Data Processing Agreement

For the purposes of this DPA, the following definitions apply:

• "Data Protection Laws" means the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations 2003 (PECR), as amended or replaced from time to time.
• "Personal Data" means any information relating to an identified or identifiable natural person as defined in Article 4(1) of the UK GDPR.
• "Processing" means any operation performed on Personal Data, including collection, recording, organisation, storage, adaptation, retrieval, consultation, use, disclosure, erasure, or destruction.
• "Data Subject" means the identified or identifiable natural person to whom Personal Data relates.
• "Controller" means Keep It What Limited, the entity that determines the purposes and means of Processing Personal Data.
• "Processor" means a third-party service provider that processes Personal Data on behalf of the Controller.
• "Sub-processor" means any Processor engaged by another Processor to carry out Processing activities on behalf of the Controller.
• "Security Incident" means any accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data.
• "Standard Contractual Clauses" or "SCCs" means the contractual clauses approved by the UK Information Commissioner's Office for international data transfers.

This DPA applies to all Processing of Personal Data carried out by our Processors in connection with:

• The provision of personalised gift products and services
• Order processing, payment handling, and fulfilment
• Customer account management and authentication
• Customer communications including order confirmations and marketing (where consented)
• Website hosting, analytics, and performance monitoring
• Customer support and live chat services

2.1 Categories of Personal Data Processed

• Identity Data: Name, email address, phone number
• Contact Data: Billing and shipping addresses
• Transaction Data: Order history, payment records, product customisation details
• Technical Data: IP address, browser type, device information, cookies
• Usage Data: Page views, click patterns, session duration
• User Content: Uploaded photos for product personalisation, review content

2.2 Categories of Data Subjects

• Website visitors
• Registered customers
• Guest checkout users
• Newsletter subscribers
• Live chat users

We use the following Sub-processors to deliver our services. Each has been vetted for GDPR compliance and has appropriate data processing agreements in place:

We will notify you of any intended changes to Sub-processors by updating this page. You may object to new Sub-processors by contacting us within 14 days of notification at privacy@keepitwhat.com.

All Processors engaged by Keep It What Limited are contractually required to:

4.1 Processing Instructions

• Process Personal Data only on our documented instructions
• Not process Personal Data for any purpose other than providing the agreed services
• Inform us immediately if an instruction infringes Data Protection Laws

4.2 Confidentiality

• Ensure all personnel processing Personal Data are bound by confidentiality obligations
• Limit access to Personal Data to those who need it to perform their duties
• Maintain appropriate access controls and authentication measures

4.3 Security Measures

• Implement appropriate technical and organisational security measures
• Encryption of Personal Data in transit (TLS 1.2+) and at rest
• Regular security assessments and penetration testing
• Maintain SOC 2 Type II or equivalent certification where applicable
• Implement access logging and monitoring

4.4 Sub-processing

• Not engage Sub-processors without our prior written authorisation
• Impose equivalent data protection obligations on all Sub-processors
• Remain liable for Sub-processor compliance

Processors must assist us in responding to Data Subject requests to exercise their rights under Data Protection Laws:

• Right of Access (Article 15): Provide copies of Personal Data being processed
• Right to Rectification (Article 16): Correct inaccurate Personal Data
• Right to Erasure (Article 17): Delete Personal Data where legally required
• Right to Restriction (Article 18): Limit Processing in certain circumstances
• Right to Data Portability (Article 20): Provide Personal Data in machine-readable format
• Right to Object (Article 21): Cease Processing where legally required

Processors must respond to our requests for assistance within 5 business days to enable us to meet the statutory 30-day response deadline for Data Subject requests.

