Data Processing Agreement (DPA)

Last Updated: [15.09.2025]

1. COMPANY INFORMATION

Data Controller: DIGIFABRICA LTD
Company Number: 15390190
Registered Office: 71-75 Shelton Street, Covent Garden, London, United Kingdom, WC2H 9JQ
Email: info@bittenpay.com
Director: Ümit Sönmez

2. INTRODUCTION

This Data Processing Agreement (“DPA”) governs the processing of personal data by DIGIFABRICA LTD in connection with our digital marketplace platform services. This DPA complies with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

3. DEFINITIONS

Data Controller: The natural or legal person which determines the purposes and means of processing personal data
Data Processor: The natural or legal person which processes personal data on behalf of the controller
Data Subject: An identified or identifiable natural person
Personal Data: Any information relating to an identified or identifiable natural person
Processing: Any operation performed on personal data
Sub-processor: Any data processor engaged by the main processor
Supervisory Authority: The Information Commissioner’s Office (ICO) in the UK

4. SCOPE AND APPLICATION

4.1 Scope of Processing

This DPA applies to all personal data processing activities conducted by DIGIFABRICA LTD as part of providing marketplace services including:

  • User account management
  • Transaction processing
  • Affiliate and vendor program management
  • Customer support services
  • Marketing and analytics activities

4.2 Relationship Between Parties

DIGIFABRICA as Data Controller:

  • For platform user accounts and transactions
  • For marketing and communication activities
  • For analytics and business intelligence
  • For legal compliance and fraud prevention

DIGIFABRICA as Data Processor:

  • When processing data on behalf of vendors for customer transactions
  • When providing services to enterprise clients
  • When handling data under specific client instructions

5. CATEGORIES OF DATA SUBJECTS AND PERSONAL DATA

5.1 Data Subjects

  • Platform users (customers, affiliates, vendors)
  • Website visitors
  • Newsletter subscribers
  • Customer support contacts
  • Business contacts and partners

5.2 Categories of Personal Data

Account and Profile Data:

  • Name and contact information
  • Email addresses and phone numbers
  • Profile pictures and biographical information
  • Username and account preferences
  • Authentication credentials (hashed passwords)

Transaction Data:

  • Payment information and billing addresses
  • Purchase history and transaction records
  • Refund and dispute information
  • Commission and payout data

Technical Data:

  • IP addresses and device identifiers
  • Browser and operating system information
  • Cookies and tracking pixels
  • Website usage and navigation data
  • Log files and error reports

Communication Data:

  • Customer support conversations
  • Email communications
  • Chat logs and messages
  • Survey responses and feedback

Marketing Data:

  • Marketing preferences and consent records
  • Campaign interaction data
  • Social media profile information (if connected)
  • Behavioral targeting data

5.3 Special Categories of Personal Data

DIGIFABRICA does not intentionally collect special categories of personal data (sensitive data such as health, religious beliefs, political opinions, etc.). If such data is inadvertently collected, it will be deleted promptly upon discovery.

6. PROCESSING ACTIVITIES AND PURPOSES

6.1 Purposes of Processing

Service Provision:

  • Creating and managing user accounts
  • Processing payments and transactions
  • Delivering digital products
  • Providing customer support
  • Managing affiliate and vendor relationships

Legal Compliance:

  • Tax reporting and record keeping
  • Anti-fraud and security measures
  • Regulatory compliance reporting
  • Legal dispute resolution

Business Operations:

  • Analytics and performance monitoring
  • Marketing and promotional activities
  • Product development and improvement
  • Business intelligence and reporting

6.2 Lawful Basis for Processing

Contract Performance: Processing necessary for service delivery and contractual obligations
Legitimate Interest: Business operations, fraud prevention, and service improvement
Legal Obligation: Tax compliance, regulatory reporting, and legal requirements
Consent: Marketing communications and non-essential analytics (where required)

7. INTERNATIONAL TRANSFERS

7.1 Transfer Safeguards

When personal data is transferred outside the UK or EEA, DIGIFABRICA ensures appropriate safeguards:

Adequacy Decisions: Transfers to countries with adequacy decisions from the UK Government
Standard Contractual Clauses: EU/UK Standard Contractual Clauses for other transfers
Binding Corporate Rules: For transfers within multinational organizations
Certification and Codes of Conduct: Approved certification mechanisms

