DATA PROCESSING AGREEMENT (DPA)

This Data Processing Agreement ("DPA") forms part of the heycart SaaS Terms of Service between the customer ("Controller") and Digital Stratagems Limited ("Processor").

Company details:

Company: Digital Stratagems Limited

UK Company number: 14268586

Address: 153-155 London Road, Hemel Hempstead, Hertfordshire, HP3 9SQ

Contact (legal): legal@heycart.ai

1. SUBJECT MATTER

1.1. This DPA governs the processing of personal data by the Processor on behalf of the Controller in connection with the provision of the heycart Service.

2. ROLES

2.1. The Controller determines the purposes and means of processing personal data.

2.2. The Processor processes personal data only on documented instructions from the Controller.

3. PROCESSOR OBLIGATIONS

3.1. The Processor shall:

  • (a) Process personal data only on documented instructions from the Controller (unless required by law).
  • (b) Ensure confidentiality of persons authorised to process personal data.
  • (c) Implement appropriate technical and organisational measures to protect personal data.
  • (d) Assist the Controller in responding to data subject rights requests.
  • (e) Assist with data protection impact assessments and consultations with regulators.
  • (f) Notify the Controller without undue delay upon becoming aware of a personal data breach.
  • (g) Make available all information necessary to demonstrate compliance with this DPA.

4. SUB-PROCESSORS

4.1. The Processor may engage sub-processors to support delivery of the Service.

4.2. A current list of sub-processors is maintained at: https://heycart.ai/legal/sub-processors

4.3. The Processor may update the list of sub-processors from time to time as its infrastructure and services evolve. The Controller is responsible for reviewing that page periodically to remain informed of current sub-processors. By continuing to use the Service after an update, the Controller is deemed to have acknowledged the revised list.

4.4. The Controller may object on reasonable grounds; if not resolved, either party may terminate the Service.

5. INTERNATIONAL TRANSFERS

5.1. Where personal data is transferred outside the UK or EEA, the Processor shall ensure appropriate safeguards are in place, including:

  • (a) UK International Data Transfer Agreement (IDTA),
  • (b) UK Addendum to the EU Standard Contractual Clauses, or
  • (c) EU Standard Contractual Clauses (2021).

6. DURATION & TERMINATION

6.1. This DPA remains in force for as long as the Processor processes personal data on behalf of the Controller.

6.2. Upon termination of the Service, the Processor will delete or return all personal data within 30 days, unless applicable law requires retention.

7. SECURITY MEASURES

7.1. The Processor shall implement at least the following measures:

  • (a) Encryption of data in transit and at rest.
  • (b) Access controls and authentication.
  • (c) Regular backups and recovery procedures.
  • (d) Logging and monitoring of access.
  • (e) Security training for personnel.
  • (f) Vulnerability management and patching.

7.2. A more detailed Security Annex may be provided on request.

8. LIABILITY

8.1. Liability under this DPA is governed by the limitation of liability provisions in the heycart SaaS Terms of Service.

9. GOVERNING LAW

9.1. This DPA is governed by the laws of England and Wales.

ANNEX 1 – DETAILS OF PROCESSING

Subject matter: Provision of the heycart SaaS Service.

Duration: For the term of the Service.

Nature and purpose: Processing personal data as necessary to provide the Service, including storage, transmission, analysis, and support.

Types of data: Identification data (names, emails), usage data (logs, IP addresses), account data, billing data.

Categories of data subjects: Customer employees, contractors, authorised users, and other individuals whose personal data is entered into the Service by the Controller.