In the event of a Security Incident, Processors must:

6.1 Notification Timeline

• Notify us without undue delay and no later than 24 hours after becoming aware of a Security Incident
• Provide initial notification via email to security@keepitwhat.com
• Follow up with detailed written report within 48 hours

6.2 Notification Content

Security Incident notifications must include:

• Description of the nature of the incident
• Categories and approximate number of Data Subjects affected
• Categories and approximate number of Personal Data records affected
• Name and contact details of the Processor's data protection contact
• Likely consequences of the incident
• Measures taken or proposed to address the incident
• Measures taken to mitigate possible adverse effects

6.3 Our Obligations

Upon receiving notification, we will:

• Assess whether the incident requires notification to the ICO (within 72 hours of awareness)
• Determine whether affected Data Subjects must be notified
• Coordinate response and remediation efforts with the Processor
• Document the incident and response actions taken

Where Personal Data is transferred outside the United Kingdom, we ensure appropriate safeguards are in place:

7.1 Transfer Mechanisms

• UK Adequacy Decisions: Transfers to countries deemed adequate by the UK Government
• UK Standard Contractual Clauses: ICO-approved contractual clauses for transfers to non-adequate countries
• UK International Data Transfer Agreement (IDTA): Where required as an addendum to EU SCCs
• Binding Corporate Rules: Where approved by the ICO

7.2 Transfer Impact Assessments

For transfers to countries without adequacy decisions, we conduct Transfer Impact Assessments considering:

• The legal framework of the destination country
• Any relevant government access to data
• Supplementary measures implemented by the Processor
• Practical experience of the Processor regarding government requests

7.3 USA Transfers

Several of our Sub-processors are based in the United States. Following the invalidation of Privacy Shield, we rely on UK Standard Contractual Clauses and supplementary measures including:

• Encryption of data in transit and at rest
• Access controls and authentication
• Contractual commitments to challenge government requests
• Transparency reports where available

To verify compliance with this DPA and Data Protection Laws:

8.1 Information Rights

• Processors must make available all information necessary to demonstrate compliance
• Provide copies of relevant policies, procedures, and certifications upon request
• Respond to compliance questionnaires within 14 days

8.2 Audit Rights

• We may conduct audits directly or through an independent auditor
• Reasonable notice of at least 30 days will be provided for non-urgent audits
• Processors must allow and contribute to audits and inspections
• Audit costs are borne by us unless material non-compliance is discovered

8.3 Third-Party Certifications

We accept the following as evidence of compliance:

• SOC 2 Type II reports (within the last 12 months)
• ISO 27001 certification
• PCI DSS certification (for payment processors)
• Independent penetration test reports

9.1 Retention Periods

Personal Data is retained only as long as necessary for the purposes for which it was collected:

• Customer account data: Duration of account plus 2 years
• Order and transaction data: 7 years (HMRC requirements)
• Customer communications: 3 years from last interaction
• Analytics data: 26 months (GA4 default)
• Error logs: 90 days
• Uploaded images: Duration of order fulfilment plus 30 days

9.2 Deletion Obligations

Upon termination of services or at our request, Processors must:

• Delete all Personal Data within 30 days unless retention is required by law
• Provide written certification of deletion upon request
• Ensure deletion from all systems including backups (within backup retention periods)
• Instruct Sub-processors to delete Personal Data

9.3 Return of Data

Upon request, before deletion, Processors must:

• Return Personal Data in a commonly used, machine-readable format
• Provide data export within 30 days of request
• Not charge additional fees for data return

10.1 Processor Liability

Processors are liable for damages caused by Processing that:

• Does not comply with Data Protection Laws
• Is outside or contrary to our lawful instructions
• Results from their failure to meet obligations under this DPA

10.2 Indemnification

Processors agree to indemnify us against:

• Fines, penalties, and regulatory sanctions resulting from their non-compliance
• Claims, damages, and costs arising from Security Incidents caused by their negligence
• Losses resulting from their failure to assist with Data Subject requests

10.3 Limitation of Liability

Nothing in this DPA limits liability for death, personal injury, fraud, or any liability that cannot be excluded under applicable law.

This DPA:

• Commences on the date Personal Data is first processed by a Processor
• Continues for the duration of the Processing activities
• Survives termination of the underlying service agreement to the extent Personal Data remains in the Processor's possession

11.1 Termination for Breach

We may terminate Processing arrangements immediately if a Processor:

• Materially breaches this DPA and fails to remedy within 14 days of notice
• Experiences a Security Incident demonstrating inadequate security measures
• Fails to comply with Data Protection Laws
• Is subject to regulatory action regarding data protection

This DPA is governed by the laws of England and Wales.

The courts of England and Wales have exclusive jurisdiction to settle any dispute arising from or connected with this DPA.

Without prejudice to the above, Data Subjects may bring claims before the courts of their Member State of residence pursuant to Article 79 of the UK GDPR.