GDPR Data Processing Addendum

Effective Date: 14 November 2025

This Data Processing Addendum ("DPA") forms part of the SaaS Terms of Service (the "Agreement") between Omni Tend Ltd ("Processor", "we", "us" or "our") and the Customer ("Controller", "you" or "your").

This DPA reflects the parties' agreement with regard to the Processing of Personal Data in accordance with the requirements of Data Protection Laws, including the UK Data Protection Act 2018 and the EU General Data Protection Regulation (Regulation (EU) 2016/679) ("GDPR").


1. Definitions and Interpretation

1.1 Definitions

In this DPA, the following terms shall have the meanings set out below:

  • "Controller" means the Customer, who determines the purposes and means of the Processing of Personal Data.

  • "Data Protection Laws" means all applicable laws and regulations relating to the Processing of Personal Data, including the UK GDPR, the EU GDPR, and the UK Data Protection Act 2018, and any successor or replacement legislation.

  • "Data Subject" means an identified or identifiable natural person whose Personal Data is Processed under this DPA.

  • "Personal Data" means any information relating to an identified or identifiable natural person that is Processed by the Processor on behalf of the Controller under the Agreement.

  • "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed.

  • "Processing" (and "Process", "Processed") means any operation or set of operations performed on Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

  • "Processor" means Omni Tend Ltd, Company Number: 15219162, which Processes Personal Data on behalf of the Controller.

  • "Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for the transfer of personal data to third countries approved by the European Commission or UK Information Commissioner's Office.

  • "Sub-processor" means any third party appointed by the Processor to Process Personal Data on behalf of the Controller.

1.2 Interpretation

Terms not defined in this DPA shall have the meaning given to them in the Agreement or, if not defined there, in the applicable Data Protection Laws.


2. Scope and Application

2.1 This DPA applies to all Processing of Personal Data by the Processor on behalf of the Controller in connection with the provision of the Services under the Agreement.

2.2 The Processor shall Process Personal Data only in accordance with the Controller's documented instructions as set out in this DPA, the Agreement, and any additional written instructions provided by the Controller, unless required to do so by applicable law.

2.3 If the Processor believes that any instruction from the Controller infringes Data Protection Laws, the Processor shall promptly inform the Controller and may suspend the Processing until the Controller confirms or modifies the instruction.

2.4 Roles. For Customer Data that the Processor processes on the Controller's documented instructions to provide and support the Services, the Processor acts as processor. For the Processor's own limited purposes—platform security and fraud/abuse prevention, service improvement and analytics, compliance/legal and audit, billing and account management, and communications about the Services—the Processor acts as controller, using the minimum personal data needed and anonymising or aggregating where possible. The Processor will not use Customer Personal Data for other purposes without consent. Lawful bases for controller activities are set out in the Processor's Privacy Policy.


3. Details of Processing

3.1 Subject Matter

The subject matter of the Processing is the provision of the Omni Tend SaaS platform services, including ePOS (electronic point of sale) and eCommerce functionality, as described in the Agreement.

3.2 Duration

The duration of Processing is for the term of the Agreement and for a period of up to 30 days following termination for active data return or destruction, and up to 180 days for backup systems.

3.3 Nature and Purpose of Processing

The Processor will Process Personal Data for the following purposes:

  • Providing the Platform services, including hosting, storage, and technical support
  • Enabling the Controller to operate their point of sale systems and eCommerce web shops
  • Processing transactions, orders, and customer records on behalf of the Controller
  • Providing analytics, reporting, and service improvement features
  • Performing backups and disaster recovery
  • Providing customer support and technical assistance
  • Any other purposes specified by the Controller in accordance with the Agreement

3.4 Categories of Data Subjects

Personal Data Processed under this DPA may relate to the following categories of Data Subjects:

  • The Controller's employees, contractors, and authorised users
  • The Controller's end-customers (purchasers of goods or services through the Controller's ePOS or eCommerce platform)
  • Prospective customers of the Controller
  • Business contacts of the Controller
  • Any other individuals whose Personal Data is uploaded to or processed through the Platform by the Controller

