Data Processing Agreement

Last Updated: 11 November 2024

1. Introduction

This Data Processing Agreement ("DPA") forms part of the Terms of Service between Perkstar Ltd ("Perkstar", "Processor", "we", "us") and you ("Customer", "Controller", "you") and governs the processing of personal data by Perkstar on your behalf.

This DPA applies when you use our Service to collect and manage data about your customers (e.g., loyalty card holders). It sets out our obligations as a data processor under the UK General Data Protection Regulation (UK GDPR), the EU General Data Protection Regulation (EU GDPR), and other applicable data protection laws.

By using our Service, you agree to this DPA.

2. Definitions

"Data Protection Laws" means all applicable laws relating to data protection and privacy, including the UK GDPR, EU GDPR, the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations 2003.

"Personal Data" means any information relating to an identified or identifiable natural person that you submit to the Service.

"Processing" means any operation performed on Personal Data, including collection, storage, use, disclosure, and deletion.

"Data Subject" means an identified or identifiable natural person whose Personal Data is processed.

"Sub-processor" means any third party engaged by Perkstar to process Personal Data on your behalf.

"Security Incident" means any accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data.

3. Roles and Responsibilities

3.1 You as Controller

You are the data controller for Personal Data you collect through the Service. You determine the purposes and means of processing. You are responsible for:

  • Ensuring you have a lawful basis to collect and process Personal Data

  • Providing appropriate privacy notices to your customers

  • Obtaining any necessary consents

  • Responding to data subject requests

  • Complying with all applicable Data Protection Laws

3.2 Perkstar as Processor

We are the data processor. We process Personal Data only on your behalf and according to your documented instructions. We are responsible for:

  • Processing Personal Data only as instructed by you

  • Ensuring our personnel are bound by confidentiality

  • Implementing appropriate security measures

  • Assisting you with your compliance obligations

  • Deleting or returning Personal Data upon termination

4. Scope of Processing

4.1 Subject Matter

The processing relates to the provision of digital loyalty card services, enabling you to create, manage, and distribute loyalty cards to your customers.

4.2 Duration

Processing continues for the duration of our agreement plus any retention period specified in Section 10.

4.3 Nature and Purpose

We process Personal Data to:

  • Create and manage digital loyalty cards

  • Track loyalty card transactions (stamps, points, rewards)

  • Send notifications to cardholders on your behalf

  • Provide analytics and reporting to you

  • Provide customer support

4.4 Types of Personal Data

The Personal Data processed may include:

  • Contact information (name, email address, phone number)

  • Loyalty card identifiers

  • Transaction history (stamps collected, points earned, rewards redeemed)

  • Device information (for wallet pass delivery)

4.5 Categories of Data Subjects

  • Your customers who hold loyalty cards

5. Your Instructions

5.1 Documented Instructions

We will process Personal Data only in accordance with your documented instructions, unless required by law to do otherwise. Your instructions are documented in:

  • This DPA

  • Our Terms of Service

  • Your use of the Service features

  • Any written instructions you provide to us

5.2 Additional Instructions

If you require processing beyond the scope of this DPA, we will work with you to agree additional terms. Additional processing may incur additional fees.

5.3 Unlawful Instructions

If we believe an instruction violates Data Protection Laws, we will inform you promptly. We may suspend processing until you confirm or modify the instruction.

6. Confidentiality

6.1 Personnel

We ensure that anyone authorised to process Personal Data:

  • Is bound by appropriate confidentiality obligations

  • Processes Personal Data only as necessary to provide the Service

  • Has received appropriate training on data protection

6.2 Ongoing Obligation

Confidentiality obligations continue after the termination of this DPA.

7. Security

7.1 Security Measures

We implement appropriate technical and organisational measures to protect Personal Data, including:

  • Encryption of data in transit (TLS) and at rest

  • Access controls and authentication

  • Regular security assessments

  • Secure hosting infrastructure

  • Employee security training

7.2 Ongoing Security

We regularly review and update our security measures to address evolving threats and maintain appropriate protection.

8. Sub-processors

8.1 Authorisation

You provide general authorisation for us to engage Sub-processors to assist in providing the Service.

8.2 Current Sub-processors

Our current Sub-processors are:

Sub-processor          Purpose                Location
Stripe                 Payment processing     USA
Amazon Web Services    Cloud hosting          EU/UK
Google                 Wallet pass delivery   USA
Apple                  Wallet pass delivery   USA

An up-to-date list is available upon request at legal@perkstar.co.uk.

8.3 New Sub-processors

Before engaging a new Sub-processor, we will:

  • Notify you by email at least 14 days in advance

  • Provide details of the Sub-processor and the processing involved

If you have a reasonable objection based on data protection concerns, notify us within 14 days. We will work with you to address the concern. If we cannot resolve the objection, you may terminate the affected Service.

