UK GDPR Article 28 — Required Agreement
Where a controller uses a processor, processing shall be governed by a binding contract. This DPA constitutes that contract. By completing vendor activation and accepting this agreement, you confirm you have read, understood, and agree to be legally bound by its terms.
1. Background & Purpose
TrueMart UK ("TrueMart") operates an online marketplace connecting sellers ("Vendors") with customers in the United Kingdom. In the course of fulfilling orders placed by customers on the Platform, Vendors necessarily receive and process personal data relating to those customers.
Under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, TrueMart is the Data Controller in respect of customer personal data. Each Vendor, when processing that data to fulfil orders, acts as a Data Processor on TrueMart's behalf.
UK GDPR Article 28 requires that processing by a processor is governed by a contract between the controller and processor. This Data Processing Agreement ("DPA" or "Agreement") is that contract. It applies to all processing of personal data carried out by a Vendor in connection with their activities on the TrueMart platform.
This DPA is incorporated into and forms part of the TrueMart Vendor Terms & Conditions. In the event of any conflict between this DPA and the Vendor Terms, this DPA shall take precedence in respect of data protection matters.
2. Definitions
In this Agreement, the following terms have the meanings set out below. All other capitalised terms have the meanings given in the TrueMart Vendor Terms & Conditions.
- "Applicable Data Protection Law" means the UK GDPR, the Data Protection Act 2018, and any regulations, codes of practice, or guidance issued thereunder, as amended from time to time.
- "Controller" means TrueMart UK Ltd, who determines the purposes and means of processing Customer Personal Data.
- "Processor" means the Vendor, who processes Customer Personal Data on behalf of and under instruction from TrueMart.
- "Customer Personal Data" means any personal data relating to TrueMart customers that TrueMart makes available to the Vendor for the purpose of order fulfilment, including names, delivery addresses, order details, and contact information.
- "Data Subject" means the identified or identifiable natural person to whom Customer Personal Data relates; in this context, TrueMart customers.
- "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Customer Personal Data.
- "Processing" has the meaning given in UK GDPR Article 4(2) and includes any operation performed on personal data, such as collection, recording, storage, use, disclosure, or deletion.
- "Sub-processor" means any third party engaged by the Vendor to carry out processing activities in respect of Customer Personal Data on the Vendor's behalf.
- "UK GDPR" means Regulation (EU) 2016/679 as retained in UK law by the European Union (Withdrawal) Act 2018, as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019.
3. Roles of the Parties
3.1 TrueMart as Controller
TrueMart determines the purposes for which Customer Personal Data is collected (operating the marketplace, enabling purchases, providing customer service) and the general means by which it is processed. TrueMart is responsible for ensuring there is a lawful basis for collecting Customer Personal Data in the first place and for providing customers with appropriate privacy information.
3.2 Vendor as Processor
The Vendor processes Customer Personal Data solely for the purpose of fulfilling orders placed via the TrueMart platform. The Vendor acts only on the documented instructions of TrueMart and has no independent right to use Customer Personal Data for its own purposes.
3.3 Independent Controller Responsibilities
Where a Vendor independently collects personal data from customers through channels outside the TrueMart platform (for example, through their own website, email newsletter, or social media), the Vendor acts as an independent Controller in respect of that data. This DPA does not apply to such independent processing. The Vendor is solely responsible for compliance with Applicable Data Protection Law in respect of any data they independently control.
4. Scope of Processing
4.1 Subject Matter
The subject matter of the processing is the fulfilment of customer orders placed on the TrueMart marketplace.
4.2 Nature of Processing
The processing activities carried out by the Vendor include:
- Receiving customer order details from TrueMart;
- Reading customer delivery names and addresses to pack and dispatch orders;
- Printing or generating dispatch labels and invoices;
- Communicating with customers via TrueMart's messaging system in connection with the order;
- Retaining order records for the period specified in Section 12.
