Data Processing Agreement
Effective Date: 8 May 2026 · Version 1.0
This Data Processing Agreement ("DPA") is entered into between Vyete Technologies Ltd ("Vyete", "Processor") and the shop operator or brand partner ("Customer", "Controller") using Vyete's platform services. It is incorporated by reference into the applicable Customer Terms and takes effect when the Customer first uses the platform's data processing capabilities.
This DPA is intended to satisfy the requirements of Article 28 of the UK General Data Protection Regulation and equivalent provisions in applicable data protection law.
1. Definitions

| Term | Meaning |
|---|---|
| Controller | The Customer, who determines the purposes and means of processing personal data |
| Processor | Vyete, who processes personal data on behalf of the Controller |
| Data Subject | The individual whose personal data is being processed (typically the end customer) |
| Personal Data | Any information relating to an identified or identifiable natural person |
| Processing | Any operation performed on personal data |
| Sub-processor | A third party engaged by Vyete to carry out processing on its behalf |
| Security Incident | Any breach of security leading to accidental or unlawful access to personal data |
| GDPR | UK GDPR and/or EU GDPR as applicable to the parties |

2. Scope and Nature of Processing
2.1 Subject Matter
Vyete processes personal data in its capacity as a platform operator. This DPA covers personal data that Vyete processes on behalf of the Customer in connection with the provision of platform services, including:
- Customer order data (names, addresses, contact details, purchase history).
- Customer account information gathered through the Customer's storefront.
- Communications between the Customer's shop and end customers via platform tools.
- Customer data generated by the Customer's use of Vyete's analytics and reporting tools.
2.2 Nature and Purpose of Processing
Vyete processes personal data for the following purposes on the Controller's behalf:
- Facilitating transactions between the Customer's shop and end customers.
- Providing order management, fulfilment tracking, and customer communication tools.
- Generating analytics and performance reports for the Customer.
- Enabling Customer-initiated marketing communications (where the Customer has a lawful basis).
- Supporting dispute resolution and customer service activities.
2.3 Categories of Data Subjects
- End customers who purchase from the Customer's shop on Vyete.
- Prospective customers who interact with the Customer's listing without completing a purchase.
2.4 Types of Personal Data
- Identification data: name, email address, phone number.
- Transactional data: order history, payment status (not full payment card data).
- Delivery data: delivery address, delivery instructions.
- Behavioural data: browsing and search activity related to the Customer's listings.
- Communication data: messages exchanged between end customers and the Customer.
2.5 Duration
Processing continues for the duration of the Customer's active account. On account termination, see Section 9.
3. Controller's Obligations
The Customer, as Controller, warrants and confirms that:
- It has a valid lawful basis for the processing described in this DPA.
- It has provided all required notices to Data Subjects about the processing of their data.
- It will provide Vyete with timely instructions and cooperate with Vyete's reasonable requests.
- It will not instruct Vyete to carry out processing that would violate applicable data protection law.
- It will maintain its own records of processing activities as required by Article 30 GDPR.
4. Processor's Obligations
Vyete, as Processor, will:
- Process personal data only on the Controller's documented instructions, except where required by applicable law (in which case Vyete will notify the Controller before processing unless legally prohibited).
- Ensure all personnel authorised to process the personal data are bound by appropriate confidentiality obligations.
- Implement the technical and organisational security measures described in Section 6.
- Assist the Controller in fulfilling Data Subject rights requests (see Section 7).
- Notify the Controller of Security Incidents in accordance with Section 8.
- Delete or return personal data to the Controller on termination as set out in Section 9.
- Make available to the Controller all information necessary to demonstrate compliance with this DPA and cooperate with audits.
5. Sub-processors
5.1 General Authorisation
The Controller provides general authorisation for Vyete to engage Sub-processors as necessary to deliver the platform services. Vyete maintains a current list of Sub-processors, which is published at vyete.com/legal/sub-processors and updated as Sub-processors change.
5.2 Notification of Changes
Vyete will provide the Controller with 30 calendar days' notice before adding or replacing a Sub-processor that handles Customer personal data. The Controller may object to a new Sub-processor on reasonable data protection grounds within this period by writing to [email protected]. If Vyete and the Controller cannot resolve the objection, the Controller may terminate the affected services by written notice.
5.3 Sub-processor Obligations
Vyete imposes the same data protection obligations on all Sub-processors as are contained in this DPA by way of a written contract. Vyete remains liable to the Controller for the performance of Sub-processors.
6. Security Measures
Vyete implements the following technical and organisational measures to protect personal data:

