Loading...
Warehouse Bridge Warehouse Bridge

Data Processing Agreement

Last Updated: December 17, 2025

Data Processing Agreement

This Data Processing Agreement ("DPA") forms part of the agreement between Warehouse Bridge, a trading style of Flag Eagle LLC ("Processor," "we," "us"), and the customer ("Controller," "you") for the provision of warehouse integration services ("Services").

This DPA reflects the parties' agreement regarding the processing of personal data in accordance with the requirements of Data Protection Laws, including the General Data Protection Regulation (EU) 2016/679 ("GDPR"), UK GDPR, and other applicable data protection legislation.

1. Definitions

"Data Protection Laws" means GDPR, UK GDPR, CCPA, and any other applicable data protection and privacy legislation.

"Personal Data" means any information relating to an identified or identifiable natural person processed by Processor on behalf of Controller.

"Processing" means any operation performed on Personal Data, including collection, storage, use, disclosure, and deletion.

"Data Subject" means the individual to whom Personal Data relates.

"Subprocessor" means any third party engaged by Processor to process Personal Data on behalf of Controller.

"Security Incident" means any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.

2. Scope and Purpose

2.1 Subject Matter

This DPA applies to the processing of Personal Data by Processor in connection with providing the Services.

2.2 Nature and Purpose of Processing

  • Order management and fulfillment
  • Inventory synchronization
  • Integration with e-commerce platforms
  • Reporting and analytics
  • Customer support

2.3 Types of Personal Data

  • Contact information (name, email, phone)
  • Account credentials
  • Business information
  • Order and transaction data
  • Shipping and delivery information
  • Payment references (not full payment card data)

2.4 Categories of Data Subjects

  • Controller's customers and end users
  • Controller's employees and staff
  • Suppliers and business contacts

2.5 Duration

Processing will continue for the duration of the Services agreement plus any retention period required by law.

3. Controller Obligations

Controller warrants that:

  • It has a lawful basis for processing Personal Data
  • It has provided appropriate notices to Data Subjects
  • It has obtained necessary consents where required
  • Its instructions to Processor comply with Data Protection Laws
  • It will maintain appropriate security measures for data in its control

4. Processor Obligations

4.1 Processing Instructions

Processor shall:

  • Process Personal Data only on documented instructions from Controller
  • Inform Controller if an instruction appears to violate Data Protection Laws
  • Not process Personal Data for any purpose other than providing the Services

4.2 Confidentiality

Processor shall:

  • Ensure persons authorized to process Personal Data are bound by confidentiality obligations
  • Limit access to Personal Data to personnel who need it to perform their duties

4.3 Security Measures

Processor shall implement appropriate technical and organizational measures including:

  • Encryption of Personal Data in transit and at rest
  • Access controls and authentication mechanisms
  • Regular security assessments and testing
  • Incident response procedures
  • Business continuity and disaster recovery
  • Employee security training

Details of our security measures are available in our Information Security Policy.

4.4 Subprocessors

Processor shall:

  • Not engage Subprocessors without Controller's authorization
  • Maintain a list of current Subprocessors at /subprocessors/
  • Notify Controller of changes to Subprocessors with opportunity to object
  • Ensure Subprocessors are bound by equivalent data protection obligations
  • Remain liable for Subprocessors' compliance

Controller hereby authorizes Processor to engage the Subprocessors listed at /subprocessors/.

4.5 Data Subject Rights

Processor shall:

  • Assist Controller in responding to Data Subject requests
  • Notify Controller promptly upon receiving a Data Subject request
  • Not respond directly to Data Subjects unless authorized by Controller

4.6 Security Incident Notification

Processor shall:

  • Notify Controller of a Security Incident without undue delay (within 72 hours)
  • Provide information about the nature of the incident, data affected, and remedial measures
  • Cooperate with Controller's investigation and notification obligations
  • Document Security Incidents and remediation steps

4.7 Data Protection Impact Assessments

Processor shall provide reasonable assistance if Controller is required to conduct a Data Protection Impact Assessment related to the Services.

4.8 Audit Rights

  • Controller may audit Processor's compliance with this DPA
  • Audits shall be conducted with reasonable notice during business hours
  • Processor may satisfy audit requests by providing relevant certifications, reports, or third-party audit results
  • Controller shall bear its own audit costs

5. International Transfers

5.1 Transfer Mechanisms

For transfers of Personal Data outside the European Economic Area, Processor relies on:

  • European Commission adequacy decisions
  • Standard Contractual Clauses (SCCs) as approved by the European Commission
  • Other lawful transfer mechanisms as applicable

5.2 Standard Contractual Clauses

Where required, the parties agree to the Standard Contractual Clauses (Module Two: Controller to Processor) incorporated by reference. Controller acts as "data exporter" and Processor as "data importer."

5.3 Supplementary Measures

Processor implements supplementary measures including encryption, access controls, and security certifications to ensure adequate protection for transferred data.

6. Data Retention and Deletion

6.1 Retention

Processor shall retain Personal Data only for as long as necessary to provide the Services and comply with legal obligations.

6.2 Return or Deletion

Upon termination of the Services:

  • Processor shall delete or return Personal Data at Controller's choice
  • Deletion shall occur within 90 days of termination
  • Processor may retain data required for legal compliance, with notice to Controller

7. Liability

7.1 Allocation

Each party is liable for damages caused by its breach of Data Protection Laws or this DPA, subject to limitations in the main Services agreement.

7.2 Indemnification

Each party shall indemnify the other for claims arising from its breach of this DPA or Data Protection Laws.

8. Term and Termination

8.1 Term

This DPA remains in effect for the duration of the Services agreement.

8.2 Survival

Provisions relating to confidentiality, data deletion, and liability survive termination.

9. General Provisions

9.1 Governing Law

This DPA is governed by the laws of the State of Nevada, United States, except that Data Protection Laws of the relevant jurisdiction apply to data protection matters.

9.2 Amendments

This DPA may be amended in writing signed by both parties, or by Processor with notice where required to maintain compliance with Data Protection Laws.

9.3 Conflict

In case of conflict between this DPA and the main Services agreement, this DPA prevails regarding data protection matters.

9.4 Entire Agreement

This DPA, together with the Services agreement, Privacy Policy, and Subprocessor List, constitutes the complete agreement regarding Personal Data processing.

10. Contact Information

For questions about this DPA or data protection matters:

Data Protection Officer: Steven Sharp Email: steven@dataface.uk Website: warehousebridge.com

Top