4.3 Purpose of Processing
The sole purpose of processing is the fulfilment of orders placed via TrueMart. The Vendor must not process Customer Personal Data for any other purpose without the express written consent of TrueMart.
4.4 Categories of Personal Data
The personal data processed under this Agreement includes:
- Customer full name;
- Delivery address (including postcode);
- Order reference number;
- Product(s) ordered and quantities;
- Contact telephone number (where provided by the customer);
- Order value and payment confirmation status (not payment card details — these are never shared with Vendors).
4.5 Categories of Data Subjects
The data subjects are TrueMart customers who have placed orders for products listed by the Vendor on the Platform.
4.6 Special Category Data
TrueMart does not intentionally share special category personal data (as defined in UK GDPR Article 9) with Vendors. If a Vendor inadvertently receives such data, they must notify TrueMart immediately and delete it unless specifically instructed otherwise.
5. Processor Obligations
The Vendor, as Processor, shall:
5.1 Instructions Only
Process Customer Personal Data only on documented instructions from TrueMart. The primary instruction is to process data solely for order fulfilment as set out in Section 4. If the Vendor believes any instruction infringes Applicable Data Protection Law, it shall inform TrueMart immediately and must not act on that instruction pending resolution.
5.2 Confidentiality
Ensure that all personnel authorised to process Customer Personal Data are subject to appropriate confidentiality obligations, whether contractual or statutory. Access to Customer Personal Data must be limited to those individuals who need access to fulfil orders.
5.3 Security
Implement and maintain appropriate technical and organisational measures to protect Customer Personal Data against unauthorised access, destruction, loss, alteration, or disclosure, as required by UK GDPR Article 32. See Section 9 for specific security requirements.
5.4 Sub-processors
Not engage any Sub-processor to process Customer Personal Data without complying with the requirements of Section 7. The Vendor remains fully liable to TrueMart for the acts or omissions of any Sub-processor.
5.5 Assistance with Data Subject Rights
Assist TrueMart in fulfilling its obligations to respond to Data Subject rights requests (access, erasure, restriction, portability, objection) by providing TrueMart with all information necessary to respond to such requests within 5 working days of TrueMart's written request.
5.6 Assistance with Compliance
Assist TrueMart in ensuring compliance with UK GDPR Articles 32–36, including security obligations, breach notification, data protection impact assessments, and prior consultation with the ICO.
5.7 No Independent Use
Not use Customer Personal Data for any purpose other than order fulfilment. In particular, the Vendor must not:
- Use Customer Personal Data for direct marketing without the customer's separate consent;
- Sell, rent, or transfer Customer Personal Data to any third party;
- Combine Customer Personal Data with data obtained from other sources to build customer profiles;
- Retain Customer Personal Data beyond the periods specified in Section 12.
5.8 UK GDPR Compliance Self-Certification
The Vendor confirms that, in processing Customer Personal Data as described in this DPA, it independently complies with all obligations of a Processor under Applicable Data Protection Law. The Vendor shall maintain appropriate records of its processing activities as required by UK GDPR Article 30(2).
6. Controller Obligations
TrueMart, as Controller, shall:
- Ensure there is a valid lawful basis for sharing Customer Personal Data with Vendors under UK GDPR Article 6;
- Provide customers with appropriate privacy information (privacy notice) at the point of data collection;
- Only instruct Vendors to process Customer Personal Data in ways that are lawful and compliant with this DPA;
- Notify Vendors of any changes to the categories or volumes of Customer Personal Data being shared that may affect the Vendor's security measures;
- Provide Vendors with this DPA and ensure it remains available on the TrueMart platform.
7. Sub-processors
7.1 Prior Written Authorisation
The Vendor must not engage any Sub-processor to process Customer Personal Data without the prior written authorisation of TrueMart. This requirement does not apply to standard operational services that do not involve the Vendor actively providing Customer Personal Data to a third party — for example, using a standard shipping carrier to deliver a parcel (where only the delivery label address is shared) is permitted without separate authorisation.