| Measure | Implementation |
|---|---|
| Encryption at rest | AES-256 encryption for all stored personal data |
| Encryption in transit | TLS 1.2 minimum for all data in transit |
| Access controls | Role-based access; principle of least privilege |
| Authentication | Multi-factor authentication required for all administrative access |
| Vulnerability management | Regular penetration testing; managed vulnerability programme |
| Incident response | Documented incident response procedure (see Incident Response Policy) |
| Personnel training | Annual data protection training for all personnel with data access |
| Supplier management | Due diligence on all data-processing suppliers; contractual obligations |

Vyete may update its security measures over time provided the updated measures offer at least equivalent protection.
7. Data Subject Rights
Vyete will assist the Controller in responding to Data Subject rights requests in the following ways:
- Access and portability: Provide the Controller with exports of personal data in a structured, machine-readable format within 5 business days of a documented request.
- Rectification: Apply corrections to personal data as instructed by the Controller within 3 business days.
- Erasure: Delete or anonymise personal data as instructed, subject to any legal retention obligations, within 14 calendar days.
- Restriction: Restrict processing of specified personal data as instructed within 3 business days.
Requests must be submitted via [email protected] with the Controller's account reference. Vyete will promptly inform the Controller if it receives a Data Subject request directly and will not action it without the Controller's instructions.
8. Security Incident Notification
8.1 Notification Obligation
Vyete will notify the Controller without undue delay — and in any case within 72 hours of becoming aware — of a Security Incident affecting Customer personal data. The notification will include:
- The nature of the Security Incident.
- Categories and approximate number of Data Subjects affected.
- Categories and approximate volume of personal data records affected.
- Likely consequences of the breach.
- Measures taken or proposed to address the breach.
8.2 Incomplete Information
Where Vyete cannot provide all of the above information within 72 hours, it will provide available information and communicate further details as soon as practicable.
8.3 Cooperation
Vyete will cooperate with the Controller in meeting its notification obligations to supervisory authorities and Data Subjects, and will follow the Controller's reasonable instructions in this regard.
9. Deletion and Return of Data
On termination or expiry of the Customer's account:
- Vyete will retain personal data for up to 90 calendar days to allow the Customer to export data using the self-service export tool.
- After 90 days, Vyete will securely delete or anonymise all Customer personal data from live systems.
- Backup copies will be deleted in accordance with Vyete's backup rotation schedule (typically within 180 days of the live deletion).
- Vyete will provide a written confirmation of deletion on request.
Where retention is required by law, Vyete will retain only the minimum data necessary for the minimum period required.
10. International Data Transfers
Vyete processes personal data in the jurisdictions where its infrastructure and Sub-processors are located. Where personal data originating in the UK or EU is transferred to a third country:
- Vyete will ensure that an appropriate transfer mechanism is in place (e.g., adequacy decision, Standard Contractual Clauses).
- Details of transfer mechanisms are included in the Sub-processor list at vyete.com/legal/sub-processors.
11. Audit Rights
The Controller may, at its own expense and on at least 30 calendar days' written notice, audit Vyete's compliance with this DPA once per year. Audits must be conducted during business hours, cause minimal disruption, and be performed by a qualified independent auditor bound by confidentiality. Vyete may satisfy the audit right by providing a current third-party audit report (e.g., ISO 27001, SOC 2) in lieu of an on-site audit.
12. Liability
Each party's liability under this DPA is subject to the limitations and exclusions set out in the applicable Customer Terms. This DPA does not create any additional liability beyond those limits.
13. Contact
Data protection enquiries: [email protected]
Security incidents: [email protected]