Made under Article 28 of the UK GDPR
This Data Processing Agreement ("Agreement") forms part of the standard commercial terms provided online by Cloud9 Fulfilment Limited and is binding upon the Parties as an incorporated schedule to the main Customer Terms and Conditions.
(A) The Controller (the "Customer") and the Processor ("Cloud9") have entered into a services agreement under which the Processor provides fulfilment, warehousing, inventory management, order processing, dispatch, returns management, and related logistics services to the Controller (the "Services Agreement").
(B) In performing the Services, the Processor will process Personal Data on behalf of the Controller.
(C) This Agreement sets out the terms on which such Processing will be carried out and is intended to satisfy the requirements of Article 28 of the UK GDPR and the Data Protection Act 2018.
1.1 In this Agreement, the following definitions apply:
"Applicable Data Protection Law" means the UK GDPR, the Data Protection Act 2018, the Privacy and Electronic Communications Regulations 2003 (as amended), and all other laws, regulations, regulatory guidance, and codes of practice applicable to the Processing of Personal Data, in each case as in force and as amended, replaced, or supplemented from time to time (including the Data (Use and Access) Act 2025 to the extent it is in force).
"Controller", "Processor", "Data Subject", "Personal Data", "Personal Data Breach", "Processing" and "Supervisory Authority" have the meanings given in the UK GDPR.
"International Transfer" means a transfer of Personal Data to a country or territory outside the United Kingdom, or onward transfer of such data.
"Restricted Country" means any country which has not been the subject of a UK adequacy decision (formally, a UK adequacy regulation) in force at the relevant time.
"Services" means the services provided by the Processor to the Controller under the Services Agreement.
"Sub-processor" means any third party engaged by the Processor (or by another Sub-processor) to process Personal Data on behalf of the Controller.
"TOMs" means the technical and organisational measures set out in Schedule 2.
"UK GDPR" has the meaning given in section 3(10) of the Data Protection Act 2018.
1.2 Headings are for convenience only and do not affect interpretation.
1.3 References to statutes or statutory provisions include any subordinate legislation made under them and are to be construed as references to those statutes, statutory provisions, or subordinate legislation as modified, amended, extended, consolidated, re-enacted, or replaced from time to time.
2.1 This Agreement forms part of, and is supplemental to, the Services Agreement.
2.2 In the event of any conflict or inconsistency between the provisions of this Agreement and the Services Agreement, this Agreement shall prevail in relation to matters concerning the Processing of Personal Data and the Parties' obligations under Applicable Data Protection Law. In all other respects the Services Agreement shall prevail.
3.1 The Parties acknowledge that, in respect of the Processing of Personal Data carried out under the Services Agreement, the Controller is the controller and Cloud9 is the processor.
3.2 Each Party shall comply with its respective obligations under Applicable Data Protection Law.
3.3 Schedule 1 (Processing Details) sets out the subject matter, duration, nature, and purpose of the Processing, the types of Personal Data, and the categories of Data Subjects, in accordance with Article 28(3) of the UK GDPR.
4.1 The Controller warrants and undertakes that:
4.1.1 it has, and shall maintain throughout the term of this Agreement, a valid lawful basis under Article 6 of the UK GDPR (and, where applicable, a condition under Article 9 or 10) for all Processing instructed by it;
4.1.2 it has provided all required information to Data Subjects under Articles 13 and 14 of the UK GDPR, including in respect of the Processing carried out by Cloud9 and its Sub-processors;
4.1.3 its instructions to Cloud9 will not cause Cloud9 to breach Applicable Data Protection Law; and
4.1.4 it shall not transfer or otherwise make available to Cloud9 any Personal Data which is not strictly necessary for the performance of the Services, and in particular shall not transfer any special category data within the meaning of Article 9 of the UK GDPR or criminal offence data within the meaning of Article 10, except with Cloud9's prior written agreement and on terms agreed in advance.
