Data processing addendum
Last updated: 9 May 2026 (2026-05-09). This DPA forms part of the agreement between Customer (“Controller” or “Customer”) and [your legal entity] (“Processor” or “we”) when we process personal data on Customer’s behalf. Adapt party names, exhibits, and SCC module with counsel.
1. Scope and roles
This DPA applies where we process personal data contained in Customer Data solely to provide the Service and as further instructed in the Terms. Customer is the controller (or processor to its own customers—in that case Customer warrants it has authority to pass down instructions). We are the processor for those processing activities.
2. Subject matter, duration, nature, and purpose
- Subject matter: hosting and operating the Cloud Billing platform for Customer.
- Duration: for the term of the subscription and until deletion under Section 9 unless law requires retention.
- Nature and purpose: storage, organisation, retrieval, display, backup, logging for security, and support as described in the Terms and product documentation.
3. Types of personal data and data subjects
Categories may include:
- Identity and contact: name, email, phone, address, role, identifiers in Customer Data (e.g. buyer contacts).
- Transactional data: invoices, orders, stock movements, attendance, shop IDs—where they relate to identifiable individuals.
- Technical data: IP address, device, auth logs linked to Users.
Data subjects may include Customer’s employees, contractors, and Customer’s own customers or suppliers. Customer is responsible for the lawful basis and notices toward those subjects.
4. Our obligations as processor
We will:
- process personal data only on documented instructions from Customer (including this DPA, the Terms, and configuration within the Service), unless EU/UK law requires otherwise—in which case we inform Customer unless prohibited;
- ensure that persons authorised to process personal data are bound by confidentiality obligations or an equivalent statutory or professional duty of confidentiality;
- implement appropriate technical and organisational measures per Article 32 GDPR, including tenant isolation, encryption in transit, access controls, and logging;
- respect subprocessor rules in Section 6 and maintain a subprocessor list on the website or upon request;
- assist Customer with data subject requests, DPIAs, and breach notifications, taking into account the nature of the processing and the information available to us, using reasonable commercial efforts;
- delete or return Customer Data as described in the Terms after the end of the service period unless law requires storage—and then restrict processing;
- make available information reasonably necessary to demonstrate compliance and allow audits conducted by Customer or a mandated auditor, subject to confidentiality, security, and no more than one audit per twelve months except for verified incidents, on thirty days’ notice during business hours, at Customer’s expense.
5. Customer instructions
Customer instructs us to process Customer Data to deliver the features it enables in the Service and to comply with documented retention and export procedures. Instructions that would break security, violate law, or require disproportionate engineering may be refused with explanation.
6. Subprocessors
Customer grants general authorisation for subprocessors we use to run the Service (e.g. Supabase, Stripe, hosting). We will impose written obligations no less protective than this DPA. We will notify Customer of new subprocessors (e.g. by updating a public list) and allow objection where replacement within reasonable time is commercially practicable; otherwise Customer may terminate the affected Service in accordance with the Terms.
Indicative list (maintain separately): infrastructure/database/auth provider (Supabase), payments (Stripe), application hosting (e.g. Vercel), email delivery (as configured).
7. Security incidents
We will notify Customer without undue delay after we confirm a personal data breach affecting Customer Data, describing nature, likely consequences, and measures taken or proposed, and document the breach. Customer is responsible for regulatory and data subject notifications concerning its controller role.
8. International transfers
Where personal data protected by EEA/UK/CH law is processed outside those areas, we implement appropriate safeguards such as EU Standard Contractual Clauses (module two or three as applicable), UK Addendum, or other lawful mechanisms. Customer may request copies of signed clauses where available.
9. Deletion and return
On termination or expiry, we delete or return Customer Data within ninety (90) days unless applicable law requires retention. Customer should export data before closure; backup copies age out according to system settings.
10. Contact
Processor contact: use the contact details on our Contact page. For joint agreements, attach signatories in an exhibit.
See also: Privacy policy, Terms, Legal centre.