This Data Processing Addendum ("DPA") forms part of and supplements the agreement between the customer identified in the applicable order, subscription, statement of work, or other written or electronic agreement for the TrackQUAL services ("Customer", "you" or "your") and Apperley Holdings Ltd. trading as TrackQUAL, company number 15798690, of Burcombe Road, Chalford, GL6 8BH ("TrackQUAL", "we", "us" or "our") (the "Agreement").
This DPA applies where TrackQUAL Processes Personal Data on behalf of Customer in connection with the provision of the TrackQUAL platform and related services.
If you do not have authority to enter into this DPA on behalf of the relevant Customer entity, you must not accept or rely on it.
1. Purpose and Scope
This section explains when this DPA applies and what it covers.
1.1 This DPA applies to the Processing of Personal Data by TrackQUAL on behalf of Customer as a Processor in connection with the services provided under the Agreement.
1.2 This DPA is intended to satisfy the parties' obligations under:
- the UK General Data Protection Regulation as it forms part of the law of England and Wales, Scotland, and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018, as amended ("UK GDPR");
- the Data Protection Act 2018;
- Regulation (EU) 2016/679 ("EU GDPR"); and
- other applicable data protection and privacy laws to the extent they apply to the Processing described in this DPA,
(together, "Data Protection Law").
1.3 This DPA does not apply to any Processing activities in respect of which TrackQUAL acts as an independent Controller, including as described in clause 3.3.
1.4 In the event of any conflict between this DPA and the Agreement, this DPA will prevail to the extent of that conflict in relation to the Processing of Personal Data.
2. Definitions
This section defines the main terms used in the DPA.
2.1 In this DPA, the terms "Controller", "Processor", "Process", "Processing", "Personal Data", "Personal Data Breach", "Data Subject", "Special Categories of Personal Data", and "Supervisory Authority" have the meanings given to them under applicable Data Protection Law.
2.2 In this DPA:
- "Customer Personal Data" means Personal Data Processed by TrackQUAL on behalf of Customer in connection with the services under the Agreement.
- "Permitted Purpose" means providing, securing, supporting, maintaining, and improving the TrackQUAL services in accordance with the Agreement and Customer's documented instructions.
- "Restricted Transfer" means a transfer of Personal Data that is subject to restrictions under Data Protection Law in relation to international transfers.
- "Subprocessor" means any third party appointed by TrackQUAL to Process Customer Personal Data on behalf of Customer.
3. Roles of the Parties
This section explains when TrackQUAL is acting as a processor and when it is acting as a controller.
3.1 The parties acknowledge and agree that, for the Processing of Customer Personal Data under this DPA, Customer is the Controller (or where applicable the Processor acting on behalf of another Controller) and TrackQUAL is the Processor.
3.2 Customer is responsible for ensuring that it has all necessary rights, notices, lawful bases, and permissions required under Data Protection Law to disclose Customer Personal Data to TrackQUAL and to authorise TrackQUAL to Process that Customer Personal Data for the Permitted Purpose.
3.3 The parties further acknowledge that TrackQUAL may act as an independent Controller, and not as Customer's Processor, in relation to certain limited categories of Personal Data where TrackQUAL determines the purposes and means of Processing for its own legitimate business purposes, including:
- account management and service administration;
- billing, invoicing, collections, and financial compliance;
- service security, fraud prevention, abuse detection, and incident response;
- regulatory compliance, legal obligations, and law enforcement cooperation; and
- internal business operations, support management, and service improvement using non-customer-content operational data where permitted by law.
3.4 Where TrackQUAL acts as an independent Controller under clause 3.3, that Processing is governed by TrackQUAL's Privacy Policy and applicable Data Protection Law, and not by the Processor obligations in this DPA.
4. Customer Instructions
This section confirms that TrackQUAL only processes Personal Data on Customer's instructions, except where law requires otherwise.
4.1 TrackQUAL shall Process Customer Personal Data only:
- on Customer's documented instructions;
- as necessary to provide the services under the Agreement;
- as necessary to comply with applicable law; or
- as otherwise expressly permitted under this DPA.
4.2 The Agreement, this DPA, Customer's use and configuration of the services, and any written instructions agreed between the parties together constitute Customer's complete documented instructions to TrackQUAL at the date of this DPA.
