TarantulaMarket.com
Effective Date: 05.07.25
Last Updated: 05.07.25

This Data Processing Agreement ("Agreement") is entered into by and between:

  • TarantulaMarket.com ("Marketplace", "we", "us", "our"), operated by [Insert Company Name], registered in the United Kingdom,
  • The Vendor ("Vendor", "you", "your") registered on the TarantulaMarket.com platform,

This Agreement forms part of the Vendor Agreement between the parties.

1. Purpose

This DPA sets out the obligations of both parties regarding the processing of personal data in compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

2. Roles of the Parties
  • Marketplace: Acts as the Data Controller.
  • Vendor: Acts as the Data Processor with respect to any customer personal data received through the platform in order to fulfil orders.
3. Subject Matter of Processing

The personal data processed under this Agreement relates to customer data provided by the Marketplace to the Vendor for the purpose of:

  • Processing and fulfilling customer orders
  • Managing returns or refunds
  • Customer service or communications related to transactions
4. Types of Personal Data

The data shared may include:

  • Customer name
  • Email address
  • Shipping and billing address
  • Phone number
  • Purchase details

Vendors must not process any special categories of personal data (e.g., health or biometric data) unless explicitly instructed.

5. Vendor Obligations

The Vendor agrees to:

  • Process personal data only on the documented instructions of the Marketplace and only for the purposes outlined in this Agreement.
  • Ensure the confidentiality and integrity of personal data through appropriate technical and organisational measures.
  • Not subcontract or transfer data to another party without prior written consent from the Marketplace.
  • Promptly inform the Marketplace if any instruction infringes the UK GDPR or other applicable data protection laws.
  • Assist the Marketplace in fulfilling data subjects’ rights (access, rectification, deletion, etc.) within applicable timeframes.
  • Notify the Marketplace without undue delay (and within 24 hours) upon becoming aware of a data breach.
6. Confidentiality

The Vendor must ensure that any person authorised to process personal data is subject to a duty of confidentiality.

7. Security Measures

The Vendor must implement appropriate security measures, which may include:

  • Data encryption at rest and in transit
  • Access controls
  • Secure storage and transmission practices
  • Regular vulnerability testing
8. Sub-Processors

If the Vendor wishes to engage a third-party processor (e.g., a fulfilment or logistics provider), the Vendor must:

  • Obtain prior written consent from the Marketplace
  • Enter into a written contract with the sub-processor with equivalent data protection obligations
9. Data Breach Notification

In the event of a personal data breach, the Vendor shall:

  • Notify the Marketplace within 24 hours of discovery
  • Provide all relevant information about the breach
  • Cooperate fully in any mitigation or reporting obligations
10. Data Subject Rights

Vendors must assist the Marketplace in responding to:

  • Subject access requests
  • Requests for rectification, erasure, restriction, or data portability
  • Objections to processing

Vendors may not respond directly to data subjects unless instructed in writing by the Marketplace.

11. Data Retention and Deletion

Upon completion of the services or termination of the Vendor relationship:

  • All personal data must be securely deleted or returned to the Marketplace
  • The Vendor must certify such deletion upon request
12. Audit and Compliance

The Marketplace has the right to audit or inspect the Vendor’s processing activities, upon reasonable notice, to ensure compliance with this DPA.

13. International Transfers

The Vendor shall not transfer personal data outside of the UK without:

  • Prior written consent from the Marketplace
  • Ensuring appropriate safeguards under Chapter V of the UK GDPR (e.g., SCCs, adequacy decisions)
14. Term and Termination

This DPA remains in effect as long as the Vendor processes personal data on behalf of the Marketplace. Termination of the Vendor Agreement will automatically terminate this DPA.

15. Governing Law

This DPA is governed by the laws of England and Wales, and any disputes shall be subject to the exclusive jurisdiction of the English courts.

16. Signatures

This DPA is incorporated by reference into the Vendor Agreement and binding upon registration.