Data Processing Agreement
Last Updated: 29th January 2026
PARTIES
This Data Processing Agreement (“DPA”) is entered into between:
Data Controller (“Customer”): The entity agreeing to the Carrott Terms of Service
Data Processor (“Processor”):
- Company Name: Carrott LTD
- Registered Address: Piccadilly Business Centre, Blackett Street, Manchester, M12 6AE
- Contact Email: admin@carrott.io
This DPA is incorporated into and forms part of the Terms of Service between Customer and Processor.
1. DEFINITIONS
1.1 “Controller” means the natural or legal person which determines the purposes and means of the Processing of Personal Data.
1.2 “Data Subject” means an identified or identifiable natural person whose Personal Data is Processed.
1.3 “GDPR” means the General Data Protection Regulation (EU) 2016/679.
1.4 “Personal Data” means any information relating to an identified or identifiable natural person.
1.5 “Processing” means any operation performed on Personal Data, including collection, storage, alteration, retrieval, use, disclosure, or erasure.
1.6 “Personal Data Breach” means a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.
1.7 “Services” means the Carrott digital loyalty platform and related services.
1.8 “Sub-processor” means any third party engaged by Processor to Process Personal Data on behalf of Customer.
1.9 “Standard Contractual Clauses” or “SCCs” means the standard contractual clauses approved by the European Commission for international data transfers.
1.10 “UK GDPR” means the GDPR as incorporated into UK law pursuant to the UK European Union (Withdrawal) Act 2018.
2. SCOPE AND PURPOSE
2.1 Scope
This DPA applies to the Processing of Personal Data by Processor on behalf of Customer in connection with the provision of the Services.
2.2 Roles
(a) Customer acts as the Controller of Customer Personal Data.
(b) Processor acts as a Processor of Customer Personal Data.
(c) Processor may also act as a Controller for certain data as described in the Privacy Policy.
2.3 Purpose
Processor shall Process Personal Data only for the following purposes:
- Providing the Services as described in the Terms of Service
- Operating and maintaining the digital loyalty platform
- Generating and distributing digital wallet passes
- Processing transactions and tracking loyalty activity
- Sending communications on behalf of Customer
- Providing customer support
- Maintaining security and preventing fraud
3. CATEGORIES OF DATA AND DATA SUBJECTS
3.1 Categories of Data Subjects
- Customer’s end-user customers enrolled in loyalty programs
- Customer’s employees and authorized users
3.2 Categories of Personal Data
| Category | Data Elements |
|---|---|
| Identity Data | Name, email address, phone number, date of birth |
| Contact Data | Email address, phone number |
| Transaction Data | Loyalty transactions, stamps, rewards, redemptions |
| Technical Data | IP address, browser type, device identifiers |
| Usage Data | Card activity, scan history, timestamps |
| Marketing Data | Consent records, preferences, communication history |
| Custom Fields | Any additional data defined by Customer |
3.3 Special Categories of Data
Processor does not intentionally Process special categories of Personal Data (sensitive data) unless explicitly configured by Customer through custom fields. Customer is responsible for obtaining explicit consent and lawful basis for any sensitive data.
4. OBLIGATIONS OF THE PROCESSOR
4.1 Processing Instructions
Processor shall:
(a) Process Personal Data only on documented instructions from Customer, unless required by applicable law;
(b) Inform Customer if legal requirements prevent following instructions;
(c) Not Process Personal Data for any purpose other than providing the Services.
4.2 Confidentiality
Processor shall ensure that persons authorized to Process Personal Data:
(a) Have committed to confidentiality or are under statutory confidentiality obligations;
(b) Process Personal Data only as instructed and authorized.
4.3 Security Measures
Processor shall implement appropriate technical and organizational measures, including:
| Security Domain | Measures |
|---|---|
| Encryption | TLS 1.3 in transit; AES-256 at rest |
| Access Control | Role-based access, MFA, least privilege |
| Infrastructure | SOC 2 compliant cloud hosting |
| Monitoring | Intrusion detection, security logging |
| Personnel | Background checks, security training |
| Incident Response | Documented procedures, 24/7 monitoring |
| Business Continuity | Regular backups, disaster recovery |
4.4 Sub-processors
(a) Customer authorizes Processor to engage Sub-processors listed in the Data Processors document.