7.2 Sub-processor Requirements
Where a Sub-processor is authorised, the Vendor must impose data protection obligations equivalent to those set out in this DPA on the Sub-processor by way of a written contract. The Vendor shall provide TrueMart with a copy of such contract on request.
7.3 Vendor Remains Liable
The engagement of a Sub-processor does not relieve the Vendor of its obligations under this DPA. The Vendor remains fully liable to TrueMart for the performance of the Sub-processor's data protection obligations.
8. International Transfers
8.1 UK-Only Processing
The Vendor must process Customer Personal Data within the United Kingdom only, unless TrueMart has given prior written authorisation for processing in a specific third country.
8.2 Adequacy Decisions
Where TrueMart authorises processing outside the UK, such processing must be governed by an appropriate transfer mechanism under UK GDPR Chapter V, including an adequacy regulation made by the UK Secretary of State, a UK International Data Transfer Agreement (IDTA), or the UK Addendum to the EU Standard Contractual Clauses.
8.3 Shipping Carriers
For the avoidance of doubt, sharing a customer's name and delivery address with a UK-based shipping carrier for the purpose of parcel delivery is not an international transfer and does not require prior authorisation under this section, provided the carrier processes data within the UK.
9. Security Measures
The Vendor shall implement, at minimum, the following technical and organisational security measures in respect of Customer Personal Data:
9.1 Access Controls
- Customer Personal Data must only be accessible to individuals who need it to fulfil orders;
- Access must be protected by appropriate authentication (password-protected systems at minimum);
- Shared access to systems containing Customer Personal Data is not permitted without appropriate access controls.
9.2 Data Minimisation
- Customer Personal Data must not be copied, duplicated, or retained beyond what is necessary for order fulfilment;
- Physical documents (packing slips, delivery labels) containing personal data must be disposed of securely after the order is fulfilled.
9.3 Device & Network Security
- Devices used to access order information must be protected with up-to-date security software;
- Customer Personal Data must not be accessed from public or unsecured Wi-Fi networks without appropriate encryption (VPN or equivalent);
- Customer Personal Data must not be stored on unencrypted removable media (USB drives, etc.).
9.4 Email & Communication Security
- Customer Personal Data must not be transmitted via unencrypted email to third parties;
- All order-related customer communication must be conducted via TrueMart's platform messaging system wherever possible.
10. Personal Data Breaches
10.1 Notification Obligation
The Vendor must notify TrueMart without undue delay, and in any event within 24 hours of becoming aware of any actual or suspected Personal Data Breach involving Customer Personal Data. Notification must be made by email to [email protected] with the subject line "URGENT — Personal Data Breach".
10.2 Breach Notification Content
The notification must include, to the extent known at the time:
- A description of the nature of the breach, including categories and approximate number of data subjects and records affected;
- The name and contact details of the Vendor's data protection point of contact;
- A description of the likely consequences of the breach;
- A description of measures taken or proposed to address the breach and mitigate its effects.
Where all of the above information cannot be provided in the initial notification, it may be provided in phases without undue further delay.
10.3 Assistance with Regulatory Notification
The Vendor shall provide all reasonable assistance to TrueMart in complying with TrueMart's own obligation to notify the Information Commissioner's Office (ICO) within 72 hours of becoming aware of a breach under UK GDPR Article 33. The Vendor must not make any public statement about a breach involving Customer Personal Data without TrueMart's prior written consent.
11. Data Subject Rights
TrueMart is responsible for responding to Data Subject rights requests from customers. Where TrueMart receives a request that requires information held by a Vendor (for example, a request to confirm what data was used to fulfil a specific order), the Vendor must:
- Respond to TrueMart's request for information within 5 working days;
- Provide all Customer Personal Data it holds relating to the Data Subject in a commonly used, machine-readable format if requested;
- Securely delete or return Customer Personal Data relating to a specific Data Subject within 10 working days of TrueMart's written instruction to do so, subject to any legal retention obligations;
- Not respond directly to Data Subject rights requests from TrueMart customers without TrueMart's prior authorisation — all such requests must be referred to TrueMart immediately.
