This Data Processing Agreement ("DPA") forms part of the Terms of Service between TradeWind Shipping Limited ("Processor", "we", "us") and you ("Controller", "Customer") and governs how we process personal data on your behalf when providing the TradeWind shipping label platform services.
1. Definitions
In this DPA:
- "Data Protection Laws" means the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and any applicable data protection legislation.
- "Personal Data" means any information relating to an identified or identifiable natural person that the Processor processes on behalf of the Controller in connection with the Services.
- "Processing" has the meaning given in Data Protection Laws.
- "Services" means the TradeWind shipping label platform services as described in the Terms of Service.
- "Sub-processor" means a third-party processor engaged by the Processor to process Personal Data on behalf of the Controller.
2. Scope and Purpose
This DPA applies to the processing of Personal Data by the Processor on behalf of the Controller in connection with the Services. The Processor processes Personal Data solely for the purpose of providing the Services, including:
- Generating shipping labels with recipient name, address, phone number, and email
- Submitting customs declarations with product and value information
- Providing tracking information and delivery notifications
- Managing returns and delivery exceptions
- Generating invoices and billing records
- Importing and synchronising order data from connected e-commerce platforms
3. Types of Personal Data Processed
| Category | Data Elements | Data Subjects |
|---|---|---|
| Recipient/Shipping Data | Name, address, phone number, email address | End customers (recipients of shipments) |
| Order Data | Order numbers, product descriptions, quantities, values | End customers |
| Customs Data | Product descriptions, values, HS codes, country of origin | End customers (declared on customs forms) |
| Account Data | Business name, contact name, email, phone, address, VAT number, EORI number | Customer (Controller) and their staff |
| Authentication Data | Username, email, hashed password (bcrypt) | Customer (Controller) and their staff |

4. Processor Obligations
The Processor shall:
- Process Personal Data only on documented instructions from the Controller, unless required by law.
- Ensure that persons authorised to process Personal Data have committed to confidentiality.
- Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including encryption of data in transit (TLS 1.2+) and at rest.
- Not engage another processor (Sub-processor) without prior written consent of the Controller.
- Assist the Controller in responding to data subject requests (access, rectification, erasure, portability).
- Delete or return all Personal Data to the Controller upon termination of the Services, at the Controller's choice.
- Make available to the Controller all information necessary to demonstrate compliance with this DPA.
5. Sub-processors
The Controller provides general written authorisation for the Processor to engage Sub-processors. Current Sub-processors include:
| Sub-processor | Purpose | Location |
|---|---|---|
| Neon (Neon Inc.) | PostgreSQL database hosting | United States (AWS us-east-1) |
| Replit (Replit Inc.) | Application hosting and deployment | United States |
| UPS (United Parcel Service) | Shipping label generation and tracking | United States / Global |
| Royal Mail (Royal Mail Group Ltd) | Shipping label generation and tracking | United Kingdom |
| Stripe (Stripe Inc.) | Payment processing | United States |
| SendGrid (Twilio Inc.) | Transactional email delivery | United States |

The Processor will notify the Controller of any intended changes to Sub-processors, giving the Controller the opportunity to object. If the Controller objects and the Processor cannot reasonably accommodate the objection, either party may terminate the affected Services.
6. International Transfers
Where Personal Data is transferred outside the United Kingdom, the Processor ensures that appropriate safeguards are in place, such as the UK International Data Transfer Agreement (IDTA) or Standard Contractual Clauses (SCCs), or that the transfer is to a country with an adequacy decision.
7. Security Measures
The Processor implements the following technical and organisational security measures:
- All data in transit encrypted with TLS 1.2 or higher
- Database encryption at rest (AES-256)
- Password hashing using bcrypt with a cost factor of 12
- Multi-tenant data isolation (all database queries scoped by account ID)
- Rate limiting on authentication endpoints
- Session management with secure, HTTP-only cookies
- Role-based access control (super_admin, account_owner, staff)
- Audit logging of significant actions
- CORS restrictions to authorised domains only in production
- Input validation and SQL injection prevention via parameterised queries (Drizzle ORM)
8. Data Breach Notification
In the event of a personal data breach, the Processor shall notify the Controller without undue delay and in any event within 72 hours of becoming aware of the breach. The notification shall include:
- A description of the nature of the breach
- The categories and approximate number of data subjects affected
- The likely consequences of the breach
- The measures taken or proposed to address the breach
9. Data Subject Rights
The Processor shall assist the Controller in fulfilling its obligations to respond to data subject requests, including requests for access, rectification, erasure, restriction of processing, data portability, and objection to processing. The Processor shall respond to such requests within 5 business days.
10. Data Retention
Personal Data processed on behalf of the Controller is retained for the duration of the Services agreement. Upon termination:
- The Controller may request export of all their data within 30 days of termination
- After 30 days, all Personal Data will be securely deleted, unless retention is required by law
- Backup copies will be purged within 90 days of termination
11. Audits
The Processor shall make available to the Controller all information necessary to demonstrate compliance with this DPA and shall allow for and contribute to audits conducted by the Controller or an auditor mandated by the Controller, subject to reasonable notice and scope limitations.
12. Term and Termination
This DPA commences on the date the Controller first uses the Services and continues for the duration of the Services agreement. The obligations regarding data processing survive termination to the extent necessary for the Processor to fulfil its obligations under this DPA and applicable law.
13. Contact
For data protection queries or to exercise rights under this DPA, contact us at:
- Email: privacy@tradewind.express
- Post: TradeWind Shipping Limited, United Kingdom