(b) Processor shall:
- Impose equivalent data protection obligations on Sub-processors;
- Remain liable for Sub-processor compliance;
- Notify Customer of intended Sub-processor changes at least 30 days in advance.
(c) Customer may object to a new Sub-processor within 14 days of notification. If objection cannot be resolved, Customer may terminate affected Services.
4.5 Assistance with Data Subject Rights
Processor shall:
(a) Implement measures to assist Customer in responding to Data Subject requests;
(b) Promptly notify Customer of any Data Subject requests received;
(c) Not respond directly to Data Subjects unless authorized by Customer;
(d) Provide tools and functionality to enable Customer to fulfill requests.
4.6 Assistance with Compliance
Processor shall assist Customer with:
(a) Data protection impact assessments;
(b) Prior consultation with supervisory authorities;
(c) Demonstrating compliance with GDPR obligations;
(d) Security measures and breach notifications.
5. PERSONAL DATA BREACH
5.1 Notification
Processor shall notify Customer without undue delay, and in any event within 48 hours, after becoming aware of a Personal Data Breach affecting Customer Personal Data.
5.2 Notification Content
Notification shall include:
(a) Description of the nature of the breach;
(b) Categories and approximate number of Data Subjects affected;
(c) Categories and approximate number of records affected;
(d) Contact point for further information;
(e) Likely consequences of the breach;
(f) Measures taken or proposed to address the breach.
5.3 Cooperation
Processor shall:
(a) Cooperate with Customer in investigating the breach;
(b) Take reasonable steps to mitigate effects;
(c) Preserve evidence related to the breach;
(d) Assist with regulatory notifications and communications.
5.4 No Public Disclosure
Processor shall not notify Data Subjects or make public statements about a breach without Customer’s prior written approval, unless required by law.
6. AUDITS AND INSPECTIONS
6.1 Information Provision
Processor shall make available to Customer all information necessary to demonstrate compliance with this DPA and GDPR Article 28 obligations.
6.2 Audit Rights
(a) Customer may conduct audits, including inspections, to verify Processor’s compliance with this DPA.
(b) Audits shall be conducted:
- During normal business hours;
- With reasonable advance notice (minimum 30 days);
- No more than once per year (unless required by a supervisory authority or following a breach);
- At Customer’s expense.
6.3 Third-Party Audits
Processor may satisfy audit requirements by providing:
(a) SOC 2 Type II reports from reputable auditors;
(b) Certifications from recognized standards bodies;
(c) Completed security questionnaires;
(d) Summaries of penetration test results.
6.4 Confidentiality
Audit findings shall be treated as confidential information of Processor and used solely for compliance verification.
7. INTERNATIONAL DATA TRANSFERS
7.1 Transfer Mechanisms
For transfers of Personal Data outside the EEA/UK to countries without adequacy decisions, the parties agree to the following transfer mechanisms:
(a) Standard Contractual Clauses: Module Two (Controller to Processor) of the EU SCCs (Commission Decision 2021/914) is incorporated by reference.
(b) UK Transfers: The UK International Data Transfer Agreement or UK Addendum to the EU SCCs, as applicable.
7.2 Transfer Impact Assessment
Processor has conducted transfer impact assessments for transfers to Sub-processors and implemented supplementary measures where necessary.
7.3 Alternative Mechanisms
If transfer mechanisms become invalid or inadequate, parties shall cooperate to implement alternative lawful mechanisms.
8. TERM AND TERMINATION
8.1 Duration
This DPA remains in effect for the duration of Customer’s use of the Services.
8.2 Termination
This DPA terminates automatically upon termination of the underlying Services agreement.
8.3 Data Return and Deletion
Upon termination:
(a) Processor shall, at Customer’s election:
- Return all Personal Data in a structured, commonly used format; or
- Delete all Personal Data and certify deletion in writing.
(b) Processor shall complete return or deletion within 90 days of termination.
