Data Processing Agreement
This Data Processing Agreement ("DPA") forms part of the Terms of Service (the "Agreement") between Restock, Inc. ("Restock", "Processor"), and the Customer ("Controller"). It governs the Processing of Personal Data by Restock on the Controller's behalf and is designed to satisfy Article 28 of the EU General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR") and the UK GDPR. Capitalized terms not defined here have the meaning in the GDPR or the Agreement.
1. Parties and roles
With respect to Personal Data contained in Customer Data, the Customer is the Controller and Restock is the Processor. Where the Customer acts as a processor for a third-party controller, Restock is a sub-processor and the Customer warrants it has authority to engage Restock on those terms.
2. Subject matter, duration, nature, and purpose
The subject matter is the provision of the Service. The duration is the term of the Agreement plus any post-termination period described in Section 10. The nature and purpose of Processing is to host, store, transmit, and otherwise process Customer Data as necessary to provide the Service to the Controller. Further detail is in Annex I.
3. Processing on documented instructions
Restock will Process Personal Data only on the Controller's documented instructions, including with regard to international transfers, unless required by applicable law (in which case Restock will inform the Controller unless the law prohibits it). The Agreement, this DPA, and the Controller's use of the Service's features constitute the Controller's complete and documented instructions. Restock will inform the Controller if, in its opinion, an instruction infringes the GDPR or other data protection law.
4. Confidentiality of personnel
Restock will ensure that persons authorized to Process Personal Data are bound by appropriate confidentiality obligations and are subject to access controls under the principle of least privilege.
5. Security of processing (Art. 32)
Restock will implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as described in Annex II and our Security Overview. Restock may update these measures provided the level of security is not materially reduced.
6. Sub-processors
The Controller provides general written authorization for Restock to engage sub-processors to Process Personal Data. The current list of sub-processors is maintained in the Trust Center and in Annex III. Restock will impose data protection obligations on each sub-processor that are no less protective than those in this DPA, and remains responsible for its sub-processors' performance. Restock will give the Controller at least 30 days' notice of the addition or replacement of a sub-processor (for example, via the Trust Center or email). The Controller may object on reasonable data protection grounds within that period; the parties will work in good faith to resolve the objection, and if they cannot, the Controller may terminate the affected Service.
7. Assistance with data subject requests
Taking into account the nature of the Processing, Restock will assist the Controller by appropriate technical and organizational measures, insofar as possible, to respond to requests from data subjects exercising their rights under the GDPR (access, rectification, erasure, restriction, portability, and objection). Where a data subject contacts Restock directly regarding Personal Data Processed on a Controller's behalf, Restock will promptly forward the request to the Controller and will not respond directly except on the Controller's instruction or as required by law.
8. Assistance with obligations (Art. 32–36)
Restock will assist the Controller, taking into account the nature of Processing and the information available to Restock, in ensuring compliance with the Controller's obligations relating to security of Processing, breach notification, data protection impact assessments, and prior consultation with supervisory authorities.
9. Personal data breach notification
Restock will notify the Controller without undue delay after becoming aware of a Personal Data Breach affecting Personal Data Processed under this DPA, and will provide information reasonably available to assist the Controller in meeting its own notification obligations. Restock will take reasonable steps to mitigate and remediate the breach.
10. Deletion or return of data
Upon termination or expiry of the Agreement, Restock will, at the Controller's choice, delete or return all Personal Data and delete existing copies, unless retention is required by applicable law. The Service typically allows the Controller to export Customer Data for a limited period (around 30 days) after termination, after which data is deleted in the ordinary course, subject to backup rotation cycles.
11. Audits and inspections
Restock will make available to the Controller information reasonably necessary to demonstrate compliance with Article 28 and allow for and contribute to audits, including inspections, conducted by the Controller or an auditor it mandates. The parties will agree on the scope, timing, and confidentiality of any audit in advance; audits will occur no more than once per year (absent a regulator requirement or a breach), during business hours, with reasonable notice, and without unduly disrupting Restock's operations. Restock may satisfy audit requests by providing third-party certifications, reports (such as a SOC 2 report under NDA — see the Trust Center), and responses to reasonable questionnaires.
12. International transfers
To the extent Restock Processes Personal Data subject to the GDPR or UK GDPR in a country that does not provide an adequate level of protection, the parties agree that the European Commission's Standard Contractual Clauses (Module Two: Controller to Processor, and Module Three where Restock acts as sub-processor) are incorporated into this DPA by reference and completed by reference to the Annexes hereto. For UK transfers, the UK International Data Transfer Addendum applies. In the event of a conflict, the SCCs prevail over other terms of this DPA with respect to such transfers.
13. General
This DPA is subject to the limitation of liability provisions of the Agreement. If any provision conflicts with the Agreement, this DPA controls with respect to Processing of Personal Data. This DPA is governed by the law specified in the Agreement, except where the GDPR or SCCs require otherwise.
Annex I — Details of processing
A. List of parties
Data exporter (Controller): The Customer identified in the Agreement. Data importer (Processor): Restock, Inc.; contact privacy@restock.supply.
B. Categories of data subjects
- Customer's personnel (Users): employees, contractors, sales representatives, route drivers.
- Customer's business contacts: store and account buyers, supplier contacts, distributor contacts.
- Other individuals identified within documents or records the Customer uploads.
C. Categories of personal data
- Identifiers and contact details (name, business email, phone, job title, employer).
- Account and authentication data for Users.
- Business and transactional data that may reference individuals (routes, orders, returns, invoices, contracts, signatures, notes).
- Payment metadata (last four digits, card brand, billing postal code — no full card numbers).
Special categories of data: The Service is not intended to Process special categories of Personal Data. The Controller should not upload such data.
D. Frequency, nature, and purpose
Continuous, for the duration of the Agreement, to provide, secure, and support the Service as instructed.
E. Retention
For the term of the Agreement plus the post-termination period in Section 10, subject to legal retention requirements and backup cycles.
Annex II — Technical and organizational measures
Restock implements the measures described in our Security Overview, including:
- Encryption of Personal Data in transit (TLS 1.2+) and at rest (AES-256).
- Logical tenant isolation enforced through database Row Level Security.
- Authentication, multi-factor authentication, and least-privilege access controls.
- Secrets management and key rotation.
- Logging, monitoring, and an audit log of significant actions.
- Backups and disaster recovery procedures.
- Vulnerability management and a responsible disclosure process.
- Personnel confidentiality obligations and security training.
- Sub-processor due diligence and contractual safeguards.
Certain measures are on our roadmap and are marked accordingly in the Security Overview; the Annex reflects current and planned controls as the product approaches launch.
Annex III — Sub-processors
The authorized sub-processors are listed and kept current in the Trust Center. As of the date of this DPA they include the following:
| Sub-processor | Purpose | Location |
|---|---|---|
| Supabase | Managed database, authentication, hosting | United States |
| Stripe | Payment processing | United States |
| Netlify | Static hosting and CDN | United States |
| Resend / Postmark | Transactional email delivery | United States |
| Cloudflare | DNS and CDN | United States |
Signatures
This DPA is entered into by the parties as of the effective date of the Agreement and may be executed electronically.
Signature
Name / Title
Date
Signature
Name / Title
Date