7.2 Third Country Recipients

Current International Transfers:

  • United States: Cloud hosting services (with appropriate safeguards)
  • Various countries: Payment processing services (with SCCs)
  • Global: CDN and security services (with adequacy/SCCs)

7.3 Transfer Documentation

  • All international transfers documented with legal basis
  • Regular review of transfer mechanisms and safeguards
  • Data subject notification of international transfers
  • Transfer impact assessments conducted where required

8. DATA RETENTION

8.1 Retention Principles

  • Data retained only as long as necessary for stated purposes
  • Regular review and deletion of unnecessary data
  • Clear retention schedules for different data categories
  • Secure deletion methods used for data destruction

8.2 Retention Periods

Data Category | Retention Period | Legal Basis
Account Data | Until account deletion + 7 years | Contract, Legal Obligation
Transaction Records | 7 years from transaction | Legal Obligation (Tax)
Communication Logs | 3 years from last contact | Legitimate Interest
Marketing Data | Until consent withdrawn | Consent
Technical Logs | 12 months | Legitimate Interest
Support Records | 3 years from case closure | Contract, Legitimate Interest
Analytics Data | 2 years (anonymized after 6 months) | Legitimate Interest

8.3 Deletion Procedures

  • Automated deletion systems for expired data
  • Manual review process for complex cases
  • Secure overwriting and destruction methods
  • Documentation of deletion activities

9. TECHNICAL AND ORGANIZATIONAL MEASURES

9.1 Security Measures

Technical Safeguards:

  • Encryption of data in transit and at rest (AES-256)
  • Access controls and authentication systems
  • Regular security updates and patches
  • Intrusion detection and monitoring systems
  • Backup and disaster recovery procedures
  • Secure development practices

Organizational Safeguards:

  • Data protection training for all staff
  • Regular security awareness programs
  • Incident response procedures
  • Vendor security assessments
  • Privacy by design and default principles
  • Regular security audits and assessments

9.2 Access Controls

  • Role-based access to personal data
  • Principle of least privilege enforcement
  • Regular access reviews and updates
  • Multi-factor authentication requirements
  • Logging and monitoring of data access

9.3 Data Minimization

  • Collection limited to necessary data only
  • Regular review of data collection practices
  • Anonymization and pseudonymization where possible
  • Purpose limitation strictly enforced

10. SUB-PROCESSORS

10.1 Sub-processor Authorization

DIGIFABRICA may engage sub-processors to assist with data processing activities. All sub-processors are:

  • Carefully vetted for security and compliance
  • Bound by contracts with equivalent data protection obligations
  • Subject to regular monitoring and audits
  • Required to implement appropriate technical and organizational measures

10.2 Current Sub-processors

Sub-processor | Service | Location | Safeguards
Amazon Web Services | Cloud hosting | UK/Ireland | UK GDPR Compliance
Stripe | Payment processing | Ireland/US | SCCs, PCI DSS
Mailgun | Email services | US | SCCs, Privacy Shield successor
Google Analytics | Website analytics | US | Google Ads Data Processing Terms
Intercom | Customer support | Ireland/US | SCCs

10.3 Sub-processor Changes

  • 30 days written notice for new sub-processors
  • Opportunity to object to new sub-processors
  • Alternative arrangements if objection sustained
  • Updated list maintained and publicly available

11. DATA SUBJECT RIGHTS

11.1 Facilitating Rights Requests

DIGIFABRICA assists in responding to data subject rights requests:

Right of Access: Providing copies of personal data and processing information
Right to Rectification: Correcting inaccurate or incomplete data
Right to Erasure: Deleting data when legally required
Right to Restrict Processing: Limiting processing in certain circumstances
Right to Data Portability: Providing data in structured, machine-readable format
Right to Object: Honoring objections to processing based on legitimate interests
Rights Related to Automated Decision-making: Providing human review where required

11.2 Response Procedures

  • Verification of data subject identity
  • Response within one month (extendable to three months for complex requests)
  • Free provision of information (fee may apply for excessive requests)
  • Clear explanation if request is refused
  • Information about right to complain to supervisory authority