4.3 Customer may provide additional reasonable documented instructions from time to time, provided that such instructions are consistent with the Agreement, technically feasible, lawful, and proportionate. TrackQUAL may charge reasonable fees or require a change order for implementing additional instructions.
4.4 If TrackQUAL believes that an instruction infringes Data Protection Law, TrackQUAL shall inform Customer without undue delay unless prohibited from doing so by applicable law.
5. Confidentiality
This section requires confidentiality around Customer Personal Data.
5.1 TrackQUAL shall ensure that any person authorised by TrackQUAL to Process Customer Personal Data is subject to an appropriate duty of confidentiality, whether contractual or statutory.
5.2 TrackQUAL shall ensure that access to Customer Personal Data is limited to those personnel, agents, and contractors who need such access for the Permitted Purpose.
6. Security Measures
This section covers technical and organisational security measures.
6.1 Taking into account the state of the art, the costs of implementation, the nature, scope, context, and purposes of Processing, and the risks to individuals, TrackQUAL shall implement appropriate technical and organisational measures designed to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Customer Personal Data.
6.2 The measures referred to in clause 6.1 shall include, as appropriate:
- measures to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services;
- measures to restore availability and access to Personal Data in a timely manner following a physical or technical incident;
- processes for regularly testing, assessing, and evaluating the effectiveness of technical and organisational measures; and
- appropriate access controls, authentication controls, logging, monitoring, encryption, network protections, and secure development practices.
6.3 A summary of TrackQUAL's technical and organisational measures is set out in Schedule 2. TrackQUAL may update those measures from time to time provided that any such update does not materially reduce the overall level of protection for Customer Personal Data.
7. Use of Subprocessors
This section allows TrackQUAL to use subprocessors subject to safeguards.
7.1 Customer authorises TrackQUAL to appoint Subprocessors to Process Customer Personal Data on Customer's behalf, provided that TrackQUAL remains responsible for its Subprocessors' performance of the relevant data protection obligations under this DPA.
7.2 TrackQUAL shall enter into a written agreement with each Subprocessor imposing data protection obligations that are no less protective, in all material respects, than those set out in this DPA, to the extent applicable to the services performed by that Subprocessor.
7.3 TrackQUAL's current Subprocessors shall be described on its Subprocessors page at subprocessors or such replacement URL as TrackQUAL may designate from time to time.
7.4 Customer acknowledges and agrees that TrackQUAL may update its Subprocessors from time to time for operational, legal, security, or commercial reasons.
7.5 Where required by applicable Data Protection Law, TrackQUAL shall provide a mechanism for notifying Customer of material updates to the Subprocessor list and, where legally required, for Customer to raise reasonable objections on data protection grounds within a reasonable period after such notice.
7.6 If Customer raises a reasonable objection in good faith and based on Data Protection Law, the parties shall work together in good faith to address the objection through a commercially reasonable alternative. If no such alternative is reasonably available, either party may terminate the affected part of the services in accordance with the Agreement.
8. International Transfers
This section addresses cross-border data transfers.
8.1 Customer authorises TrackQUAL and its Subprocessors to make Restricted Transfers of Customer Personal Data where necessary to provide the services, provided that such transfers are made in accordance with Data Protection Law.
8.2 Where a Restricted Transfer occurs, TrackQUAL shall ensure that an appropriate transfer mechanism is in place, which may include:
- an adequacy decision or adequacy regulation;
- the European Commission's Standard Contractual Clauses;
- the UK International Data Transfer Agreement;
- the UK Addendum to the EU Standard Contractual Clauses; or
- another valid transfer mechanism recognised under applicable Data Protection Law.
8.3 To the extent required by Data Protection Law, the relevant transfer mechanism referred to in clause 8.2 is incorporated into this DPA by reference and shall apply to the relevant Restricted Transfer.
8.4 The parties shall cooperate in good faith to implement supplementary measures where reasonably necessary in light of applicable Data Protection Law, regulatory guidance, or case law relating to Restricted Transfers.
9. Assistance with Data Subject Requests
This section requires TrackQUAL to help Customer respond to data rights requests.
9.1 Taking into account the nature of the Processing, TrackQUAL shall provide reasonable assistance to Customer, insofar as reasonably possible, to enable Customer to respond to requests from Data Subjects exercising their rights under Data Protection Law.