3.5 Categories of Personal Data

The Personal Data Processed may include:

Account and Business Data:

  • Names, email addresses, phone numbers
  • Business names, addresses, and company details
  • Account credentials and authentication data
  • Billing and payment information
  • Communication records and support tickets

End-Customer Data:

  • Names, email addresses, phone numbers
  • Delivery addresses
  • Order history and transaction records
  • Payment information (where processed through the Platform)
  • Marketing consent preferences
  • Customer behaviour and analytics data
  • Product preferences and purchase history

Special Categories of Personal Data:

The Processor does not expect to Process special categories of Personal Data (as defined in Article 9 GDPR) or personal data relating to criminal convictions and offences. If the Controller instructs the Processor to Process such data, the parties shall agree additional safeguards in writing before such Processing commences.


4. Processor Obligations

4.1 Compliance with Instructions

The Processor shall:

a) Process Personal Data only on documented instructions from the Controller, unless required to do so by applicable law (in which case the Processor shall inform the Controller of that legal requirement before Processing, unless prohibited by law);

b) Ensure that persons authorised to Process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;

c) Not transfer, copy, or otherwise Process Personal Data for its own purposes or on behalf of any third party;

d) Implement and maintain appropriate technical and organisational measures as described in Section 5 below.

4.2 Notification of Non-Compliance

If the Processor believes it is unable to comply with its obligations under Data Protection Laws or this DPA, it shall promptly notify the Controller and, where appropriate, cease the relevant Processing activity until lawful Processing can be ensured.


5. Security of Processing

5.1 Technical and Organisational Measures

The Processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk of Processing, including as appropriate:

a) Encryption of Personal Data:

  • Encryption in transit using industry-standard protocols (HTTPS/TLS)
  • Encryption at rest for data storage
  • Secure session management

b) Authentication and Access Controls:

  • Role-based access control limiting user access based on job function
  • Secure password storage using cryptographic hashing
  • Session-based authentication with secure cookie handling

c) Payment Data Security:

  • Payment card data handled exclusively by PCI-compliant third-party payment processors
  • No raw payment card data stored in Processor systems
  • Tokenization of payment information for secure transaction processing

d) Audit Logging and Monitoring:

  • Activity logging of user actions and data modifications
  • Audit trails recording access to and modification of Personal Data
  • Log retention for security incident detection and investigation

e) Ongoing confidentiality, integrity, availability and resilience of Processing systems and services;

f) Ability to restore availability and access to Personal Data in a timely manner in the event of a physical or technical incident;

g) Regular testing, assessment and evaluation of the effectiveness of technical and organisational measures;

h) Physical security of data centres and facilities where Personal Data is stored or Processed;

i) Secure deletion procedures for destroying Personal Data when no longer required;

j) Protection against common web vulnerabilities including cross-site request forgery (CSRF) and injection attacks.

5.2 Security Documentation

The Processor shall maintain documentation of its security measures and make such documentation available to the Controller upon reasonable request, subject to confidentiality obligations.

5.3 Security Updates

The Processor shall regularly review and update its security measures to ensure they remain appropriate in light of evolving security threats and technological developments.


6. Sub-processing

6.1 General Authorisation

The Controller provides general written authorisation for the Processor to engage Sub-processors to Process Personal Data on the Controller's behalf, subject to the conditions set out in this Section 6.

6.2 Sub-processor Categories

The Processor engages Sub-processors in the following categories to provide the Services:

  • Cloud infrastructure providers - hosting, databases, and content delivery
  • Email service providers - transactional email delivery
  • Payment processors - payment processing and billing
  • Communication providers - SMS and messaging services
  • Backup service providers - data backup and disaster recovery
  • Monitoring and alerting services - internal system monitoring

All Sub-processors are bound by data processing agreements with obligations equivalent to those in this DPA. Where Sub-processors are located outside the UK/EEA, appropriate safeguards (such as Standard Contractual Clauses) are in place.

