Data Processing Agreement

Last Updated: 17 May 2026 · Version 1.0.0

This Data Processing Agreement ("DPA") forms part of the Terms of Service between YourCart Ltd ("YourCart", "we", "us", "Processor") and the merchant (the merchant, "you", "Controller") subscribed to the YourCart platform. It governs the processing of personal data carried out by YourCart on behalf of the Controller in connection with the YourCart service.

---

1. Definitions

For the purposes of this DPA:

• "Personal Data" has the meaning given in the UK GDPR.
• "Data Subject" means an identified or identifiable natural person whose Personal Data is processed under this DPA — typically your end customers, your staff, and your account contacts.
• "Processing" means any operation performed on Personal Data, including collection, storage, use, transmission, and deletion.
• "Sub-processor" means any third party engaged by YourCart to process Personal Data on behalf of the Controller.
• "Personal Data Breach" means a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data.

2. Roles

You are the Controller of the Personal Data of your customers and any other Data Subjects whose data flows through your YourCart-hosted storefront and apps. You determine the purposes and means of processing.

YourCart is the Processor acting on documented instructions from you. Your instructions are: provide the YourCart service to you and your customers in accordance with the Terms of Service.

YourCart's own internal handling of merchant-account-holder personal data (your name, email, billing address, etc.) is governed by our Privacy Policy. That processing is on a Controller basis between us and you, separate from this DPA.

3. Scope and duration

This DPA applies for as long as the Terms of Service remain in force between the parties, plus any extended retention period required by sections 9 and 10 below.

4. Subject matter, nature, and purpose of processing

Aspect	Detail
Subject matter	Personal Data of the merchant's customers, staff, and contacts, processed for the operation of the merchant's online storefront and branded mobile apps
Nature of processing	Collection, storage, transmission, search, retrieval, segmentation (for push notifications), backup, deletion
Purpose	Enabling the merchant to operate their YourCart-provided storefront, apps, and related features (push notifications, order management, customer support, marketing where consented)
Categories of Data Subject	(i) the merchant's customers; (ii) the merchant's staff with platform access; (iii) the merchant's account contact persons
Categories of Personal Data	Names, email addresses, postal addresses, phone numbers, order history, payment-method tokens (we do not store full card numbers — Stripe does), push-notification device tokens, IP addresses, app/web usage telemetry
Special categories (Article 9)	None expected. Merchants must NOT use the platform to process Article 9 data (health, biometric, ethnicity, religion, etc.) unless they have separately notified us in writing and we have provided written consent — we are not configured for it.

5. Sub-processors

YourCart engages the following sub-processors to deliver the service:

Sub-processor	Purpose	Data location	Transfer mechanism
Stripe Payments Europe Ltd	Payment processing, subscription billing, Connect-account payouts	Ireland (primary), United States (failover)	Stripe is its own Controller for payment data, processing under its own DPA; UK GDPR adequacy regulations apply for EEA→UK transfers
Google LLC (Firebase)	Push-notification delivery (FCM), authentication tokens, Firestore for ephemeral state	United States	Standard Contractual Clauses (UK addendum); Google's Cross-Border Data Transfers terms
Microsoft Ireland Operations Limited (Azure)	Application hosting (Flask APIs), SQL Server (primary data store), Blob Storage, Key Vault	UK South region (primary)	Data residency UK; Microsoft Online Services DPA. EMEA contracting entity: Microsoft Ireland Operations Limited, 70 Sir John Rogerson's Quay, Dublin, D02 R296, Ireland
Mailgun Technologies Inc.	Transactional email delivery (account, password-reset, support, BugReport admin notifications)	United States	UK International Data Transfer Addendum (IDTA) to the EU Standard Contractual Clauses

YourCart maintains an up-to-date list of sub-processors at https://yourcart-api-prod.azurewebsites.net/SubProcessors. Material changes (addition or replacement of a sub-processor) will be notified to merchants by email at least 14 days before the change takes effect, giving you the option to object.

If you object to a new sub-processor, your sole remedy is to terminate the Terms of Service for convenience under its termination provisions. Termination on this basis does not entitle you to any refund beyond what is set out in the Refund Policy. We may, at our discretion, engage with reasonable objections, but are under no obligation to do so or to alter our sub-processor selection.

6. Security measures

YourCart implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including:

• Encryption in transit (TLS 1.2 minimum on all merchant- and customer-facing endpoints).
• Encryption at rest for: Stripe-managed card data (Stripe), SQL Server data (Azure SQL TDE), Blob storage (Azure-managed encryption), Key Vault secrets (HSM-backed).
• Access controls — role-based access for the YourCart team; merchant access scoped to their own data via the multi-tenant database pattern; principle of least privilege for sub-processor service accounts.
• Audit logs — application-level logs of authentication events and admin actions; retained per the retention schedule below.
• Backup and recovery — daily SQL Server backups with point-in-time restore; 30-day retention.
• Vulnerability management — dependency scanning, Azure Advanced Security alerts, and incident response procedures.
• Pseudonymisation and data minimisation where reasonably practicable.

7. Personal Data Breach notification

YourCart will notify the Controller of any Personal Data Breach affecting the Controller's data without undue delay and in any event within 72 hours of YourCart confirming, after reasonable preliminary investigation, that a Personal Data Breach has occurred and materially affects the Controller's data. The 72-hour clock runs from such confirmation, not from the receipt of an initial alert, indicator, or unverified report. Notification will include:

• The nature of the breach (categories and approximate volumes of Data Subjects and Personal Data records affected).
• Contact details of the YourCart point of contact.
• The likely consequences of the breach.
• The measures taken or proposed to address the breach and mitigate its effects.

