DATA PROCESSING AGREEMENT (DPA)
Effective Date: February 26, 2026
This Data Processing Agreement ("DPA") forms part of the Master Service Agreement or Terms of Service (the "Agreement") between:
- Venderly ("Processor"), acting as a Data Processor.
- The Customer (as defined in the Agreement), acting as a Data Controller.
1. Definitions
- Data Protection Laws: The UK GDPR, the Data Protection Act 2018, the EU GDPR (Regulation (EU) 2016/679), and the UK Data (Use and Access) Act 2025, each as amended from time to time.
- Sub-processor: Any third party (for example, Vercel, Neon, Cloudflare R2, Stripe, or Resend) appointed by Venderly to process personal data.
2. Processing of Personal Data
2.1 Instructions
Venderly shall process Personal Data only on the documented instructions of the Customer, including with regard to transfers of personal data to a third country.
2.2 Purpose
The objective of the processing is the provision of vendor onboarding and procurement management services.
2.3 Duration
Processing shall continue for the duration of the Agreement plus any post-termination retention period required by law (typically 7 years for financial records).
3. Venderly Obligations
3.1 Confidentiality
Venderly ensures that persons authorised to process personal data have committed themselves to confidentiality.
3.2 Security
Taking into account the state of the art and the service architecture (including Vercel-hosted services, Neon managed PostgreSQL, and Cloudflare R2 object storage), Venderly shall implement appropriate technical and organisational measures (including access controls, encryption in transit, and encryption at rest via infrastructure providers) to ensure a level of security appropriate to the risk.
3.3 Right to Complain (2026 Compliance)
Venderly shall provide the Customer with the information and assistance necessary to fulfil the Customer's obligation under the Data (Use and Access) Act 2025 to facilitate data subject complaints, including acknowledging a complaint within the 30-day statutory window and responding to it without undue delay.
4. Sub-processors
4.1 Authorisation
The Customer provides a general written authorisation for Venderly to engage Sub-processors.
4.2 Current List
The Customer acknowledges the following primary Sub-processors:
- Vercel, Inc.: Application hosting and delivery.
- Neon, Inc.: Managed PostgreSQL database hosting.
- Cloudflare, Inc. (R2): S3-compatible object storage services.
- Stripe, Inc.: Payment processing and related financial workflows (where enabled).
- Resend, Inc.: Transactional email delivery (where enabled).
4.3 Notification
Venderly shall inform the Customer of any intended changes concerning the addition or replacement of Sub-processors via [Email/Dashboard], giving the Customer the opportunity to object.
5. Data Subject Rights
5.1 Assistance
Venderly shall, insofar as possible, assist the Customer by appropriate technical and organisational measures for the fulfilment of the Customer's obligation to respond to requests for exercising Data Subject rights (for example, Access, Erasure, and Portability).
6. Personal Data Breach
6.1 Notification
Venderly shall notify the Customer without undue delay after becoming aware of a personal data breach affecting the Customer's personal data. Such notification shall, to the extent known at the time, describe the nature of the breach (including the categories and approximate number of data subjects and records concerned), the likely consequences, the measures taken or proposed to address it, and a contact point for more information, so that the Customer can meet its own notification obligations under Article 33 of the GDPR. Where this information is not all available at once, Venderly may provide it in phases without further delay.
7. Audit Rights
7.1 Compliance
Venderly shall make available to the Customer all information necessary to demonstrate compliance with Article 28 of the GDPR and allow for and contribute to audits or inspections.
Annex 1: Details of Processing
- Categories of Data Subjects: Customer employees, vendor employees, and point-of-contact individuals.
- Types of Personal Data: Names, business emails, Tax IDs, insurance certificates, banking details, and IP addresses.
- Nature of Processing: Storage, retrieval, organisation, and transmission of vendor compliance documentation.