Data Processing Agreement
Article 28 GDPR processing terms between SKUU and each Partner, for End-Customer personal data that SKUU processes on the Partner’s behalf.
Version 2.0 · Last updated: 9 June 2026 · Schedule to the Partner Terms
1. Framework & scope
This Data Processing Agreement (the “DPA”) forms an integral part of the Partner Terms & Conditions between Sinka B.V., trading as SKUU (Hennegras 2, 2498 BL, ’s-Gravenhage, the Netherlands, KvK 95087982, VAT NL866996588B01), and the Partner. It applies wherever SKUU processes personal data on behalf of the Partner and sets out the terms required by Article 28 of the General Data Protection Regulation (Regulation (EU) 2016/679, “GDPR”).
Capitalised terms not defined here have the meaning given in the Partner Terms. “Controller”, “Processor”, “Personal Data”, “Processing”, “Data Subject”, and “Personal Data Breach” have the meaning given in the GDPR. Where this DPA conflicts with the Partner Terms on a data-protection matter, this DPA prevails.
2. Roles & subject matter
In respect of the personal data of End Customers, the Partner is the Controller and SKUU acts as Processor for the purpose of order routing and fulfilment coordination. For SKUU’s own purposes (settlement records, security, fraud prevention, and anonymised analytics) SKUU is an independent Controller; that processing is described in our Privacy Policy and falls outside this DPA. The Parties are not joint controllers.
The subject matter, duration, nature and purpose of the processing, the types of personal data, and the categories of data subjects are set out in section 13 (Details of the processing).
3. SKUU’s obligations as Processor
- Documented instructions. SKUU processes the Partner’s personal data only on the Partner’s documented instructions, including the instructions inherent in the Partner Terms and in the Partner’s use of the Service, unless required to act by Union or Member-State law (in which case SKUU informs the Partner unless that law prohibits it).
- Confidentiality. SKUU ensures that persons authorised to process the personal data are bound by an appropriate duty of confidentiality.
- Security. SKUU implements the technical and organisational measures described in section 4 (Article 32 GDPR).
- Assistance. Taking the nature of the processing into account, SKUU assists the Partner with appropriate measures to respond to Data-Subject requests (section 9) and to meet its obligations under Articles 32 to 36 GDPR (security, breach notification, and data-protection impact assessments).
- Return or deletion. On termination, SKUU deletes or returns the personal data as set out in section 11.
- Demonstrate compliance. SKUU makes available the information necessary to demonstrate compliance with Article 28 and allows for and contributes to audits as set out in section 10.
4. Security measures
SKUU maintains technical and organisational measures appropriate to the risk under Article 32 GDPR, including: encryption in transit (TLS 1.3 or higher) and at rest (AES-256); role-based, least-privilege access controls with multi-factor authentication; segmentation and strict isolation between test and production environments; continuous security monitoring with a documented incident-response process; and regular encrypted backups stored within the European Union. SKUU keeps these measures under review and may update them provided the level of protection is not reduced.
5. Data minimisation (Masked Email)
As a privacy-by-design and data-minimisation measure (Articles 5(1)(c) and 25 GDPR), SKUU substitutes a per-order Masked Email for the End Customer’s real email so that the Shipping Partner never receives it. The Shipping Partner receives only the End Customer’s name, shipping address, phone number, line items, and the Masked Email, solely to fulfil that specific Routed Order, and may not contact, market to, profile, retain, enrich, resell, or solicit the End Customer.
6. Sub-processors
The Partner gives SKUU general authorisation to engage sub-processors. SKUU imposes data-protection obligations on each sub-processor that are no less protective than those in this DPA (back-to-back Article 28 terms) and remains responsible for its sub-processors’ performance. A current list of sub-processors is available via the dashboard (and section 13). SKUU informs the Partner of any intended addition or replacement of a sub-processor in advance and gives the Partner a reasonable opportunity to object; if SKUU does not accommodate a reasonable objection, the Partner may terminate under the notice period in the Partner Terms.
