data-processing-agreement-v0.1.md
1. Parties and role
This Data Processing Agreement applies where TradeBoard Ltd processes personal data on behalf of a customer organisation in connection with the TradeBoard service.
The customer organisation is the controller. TradeBoard Ltd is the processor, except where TradeBoard Ltd acts as controller for its own account administration, security, billing, legal compliance and business operations.
This DPA is intended for agreement at customer organisation or administrator level. Individual users should usually accept the Terms of Service, Privacy Notice and Acceptable Use Policy instead of separately accepting this DPA.
Where a deal involves more than one organisation, each participating organisation is responsible for the personal data it adds, imports, uploads or makes available through TradeBoard, and for the people it authorises to access that deal.
2. Subject matter and duration
TradeBoard processes personal data to provide a vehicle deal tracking workspace. Processing continues for the duration of the customer relationship and any retention period described in the Retention and Deletion Policy or agreed customer terms.
3. Nature and purpose of processing
Processing includes hosting, storing, displaying, transmitting, organising, securing, backing up and deleting data used in the TradeBoard service.
The purpose is to allow authorised users to manage vehicle deals, documents, comments, files, locations, collection details, workflow status and access.
4. Types of personal data
Personal data may include:
- names;
- email addresses;
- phone numbers;
- company and job details;
- profile images;
- comments and timeline entries;
- uploaded file contents;
- locations and addresses;
- user identifiers, IP addresses, user agents and timestamps;
- legal acceptance and audit records.
5. Categories of data subject
Data subjects may include:
- customer staff;
- sellers, buyers and brokers;
- dealership contacts;
- logistics contacts;
- support contacts;
- people named in uploaded deal documents.
6. Customer instructions
TradeBoard will process customer personal data only on documented instructions from the customer, including these terms, product configuration, user actions and agreed support requests.
If TradeBoard believes an instruction infringes data protection law, it will inform the customer unless legally prevented from doing so.
7. Confidentiality
TradeBoard will ensure that people authorised to process customer personal data are subject to appropriate confidentiality obligations.
8. Security
TradeBoard Ltd will apply appropriate technical and organisational measures to protect personal data, considering the nature, scope, context and purpose of processing.
Current beta measures include:
- hosted application infrastructure on Cloudflare Workers;
- authentication, database and file storage through Supabase;
- authenticated user access;
- deal-level access controls;
- separate protection for admin areas;
- storage controls for uploaded files;
- encrypted storage for saved broker API credentials;
- audit, activity and legal acceptance records;
- operational logging and monitoring.
9. Sub-processors
The customer authorises TradeBoard to use sub-processors needed to provide the service. Current sub-processors are listed in the Sub-Processors document.
TradeBoard will remain responsible for sub-processors as required by applicable data protection law.
During beta, TradeBoard will maintain a Sub-Processors document and will aim to give reasonable notice of material new sub-processors where practical.
If a customer organisation has a reasonable objection to a new sub-processor, it should contact TradeBoard at hello@tradeboard.uk. TradeBoard will consider the objection in good faith and discuss practical options, which may include continuing the service, changing configuration where possible, or ending beta access.
10. Assistance to customer
TradeBoard will provide reasonable assistance to the customer, taking into account the nature of processing, with:
- data subject requests;
- security obligations;
- breach assessment and notification;
- data protection impact assessments where relevant;
- regulator communications where legally required.
11. Personal data breaches
TradeBoard will notify the customer without undue delay after becoming aware of a personal data breach affecting customer personal data.
The notice should include available information about the nature of the breach, affected data, likely consequences and mitigation steps.
12. Deletion or return
At the end of service, TradeBoard will delete or return customer personal data according to the customer terms, product capability and Retention and Deletion Policy, unless law requires continued storage.
During beta, export and deletion options may be limited by the current product capability. Some records may be retained where needed for legal, security, backup, audit or dispute-handling purposes.
Backups may take time to expire.
13. Audits
TradeBoard will make reasonable information available to demonstrate compliance with this DPA. Audit rights, notice periods, confidentiality and cost controls must be finalised by solicitor review.
14. International transfers
If personal data is transferred outside the UK, TradeBoard will use appropriate safeguards required by UK data protection law.
This beta wording must be checked against final supplier regions, provider terms and transfer safeguards before paid launch.