Data processing addendum
The Article 28 terms under which Sellarix Ltd processes personal data on your behalf as your processor.
Last updated 9 June 2026
This Data Processing Addendum ("DPA") forms part of the agreement between you ("Controller") and Sellarix Ltd ("Processor", "we", "us") for your use of the Service (the "Agreement"), and sets out how we process personal data on your behalf. It is designed to meet the requirements of Article 28 of the UK GDPR and, where it applies, the EU GDPR. If there is a conflict, this DPA prevails over the rest of the Agreement on the subject of data processing.
Definitions
Terms such as "personal data", "processing", "controller", "processor", "data subject", "personal data breach" and "supervisory authority" have the meanings given in the UK GDPR. "Data Protection Law" means the UK GDPR, the Data Protection Act 2018, and any other applicable data-protection law, including the EU GDPR where relevant. "Sub-processor" means any processor we engage to process personal data on your behalf.
Roles of the parties
For the personal data within the data you connect to the Service (for example your customers' data), you are the controller and we are your processor. For personal data we process for our own purposes (such as your account and billing data), we are the controller, as described in our Privacy policy. This DPA governs only our processing as your processor.
Your obligations as Controller
You warrant that you have a lawful basis to provide the personal data to us and to instruct the processing described here, that your instructions comply with Data Protection Law, and that you have provided any notices and obtained any consents required from data subjects.
Annex 1: details of the processing
- Subject-matter: the provision of the Service to you.
- Duration: for the term of the Agreement, plus any deletion or return period.
- Nature and purpose: ingesting the catalogue, customer and order data you connect, and using it to power AI features such as search, recommendations, content, customer service, growth, merchandising and operations, on your documented instructions.
- Types of personal data: identifiers and contact details, account identifiers, order and transaction data, communications, and behavioural or usage data, as determined by you.
- Categories of data subjects: your customers, prospects, and other individuals whose data appears in the data you connect.
Our obligations as Processor
We will, in line with Article 28(3) of the UK GDPR:
- process personal data only on your documented instructions, including in relation to international transfers, unless required to do otherwise by law (in which case we will tell you, unless the law prohibits it);
- ensure that people authorised to process the personal data are bound by confidentiality;
- implement appropriate technical and organisational security measures (see Annex 2);
- respect the conditions for engaging sub-processors (see below);
- assist you, by appropriate technical and organisational measures and taking account of the nature of processing, to respond to data subject requests;
- assist you in ensuring compliance with your obligations on security, breach notification, data protection impact assessments and prior consultation;
- at your choice, delete or return the personal data at the end of the Service, and delete existing copies unless the law requires storage; and
- make available the information needed to demonstrate compliance with Article 28, and allow for and contribute to audits.
Instructions
Your instructions are set out in this DPA and the Agreement, and through your configuration and use of the Service. If we believe an instruction breaches Data Protection Law, we will tell you.
Confidentiality
We keep personal data confidential and ensure that our personnel and sub-processors who process it are subject to appropriate confidentiality obligations.
Annex 2: security measures
Taking account of the state of the art, the costs of implementation and the risk to data subjects, we maintain measures in line with Article 32 of the UK GDPR, including:
- encryption of personal data in transit and at rest;
- access control, least privilege and authentication, with multi-factor authentication for administrative access;
- tenant isolation, enforced at the data layer, so each customer's data is logically separated;
- network protection, including firewalls and segmentation;
- logging, monitoring and alerting;
- secure software-development practices and change management;
- regular backups and tested restoration;
- vendor due diligence; and
- regular testing and review of the effectiveness of these measures.
Annex 3: sub-processors
You authorise us to engage sub-processors to help deliver the Service, such as hosting, infrastructure, database, email-delivery and security providers. We impose data-protection terms on each sub-processor that are no less protective than this DPA, and we remain responsible for their performance. We maintain a current list of sub-processors and will give you a way to be notified of changes, and a reasonable period to object on legitimate data-protection grounds before a new sub-processor starts processing.
International transfers
Where you choose UK or EU residency, personal data stays in that region. Where personal data is transferred outside the UK or the EEA, we use an adequacy decision or appropriate safeguards, such as the UK International Data Transfer Agreement (IDTA), the UK Addendum to the EU Standard Contractual Clauses, or the EU Standard Contractual Clauses, together with any supplementary measures needed. You instruct and authorise us to make such transfers to provide the Service.
Data subject requests
If we receive a request directly from a data subject in relation to your data, we will, unless legally prohibited, promptly direct them to you and will not respond ourselves except on your instructions. We will assist you, by appropriate technical and organisational measures, to respond to such requests.
Personal data breaches
We will notify you without undue delay after becoming aware of a personal data breach affecting personal data we process for you, and will provide the information you reasonably need to meet your own notification obligations, including the nature of the breach, its likely consequences, and the measures taken or proposed.
Assistance with DPIAs
Taking account of the nature of processing and the information available to us, we will provide reasonable assistance with your data protection impact assessments and any prior consultation with a supervisory authority.
Audits
We will make available the information reasonably necessary to demonstrate compliance with this DPA, and will allow for and contribute to audits, including inspections, conducted by you or an auditor you mandate, no more than once a year except where required by a supervisory authority or following a breach, subject to reasonable notice, confidentiality, and security conditions. We may satisfy audit requests by providing current certifications or third-party reports where available.
Deletion or return of data
On termination or expiry of the Service, we will, at your choice made within 30 days, delete or return the personal data we process on your behalf, and delete existing copies, unless the law requires us to keep them, in which case we will continue to protect them and process them only as required by that law.
Liability
Each party's liability under this DPA is subject to the limitations and exclusions of liability set out in the Agreement.
Term
This DPA takes effect when you start using the Service and continues for as long as we process personal data on your behalf.
Governing law
This DPA is governed by the same law as the Agreement, which is the law of England and Wales unless your Agreement states otherwise.
Contact us
To request a signed copy of this DPA, or for any data-processing question, contact us:
Sellarix Ltd, 20 Wenlock Road, London, England, N1 7GU. Email: hello@sellarix.ai.