Cloud9 shall, in respect of all Personal Data Processed under this Agreement:
5.1 Documented instructions: Process the Personal Data only on the documented instructions of the Controller, including in relation to International Transfers, unless required to Process by United Kingdom law to which Cloud9 is subject; in such a case, Cloud9 shall inform the Controller of that legal requirement before Processing, unless such law prohibits such notice on important grounds of public interest. The Services Agreement together with this Agreement constitute the Controller's complete and final documented instructions at the Effective Date; additional or alternate instructions must be agreed in writing.
5.2 Notification of infringing instructions: Immediately inform the Controller in writing if, in its opinion, an instruction infringes Applicable Data Protection Law. Cloud9 shall be entitled to suspend performance of the relevant instruction (without liability) until the instruction is confirmed or modified.
5.3 Confidentiality: Ensure that all persons authorised to Process the Personal Data have committed themselves to confidentiality (whether by contractual or statutory duty) and have received appropriate training on Applicable Data Protection Law and on Cloud9's information security policies.
5.4 Security: Implement and maintain the technical and organisational measures set out in Schedule 2 (TOMs), and such other measures as are required by Article 32 of the UK GDPR taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of Processing as well as the risk of varying likelihood and severity to the rights and freedoms of natural persons.
5.5 Sub-processors: Comply with the conditions in clause 8 (Sub-processors) before engaging any Sub-processor.
5.6 Data subject rights: Taking into account the nature of the Processing, assist the Controller by appropriate technical and organisational measures, insofar as this is possible, in fulfilling the Controller's obligation to respond to requests for the exercise of Data Subjects' rights under Chapter III of the UK GDPR (clause 10).
5.7 Assistance: Assist the Controller in ensuring compliance with its obligations under Articles 32 to 36 of the UK GDPR (security, breach notification, data protection impact assessments, and prior consultation) taking into account the nature of the Processing and the information available to Cloud9 (clauses 11 and 12).
5.8 Return or deletion: At the choice of the Controller, delete or return all Personal Data to the Controller after the end of the provision of Services relating to Processing, and delete existing copies, unless United Kingdom law requires storage of the Personal Data (clause 17).
5.9 Audit and information: Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the UK GDPR and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller (clause 14).
5.10 No own purposes: Not Process the Personal Data for its own purposes, nor for any commercial benefit independent of the Services, nor sell or rent any Personal Data to any third party.
5.11 Records of processing: To the extent required by Article 30(2) of the UK GDPR, maintain a written (which may be electronic) record of categories of Processing activities carried out on behalf of the Controller, and make such record available to the Supervisory Authority on request.
6.1 Cloud9 shall treat all Personal Data as strictly confidential and shall ensure that access is limited to those of its personnel who need access for the performance of the Services.
6.2 The obligations in this clause shall survive termination of this Agreement.
7.1 Cloud9 shall implement and maintain the technical and organisational measures described in Schedule 2 to ensure a level of security appropriate to the risk to the rights and freedoms of natural persons.
7.2 Cloud9 may update the TOMs from time to time, provided that no such update materially reduces the level of security afforded to Personal Data. Cloud9 shall notify the Controller of any material changes.
7.3 Cloud9 shall regularly test, assess, and evaluate the effectiveness of the TOMs, and shall provide a summary of the results of such testing to the Controller on reasonable written request.
7.4 Cloud9 shall ensure that any media containing Personal Data is securely disposed of in accordance with the TOMs.
8.1 The Controller grants Cloud9 general written authorisation to engage Sub-processors for the purposes of providing the Services. The Sub-processors engaged as at the date of acceptance are listed at Sub-processor List, which Cloud9 maintains and updates from time to time.
8.2 Cloud9 may add, replace, or remove Sub-processors at its discretion. Cloud9 shall inform the Controller of any intended addition or replacement of a Sub-processor by any one or more of the following means: (a) email to the Controller's registered account or billing contact; (b) notification within Cloud9's online system, customer portal, or dashboard; or (c) publication of the updated Sub-processor List at the URL above. It is the Controller's responsibility to keep its contact details current and to monitor the Sub-processor List. Notice is deemed given on the date the email or in-system notification is sent, or the date the Sub-processor List is updated, whichever is earliest.
8.3 The Controller may object to an intended addition or replacement of a Sub-processor only on reasonable grounds relating to data protection compliance, by written notice to Cloud9 within 10 days of notice being given under clause 8.2. If the Controller does not object within that period, the Controller is deemed to have accepted the change and Cloud9 may proceed.