9.2 If TrackQUAL receives a request from a Data Subject relating to Customer Personal Data for which Customer is the Controller, TrackQUAL shall, unless prohibited by law:
- promptly notify Customer; and
- not respond to the request directly except on Customer's documented instructions or as required by law.
10. Assistance with Compliance Obligations
This section covers support with broader privacy compliance duties.
10.1 Taking into account the nature of Processing and the information available to TrackQUAL, TrackQUAL shall provide reasonable assistance to Customer in relation to Customer's obligations under Data Protection Law concerning:
- security of Processing;
- notification of Personal Data Breaches;
- data protection impact assessments; and
- consultation with Supervisory Authorities,
in each case to the extent Customer cannot reasonably fulfil those obligations without TrackQUAL's assistance.
10.2 TrackQUAL may charge reasonable fees for assistance provided under this clause 10 where such assistance goes beyond the standard functionality and support included in the services.
11. Personal Data Breaches
This section deals with security incidents affecting Customer Personal Data.
11.1 TrackQUAL shall notify Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data.
11.2 Such notification shall, to the extent available at the time, include:
- a description of the nature of the Personal Data Breach;
- the categories and approximate number of affected Data Subjects and records, where known;
- the likely consequences of the Personal Data Breach, where known;
- the measures taken or proposed to address the Personal Data Breach and mitigate its possible adverse effects; and
- the name and contact details of a relevant contact point where further information can be obtained.
11.3 TrackQUAL's notification of or response to a Personal Data Breach shall not be construed as an admission of fault or liability.
12. Return and Deletion of Customer Personal Data
This section explains what happens to Personal Data when the services end.
12.1 Upon termination or expiry of the Agreement, TrackQUAL shall, at Customer's choice and subject to the Agreement, either:
- return Customer Personal Data to Customer; or
- delete Customer Personal Data,
unless applicable law requires continued storage of some or all Customer Personal Data.
12.2 Where return or deletion is not technically possible immediately, TrackQUAL may retain Customer Personal Data for a limited period in accordance with its backup, retention, disaster recovery, legal, and security policies, provided that TrackQUAL continues to protect that data in accordance with this DPA and does not otherwise Process it except as required by law.
12.3 Customer acknowledges that deletion from backup systems may not occur instantly and may instead take place in the ordinary course of TrackQUAL's secure backup lifecycle.
13. Audit and Information Rights
This section gives Customer a measured right to receive information and conduct audits where appropriate.
13.1 TrackQUAL shall make available to Customer such information as is reasonably necessary to demonstrate TrackQUAL's compliance with its obligations under Article 28 of the UK GDPR and EU GDPR, to the extent applicable.
13.2 Where reasonably required and where the information made available under clause 13.1 is insufficient, Customer may request an audit of TrackQUAL's relevant processing activities, subject to the following conditions:
- the audit must be on reasonable written notice and no more than once in any 12-month period, unless a Personal Data Breach or regulatory requirement justifies more frequent review;
- the audit must be limited in scope to matters relevant to Customer's compliance obligations under Data Protection Law;
- the audit must be conducted during normal business hours and in a manner that minimises disruption to TrackQUAL's business and other customers;
- TrackQUAL may satisfy the audit requirement by providing recent third-party audit reports, certifications, summaries, or other independent verification materials where appropriate;
- Customer and any auditor must enter into appropriate confidentiality obligations; and
- Customer shall bear its own costs and reimburse TrackQUAL's reasonable costs incurred in supporting the audit, except where the audit reveals a material breach of this DPA by TrackQUAL.
13.3 Customer may not exercise any audit right in a way that would compromise the security, confidentiality, or privacy of TrackQUAL systems, other customers, or third-party information.
14. Liability
This section links liability under the DPA back to the main agreement.
14.1 The liability of each party arising out of or in connection with this DPA shall be subject to the exclusions and limitations of liability set out in the Agreement, unless applicable Data Protection Law requires otherwise.
14.2 Nothing in this DPA excludes or limits liability to the extent such exclusion or limitation is prohibited by applicable law.
15. Term and Termination
This section explains how long the DPA lasts.
