Data Processing Agreement (DPA)
This Data Processing Agreement governs the processing of personal data on behalf of our Clients in the course of providing MyQCart POS Services.
This Data Processing Agreement ("DPA") forms part of the agreement for MyQCart POS Services between the Client ("Controller", "you") and MyQCart™ ("Processor", "we", "us", or "our"), a trading name of ORVIK GROUP LTD (Company Registration No. 17333890), a private company registered in England and Wales with its registered office at 71–75 Shelton Street, Covent Garden, London WC2H 9JQ, United Kingdom. It applies where MyQCart processes personal data on your behalf in the course of providing the Services.
This DPA is intended to help business Clients operating in or serving the UK and EU meet their obligations under UK GDPR / EU GDPR when using a third-party processor.
1. Definitions
- "Controller", "Processor", "Personal Data", "Processing", "Data Subject", "Supervisory Authority" and "Personal Data Breach" shall have the meanings given to them under applicable Data Protection Legislation.
- "Data Protection Legislation" means all applicable data protection and privacy legislation in force from time to time in the UK and the European Union, including the UK GDPR, the Data Protection Act 2018, the General Data Protection Regulation (Regulation (EU) 2016/679) ("EU GDPR"), and the Privacy and Electronic Communications Regulations 2003.
- "UK GDPR" has the meaning given to it in section 3(10) (as supplemented by section 205(4)) of the Data Protection Act 2018.
- "Subprocessor" means any third party appointed by the Processor to process personal data on behalf of the Controller.
2. Roles of the Parties
- The Client is the Data Controller for personal data relating to its own staff, customers, and end users that is entered into or processed through the Services (e.g., customer names, transaction records, loyalty data).
- MyQCart is the Data Processor, processing such personal data solely on behalf of, and in accordance with, the Client's documented instructions, as set out in the Terms of Service and this DPA.
3. Scope and Nature of Processing
- Subject matter: Provision of POS software and related hosting, backup, and support services.
- Duration: For the term of the Client's subscription, plus any post-termination retention period described in the Privacy Policy.
- Nature and purpose: Storage, processing, and transmission of transaction, inventory, and customer data as configured by the Client within the Services.
- Categories of data subjects: The Client's customers, staff, and end users.
- Categories of personal data:
- Names and contact details (including email addresses and telephone numbers)
- Transaction and purchase history
- Billing and payment information
- Loyalty programme information (where configured or applicable)
- Any other personal data the Client chooses to input or capture within the Services.
4. Processor Obligations
MyQCart shall:
- Process personal data only on the documented instructions of the Client, unless required otherwise by law.
- Ensure personnel authorized to process personal data are subject to confidentiality obligations.
- Implement and maintain appropriate technical and organisational measures designed to ensure a level of security appropriate to the risk.
- Ensure that any person authorised to process personal data is bound by appropriate confidentiality obligations, whether through contractual or statutory requirements.
- Implement appropriate technical and organizational security measures, as described in our Security Policy.
- Assist the Client, insofar as reasonably possible, in responding to data subject rights requests and in meeting obligations relating to data security, breach notification, and data protection impact assessments.
- Notify the Client without undue delay and, where reasonably practicable, within seventy-two (72) hours of becoming aware of a personal data breach affecting the Client's data.
- Make available information reasonably necessary to demonstrate compliance with this DPA.
- Maintain records of processing activities where required under applicable data protection legislation.
- At the Client's choice, delete or return all personal data at the end of the subscription term, except where retention is required by law (see Privacy Policy, Section 8).
5. Subprocessors
- MyQCart may engage subprocessors (e.g., cloud hosting providers, payment processors) to assist in providing the Services.
- MyQCart imposes data protection obligations on subprocessors that are no less protective than those in this DPA.
- MyQCart remains liable for the performance of its subprocessors' obligations.
- A current list of approved subprocessors is available upon request or may be published on our website. MyQCart will provide reasonable notice of any intended changes to subprocessors, giving the Client the opportunity to object on reasonable data protection grounds.
6. International Transfers
Where personal data is transferred outside the UK or EEA, MyQCart will ensure appropriate safeguards are in place, such as the UK International Data Transfer Agreement (IDTA), the UK Addendum to the EU Standard Contractual Clauses, or other legally recognised transfer mechanisms, as applicable, in accordance with applicable data protection law.
7. Security Measures
MyQCart maintains appropriate technical and organisational security measures designed to protect Client data, as further described in our Security Policy. These include:
- Encryption of data in transit using TLS/SSL (TLS 1.2 or higher)
- Access controls and authentication mechanisms
- Role-based access permissions for both Processor staff and Controller users
- Secure password hashing (non-plaintext storage)
- Regular backups and system monitoring
- Vulnerability monitoring and patch management
- Secure hosting infrastructure
Further details are available in our Security Policy.
8. Audit Rights
Upon reasonable prior notice, and no more than once per year (unless required by a regulator or following a security incident), the Client may request information reasonably necessary to verify MyQCart's compliance with this DPA. Any audit shall be conducted during normal business hours and in a manner that does not unreasonably interfere with MyQCart's business operations.
9. Confidentiality
Each party shall keep confidential all information received from the other party in connection with this DPA except where disclosure is required by applicable law or regulation.
10. Liability
Liability under this DPA is subject to the limitation of liability provisions set out in the Terms of Service.
11. Governing Law
This Data Processing Agreement shall be governed by and interpreted in accordance with the laws of England and Wales, except where applicable data protection legislation requires otherwise.
12. Contact Us
For data protection inquiries or to request a signed copy of this DPA for your records:
MyQCart™A trading name of ORVIK GROUP LTD
Registered in England and Wales
Company Registration No. 17333890
Registered Office
71–75 Shelton Street
Covent Garden
London WC2H 9JQ
United Kingdom
Phone: +44 7723 353557
Email: support@myqcart.com
Website: https://www.myqcart.com