8.4 If the Controller objects within the period, the Parties shall discuss the objection in good faith. If no resolution is reached within a reasonable period, the Controller's sole and exclusive remedy is to terminate the portion of the Services that necessarily requires the use of the relevant Sub-processor, on written notice. Cloud9 shall not be obliged to refund any pre-paid fees relating to Services already performed, and the Controller shall remain liable for all fees accrued up to the date of termination. Pending resolution or termination, Cloud9 may continue to use the relevant Sub-processor.
8.5 Cloud9 shall ensure that any Sub-processor it engages is bound by a written contract containing data protection obligations no less protective than those imposed on Cloud9 under this Agreement, in accordance with Article 28(4) of the UK GDPR.
8.6 Cloud9 shall remain fully liable to the Controller for the performance of any Sub-processor's obligations and for any acts or omissions of any Sub-processor that result in a breach of this Agreement.
9.1 Cloud9 may, in the course of providing the Services, use software and systems that incorporate automated, machine-learning, or artificial-intelligence-assisted features for purposes including (without limitation) operational efficiency, fraud prevention, fraud detection, demand forecasting, route optimisation, address validation, and analytics.
9.2 Cloud9 shall not, and shall procure that its Sub-processors shall not, use Personal Data Processed under this Agreement to train, fine-tune, or otherwise improve any general-purpose artificial-intelligence model intended for use beyond the provision of Services to the Controller, without the Controller's prior written consent.
9.3 Cloud9 shall not carry out solely automated decision-making (including profiling) within the meaning of Article 22 of the UK GDPR which produces legal effects concerning a Data Subject or similarly significantly affects a Data Subject, without the Controller's prior written consent.
9.4 Cloud9 shall, on reasonable written request and to the extent the relevant information is reasonably available to Cloud9 (taking into account that certain logic may be proprietary to third-party software vendors and not disclosed to Cloud9), provide the Controller with sufficient information about the logic, significance, and envisaged consequences of any automated or AI-assisted features used in connection with the Services to enable the Controller to meet its transparency obligations under Articles 13 to 15 of the UK GDPR.
9.5 Cloud9 shall notify the Controller in advance of the introduction of any new AI-assisted feature that materially changes the nature of the Processing.
10.1 Cloud9 shall not, and shall procure that its Sub-processors shall not, carry out any International Transfer of Personal Data unless it has first taken such measures as are necessary to ensure that the transfer is in compliance with Applicable Data Protection Law.
10.2 Where an International Transfer is to a Restricted Country, the relevant transfer shall be carried out under one or more of the following safeguards:
10.2.1 the International Data Transfer Agreement (IDTA) issued by the Information Commissioner;
10.2.2 the UK Addendum to the European Commission's Standard Contractual Clauses; or
10.2.3 any other transfer mechanism recognised under Applicable Data Protection Law,
in each case supported by a transfer risk assessment carried out by Cloud9 and any supplementary measures identified as necessary by that assessment.
10.3 Cloud9 shall, on request, provide the Controller with a copy of the relevant transfer mechanism and a summary of any transfer risk assessment.
10.4 Schedule 4 (International Transfers) lists current transfers of Personal Data outside the United Kingdom and the safeguards relied upon.
11.1 Cloud9 shall promptly, and in any event within 5 business days, notify the Controller in writing of any request received from a Data Subject seeking to exercise their rights under Applicable Data Protection Law (including rights of access, rectification, erasure, restriction, portability, objection, and rights relating to automated decision-making).
11.2 Cloud9 shall not respond directly to such requests except on the documented instructions of the Controller or as required by Applicable Data Protection Law.
11.3 Taking into account the nature of the Processing, Cloud9 shall provide reasonable assistance to the Controller (including by appropriate technical and organisational measures) to enable the Controller to respond to such requests within the timescales set out in Applicable Data Protection Law.
11.4 Cloud9 may charge the Controller a reasonable fee for such assistance where the request is manifestly unfounded or excessive, or where the assistance required materially exceeds that reasonably contemplated by the Services Agreement.