The Controller is responsible for any onward notification to its Data Subjects and the Information Commissioner's Office (ICO) where required under UK GDPR Articles 33 and 34.

8. Data Subject rights

YourCart will assist the Controller in responding to Data Subject requests under UK GDPR (access, rectification, erasure, restriction, portability, objection) within 30 days of receiving the Controller's written request, subject to YourCart's reasonable assessment of feasibility and operational capacity. Where a request requires manual investigation, the 30-day window may be extended in line with UK GDPR Article 12(3). Specifically:

• On the Controller's written request, we return the merchant's customer Personal Data in CSV + JSON within the 30-day window above. Where a self-service export endpoint is later made available from the merchant admin app, the contractual response window remains the same.
• On the Controller's written request, we delete the specified Data Subject's Personal Data from primary storage within 30 days, retaining only what is required for legal compliance (transactional records for HMRC retention, etc.). Where a self-service deletion endpoint is later made available from the merchant admin app, the contractual response window remains the same.
• We do not respond directly to a Data Subject; the Controller is the first point of contact and instructs us.

9. Return and deletion of Personal Data on termination

On termination of the Terms of Service for any reason, YourCart will, at the Controller's choice (notified in writing within 14 days of termination), either:

• Return all Personal Data of the Controller's customers in CSV + JSON form (the same format as Controller-initiated export requests under section 8 above), and thereafter delete it from active systems within 30 days of confirmation of return; or
• Delete all Personal Data immediately and provide written confirmation of deletion.

If the Controller does not communicate a choice within the 14-day window, YourCart will delete all Personal Data without further notice and is not required to provide a return.

Data may be retained beyond these timelines only where required by applicable law (e.g. HMRC retention obligations on financial records — typically 6 years from end of accounting period). Such retained data is segregated and not used for any operational purpose.

10. Audit rights

The Controller may, on 30 days' written notice and not more than once in any 12-month period, audit YourCart's compliance with this DPA. Audits are limited to:

• Review of YourCart-provided documentation (security overview, sub-processor list, incident summaries); and
• Written questionnaires, with a reasonable response window agreed by the parties.

On-site, remote, or third-party-led inspections of YourCart systems, premises, or personnel are not permitted under this DPA. The Controller's sole remedy if dissatisfied with the outcome of an audit is termination of the Terms of Service in accordance with its provisions. The Controller bears its own costs of any audit, and YourCart's reasonable costs of responding (including engineering time at standard professional rates) may be recovered by YourCart where an audit is requested more than once in any 12-month period or where it reveals no material non-compliance.

11. International data transfers

Where Personal Data is transferred outside the United Kingdom, YourCart relies on:

• UK adequacy regulations for transfers to the European Economic Area (EEA).
• The UK International Data Transfer Addendum (IDTA) to the EU Standard Contractual Clauses for transfers to other jurisdictions, including the United States (Firebase, Mailgun).
• Any other transfer mechanism approved by the ICO from time to time.

A list of current transfer destinations is given in section 5 above.

12. Liability

This DPA forms part of the Terms of Service. YourCart's aggregate liability under or in connection with this DPA, in contract, tort (including negligence), breach of statutory duty, or otherwise, is capped at the lesser of:

• the subscription fees paid by the Controller to YourCart in the 12 months preceding the event giving rise to the claim; or
• £5,000 (five thousand pounds sterling).

This cap applies save where applicable law (including UK GDPR and Data Protection Act 2018) requires uncapped liability for specific categories of breach. The Controller acknowledges that this cap reflects the commercial pricing of the YourCart service, the parties' allocation of risk, and is reasonable in light of both. Nothing in this section limits liability for fraud, fraudulent misrepresentation, or any liability that cannot be limited or excluded under English law.

13. Controller indemnity

The Controller will indemnify and hold harmless YourCart, its officers, employees, contractors, and agents from and against any claim, loss, fine, regulatory penalty, or legal cost (including reasonable legal fees) arising from or in connection with:

• the Controller's unlawful or non-compliant Processing instructions;
• the Controller's failure to obtain or maintain a lawful basis under UK GDPR for any Processing carried out via the YourCart service;
• any Data Protection Impact Assessment that the Controller was required to perform under UK GDPR Article 35 but did not perform, or performed inadequately;
• any onward disclosure or use of Personal Data by the Controller, the Controller's staff, or third parties acting on the Controller's behalf;
• any breach by the Controller of this DPA or of UK GDPR.

This indemnity survives termination of the Terms of Service.

14. High-risk Processing — limitation

YourCart is not designed for, and makes no representation or warranty as to suitability for, Processing in scenarios that engage UK GDPR Article 35 (high-risk Processing requiring a Data Protection Impact Assessment). Examples include systematic profiling with legal or similarly significant effects, large-scale Processing of Special Category data, and large-scale systematic monitoring of publicly accessible areas. Where the Controller's intended Processing engages Article 35, the Controller is solely responsible for performing any required DPIA, identifying mitigations, and managing ongoing risk. YourCart accepts no responsibility for the lawfulness or adequacy of such Processing, and no clause of this DPA shall be construed as YourCart accepting Controller obligations in respect of high-risk Processing.

15. Governing law and jurisdiction

This DPA is governed by the laws of England and Wales. The courts of England and Wales have exclusive jurisdiction over disputes arising from it.

16. Order of precedence

In the event of conflict between this DPA and the Terms of Service, this DPA prevails on matters of Personal Data processing. The Terms of Service prevail on all other matters.

17. Contact