This DPA forms part of the Master Services Agreement between Printer's Friend and Customer. It governs the processing of personal data on behalf of Customer. It complies with GDPR Article 28, UK GDPR, the California CCPA, and the Australian Privacy Principles.
Customer is the controller. Printer's Friend is the processor.
Personal data of Customer's end users (the shop's customers, contacts, staff) processed via the Printer's Friend platform to provide the service.
For the term of the subscription, plus 30 days for deletion.
Storage, organisation, retrieval, transmission, alignment, combination, restriction and erasure of personal data, as required to provide the platform features.
Customer's end users: business contacts at shops Customer sells to, end consumers buying through Customer's portal, and Customer's own staff.
Name, email, phone, postal address, billing details, order history, artwork files (which may contain personal data such as names and numbers), and any free text the data subject submits.
Listed at privacy policy / subprocessors. We notify Customer 30 days before adding or replacing any subprocessor. Customer may object; if we cannot resolve the objection, Customer may terminate without penalty.
Standard Contractual Clauses (EU 2021/914) and the UK addendum apply where personal data leaves the EEA/UK. APP 8 obligations apply for Australian Customers.
TLS 1.3 in transit, AES-256 at rest, role-based access, least-privilege production access, MFA on staff accounts, full audit log, encrypted backups, SOC 2 Type II. Full detail in our security overview.
We assist Customer in responding to data subject requests within 30 days. Customer can self-serve most requests (access, correction, deletion, export) from the platform itself.
We notify Customer within 72 hours of becoming aware of a personal data breach, with the information required under GDPR Article 33.
Customer may audit our compliance once per year on 30 days' notice. We may meet this by providing our annual SOC 2 Type II report and answering reasonable follow-up questions.
On termination, Customer can export everything for 30 days. After that we delete or anonymise all personal data, except where retention is required by law.
For a signed copy: legal@printersfriend.com.