12.1 Cloud9 shall, taking into account the nature of the Processing and the information available to it, provide reasonable assistance to the Controller in respect of:
12.1.1 any data protection impact assessment carried out by the Controller under Article 35 of the UK GDPR; and
12.1.2 any prior consultation with the Supervisory Authority under Article 36 of the UK GDPR.
13.1 Cloud9 shall notify the Controller in writing without undue delay, and in any event within 48 hours, after Cloud9 becomes aware of a Personal Data Breach affecting any Personal Data Processed under this Agreement.
13.2 Such notification shall, to the extent known and where reasonably possible, include:
13.2.1 a description of the nature of the Personal Data Breach, including the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned;
13.2.2 the name and contact details of Cloud9's data protection contact;
13.2.3 a description of the likely consequences of the Personal Data Breach; and
13.2.4 a description of the measures taken or proposed to be taken to address the Personal Data Breach, including measures to mitigate its possible adverse effects.
13.3 Where, and in so far as, it is not possible to provide the information at the same time, the information may be provided in phases without further undue delay.
13.4 Cloud9 shall co-operate with the Controller and take such reasonable steps as are directed by the Controller to assist in the investigation, mitigation, and remediation of the Personal Data Breach.
13.5 Cloud9 shall not notify the Supervisory Authority or any Data Subject of a Personal Data Breach on the Controller's behalf without the Controller's prior written consent, except where required by Applicable Data Protection Law.
14.1 Cloud9 shall make available to the Controller, on reasonable written request, all information necessary to demonstrate compliance with this Agreement and Article 28 of the UK GDPR.
14.2 Subject to the conditions in this clause, Cloud9 shall allow for and contribute to audits, including inspections, of its Processing activities, conducted by the Controller or by an independent auditor mandated by the Controller (and approved by Cloud9, such approval not to be unreasonably withheld).
14.3 Audits shall:
14.3.1 take place no more than once in any 12-month period, save where required by the Supervisory Authority or following a Personal Data Breach;
14.3.2 be conducted on at least 30 days' prior written notice (save in the case of an emergency audit following a Personal Data Breach, where reasonable shorter notice will apply);
14.3.3 be conducted during normal business hours, in a manner which minimises disruption to Cloud9's operations and those of its other clients;
14.3.4 be subject to reasonable confidentiality obligations; and
14.3.5 not require Cloud9 to disclose information relating to other clients or commercially sensitive information unrelated to the Services.
14.4 The Controller shall bear its own costs of any audit. Cloud9 shall bear its own time and costs of co-operating up to a reasonable level; the Controller shall reimburse Cloud9 for materially additional time and costs at Cloud9's then-current professional rates.
14.5 Where Cloud9 holds a recognised independent certification or has commissioned an independent audit covering the Services, the Controller agrees to accept the most recent certification report or audit summary in lieu of a physical audit, save where the Controller has reasonable grounds for further enquiry.
15.1 Cloud9 shall maintain records of Processing activities as required by Article 30(2) of the UK GDPR and shall make those records available to the Supervisory Authority on request.
15.2 Cloud9 shall co-operate, on request, with the Supervisory Authority in the performance of its tasks.
16.1 Cloud9 shall retain Personal Data only for as long as is necessary to provide the Services or as otherwise instructed by the Controller, or as required by Applicable Data Protection Law.
16.2 Default retention periods are set out in Schedule 1. Cloud9 may retain Personal Data in routine system backups beyond such periods until such time as those backups are overwritten in the ordinary course; such retained data shall not be Processed for any other purpose and shall continue to be subject to the obligations of this Agreement until deletion.
17.1 This Agreement shall continue in force for so long as Cloud9 Processes Personal Data on behalf of the Controller, and shall terminate automatically on termination or expiry of the Services Agreement, without prejudice to any provisions which by their nature are intended to survive termination.
17.2 On termination or expiry of the Services Agreement (or earlier on the Controller's written request), Cloud9 shall, at the Controller's option:
17.2.1 return all Personal Data to the Controller in a commonly used and machine-readable format; or
17.2.2 securely delete the Personal Data,
and in either case shall delete all existing copies, within 60 days of termination, save to the extent that retention is required by Applicable Data Protection Law (in which case Cloud9 shall continue to apply the obligations of this Agreement to such retained data) or in routine system backups (which shall be deleted in the ordinary course).