8.4 Sub-processor Obligations

We ensure each Sub-processor is bound by data protection obligations no less protective than those in this DPA. We remain liable for the acts and omissions of our Sub-processors.

9. Data Subject Rights

9.1 Your Responsibility

You are responsible for responding to requests from Data Subjects exercising their rights under Data Protection Laws, including rights of access, rectification, erasure, restriction, portability, and objection.

9.2 Our Assistance

We will assist you by:

  • Providing tools within the Service to help you respond to requests

  • Promptly forwarding any requests we receive directly from Data Subjects

  • Providing information reasonably required to respond to requests

9.3 Costs

Assistance beyond the features of the Service may be subject to additional fees at our then-current rates.

10. Data Retention and Deletion

10.1 During Subscription

We retain Personal Data for as long as needed to provide the Service.

10.2 Upon Termination

When your subscription ends:

  • You may export your data for 30 days after termination

  • After 30 days, we will delete Personal Data unless required by law to retain it

  • We will provide written confirmation of deletion upon request

10.3 Backup Retention

Personal Data in backups will be deleted in accordance with our backup rotation schedule, typically within 90 days.

11. Security Incidents

11.1 Notification

We will notify you of any Security Incident without undue delay, and in any event within 72 hours of becoming aware of it.

11.2 Information Provided

Our notification will include:

  • Description of the nature of the incident

  • Categories and approximate number of Data Subjects affected

  • Likely consequences of the incident

  • Measures taken or proposed to address the incident

11.3 Your Obligations

You are responsible for notifying the relevant supervisory authority and affected Data Subjects as required by Data Protection Laws. We will assist you with these notifications.

11.4 No Admission

Our notification of a Security Incident is not an acknowledgment of fault or liability.

12. Audits and Compliance

12.1 Information

Upon request, we will provide information reasonably necessary to demonstrate our compliance with this DPA.

12.2 Audits

You may audit our compliance with this DPA once per year, subject to:

  • At least 30 days' written notice

  • Reasonable scope and duration

  • Conducted during normal business hours

  • Confidentiality obligations regarding any information disclosed

  • You bearing the cost of the audit

12.3 Third-Party Certifications

We may satisfy audit requests by providing relevant third-party certifications or audit reports.

13. International Transfers

13.1 Transfers Outside UK/EEA

Some of our Sub-processors are located outside the UK and European Economic Area. When Personal Data is transferred internationally, we ensure appropriate safeguards are in place, including:

  • Standard Contractual Clauses (SCCs) approved by the European Commission

  • UK International Data Transfer Agreement or Addendum

  • Transfers to countries with adequacy decisions

13.2 Additional Measures

Where required, we implement supplementary measures to ensure transferred data remains protected.

14. Liability

Liability under this DPA is subject to the limitations set out in our Terms of Service, except that:

  • Neither party excludes liability for breaches of Data Protection Laws to the extent such exclusion is not permitted by law

  • Each party remains responsible for its own compliance with Data Protection Laws

15. Term and Termination

15.1 Term

This DPA remains in effect for as long as we process Personal Data on your behalf.

15.2 Survival

Sections 6 (Confidentiality), 10 (Data Retention and Deletion), 11 (Security Incidents), and 14 (Liability) survive termination.

16. Changes to This DPA

We may update this DPA to reflect changes in our practices or legal requirements. We will notify you of material changes at least 30 days before they take effect. Continued use of the Service constitutes acceptance of the updated DPA.

17. Contact

For questions about this DPA or to exercise any rights:

Perkstar Ltd
86-90 Paul Street
3rd Floor
London EC2A 4NE
United Kingdom

Email: legal@perkstar.co.uk

Appendix A: Technical and Organisational Measures

The following describes the security measures we implement to protect Personal Data:

Access Control

  • Role-based access controls

  • Unique user identification and authentication

  • Strong password requirements

  • Multi-factor authentication for administrative access

Encryption

  • TLS 1.2+ encryption for data in transit

  • AES-256 encryption for data at rest

  • Encrypted backups

Infrastructure Security

  • Hosted on secure cloud infrastructure (AWS)

  • Network firewalls and intrusion detection

  • Regular security patching

  • DDoS protection

Operational Security

  • Background checks for employees with data access

  • Confidentiality agreements for all personnel

  • Security awareness training

  • Access logging and monitoring

Business Continuity

  • Regular data backups

  • Disaster recovery procedures

  • Redundant infrastructure

Vendor Management

  • Due diligence on Sub-processors

  • Contractual data protection obligations

  • Regular review of Sub-processor compliance