Skip to content

Data Processing Addendum

Last updated 27 June 2026

How we process personal data on your behalf as a processor, including security, sub-processors, and breach handling.

Roles and scope

This Data Processing Addendum ("DPA") forms part of the agreement between you and KillStock for the Services. When you use the Services to process personal data about your customers, suppliers, and staff, you are the data fiduciary/controller and we are the data processor acting on your documented instructions. This DPA applies to the extent we process such personal data on your behalf.

Subject matter, nature, and duration

Subject matter and purpose: providing the inventory-management Services you subscribe to. Nature of processing: hosting, storage, transmission, and computation needed to operate those Services. Duration: for the term of your subscription plus any grace period for return or deletion.

Categories of data subjects and personal data are those you choose to enter into the product — typically business contacts (names, contact details) and transactional records.

Processing on instructions

We process personal data only on your documented instructions, including as configured through the product, unless required to act otherwise by law — in which case we will inform you where legally permitted. We will notify you if, in our opinion, an instruction infringes applicable data-protection law.

Confidentiality

We ensure that personnel authorised to process personal data are bound by appropriate confidentiality obligations and are trained on their responsibilities.

Security measures

We implement and maintain the technical and organisational measures described in the Annex below, appropriate to the risk, to protect personal data against unauthorised or unlawful processing and against accidental loss, destruction, or damage.

Sub-processors

You authorise us to engage vetted sub-processors (for example, cloud hosting, managed database, authentication, error monitoring, analytics, email, and payments) to support the Services. We impose data-protection obligations on each sub-processor that are no less protective than this DPA, and we remain responsible for their performance. A current list is available on request, and we give notice before adding or replacing sub-processors so you can object on reasonable grounds.

Assistance with data-subject requests

Taking into account the nature of the processing, we provide tools and reasonable assistance to help you respond to data-subject requests (access, correction, erasure, portability, restriction, and objection). The product supports per-record export and erasure for customer and supplier records.

Personal data breach

We maintain processes to detect and respond to personal-data breaches and will notify you without undue delay after becoming aware of a breach affecting your personal data, with information reasonably available to help you meet your own notification obligations.

Data protection impact assessments

Taking into account the nature of processing and the information available to us, we provide reasonable assistance with your data protection impact assessments and prior consultations with supervisory authorities.

International transfers

Where we transfer personal data across borders on your behalf, we do so using appropriate safeguards (such as standard contractual clauses) and only to jurisdictions permitted by applicable law.

Return and deletion

On termination or expiry of the Services, you may export your personal data during a defined grace period. After that period we delete or anonymise the personal data we hold on your behalf, except where retention is required by law.

Audits

On reasonable request and subject to confidentiality, we make available information necessary to demonstrate compliance with this DPA and allow for reasonable audits, including by an independent auditor you mandate, within agreed scope and frequency.

Annex — technical and organisational measures

Encryption of personal data in transit; access governed by role-based controls with tenant isolation and least-privilege.

Audit logging of sensitive actions; monitoring and alerting for security events.

Secure software development practices, dependency management, and change control.

Routine backups and tested recovery; physical and environmental security provided by our infrastructure sub-processors.

Personnel confidentiality obligations, access reviews, and security awareness.

Questions about this policy? Contact us.