17.3 Cloud9 shall, on written request, provide a written confirmation of deletion.
18.1 Each Party's liability arising out of or in connection with this Agreement shall be subject to the limitations and exclusions of liability set out in the Services Agreement, save that nothing in this Agreement or the Services Agreement shall limit or exclude any liability that cannot be limited or excluded by law (including liability for fraud, fraudulent misrepresentation, or death or personal injury caused by negligence).
18.2 Subject to clause 18.1, Cloud9 shall indemnify the Controller against losses, fines, damages, costs, and expenses (including reasonable legal fees) suffered by the Controller to the extent arising directly out of Cloud9's material breach of this Agreement or any negligent act or omission of Cloud9 or its Sub-processors in the Processing of Personal Data.
18.3 Subject to clause 18.1, the Controller shall indemnify Cloud9 against losses, fines, damages, costs, and expenses (including reasonable legal fees) suffered by Cloud9 to the extent arising directly out of (i) the Controller's instructions to Cloud9 being unlawful, or (ii) the Controller's failure to comply with its obligations under clause 4 (Obligations of the Controller).
18.4 Where the Parties are jointly liable to a Data Subject or a Supervisory Authority, each Party shall be liable for that proportion of the loss which corresponds to its responsibility for the damage.
19.1 Cloud9 may, on written notice to the Controller, propose variations to this Agreement which it reasonably considers necessary to comply with changes in Applicable Data Protection Law (including any guidance issued by the Information Commissioner).
19.2 Any other variation to this Agreement must be agreed in writing by the Parties.
20.1 Notices under this Agreement shall be in writing and shall be sent via electronic transmission to the designated data protection contacts below.
20.2 Data protection contacts:
For the Controller: To be specified in the Customer's primary account details.
For Cloud9: To be specified in Cloud9's primary online system or support portal.
21.1 This Agreement, and any dispute or claim arising out of or in connection with it (including non-contractual disputes or claims), shall be governed by and construed in accordance with the laws of England and Wales.
21.2 The Parties irrevocably agree that the courts of England and Wales shall have exclusive jurisdiction to settle any such dispute or claim.
Subject matter of Processing: The provision of fulfilment, warehousing, inventory management, order processing, dispatch, returns, and related logistics services by Cloud9 to the Controller.
Duration of Processing: From the commencement of services until termination or expiry of the Services Agreement, plus any retention period required by law or by clause 17.
Nature of Processing: Including but not limited to: order import and order management; inventory allocation and stock management; storage of goods; order picking and packing; shipping and dispatch administration; returns handling and processing; customer service support relating to fulfilment; inventory reporting and operational support.
Purpose of Processing: To enable the operational fulfilment and delivery of the Controller's goods to its customers and to provide related services.
Categories of Personal Data: Full name; delivery address; billing address; email address; telephone number; order references and purchase details; delivery instructions; returns information; and business contact details.
Special category data: None, unless agreed in writing in advance under clause 4.1.4.
Categories of Data Subjects: Customers of the Controller; recipients of customer orders; individuals returning goods; and business contacts and authorised representatives of the Controller.
Default retention periods:
Cloud9 implements and maintains the following technical and organisational measures, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of Processing, as well as the risk of varying likelihood and severity to the rights and freedoms of natural persons.
1. Information security governance: A documented information security policy reviewed at least annually. A designated person with day-to-day responsibility for data protection and information security. Mandatory data protection and security training for all staff on induction and at least annually thereafter.
2. Access control: Role-based access control on a least-privilege, need-to-know basis. Unique user IDs for each individual user; shared accounts prohibited save where operationally necessary and approved. Strong password requirements and multi-factor authentication for remote access and administrative interfaces. Prompt deactivation of accounts on personnel changes; access reviews at least every 6 months.
3. Physical security: Warehouse and office premises secured by access control (key-card or equivalent), CCTV, intruder alarm, and visitor management. Visitors escorted in operational areas where Personal Data may be visible. Paper records kept in secure storage and disposed of via cross-cut shredding or accredited confidential waste destruction.