6.3 Sub-processor Obligations

The Processor shall:

a) Impose on each Sub-processor the same data protection obligations as set out in this DPA, including requirements regarding security, confidentiality, and international transfers;

b) Enter into a written contract with each Sub-processor containing terms substantially equivalent to those set out in this DPA;

c) Remain fully liable to the Controller for the performance of the Sub-processor's obligations;

d) Supervise the Sub-processor's Processing activities to ensure compliance with the contract and Data Protection Laws.

6.4 Sub-processor List

The Processor shall maintain an up-to-date list of Sub-processors, which shall be made available to the Controller upon request by emailing privacy@omnitend.com.


7. Data Subject Rights

7.1 Assistance with Data Subject Requests

Taking into account the nature of the Processing, the Processor shall assist the Controller by implementing appropriate technical and organisational measures, insofar as this is possible, to enable the Controller to respond to requests from Data Subjects exercising their rights under Data Protection Laws, including:

  • Right of access (Article 15 GDPR)
  • Right to rectification (Article 16 GDPR)
  • Right to erasure / "right to be forgotten" (Article 17 GDPR)
  • Right to restriction of Processing (Article 18 GDPR)
  • Right to data portability (Article 20 GDPR)
  • Right to object (Article 21 GDPR)
  • Rights related to automated decision-making and profiling (Article 22 GDPR)

7.2 Direct Requests

If the Processor receives any request from a Data Subject to exercise their rights under Data Protection Laws, the Processor shall:

a) Not respond to that request directly without the Controller's prior written authorisation;

b) Promptly forward the request to the Controller;

c) Provide reasonable assistance to the Controller in responding to the request as instructed by the Controller.

7.3 Charges for Assistance

The Processor shall provide reasonable assistance to the Controller in responding to Data Subject requests without charge. If the Controller's requests for assistance are manifestly excessive, the Processor may charge reasonable fees for such assistance, which shall be agreed in advance.


8. Personal Data Breaches

8.1 Notification to Controller

The Processor shall notify the Controller without undue delay upon becoming aware of a Personal Data Breach affecting the Controller's Personal Data.

8.2 Breach Notification Content

The notification shall, to the extent possible, include:

a) A description of the nature of the Personal Data Breach including, where possible, the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned;

b) The name and contact details of the Processor's data protection officer or other relevant contact point;

c) A description of the likely consequences of the Personal Data Breach;

d) A description of the measures taken or proposed to be taken by the Processor to address the Personal Data Breach and, where appropriate, measures to mitigate its possible adverse effects.

8.3 Investigation and Remediation

The Processor shall:

a) Investigate the Personal Data Breach and take reasonable steps to remediate the breach and prevent future breaches;

b) Provide ongoing updates to the Controller as the investigation progresses and new information becomes available;

c) Cooperate with the Controller in any investigation, including providing access to relevant personnel, facilities, and documentation;

d) Not make any public disclosure of the Personal Data Breach without the Controller's prior written consent, except as required by applicable law.

8.4 Documentation

The Processor shall maintain records of all Personal Data Breaches, including the facts relating to the breach, its effects, and the remedial action taken, and shall make such records available to the Controller and supervisory authorities upon request.


9. Data Protection Impact Assessment and Prior Consultation

9.1 Assistance with DPIAs

Where required under Data Protection Laws, the Processor shall provide reasonable assistance to the Controller in conducting data protection impact assessments and prior consultations with supervisory authorities, taking into account the nature of Processing and the information available to the Processor.

9.2 Information Provision

The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in this DPA and Data Protection Laws, and allow for and contribute to audits and inspections as set out in Section 10.