(c) Processor may retain Personal Data:
- As required by applicable law;
- In standard backup systems until normal deletion cycles;
- In anonymized form for statistical purposes.
9. OBLIGATIONS OF THE CUSTOMER
Customer warrants and undertakes that:
9.1 Lawful Basis
Customer has and will maintain a lawful basis for Processing, including valid consent where required.
9.2 Data Subject Information
Customer has provided and will provide adequate privacy notices to Data Subjects.
9.3 Instructions
Customer’s Processing instructions comply with applicable law.
9.4 Data Accuracy
Customer is responsible for ensuring the accuracy of Personal Data provided.
9.5 Security
Customer will implement appropriate security measures within its own systems.
9.6 Sensitive Data
Customer will obtain explicit consent before collecting sensitive data through custom fields.
10. LIABILITY
10.1 Allocation
Liability under this DPA is subject to the limitations in the Terms of Service.
10.2 Regulatory Fines
Each party shall be responsible for administrative fines imposed on it by supervisory authorities.
10.3 Data Subject Claims
If either party receives a claim from a Data Subject regarding Processing under this DPA, it shall promptly notify the other party.
11. GENERAL PROVISIONS
11.1 Conflict
In case of conflict between this DPA and the Terms of Service regarding data protection, this DPA prevails.
11.2 Amendments
This DPA may be amended:
(a) By mutual written agreement;
(b) By Processor to reflect legal or regulatory changes, with 30 days’ notice.
11.3 Severability
If any provision is found invalid, the remaining provisions remain in effect.
11.4 Governing Law
This DPA is governed by:
(a) For EU data: Laws of Ireland;
(b) For UK data: Laws of England and Wales;
(c) For other data: Laws of the United Kingdom.
11.5 Entire Agreement
This DPA, together with the Terms of Service and Privacy Policy, constitutes the complete agreement regarding data Processing.
ANNEX A: DETAILS OF PROCESSING
A.1 Subject Matter
Processing of Personal Data in connection with the Carrott digital loyalty platform.
A.2 Duration
For the term of Customer’s subscription to the Services.
A.3 Nature and Purpose
| Activity | Purpose |
|---|---|
| Collection | Enroll customers in loyalty programs |
| Storage | Maintain customer profiles and card data |
| Organization | Categorize and segment customers |
| Retrieval | Display customer information to authorized users |
| Use | Track loyalty transactions and rewards |
| Disclosure | Generate wallet passes via Apple/Google |
| Combination | Link customers across locations/cards |
| Erasure | Delete data upon request or retention expiry |
A.4 Types of Personal Data
As described in Section 3.2 above.
A.5 Categories of Data Subjects
As described in Section 3.1 above.
ANNEX B: TECHNICAL AND ORGANIZATIONAL MEASURES
B.1 Physical Security
- Cloud infrastructure with SOC 2 certified data centers
- No on-premises servers processing Customer data
B.2 Access Controls
- Role-based access control (RBAC)
- Multi-factor authentication available
- Unique user credentials
- Automatic session timeout
- Access logging and monitoring
B.3 Data Encryption
- TLS 1.3 for data in transit
- AES-256 encryption at rest
- Encrypted backups
B.4 Network Security
- Firewalls and network segmentation
- DDoS protection
- Intrusion detection systems
B.5 Application Security
- Secure development practices
- Regular security assessments
- Vulnerability management
- Input validation and sanitization
B.6 Data Backup and Recovery
- Automated daily backups
- Geographic redundancy
- Tested recovery procedures
B.7 Incident Management
- 24/7 monitoring
- Documented incident response procedures
- Post-incident analysis
B.8 Personnel Security
- Security awareness training
- Confidentiality agreements
- Background checks where permitted
ANNEX C: APPROVED SUB-PROCESSORS
See Data Processors document for the current list of approved Sub-processors.
SIGNATURES
By using the Services, Customer agrees to this Data Processing Agreement.
Carrott LTD
This DPA is effective as of the date Customer agrees to the Terms of Service.
Data Processing Agreement effective as of 23rd January 2026.