12. Retention & Deletion
12.1 Retention Period
Customer Personal Data must be retained by the Vendor only for as long as necessary for the purpose for which it was processed. The Vendor must delete or anonymise Customer Personal Data relating to a specific order no later than 7 years after the date of that order, to comply with HMRC record-keeping obligations under the Taxes Management Act 1970.
12.2 Deletion on Instruction
The Vendor must delete Customer Personal Data (or return it to TrueMart) promptly on TrueMart's written instruction, unless the Vendor is required to retain it by applicable law, in which case the Vendor must notify TrueMart of that legal obligation and the period for which retention is required.
12.3 Deletion on Termination
On termination of the Vendor's account with TrueMart for any reason, the Vendor must delete all Customer Personal Data received from TrueMart (other than data retained under legal obligation) within 30 days of termination, and confirm such deletion to TrueMart in writing.
13. Audit & Compliance
13.1 Records
The Vendor must maintain sufficient records of its processing activities under this DPA to demonstrate compliance with Applicable Data Protection Law, as required by UK GDPR Article 30(2).
13.2 Information & Audit Rights
The Vendor must make available to TrueMart all information necessary to demonstrate compliance with UK GDPR Article 28 and this DPA. The Vendor must allow for and contribute to audits, including inspections, conducted by TrueMart or an auditor mandated by TrueMart, on reasonable written notice of not less than 14 days, provided that such audits are conducted no more than once per 12-month period unless TrueMart has reasonable grounds to believe a breach has occurred.
13.3 Certifications
The Vendor may satisfy the audit requirements of Section 13.2 by submitting relevant third-party certifications or audit reports (such as ISO 27001 or Cyber Essentials) to TrueMart, where TrueMart agrees that such certifications provide sufficient evidence of compliance.
14. Liability
14.1 Vendor Liability
The Vendor shall be liable to TrueMart for any loss, damage, costs, or expenses (including regulatory fines and reasonable legal fees) suffered by TrueMart arising from the Vendor's breach of this DPA or Applicable Data Protection Law.
14.2 Regulatory Fines
Where TrueMart incurs a regulatory fine from the ICO that is attributable wholly or partly to the Vendor's breach of this DPA, TrueMart may recover from the Vendor the proportion of such fine attributable to the Vendor's breach.
14.3 Mutual Indemnity
Each party shall indemnify the other against any third-party claims brought by Data Subjects arising from that party's breach of Applicable Data Protection Law in connection with this DPA, to the extent the claim is attributable to that party's breach.
15. Term & Termination
This DPA takes effect on the date the Vendor completes the activation process and accepts its terms. It continues in force for as long as the Vendor holds an active Vendor account with TrueMart.
This DPA terminates automatically on termination of the Vendor's account with TrueMart for any reason. Termination does not affect any obligations relating to Customer Personal Data already received by the Vendor — in particular, Sections 9, 10, 11, 12, and 13 survive termination.
16. Governing Law
This DPA and any disputes arising from or in connection with it shall be governed by and construed in accordance with the laws of England and Wales. Both parties submit to the exclusive jurisdiction of the courts of England and Wales.
Nothing in this DPA limits either party's right to bring a complaint before the Information Commissioner's Office (ICO) or to seek urgent injunctive relief from the courts.
17. Contact & Notices
All notices under this DPA must be sent in writing by email. Notices to TrueMart must be sent to:
TrueMart UK
United Kingdom
Data protection enquiries & breach notifications: [email protected]
For breach notifications, use subject line: "URGENT — Personal Data Breach"
TrueMart UK · v1.0 · Effective 1 April 2026
UK GDPR Article 28 · England & Wales