10. Audit Rights

10.1 Audit and Inspection Rights

The Controller (or an independent auditor appointed by the Controller, subject to confidentiality obligations) may, upon reasonable written notice (at least 30 days) and during normal business hours, audit and inspect the Processor's compliance with its obligations under this DPA, subject to the following conditions:

a) Audits shall not be conducted more than once per year, unless required following a Personal Data Breach or by a supervisory authority;

b) The Controller shall provide reasonable details of the scope, duration, and commencement date of the audit;

c) Audits shall not unreasonably interfere with the Processor's business operations;

d) The Controller shall be responsible for all costs and expenses associated with the audit, including reasonable costs incurred by the Processor in facilitating the audit.

10.2 Audit Reports and Certifications

In lieu of conducting an audit under Section 10.1, the Controller may accept relevant third-party audit reports or security certifications held by the Processor (such as ISO 27001, SOC 2, or similar), which the Processor shall make available upon reasonable request.

10.3 Remediation

If an audit reveals non-compliance with this DPA or Data Protection Laws, the Processor shall promptly take appropriate measures to remedy such non-compliance and provide the Controller with evidence of such remediation.


11. International Transfers

11.1 Data Locations

Personal Data may be Processed and stored in the following locations:

  • Primary Processing Location: United Kingdom
  • Potential Additional Locations: European Union, United States, and other locations where Sub-processors are located. A current list of Sub-processors and their locations is available upon request (see Section 6.4).

11.2 Transfers Outside the UK/EEA

To the extent that the Processor transfers Personal Data outside the United Kingdom or the European Economic Area ("EEA") to a country that has not been subject to an adequacy decision by the UK Information Commissioner's Office or the European Commission, the Processor shall ensure that:

a) Appropriate safeguards are in place, such as Standard Contractual Clauses approved by the European Commission or the UK ICO, or binding corporate rules;

b) The transfer complies with the requirements of Data Protection Laws;

c) The Controller is informed of such transfers and the safeguards in place.

11.3 Standard Contractual Clauses

Where Standard Contractual Clauses are used as the basis for international transfers, the parties agree that:

a) The applicable Standard Contractual Clauses are incorporated into this DPA by reference;

b) For EU GDPR transfers, the EU Commission Standard Contractual Clauses (2021/914) shall apply;

c) For UK GDPR transfers, the UK International Data Transfer Addendum to the EU Commission Standard Contractual Clauses shall apply;

d) The Controller is the "data exporter" and the Processor (or relevant Sub-processor) is the "data importer";

e) The details in Section 3 of this DPA satisfy the requirements of Annex I of the Standard Contractual Clauses;

f) The security measures described in Section 5 of this DPA satisfy the requirements of Annex II of the Standard Contractual Clauses.

11.4 Changes to Data Locations

The Processor may relocate Personal Data to new countries or territories as necessary to provide the Services, provided that appropriate safeguards are in place before any such relocation. The current list of data locations is available upon request (see Section 6.4).


12. Return and Deletion of Personal Data

12.1 Return or Deletion

Upon termination or expiry of the Agreement, or upon the Controller's written request, the Processor shall (at the Controller's election):

a) Return all Personal Data to the Controller in a structured, commonly used, and machine-readable format; or

b) Securely delete and procure the deletion of all Personal Data.

12.2 Timeframe

The Processor shall complete the return or deletion of Personal Data within 30 days following termination of the Agreement or the Controller's written request, unless:

a) Longer retention is required by applicable law (in which case the Processor shall inform the Controller of such requirement and continue to protect the Personal Data in accordance with this DPA for the duration of such retention); or

b) The Personal Data is retained in backup systems, in which case such data shall be securely deleted in accordance with the Processor's standard backup deletion procedures (not exceeding 180 days from the date of termination).

12.3 Certification of Deletion

Upon completion of the deletion, the Processor shall provide the Controller with written certification that Personal Data has been returned or deleted in accordance with this Section 12, including confirmation that Sub-processors have also deleted the Personal Data.

12.4 Exceptions

Notwithstanding the above, the Processor may retain Personal Data to the extent and for such period as required by applicable law, provided that the Processor shall ensure the confidentiality of all such Personal Data and ensure that such Personal Data is only Processed as necessary for the purpose(s) specified in the applicable law requiring its retention.