12. DATA BREACH NOTIFICATION

12.1 Breach Detection and Response

  • Continuous monitoring for potential breaches
  • Clear incident response procedures
  • Immediate containment and mitigation measures
  • Forensic investigation and root cause analysis
  • Implementation of preventive measures

12.2 Notification Requirements

To Supervisory Authority:

  • Within 72 hours of becoming aware of breach
  • Include nature of breach, categories and numbers affected
  • Likely consequences and measures taken
  • Contact details for further information

To Data Subjects:

  • Without undue delay if high risk to rights and freedoms
  • Clear and plain language explanation
  • Recommended measures for data subjects
  • Contact details for further information

12.3 Breach Documentation

  • Register of all personal data breaches
  • Facts and effects of each breach
  • Remedial action taken
  • Regular review and analysis for prevention

13. DATA PROTECTION IMPACT ASSESSMENTS

13.1 DPIA Requirements

Data Protection Impact Assessments conducted for:

  • High-risk processing activities
  • New technologies or processing methods
  • Large-scale systematic monitoring
  • Processing of special category data
  • Automated decision-making with legal effects

13.2 DPIA Process

  • Systematic description of processing operations
  • Assessment of necessity and proportionality
  • Risk assessment for data subjects
  • Mitigation measures identification
  • Consultation with stakeholders where appropriate

14. COMPLIANCE MONITORING

14.1 Regular Audits

  • Annual internal data protection audits
  • Third-party security assessments
  • Vendor compliance monitoring
  • Process and procedure reviews
  • Staff training effectiveness evaluation

14.2 Compliance Reporting

  • Regular compliance status reports
  • Incident and breach reporting
  • Training completion tracking
  • Policy updates and implementations
  • Continuous improvement initiatives

15. DATA PROTECTION OFFICER

15.1 DPO Designation

Contact Information:
Email: info@bittenpay.com
Address: DIGIFABRICA LTD, 71-75 Shelton Street, Covent Garden, London, United Kingdom, WC2H 9JQ

15.2 DPO Responsibilities

  • Monitoring compliance with UK GDPR
  • Conducting privacy impact assessments
  • Serving as contact point for supervisory authority
  • Providing data protection training and advice
  • Handling data subject requests and complaints

16. COOPERATION WITH SUPERVISORY AUTHORITY

16.1 ICO Cooperation

  • Prompt response to ICO inquiries and investigations
  • Provision of necessary documentation and information
  • Implementation of corrective measures as directed
  • Regular communication on compliance matters

16.2 Regulatory Changes

  • Monitoring of regulatory developments
  • Prompt implementation of new requirements
  • Legal advice sought for complex compliance issues
  • Proactive compliance enhancement measures

17. LIABILITY AND INDEMNIFICATION

17.1 Data Protection Liability

  • Compliance with data protection laws is a shared responsibility
  • Each party liable for damages caused by their non-compliance
  • Joint and several liability for joint processing activities
  • Insurance coverage for data protection claims

17.2 Indemnification

Mutual indemnification for:

  • Damages resulting from breach of DPA obligations
  • Regulatory fines and penalties for non-compliance
  • Third-party claims arising from data protection violations
  • Costs of investigation and remediation

18. TERM AND TERMINATION

18.1 Agreement Duration

This DPA remains in effect as long as DIGIFABRICA processes personal data subject to UK GDPR.

18.2 Termination Obligations

Upon termination:

  • Return or deletion of personal data as instructed
  • Certification of data destruction
  • Return of confidential information
  • Survival of confidentiality and audit rights

19. AMENDMENTS

19.1 DPA Updates

  • Updates required for legal or regulatory changes
  • 30 days notice for material changes
  • Consultation process for significant modifications
  • Version control and change documentation

20. GOVERNING LAW

This DPA is governed by the laws of England and Wales and subject to the jurisdiction of English courts.

21. CONTACT INFORMATION

Data Protection Inquiries:
Email: info@bittenpay.com
Address: DIGIFABRICA LTD, 71-75 Shelton Street, Covent Garden, London, United Kingdom, WC2H 9JQ

Supervisory Authority:
Information Commissioner’s Office (ICO)
Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
Website: ico.org.uk
Phone: 0303 123 1113


© 2025 DIGIFABRICA LTD. All rights reserved.
