Data Processing Agreement (DPA)

1) Parties, scope & duration

Controller (“Client”): the business entity that signs up to EU Returns Hub services (details as per order form / signup).

Processor: EU Returns Hub — Dzianis Vislavus (details above).

This DPA forms part of and is incorporated into the Service Terms/Order between the parties. It applies to Processor’s handling of Personal Data on behalf of Controller when providing the services described in Annex I. The DPA is effective from the earlier of: (a) online acceptance; or (b) signature by both parties; and continues for the term of the underlying services.

2) Definitions

Terms “Personal Data”, “Processing”, “Controller”, “Processor”, “Data Subject”, “Personal Data Breach”, and “Supervisory Authority” have the meanings set out in the EU GDPR. Where relevant, references to GDPR shall be read to include the UK GDPR (Data Protection Act 2018) and Swiss FADP for processing subject to those laws.

3) Roles & responsibilities

• Controller determines the purposes and means of Processing and ensures a lawful basis and transparency towards Data Subjects.
• Processor processes Personal Data only on behalf of Controller and does not determine purposes/means.
• Unless otherwise agreed in writing, Processor does not process special categories of data.

4) Controller’s instructions

Processor shall process Personal Data only on documented instructions from Controller, including with respect to transfers to a third country or international organisation, unless required by EU or Member State law. In that case, Processor shall inform Controller before Processing, unless prohibited by law.

5) Processor obligations

• Confidentiality: persons authorised to process Personal Data are bound by confidentiality.
• Security: appropriate technical and organisational measures (“TOMs”) as in Annex II, maintained proportionate to risk.
• Sub-processing: engagement only under Section 7; Processor remains responsible for sub-processors.
• Records: records of Processing activities per Art. 30(2) GDPR.
• Assistance: reasonable help with Arts. 32–36 GDPR (security, breach notifications, DSARs, DPIAs).
• Purpose limitation: no selling, profiling, or use for advertising; Processing only for services delivery.
• Training: security and privacy training appropriate to role.
• No profiling/ads/ML training: Processor will not use Personal Data for targeted advertising, profiling unrelated to the services, or training of machine-learning models (including foundation/AI models) beyond what is strictly necessary to provide the services, unless expressly instructed by Controller in writing.

6) Security measures

Baseline TOMs are listed in Annex II and include access control, encryption in transit, EU-hosted storage, logging/monitoring, vulnerability management, and physical safeguards at the warehouse.

7) Sub-processors

Controller grants general authorisation to engage sub-processors listed at /subprocessors.html. Processor will (a) impose obligations no less protective than this DPA; (b) remain liable for sub-processor performance; and (c) provide prior notice of changes via that page or email at least 15 days in advance. Controller may object on reasonable grounds; if unresolved, Controller may terminate the affected services without penalty.

8) International transfers

Processing is primarily within the EEA/UK/Switzerland. Processor will not transfer Personal Data outside those areas unless instructed or permitted by Controller, or required by law. For such transfers, Processor will implement an appropriate transfer mechanism (e.g., EU/UK Standard Contractual Clauses) and, where needed, perform and document a transfer impact assessment (TIA) and apply supplementary measures. If Controller requests use of non-EEA channels or providers (e.g., WeChat support, exports to CN), that constitutes Controller’s instruction to transfer the minimum necessary contact/shipping data for that purpose.

9) Personal data breach

Processor shall notify Controller of a Personal Data Breach without undue delay and no later than 36 hours after becoming aware, sharing available details and follow-up updates to enable Controller to meet its obligations.

10) Data subject rights & DPIA assistance

• Processor will promptly forward Data Subject requests it receives and assist Controller in responding within statutory time limits.
• Processor will reasonably assist with DPIAs and prior consultations proportionate to the Processing and information available to Processor.

Processor will acknowledge Data Subject requests within 2 business days and provide reasonable assistance to enable Controller to respond within statutory time limits (typically 30 days under GDPR). For DPIA/prior consultation support, Processor will respond to reasonable requests within 5 business days.

11) Return & deletion

Upon termination or on Controller’s written instruction, Processor will delete or return Personal Data and delete existing copies, unless EU or Member State law requires retention. Upon completion, Processor will provide a deletion certificate upon request. Operational backups are overwritten in the ordinary course (typically within 60 days). Statutory retention for invoices/accounting under Polish law may apply.

