Data Processing Agreement
Last updated 13 July 2026
This DPA sets out how StockVaults processes personal data on your behalf when you use the Service, in line with UK GDPR Article 28.
1. Parties, roles and scope
This Data Processing Agreement (“DPA”) forms part of, and is governed by, the StockVaults Terms of Service between you (the “Customer”) and StockVaults. It applies where StockVaults processes personal data on the Customer’s behalf in providing the Service.
For personal data the Customer enters about third parties — such as consignors, buyers and suppliers — the Customer is the data controller and StockVaults is the data processor. Where StockVaults determines the means and purposes of processing (for example, the Customer’s own account data), StockVaults acts as controller under its Privacy Policy.
This DPA reflects the parties’ agreement on the processing of personal data in accordance with UK GDPR Article 28 and the Data Protection Act 2018.
2. Subject matter, nature, purpose and duration
Subject matter and purpose: processing necessary to provide the inventory-management Service and its support, in accordance with the Customer’s instructions and the Terms.
Nature of processing: storage, organisation, retrieval, encryption, backup, transmission and deletion of personal data through the Service.
Duration: for the term of the Customer’s subscription and any period reasonably required to return or delete data afterwards.
3. Categories of data and data subjects
Personal data processed may include: names, email addresses, telephone numbers, postal addresses, free-text notes, and — where the Customer chooses to store them — consignor bank/payment details held in encrypted secure notes.
Data subjects may include: the Customer’s consignors, buyers, suppliers and the Customer’s own staff users of the Service.
4. Processor obligations
StockVaults will:
- •process personal data only on the Customer’s documented instructions (including as set out in the Terms and this DPA), unless required otherwise by law, in which case it will inform the Customer where legally permitted;
- •ensure that persons authorised to process the data are bound by confidentiality;
- •implement appropriate technical and organisational security measures (see below);
- •assist the Customer, taking into account the nature of processing, in responding to data-subject rights requests and in meeting its security, breach-notification and data-protection-impact-assessment obligations;
- •make available information reasonably necessary to demonstrate compliance with Article 28, and allow for and contribute to audits on reasonable prior notice and subject to confidentiality;
- •on termination, delete or return the personal data at the Customer’s choice, save where storage is required by law.
5. Security measures
StockVaults maintains measures appropriate to the risk, including: encryption in transit (TLS) and at rest; additional envelope encryption of sensitive fields (e.g. consignor secure notes) using a key unique to each company; strict logical separation of each company’s data; role-based access controls and least-privilege administration; append-only audit logging of sensitive actions; and regular, access-controlled backups. Any administrator access to secure data for support is restricted, non-editing and logged.
6. Sub-processors
The Customer authorises StockVaults to engage the following sub-processors, each bound by data-protection obligations no less protective than this DPA:
- •Stripe — payment processing;
- •Brevo — transactional email delivery;
- •Cloudflare — network security, DNS and bot protection;
- •the StockVaults UK hosting provider — servers and storage.
StockVaults will give the Customer reasonable notice of any intended addition or replacement of a sub-processor, giving the Customer the opportunity to object on reasonable data-protection grounds.
7. Personal data breaches
StockVaults will notify the Customer without undue delay after becoming aware of a personal data breach affecting the Customer’s data, and will provide information reasonably available to assist the Customer in meeting its own notification obligations.
8. International transfers
StockVaults processes personal data in the UK/EEA where practicable. Where a sub-processor processes data outside the UK/EEA, StockVaults relies on an appropriate transfer mechanism, such as UK adequacy regulations or standard contractual clauses.
9. Liability and precedence
This DPA is subject to the limitations and exclusions of liability in the Terms. In the event of a conflict between this DPA and the Terms or Privacy Policy on the processing of personal data, this DPA prevails to the extent of that conflict.
10. Contact
Data-protection queries and requests under this DPA can be sent to [email protected].
Questions about this document? Contact us.