This Data Processing Agreement (the "DPA") forms part of the Terms of Service between Craft Lab, SLU ("Shipnest", "we", "us", the processor) and the organisation using Shipnest (the "Customer", "controller"). It applies whenever Shipnest processes Personal Data on behalf of the Customer in connection with the Shipnest platform.
This DPA is effective from the date the Customer signs up for Shipnest or the effective date listed at the bottom of this page, whichever is later. No counter-signature is required — creating a Shipnest organisation constitutes acceptance — but Customers who need a signed copy for their procurement records can email info@shipnest.app to request one.
1. Definitions
Capitalised terms in this DPA follow the General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR") and the UK Data Protection Act 2018. "Personal Data" means personal data as defined in GDPR Article 4(1) processed by Shipnest on behalf of the Customer.
2. Subject matter, nature, purpose, duration
Shipnest processes the Personal Data described in Annex I for the purpose of providing the Shipping Services: storing orders, generating labels, tracking parcels, handling returns and claims, and facilitating customer-facing tracking and returns pages. Processing continues for the duration of the Customer's Shipnest subscription and, where applicable, through the retention period set out in Section 7.
3. Controller and processor obligations
The Customer is the controller. Shipnest is a processor and, where it uses sub-processors (see Section 6), those sub-processors are further processors bound by equivalent obligations through back-to-back DPAs.
Shipnest processes Personal Data only on the Customer's documented instructions — creating the Shipnest account and using the product constitutes those instructions — unless required otherwise by applicable law, in which case Shipnest will notify the Customer before processing unless that notification is prohibited.
4. Confidentiality
Shipnest ensures that personnel authorised to process Personal Data are bound by confidentiality obligations, either statutory or contractual.
5. Security of processing
Shipnest implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including:
- Encryption of Personal Data at rest (AES-256-GCM for credential blobs, Postgres at-rest encryption for the rest) and in transit (TLS 1.2+).
- Role-based access control inside the Shipnest application and the operator admin console.
- Mandatory two-factor authentication for Shipnest platform administrators and opt-in TOTP-based 2FA for Customer users.
- Audit-logging of privileged actions, retained for the life of the Customer account plus 90 days.
- Regular review of sub-processor security posture.
6. Sub-processors
The Customer grants Shipnest general authorisation to engage sub-processors, subject to at least 30 days' prior notice of new sub-processors or replacements. The current list is maintained at /legal/subprocessors and is part of this DPA. Objections raised during the notice window may entitle the Customer to terminate the affected Service.
Shipnest remains fully liable to the Customer for the performance of its sub-processors' obligations.
7. Data subject rights, deletion and return
Shipnest will, taking into account the nature of the processing, assist the Customer — insofar as possible — in fulfilling its obligation to respond to requests by data subjects exercising their rights under GDPR Chapter III. Most rights (access, rectification, erasure) can be actioned directly through the Shipnest application; for anything the UI doesn't cover, email info@shipnest.app.
On termination of the Services, the Customer can export their data from the application or request a copy from Shipnest. Shipnest will delete all Personal Data held on behalf of the Customer within 30 days of a confirmed deletion request, except where storage is required by law.
8. Personal data breach notification
Shipnest notifies the Customer without undue delay — and in any case within 72 hours — after becoming aware of a Personal Data Breach affecting the Customer's data, and provides the information required under GDPR Article 33(3) insofar as Shipnest possesses it.
9. Audit rights
Shipnest makes available to the Customer information necessary to demonstrate compliance with this DPA and allows for audits, including inspections, conducted by the Customer or an auditor mandated by the Customer, at reasonable intervals and on reasonable notice. Where a current SOC 2 or ISO 27001 report or equivalent is available, the Customer agrees to accept it in lieu of an on-site audit.
10. International transfers
Where Personal Data is transferred outside the EEA / UK to a country without an adequacy decision, the transfer is governed by the Standard Contractual Clauses ("SCCs"), with Module Two (controller to processor) applying as relevant. Shipnest performs and documents transfer-impact assessments for such transfers.
11. Liability and governing law
This DPA is governed by the laws of Spain and is subject to the liability caps, exclusions and dispute resolution clauses of the Terms of Service. In the event of conflict between this DPA and the Terms, this DPA prevails with respect to data-protection matters.
Annex I — Processing details
Categories of data subjects
- Customer's employees / users with Shipnest accounts.
- Customer's end customers (order recipients, returnees).
Categories of personal data
- User account data: name, email, hashed password, role.
- End-customer contact and shipping data: name, email, phone, ship-to address, order contents, tracking number.
- Billing contact and tokenised payment method (held at Stripe).
Special categories
None. The Shipnest platform does not ask for or store special-category data (health, biometrics, political opinions, etc.).
Retention
Operational Personal Data is retained for the duration of the subscription plus a 30-day grace period on termination, after which it is deleted. Audit logs are retained for 90 days. Billing records are retained for 7 years per Spanish commercial law.
Effective date: 2026-04-26. Operated by Craft Lab, SLU, Calle Leonardo Da Vinci 12A, Nave 8, 03203 Elche, Alicante, Spain. NIF: B42627893. VAT: ESB42627893. Contact: info@shipnest.app.