12) Audit & information

Processor will make available information necessary to demonstrate compliance and allow audits (including inspections) by Controller or its mandated auditor once per 12-month period with 30 days’ notice, during business hours, subject to confidentiality and safety. Remote audits and review of documentation are preferred. Controller bears its own and third-party costs; substantial extra support may be chargeable.

Audits shall avoid disruption, exclude third-party confidential information and security-sensitive details (e.g., secrets, source code), and be conducted under a mutually agreed NDA. Processor may provide recent independent assessments or summaries (e.g., penetration test summary, vulnerability scan results) to satisfy audit objectives where appropriate.

13) Liability & indemnity

Parties’ aggregate liability under this DPA is subject to the limitations in the underlying Service Terms, except where prohibited by law. Nothing limits liability for willful misconduct or breach of mandatory data-protection obligations.

14) Term, law & jurisdiction

This DPA remains in force for the duration of Processing on behalf of Controller. It is governed by the laws of Poland, and disputes are subject to the exclusive jurisdiction of the competent courts in Poznań, Poland, without prejudice to GDPR rights of Data Subjects and supervisory authorities.

Order of precedence: if there is a conflict between this DPA and the Service Terms, this DPA prevails for data-protection matters.

Annex I — Details of processing

A. Subject matter & purpose

Returns handling for EU marketplace/webshop sellers, including: intake and identification (Client ref/RMA/Order ID), photographing items, visual grading (A/B/C), creating reports, temporary storage (14 days), and executing Controller’s decisions (resale/export/disposal/extended storage).

B. Nature of processing

Collection, recording, structuring, storage, retrieval, consultation, use, transmission to Controller or instructed recipients (e.g., logistics, marketplaces), and erasure.

C. Categories of Data Subjects

• End-customers (buyers) who return goods;
• Controller’s staff/agents (contact persons and account users).

D. Categories of Personal Data

• Identifiers & contact data present on return labels/documents (e.g., order/RMA IDs; sender name/address; phone/email if present);
• Operational artefacts: item photos, grading notes, status, timestamps, warehouse location;
• Controller user accounts: name, email/IM handle (WeChat/WhatsApp), role.

E. Special categories of data

Not intentionally processed. Controller shall not instruct Processor to handle special categories unless expressly agreed in writing with additional safeguards.

F. Retention

• Operational photos/reports: retained up to 180 days by default (earlier deletion on request);
• Access/system logs: typically up to 180 days;
• Invoices/accounting: retained as required by Polish law (typically 5–6 years).

G. Processing location

Primarily within the EEA (warehouse in Poland; EU-hosted cloud). Transfers outside the EEA only per Section 8.

Annex II — Technical & organisational measures (TOMs)

• Governance & policies: information-security and data-protection policies; least-privilege; joiner/mover/leaver; NDAs.
• Access control: unique accounts; MFA for privileged access; role-based access; session timeouts; periodic reviews.
• Physical security: warehouse with CCTV, restricted zones, visitor log; quarantined area for unidentified/No-ref items.
• Devices & endpoints: full-disk encryption; patching; anti-malware/EDR on devices accessing production data.
• Data in transit/at rest: TLS 1.2+; encryption at rest for cloud object storage with photos/reports.
• Network security: firewalling; network segmentation; VPN for admin where applicable.
• Monitoring & logging: admin/access logging; anomaly alerts; time sync.
• Backups & continuity: backups for critical data; restoration tests; warehouse continuity procedures.
• Supplier management: due diligence; contractual safeguards; SCCs or equivalent for non-EEA transfers.
• Vulnerability management: regular updates; vulnerability scanning; remediation tracking; change control.
• Incident response: playbooks; escalation; breach notification per Section 9.
• Data minimisation: only data required for identification/processing; masking of personal data on label photos where feasible.
• Testing & QA: pre-production testing with anonymised/synthetic data where practical.
• Label data minimisation: photos of labels are limited to operational needs; where feasible, non-essential personal data on labels is masked or redacted.
• Log retention & integrity: access/admin logs retained up to 180 days with integrity protections and time synchronisation; reviewed for anomalies.

Annex III — Sub-processors

An up-to-date list is maintained at /subprocessors.html (available on request). Typical categories include:

• EU cloud infrastructure / object storage (EEA data centres);
• Transactional email (account/ops notifications to Controller users);
• Customer communication tools used at Controller’s instruction (e.g., WeChat for support);
• Logistics/forwarders for export to CN or intra-EU shipping (as instructed by Controller);
• Payment processor / invoicing tool (Controller billing data only).