15.1 This DPA takes effect on the Effective Date set out above, or if later, on the date Customer first uses the services in a way that involves TrackQUAL Processing Customer Personal Data on Customer's behalf.
15.2 This DPA shall remain in effect for as long as TrackQUAL Processes Customer Personal Data on behalf of Customer under the Agreement.
16. General
This section covers legal housekeeping for the DPA.
16.1 Except as expressly modified by this DPA, the Agreement remains in full force and effect.
16.2 This DPA shall be governed by the governing law and jurisdiction provisions set out in the Agreement, unless otherwise required by applicable Data Protection Law.
16.3 If any provision of this DPA is held to be invalid or unenforceable, the remaining provisions shall remain in full force and effect.
16.4 References in this DPA to laws or regulatory instruments include those laws or instruments as amended, replaced, or re-enacted from time to time.
Schedule 1: Details of Processing
This schedule contains the Article 28 processing details.
1. Subject matter of the Processing
Provision of the TrackQUAL platform and related services, including returns management, inspections, approvals, repairs, customer communications, workflow administration, reporting, support, security, hosting, storage, and related technical operations.
2. Duration of the Processing
For the duration of the Agreement and for any limited period thereafter during which TrackQUAL retains Customer Personal Data in accordance with the Agreement, this DPA, or applicable law.
3. Nature and purpose of the Processing
Hosting, storing, organising, structuring, retrieving, displaying, using, transmitting, securing, backing up, supporting, and deleting Customer Personal Data as necessary to provide the TrackQUAL services and related support and security functions.
4. Categories of Data Subjects
Data Subjects may include, depending on Customer's use of the services:
- Customer personnel and authorised users;
- Customer's end customers;
- consignees, claimants, returners, buyers, or portal users;
- repair contacts, supplier contacts, service partners, or logistics contacts;
- individuals associated with returned items, inspections, service requests, or customer communications; and
- other individuals whose Personal Data Customer or its authorised users upload, store, or otherwise submit to the services.
5. Categories of Personal Data
Personal Data may include, depending on Customer's use of the services:
- name, title, and contact details;
- email address, telephone number, postal address, and account identifiers;
- organisation, customer, tenant, and user profile information;
- return, repair, inspection, shipment, and workflow records;
- communications, notes, comments, attachments, images, and documents uploaded to the platform;
- device, usage, event, and audit log information associated with authorised use of the services;
- billing, service, and support metadata; and
- any other Personal Data submitted to the services by or on behalf of Customer.
6. Special Categories of Personal Data
TrackQUAL does not require Customer to submit Special Categories of Personal Data to the services. Customer shall not submit Special Categories of Personal Data unless strictly necessary and lawful, and only where Customer has taken appropriate safeguards and informed TrackQUAL where reasonably necessary.
7. Frequency of the Processing
Continuous and ongoing, as initiated by Customer and its authorised users during use of the services.
Schedule 2: Technical and Organisational Measures
This schedule summarises the security measures TrackQUAL applies at a high level.
TrackQUAL maintains technical and organisational measures designed to protect Customer Personal Data, which may include as appropriate:
- role-based access controls and least-privilege access management;
- authentication controls, password protections, and where enabled multi-factor authentication;
- segregation of customer environments and tenant-aware access controls within the application;
- encryption in transit and encryption at rest where appropriate and supported by the relevant infrastructure or service provider;
- logging, monitoring, alerting, and audit trail capabilities for key system and user events;
- secure software development, code review, dependency management, and change management practices;
- vulnerability management and security patching processes;
- backup, resilience, disaster recovery, and business continuity measures appropriate to the nature of the services;
- controls over subprocessor engagement and service provider security review;
- incident response procedures for suspected security incidents and Personal Data Breaches;
- confidentiality obligations for personnel with access to Customer Personal Data; and
- physical, network, and infrastructure protections provided directly by TrackQUAL and/or its hosting and infrastructure providers.
TrackQUAL may update these measures from time to time provided that the overall level of protection for Customer Personal Data is not materially reduced.
Schedule 3: Subprocessors
This schedule points to the separate subprocessor list.
TrackQUAL's current list of Subprocessors, including the services they provide and the relevant processing locations where appropriate, is maintained separately at subprocessors or such replacement page as TrackQUAL may publish from time to time.