4. Encryption and pseudonymisation: Encryption in transit using TLS 1.2 or higher for all external data flows. Encryption at rest for production databases and laptops/portable storage. Pseudonymisation applied where appropriate (for example, in analytics datasets).
5. Network and endpoint security: Firewalls, network segmentation, and intrusion detection on production networks. Centrally managed anti-malware on endpoints and servers, with timely updates. A documented patch management process; security patches applied promptly based on risk. Centralised logging and alerting for security events.
6. Backup, resilience and continuity: Regular automated backups with periodic restore testing. A documented business continuity and disaster recovery plan, tested at least annually. Redundancy in critical infrastructure to support availability of the Services.
7. Secure development and change management: A documented change management process for production systems. Separation of development, test, and production environments; production data not used in test environments without appropriate controls.
8. Vendor and Sub-processor management: Risk-based due diligence on Sub-processors before engagement and periodically thereafter. Written contracts containing data protection obligations no less protective than those in this Agreement.
9. Personnel: Pre-employment screening proportionate to role. Written confidentiality obligations binding on all personnel handling Personal Data. A disciplinary process applicable to breaches of information security policy.
10. Incident management: A documented Personal Data Breach response procedure, including escalation to the data protection contact. An internal escalation procedure designed to support notification to the Controller within the timeframe in clause 13. Post-incident review and remediation tracking.
11. Testing and assurance: Vulnerability scanning of production environments on a risk-based basis. Independent security testing of customer-facing systems at a frequency determined by Cloud9's risk assessment. Periodic internal review of the effectiveness of the measures, with remediation tracked to closure.
Service: Warehouse management, order management, inventory management, e-commerce channel integration, and dispatch management.
Location of Processing: Primary processing in the UK; operational and support access from the UK and Turkey.
Transfer mechanism: UK Addendum to the EU SCCs in respect of support access from Turkey, supported by a Transfer Risk Assessment dated 28 May 2026.
Service: Cloud hosting of the Despatch Cloud platform and backups.
Location of Processing: Expected AWS Europe (London) Region, eu-west-2 (UK) — to be confirmed with Despatch Cloud.
Transfer mechanism: N/A if UK region; AWS UK Addendum / DPF terms apply for any non-UK region.
Service: Carrier services — collection, delivery, tracking and returns.
Location of Processing: UK for domestic shipments; destination country for international shipments.
Transfer mechanism: International transfers for cross-border deliveries rely on Article 49(1)(b) UK GDPR (necessary for the performance of a contract with the Data Subject); each carrier's own safeguards apply for any onward transfers.
Service: Customer support / ticketing platform for fulfilment-related customer service.
Location of Processing: Primary tenant hosting in the EEA (Frankfurt, Germany); certain incidental processing (e.g. account/billing data, short-term call recording buffers) in the US.
Transfer mechanism: EEA hosting is covered by UK adequacy regulations (no mechanism required). Incidental US processing relies on the UK Extension to the EU-US Data Privacy Framework (UK-US Data Bridge), Freshworks Inc. being certified including the UK Extension.
Service: Accounting and billing system — invoicing, financial record-keeping.
Location of Processing: UK (contracting entity); New Zealand (Xero corporate processing); United States (Xero's AWS hosting).
Transfer mechanism: New Zealand is covered by UK adequacy regulations (no mechanism required). US hosting is governed by Xero's own Data Processing Addendum (UK Addendum to the EU SCCs).
Service: Hosted VOIP telephony, including inbound/outbound calls and, where enabled, call recordings relating to fulfilment customer service.
Location of Processing: United Kingdom (all processing and storage, including default call recording storage).
Transfer mechanism: N/A — no international transfer. UK-to-UK only, confirmed by Gamma and verified against Gamma's Product Privacy Information (UK-GOV-REC-017, v3).
Where any Sub-processor or Cloud9 transfers Personal Data outside the United Kingdom, the following safeguards apply. A transfer risk assessment is carried out by Cloud9 for each Restricted Country transfer requiring an Article 46 safeguard, and supplementary measures are applied where the assessment identifies them as necessary.