Data Processing Addendum (Controller → Processor)

This DPA forms part of the agreement between New Venture Capital Pty. Ltd. (ACN 626 647 256, ABN 56 626 647 256) (“Processor”, “EPR One”, “we”) and any merchant using the EPR One app (“Controller”, “you”) to the extent EPR One processes Customer Personal Data on your behalf.

Effective date: the date you first enable the App or sign an Order.

1) Roles and scope

1.1 Roles. Controller determines the purposes and means of processing Customer Personal Data; Processor processes that data on Controller’s documented instructions, solely to provide the App and related support. (Account/billing data about your team is processed by Processor as an independent controller.)

1.2 Duration. For the Subscription Term plus a short post-termination period to back up, export, and securely delete as set out in §9.

1.3 Data subjects & data. Typical data subjects include your staff/users and your customers/consignees. Typical data includes: names, emails, phone numbers, postal addresses, order and item metadata, product/packaging/material mappings and weights, classification codes, configuration and audit logs. No special categories are intended.

2) Processor obligations

2.1 Instructions. Processor will only process Customer Personal Data on Controller’s documented instructions (including via the App UI and APIs) unless required by law.

2.2 Confidentiality. Processor ensures personnel with access are bound by confidentiality obligations.

2.3 Security. Processor implements appropriate technical and organisational measures (see Annex II).

2.4 Sub-processors. Controller authorises Processor to use the sub-processors in Annex III and successors providing substantially similar services in the same or comparable regions. Processor will (a) impose written terms no less protective than this DPA and (b) remain liable for sub-processor performance. Processor will maintain an online list of sub-processors and give at least 30 days’ notice of material changes; Controller may object on reasonable, documented grounds and, if unresolved, may terminate the impacted service pro-rata.

2.5 Assistance. Taking into account the nature of processing, Processor will assist Controller to: (a) respond to data-subject requests; (b) meet security, breach-notification, DPIA and prior-consultation duties under applicable law.

2.6 Audits. Once per 12 months and upon a Security Incident, Processor will make available summary audit reports or security responses, and allow a reasonable remote audit (or on-site during business hours) under confidentiality, without disrupting operations.

2.7 Return/deletion. Upon termination or Controller request, Processor will return Customer Personal Data (export) and then delete or irreversibly anonymise it within 90 days, unless retention is required by law or permitted for evidence of compliance.

3) International data transfers

3.1 Primary locations. Processor and named sub-processors host and process Customer Personal Data in the EU/EEA (principally Frankfurt and Ireland), unless failover or support requires otherwise as disclosed in Annex III.

3.2 EU SCCs. To the extent Controller is subject to the GDPR and Customer Personal Data is transferred to a country without an EU adequacy decision, the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) are incorporated by reference: Module 2 (C→P) for transfers from Controller to Processor and Module 3 (P→P) for onward transfers to sub-processors. For the SCCs: (i) Annex I/II/III of this DPA complete the SCCs’ appendices; (ii) Clause 17 (governing law) = Ireland; Clause 18 (forum) = Irish courts; (iii) the docking clause applies.

3.3 UK & Switzerland. For UK transfers, the UK Addendum (IDTA Addendum) applies with the same annexes; for Swiss transfers, references to the GDPR include the Swiss FADP and the competent authority is the Swiss FDPIC.

Certain support interactions handled by Help Scout may be processed in the United States. Such transfers are subject to the EU SCCs (Module 3) and the UK Addendum as set out in Annexes to this DPA.

4) Security incidents

Processor will notify Controller without undue delay (within 48 hours) after becoming aware of a confirmed Security Incident affecting Customer Personal Data, providing details as they become available and taking reasonable steps to mitigate harm and prevent recurrence.

5) Controller responsibilities

Controller is responsible for (a) the legality of instructions; (b) providing required notices to, and obtaining consents from, data subjects; (c) the accuracy and quality of Customer Personal Data; (d) configuration of the App (e.g., mappings, exports).

6) Liability

Each party’s liability under this DPA is governed by the liability provisions of the underlying agreement between the parties.

7) Order of precedence

If there is a conflict between this DPA and other terms, this DPA controls to the extent of the conflict. If there is a conflict between this DPA and the SCCs, the SCCs control.

Annex I — Details of processing / SCC Appendix

A. Parties

Data exporter (Controller): The merchant identified in the App or Order. Contact: the email(s) provided in the App admin.

Data importer (Processor): New Venture Capital Pty. Ltd., ABN 56 626 647 256. Contact: privacy@epr-one.com (update).

B. Subject matter, nature, purpose
Processing necessary to provide EPR One (data sync from Shopify, calculations, exports, logging, support, security, availability).

C. Categories of data subjects
Merchant staff/users; merchant customers/consignees; (optionally) logistics contacts.

D. Categories of personal data
Identifiers (name, email, phone), postal addresses, order/line-item metadata, product/packaging/material mappings, weights, configuration and audit logs, support communications. No intentional collection of special categories.

E. Frequency & duration
Continuous processing during the Subscription Term; retention per §2.7.

F. Competent supervisory authority
For SCCs: the authority corresponding to the Controller’s EU member state; if not determinable, Irish DPC.

Annex II — Technical & organisational security measures

Annex III — Authorised sub-processors (current)

Note: Regions reflect your current setup; if you move a vendor/region, update this annex and your public Sub-processors page and give 30 days’ notice.

Vendor | Role | Region(s) used
Salesforce Heroku (incl. Heroku Postgres/Redis) | App hosting & DB | EU (Ireland/Frankfurt)
Amazon Web Services (S3) | Object storage (exports, backups) | EU (Ireland/Frankfurt)
Grafana Cloud | Centralised logs/metrics | EU region (e.g., Frankfurt)
Sentry | Error monitoring | EU region (Frankfurt)
Help Scout | Help desk / support ticketing (merchant contact data & support content only) | United States (SCCs under Help Scout DPA)

(Marketing site on Vercel is outside this Annex because it does not process Customer Personal Data on Controller’s behalf; see Privacy Policy.)

Annex IV — Data Subject Requests & cooperation

Processor provides in-product tools and/or support to help Controller respond to access, correction, deletion, restriction, portability, and objection requests; responses occur within reasonable timeframes aligned to law and Controller’s instructions.

Annex V — Deletion / return

Within 90 days of termination or on written request, Processor will provide standard exports of Customer Personal Data, then delete or irreversibly anonymise remaining copies from active systems and backups (at next rotation), unless retention is required by law.

Questions about this DPA? Contact privacy@epr-one.com or support@epr-one.com.