13. Records of Processing Activities

13.1 Maintenance of Records

The Processor shall maintain accurate and up-to-date records of all categories of Processing activities carried out on behalf of the Controller, including:

a) The name and contact details of the Processor and each Sub-processor, and of the Controller on behalf of which the Processor is acting;

b) The categories of Processing carried out on behalf of the Controller;

c) Where applicable, transfers of Personal Data to a third country or an international organisation, including the identification of that third country or international organisation and the documentation of suitable safeguards;

d) A general description of the technical and organisational security measures referred to in Section 5.

13.2 Availability of Records

The Processor shall make such records available to the Controller and supervisory authorities upon request.


14. Data Protection Officer

14.1 Processor's DPO

The Processor has appointed a Data Protection Officer who may be contacted at:

Data Protection Officer
Omni Tend Ltd
Email: dpo@omnitend.com

14.2 Role of DPO

The Data Protection Officer shall:

a) Monitor the Processor's compliance with Data Protection Laws and this DPA;
b) Act as the point of contact for the Controller on data protection matters;
c) Cooperate with supervisory authorities and act as their contact point;
d) Provide advice on data protection impact assessments and other data protection matters.


15. Liability and Indemnification

15.1 Liability Under Data Protection Laws

Each party's liability arising out of or related to this DPA (whether in contract, tort, or under any other theory of liability) shall be subject to the limitations of liability set out in the Agreement.

15.2 Chain of Liability

Where the Processor is liable to the Controller under this DPA or Data Protection Laws for damage caused by Processing, the Processor shall be liable for that damage only if it has not complied with obligations under Data Protection Laws specifically directed at processors or where it has acted outside or contrary to lawful instructions from the Controller.

15.3 Sub-processor Liability

The Processor shall be liable to the Controller for the acts and omissions of its Sub-processors to the same extent as if they were the acts or omissions of the Processor.


16. Term and Termination

16.1 Term

This DPA shall commence on the Effective Date and shall remain in force for the duration of the Agreement and until all Personal Data has been returned or deleted in accordance with Section 12.

16.2 Survival

The obligations of the parties under this DPA that by their nature should survive termination or expiry (including obligations relating to data return/deletion, confidentiality, liability, and audit rights) shall survive termination or expiry of this DPA and the Agreement.


17. General Provisions

17.1 Conflict

In the event of any conflict or inconsistency between the provisions of this DPA and the Agreement, the provisions of this DPA shall prevail to the extent of the conflict or inconsistency with respect to Processing of Personal Data.

17.2 Amendments

We may update this DPA to reflect changes in our processing activities, sub-processors, or applicable Data Protection Laws. Material changes will be notified in accordance with the notice provisions in the Agreement. Your continued use of the Services after the effective date constitutes acceptance of the updated DPA.

17.3 Severability

If any provision of this DPA is held to be invalid or unenforceable, the remaining provisions shall remain in full force and effect, and the invalid or unenforceable provision shall be replaced with a valid and enforceable provision that most closely reflects the parties' intent.

17.4 Governing Law and Jurisdiction

This DPA shall be governed by and construed in accordance with the laws of England and Wales, and any disputes arising out of or in connection with this DPA shall be subject to the exclusive jurisdiction of the courts of England and Wales.

17.5 Regulatory Guidance

The parties acknowledge that Data Protection Laws and regulatory guidance continue to evolve. The parties agree to cooperate in good faith to review and, if necessary, amend this DPA to ensure continued compliance with applicable Data Protection Laws.


18. Contact Information

For questions or concerns regarding this DPA or data protection matters, please contact:

Omni Tend Ltd
Company Number: 15219162
Address: 22 Earsham Street, Bungay, Suffolk, United Kingdom, NR35 1AG
Email: privacy@omnitend.com
Data Protection Officer: dpo@omnitend.com


END OF DATA PROCESSING ADDENDUM
