Skip to main content

Data Processing Agreement

Updated

Date of Last Revision: September 24, 2025

This Data Processing Agreement ("DPA") is part of the Agreement between the Customer and Handled, Inc. ("Handled," "we," "us," or "our") and governs our processing of Personal Data on behalf of the Customer in connection with the Services.

1. Definitions

"Applicable Data Protection Laws" means all laws and regulations governing the use, processing, and protection of Personal Data, including the GDPR, UK GDPR, and CCPA/CPRA.

"Personal Data" means any information that relates to an identified or identifiable individual that Handled processes on behalf of Customer.

"Process," "Controller," "Processor," "Data Subject," and "Subprocessor" have the meanings given under Applicable Data Protection Laws.

2. Roles and Scope

Customer is the Controller of Personal Data. Handled is the Processor, processing Personal Data solely to provide the Services. Each party will comply with the obligations applicable to it under Applicable Data Protection Laws.

3. Purpose and Nature of Processing

Handled and its affiliated third parties process Personal Data as necessary to provide the Services and to offer, maintain, or improve the Services, including exploring new features or offerings and improving service pricing or delivery.

4. Customer Responsibilities

Customer represents and warrants that it has all necessary rights, consents, and legal bases to provide Personal Data to Handled and to authorize its processing. Customer is solely responsible for the accuracy, quality, legality, and adequacy of Personal Data.

5. Handled’s Processing Obligations

Handled will:

  • Process, and allow its affiliated third parties to process, Personal Data as necessary to provide the Services and to offer, maintain, or improve the Services, including exploring new features or offerings and improving service pricing or delivery.
  • Not sell or share Personal Data (as those terms are defined under CCPA/CPRA). Any disclosure of Personal Data to subcontractors or service providers is done solely to provide the Services for the business purposes authorized by Customer
  • Implement commercially reasonable technical and organizational safeguards
  • Ensure access is limited to authorized individuals under confidentiality obligations
  • Notify Customer of any confirmed Personal Data breach without undue delay, only to the extent required by law

Handled may, at its discretion, assist Customer in responding to verified data subject requests within a commercially reasonable timeframe.

6. Subprocessors

Handled may use third-party service providers to support delivery of the Services. These may include WMS platforms, cloud infrastructure providers, analytics tools, CRM systems, and shipping carriers. While Handled may not disclose all subprocessors, all such providers are engaged to support service delivery, and some operate under their own privacy policies. Handled coordinates such subprocessors as part of the Services but does not assume liability for their independent acts or omissions.

7. International Transfers

Handled primarily processes Personal Data in the United States. Handled may make available additional data transfer mechanisms, such as the EU Standard Contractual Clauses, UK addenda, or Swiss addenda, if required by law and agreed upon in writing by the parties.

8. Security Measures

Handled maintains commercially reasonable safeguards designed to protect Personal Data, including:

  • Encryption of data in transit and at rest
  • Access controls and authentication protocols
  • Secure physical and digital storage
  • Internal data handling policies

General information about Handled’s privacy practices is available in our Privacy Policy.

9. Data Subject Rights

Handled may, at its discretion, assist Customer in responding to verified data subject requests within a commercially reasonable timeframe.

10. Data Retention

Handled retains Personal Data for as long as reasonably necessary to provide the Services or meet its legal and operational obligations. Handled is under no obligation to delete or return Personal Data after termination of the Agreement unless legally required.

11. Audit Rights

Handled may, once per year and upon written request, provide documentation or a summary of its data protection practices. Any broader audit right must be expressly required by law and pre-approved in writing by Handled. Customer agrees to bear the cost of any such audit.

12. Liability

The limitation of liability under this DPA shall be governed by the limitation set forth in the Agreement. Nothing in this DPA increases or expands the liability cap agreed to in the underlying Agreement.

13. General

This DPA is governed by the same law and jurisdiction as the Agreement. If any provision is found unenforceable, the remainder shall remain in effect. In case of conflict between this DPA and the Agreement, the DPA shall control with respect to privacy and data protection.

14. Contact

For questions about this DPA or privacy-related issues, please contact:
Email: legal@handledcommerce.com

Related articles

Powered by Zendesk