discovery Quay
Falmouth, Cornwall
TR11 3XA
United Kingdom
Related Documents
| Document | Description |
|---|---|
| Privacy Policy | How we collect and use personal data |
| Terms of Service | Agreement governing use of the Services |
| Security | Our security measures and practices |
| Subprocessors | List of third-party processors |
Document Information
| Field | Value |
|---|---|
| Document: | Data Processing Agreement |
| Controller: | Versatile Commerce Ltd |
| Company Number: | 10984996 |
| ICO Registration: | 00019463104 |
| Version: | 1.0 |
| Effective Date: | January 2026 |
| Last Updated: | January 2026 |