7. International transfers
Hosting and primary storage are within the European Union. SKUU does not transfer the Partner’s personal data outside the European Economic Area unless a valid transfer mechanism under Chapter V GDPR applies: an adequacy decision (Article 45) or appropriate safeguards (Article 46), in practice the EU Standard Contractual Clauses (Commission Decision 2021/914) together with a transfer impact assessment and any necessary supplementary measures.
8. Personal-data breach
SKUU notifies the affected Partner of a Personal Data Breach without undue delay after becoming aware of it, and provides the information the Partner reasonably needs to meet its own obligations under Articles 33 and 34 GDPR, including the nature of the breach, the categories and approximate number of data subjects and records affected, the likely consequences, and the measures taken or proposed. As Controller, the Partner decides whether and how to notify the supervisory authority and affected individuals. SKUU cooperates fully with any investigation.
9. Data-subject requests
If SKUU receives a request from a Data Subject to exercise their rights (access, rectification, erasure, restriction, portability, or objection), SKUU does not respond directly except on the Partner’s instruction or as legally required, and forwards the request to the Partner without undue delay. SKUU provides reasonable assistance to enable the Partner to respond, taking into account the nature of the processing and the information available to SKUU.
10. Audits & information
SKUU makes available to the Partner the information necessary to demonstrate compliance with Article 28 GDPR, and allows for and contributes to audits, including inspections, conducted by the Partner or an auditor it mandates. Audits take place on reasonable prior written notice, during business hours, no more than once per year (unless a supervisory authority or a Personal Data Breach reasonably requires otherwise), subject to confidentiality, and in a manner that does not disproportionately disrupt SKUU’s operations. SKUU may satisfy an audit request by providing relevant certifications or third-party audit reports where available.
11. Return & deletion
On termination of the Service, and at the Partner’s choice, SKUU deletes or returns all personal data processed on the Partner’s behalf and deletes existing copies, unless Union or Member-State law requires storage. Where retention is legally required (for example, the Dutch seven-year fiscal retention obligation), SKUU restricts the data to that purpose alone. Deletion is completed within the timeframe set out in the Privacy Policy.
12. Liability & precedence
Liability under this DPA is governed by the liability provisions of the Partner Terms. This DPA is governed by Dutch law and subject to the same jurisdiction clause as the Partner Terms. In case of conflict between this DPA and the Partner Terms regarding the processing of personal data, this DPA prevails.
13. Details of the processing
- Subject matter. Routing and coordinating the fulfilment of End-Customer orders across the SKUU Network on the Partner’s behalf.
- Duration. For the term of the Partner Terms and until return or deletion under section 11.
- Nature and purpose. Receiving, matching, transmitting, and coordinating order and fulfilment data; settlement reporting; and related support.
- Types of personal data. End-Customer name, shipping address, phone number, order line items and order status, and the Masked Email. SKUU does not process special categories of data (Article 9 GDPR) or payment-card credentials.
- Categories of data subjects. The Partner’s End Customers.
- Sub-processors (current). The merchant’s connected e-commerce platform (order-data source, operating under its own terms); Supabase, Inc. (managed Postgres, Frankfurt, Germany; SCCs for any non-EEA support access); Hostinger International Ltd (VPS infrastructure, EU data centres); the transactional email provider (account and settlement notifications); and, once introduced, the licensed payment service provider for Settlement. The current list is maintained in the dashboard.
14. Contact
Data-protection questions and requests under this DPA can be sent to info@skuu.io (legal: legal@skuu.io). Supervisory authority: Autoriteit Persoonsgegevens.
Sinka B.V., trading as SKUU · Hennegras 2, 2498 BL, ’s-Gravenhage, the Netherlands · KvK 95087982 · VAT NL866996588B01.
See also our Partner Terms and Privacy Policy.