Data Processing Agreement

Last updated: 13 March 2026

This Data Processing Agreement ("DPA") forms part of the agreement between the merchant ("Controller") and Sweeteo Ltd, trading as SweetRep ("Processor"), for the provision of the SweetRep ambassador management platform ("Service").

1. Introduction and Scope

This DPA is entered into pursuant to Article 28 of the UK General Data Protection Regulation ("UK GDPR") and sets out the terms on which the Processor processes personal data on behalf of the Controller in connection with the Service.

This DPA applies to all processing of personal data carried out by the Processor on behalf of the Controller through the use of the Service, including order data, customer data, and ambassador data that the Controller makes available to the Processor.

2. Definitions

In this DPA, unless the context requires otherwise:

"Personal Data" means any information relating to an identified or identifiable natural person, as defined in UK GDPR Article 4(1).
"Processing" means any operation performed on personal data, as defined in UK GDPR Article 4(2).
"Data Subject" means the identified or identifiable natural person to whom the personal data relates.
"Sub-processor" means any third party engaged by the Processor to process personal data on behalf of the Controller.
"Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
"UK GDPR" means the UK General Data Protection Regulation as retained in UK law by the European Union (Withdrawal) Act 2018 and amended by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019.

3. Roles and Responsibilities

The Controller (Merchant) determines the purposes and means of processing personal data through the use of the Service, including the collection of order data and management of ambassador programmes.

The Processor (SweetRep / Sweeteo Ltd) processes personal data only on documented instructions from the Controller, unless required to do so by applicable law. The Processor shall immediately inform the Controller if, in its opinion, an instruction infringes UK GDPR or other applicable data protection law.

4. Processing Details

4.1 Subject Matter and Purpose

The Processor processes personal data to provide the ambassador management platform, including: commission attribution and tracking, order synchronisation, payout processing, discount code management, UGC mission management, AI content screening, analytics aggregation, and email notifications.

4.2 Categories of Data

Ambassador personal data: name, email, payment details, social media URLs, bio
End customer data: order amounts, discount codes used, customer email (retained temporarily for fraud detection)
UGC content: video files, thumbnails, metadata
Referral tracking data: truncated IP address, user-agent, referral codes, timestamps

4.3 Categories of Data Subjects

Ambassadors enrolled in the Controller's programme
End customers who place orders using ambassador discount codes
Website visitors who click referral links

4.4 Duration of Processing

Processing will continue for the duration of the Controller's use of the Service. Upon termination, data will be handled in accordance with Section 10 (Data Deletion and Return) of this DPA.

5. Security Measures

The Processor implements and maintains appropriate technical and organisational measures to protect personal data, including:

Encryption at rest: Sensitive fields (bank details, access tokens, PayPal credentials) encrypted using AES-256-GCM with dedicated key management
Encryption in transit: All data transmitted over HTTPS/TLS 1.2 or higher
Password security: User passwords hashed with bcrypt; never stored in plaintext
Access controls: Role-based access control (RBAC) enforced at application level; production database access restricted to authorised personnel only
Infrastructure: Hosted on AWS eu-west-2 (London) with managed database services
Monitoring: Application logging and error monitoring for security event detection

6. Sub-processor Management

The Controller provides general written authorisation for the Processor to engage sub-processors. The current list of approved sub-processors is:

Sub-processor	Purpose	Location
Amazon Web Services (AWS)	Infrastructure, hosting, storage (S3), database	eu-west-2 (London, UK)
PayPal (Europe) S.à r.l.	Ambassador payout processing	Luxembourg / US
Anthropic PBC	AI content screening of UGC thumbnails	US
Resend Inc.	Transactional email delivery	US
Shopify Inc.	E-commerce platform integration (order data, discount codes)	Canada / US

The Processor shall notify the Controller at least 30 days in advance of any intended addition or replacement of sub-processors, providing the Controller with an opportunity to object. If the Controller objects on reasonable grounds relating to data protection, the parties shall discuss the objection in good faith. If no resolution is reached, the Controller may terminate the affected part of the Service.

The Processor shall ensure that any sub-processor is bound by data protection obligations no less protective than those set out in this DPA.

7. Data Breach Notification

The Processor shall notify the Controller without undue delay, and in any event within 72 hours of becoming aware of a Data Breach affecting personal data processed under this DPA.

The notification shall include, to the extent available:

A description of the nature of the breach, including the categories and approximate number of data subjects and records affected
The name and contact details of the point of contact (admin@sweetrep.com)
A description of the likely consequences of the breach
A description of the measures taken or proposed to address the breach, including measures to mitigate its possible adverse effects

The Processor shall cooperate with the Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of any Data Breach.

8. Data Subject Rights

The Processor shall assist the Controller in fulfilling its obligations to respond to data subject requests exercising their rights under Chapter III of the UK GDPR, including rights of access, rectification, erasure, portability, restriction, and objection.

Where the Processor receives a request directly from a data subject, it shall promptly forward the request to the Controller and shall not respond to the data subject directly unless instructed to do so by the Controller.

9. International Transfers

The Processor's primary infrastructure is hosted in the UK (AWS eu-west-2, London). However, certain sub-processors are located in the United States.

International transfers of personal data are safeguarded as follows:

UK-US Data Bridge: Where a sub-processor is certified under the EU-US Data Privacy Framework and the UK Extension (UK-US Data Bridge), transfers are made in reliance on that certification.
International Data Transfer Agreement (IDTA): Where a sub-processor is not DPF-certified, or where applicable, transfers are governed by the UK International Data Transfer Agreement (IDTA) issued by the ICO, supplemented by a Transfer Risk Assessment.

The Processor shall inform the Controller if it becomes aware that any sub-processor's DPF certification has lapsed or been revoked, and shall take appropriate steps to ensure continued compliance with transfer requirements.

10. Data Deletion and Return

Upon termination of the Service agreement, or upon the Controller's written request, the Processor shall:

Return data: Provide the Controller with an export of their data in a structured, machine-readable format (JSON or CSV) within 30 days of the request.
Delete data: Securely delete all personal data processed on behalf of the Controller within 30 days of the later of: (a) the termination date, or (b) the expiry of any applicable retention period.

Exception: The Processor may retain personal data where required by applicable law, including financial records retained for 6 years in compliance with HMRC requirements. The Processor shall inform the Controller of any such retention and shall ensure the data remains protected.

11. Audit Rights

The Processor shall make available to the Controller all information necessary to demonstrate compliance with this DPA and shall allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller.

Audits are subject to the following conditions:

The Controller shall provide at least 30 days' written notice of any audit
Audits shall be limited to no more than one per calendar year, unless required by a supervisory authority or following a Data Breach
The Controller shall bear its own costs of any audit
Audits shall be conducted during normal business hours and shall not unreasonably disrupt the Processor's operations
The auditor shall be bound by confidentiality obligations

12. General Provisions

12.1 Governing Law

This DPA shall be governed by and construed in accordance with the laws of England and Wales. The courts of England and Wales shall have exclusive jurisdiction over any disputes arising from this DPA.

12.2 Conflict

In the event of any conflict between this DPA and the main Terms of Service, this DPA shall prevail with respect to data protection matters.

12.3 Severability

If any provision of this DPA is held to be invalid or unenforceable, the remaining provisions shall continue in full force and effect.

12.4 Contact

For questions about this DPA or data protection matters, contact:

Sweeteo Ltd
71-75 Shelton Street, London, WC2H 9JQ
Company Registration Number: 17058907
Email: admin@sweetrep.com