Data Processing Agreement (summary)
Summary of our standard Data Processing Agreement (DPA) terms: processor obligations, sub-processors, security, breach notification.
Important. This is a summary of our standard DPA. The binding DPA for any engagement is the executed document signed with the Master Services Agreement.
1. Roles
For recipient fulfillment data (names, addresses, optional personalization fields) provided by Client to deliver corporate-merch kits, Client is the Controller and we (merch.am) are the Processor. For our own business-contact data, we are Controller.
2. Subject matter and duration
The DPA governs our processing of Client's personal data solely to perform the Services described in the MSA. The DPA runs for the duration of the MSA plus a defined retention/return-or-delete period (typically 12 months post-termination unless otherwise agreed).
3. Nature and purpose of processing
Storage, transmission, organization, and disclosure (to logistics partners) of recipient fulfillment data, strictly to deliver the corporate merchandise kits in scope of the relevant Order.
4. Categories of data subjects
- Client's employees (welcome kits, anniversary gifts, recognition merch)
- Client's customers / event attendees (event kits, conference merch)
- Client's partners / VIP recipients (executive gifts)
5. Categories of personal data
- Identifiers: name, work email, phone (where used for delivery coordination)
- Delivery: street address, city, postal code, country
- Optional personalization: T-shirt size, dietary preferences, monogram initials
- No special categories of data unless explicitly agreed in writing in the MSA
6. Processor obligations
- Process only on documented Client instructions
- Ensure personnel are bound by confidentiality
- Implement appropriate technical and organizational security measures
- Assist Client with data-subject requests (at reasonable cost)
- Assist Client with DPIAs and prior consultations
- Notify Client of personal-data breaches within 48 hours of becoming aware
- At end of services, return or delete personal data per Client's choice
- Make available information necessary to demonstrate compliance and support audits
7. Sub-processors
We use sub-processors for hosting, email, analytics, logistics, and customs brokerage. The current list of sub-processors is maintained at merch.am/sub-processors (placeholder) and updated with at least 30 days' advance notice for material additions. Client may object on reasonable grounds; if objection cannot be resolved, Client may terminate the affected service.
8. Security measures
- Encryption in transit (TLS 1.2+) and at rest (AES-256 for sensitive stores)
- Multi-factor authentication for all employee access
- Role-based access control following the principle of least privilege
- Audit logging of all access to recipient fulfillment data
- Annual penetration testing and continuous vulnerability scanning
- Background checks on personnel handling fulfillment data
- Documented incident response plan with defined escalation paths
- Pursuing ISO 27001 certification (target Q4 2026)
9. International transfers
Where personal data is transferred to a country without an adequacy decision, we rely on EU Standard Contractual Clauses (Module 2 or 3 as applicable), UK IDTA, or equivalent transfer mechanisms. We complete a transfer impact assessment for each transfer chain and apply supplementary measures where indicated.
10. Breach notification
We will notify Client without undue delay and within 48 hours of becoming aware of a personal-data breach affecting Client's data. Notification will include: nature of the breach, categories and approximate number of data subjects, likely consequences, mitigation measures, and contact point.
11. Audit rights
Client may request our latest third-party security audit reports (e.g., ISO 27001 once certified) once per year. On-site audits are permitted with reasonable notice and at Client's cost where third-party reports are insufficient. Audit findings are addressed via a remediation plan.
12. Liability and indemnification
Liability under the DPA mirrors the MSA. Each party indemnifies the other against fines or claims to the extent caused by its own breach of the DPA or applicable data protection law.
13. Governing law
The DPA is governed by the same law as the MSA. Disputes are resolved per the MSA dispute-resolution clause.
14. Get the full DPA
To request the full executable DPA tailored to your jurisdiction (GDPR, UAE PDPL, Cyprus PDPL, KVKK, CCPA references), email privacy@merch.am. We respond within 1 business day with the latest version as a PDF ready for signature.