1. Introduction
This Data Processing Addendum (the “DPA”) forms part of the Terms of Service or other written agreement (the “Agreement”) between areturnz (“Processor”) and the Customer identified in the applicable Order Form (“Controller”) for the provision of the areturnz returns processing platform and related services (the “Services”).
It reflects the parties’ agreement on the processing of Personal Data in connection with the Services in accordance with the requirements of Data Protection Laws.
2. Definitions
Capitalized terms not defined here have the meanings given to them in the Agreement.
- “Data Protection Laws” means all applicable laws relating to the processing of Personal Data, including the EU General Data Protection Regulation 2016/679 (“GDPR”), the UK GDPR and Data Protection Act 2018, the Swiss Federal Act on Data Protection, the California Consumer Privacy Act as amended (“CCPA/CPRA”), and any successor or equivalent legislation.
- “Personal Data”, “Data Subject”, “Processing”, “Controller”, “Processor”, and “Sub-processor” have the meanings given in the GDPR (or the equivalent terms in the CCPA/CPRA, such as “Business” and “Service Provider”).
- “Customer Personal Data” means Personal Data contained in Customer Data that is processed by areturnz on behalf of Controller under the Agreement.
- “SCCs” means the Standard Contractual Clauses approved by the European Commission in Decision 2021/914.
- “UK Addendum” means the International Data Transfer Addendum to the EU SCCs issued by the UK Information Commissioner’s Office.
3. Roles and scope of processing
With respect to Customer Personal Data, Controller is the controller (or, where Controller acts on behalf of another entity, the processor) and areturnz is the processor (or, as applicable, sub-processor).
The subject matter, duration, nature and purpose of processing, the types of Personal Data, and the categories of Data Subjects are described in Annex I.
areturnz qualifies as a “Service Provider” under the CCPA/CPRA. areturnz does not sell or share Customer Personal Data, does not retain, use, or disclose it outside the direct business relationship, and does not combine it with Personal Data received from other sources except as permitted by the CCPA/CPRA.
4. Controller’s instructions
areturnz will process Customer Personal Data only on documented instructions from Controller, including with regard to international transfers, unless required to do so by applicable law — in which case areturnz will inform Controller of that legal requirement before processing, unless the law prohibits such notice on important grounds of public interest.
The Agreement, this DPA, the Documentation, and ordinary Customer use of the Services (including dashboard configuration and API calls) constitute Controller’s complete and final instructions for the duration of the Agreement. Any additional or alternative instructions must be agreed in writing.
areturnz will inform Controller without undue delay if, in its opinion, an instruction infringes Data Protection Laws.
5. Confidentiality of personnel
areturnz ensures that persons authorized to process Customer Personal Data are bound by appropriate obligations of confidentiality (whether by statute or contract) and receive training on their data-protection responsibilities. Access to Customer Personal Data is limited to personnel who require it to deliver, support, or secure the Services.
6. Security of processing
areturnz implements and maintains appropriate technical and organizational measures designed to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access (a “Security Incident”). These measures are summarized in Annex II and in our Security overview, and include encryption in transit and at rest, access controls, network segmentation, vulnerability management, logging, and personnel background checks where lawful.
Controller acknowledges that security measures are subject to technical progress and may evolve; areturnz will not materially diminish the protection of Customer Personal Data during the term of the Agreement.
7. Sub-processors
Controller provides general written authorization for areturnz to engage Sub-processors to process Customer Personal Data, subject to this Section. A current list of approved Sub-processors (the “Sub-processor List”) is available on written request to support@areturnz.com and is incorporated into this DPA.
areturnz will give Controller at least 30 days’ prior notice of any intended addition or replacement of a Sub-processor by email to the account contact on file. Controller may object on reasonable data-protection grounds during the notice period; if the parties cannot resolve the objection in good faith, Controller may terminate the affected portion of the Services without penalty.
areturnz imposes on each Sub-processor written data-protection obligations no less protective than those in this DPA and remains liable for the acts and omissions of its Sub-processors to the same extent as for its own.
8. Data subject requests
Taking into account the nature of the processing, areturnz will assist Controller by appropriate technical and organizational measures, insofar as possible, to fulfill Controller’s obligations to respond to requests from Data Subjects to exercise their rights (access, rectification, erasure, restriction, portability, objection, automated decision-making).
If a Data Subject contacts areturnz directly, areturnz will promptly forward the request to Controller and will not respond to the Data Subject other than to acknowledge receipt and to refer them to Controller, unless required by law.
9. Personal data breach notification
areturnz will notify Controller without undue delay, and in any event within 72 hours of becoming aware of a Security Incident affecting Customer Personal Data. The notification will, to the extent then known, describe:
- the nature of the incident, the categories and approximate number of Data Subjects and records concerned;
- the likely consequences;
- the measures taken or proposed to address the incident and mitigate its possible adverse effects; and
- the contact point for further information.
areturnz will provide reasonable cooperation and information to Controller as required to enable Controller to meet its own notification obligations under Data Protection Laws. areturnz’s notification or response to a Security Incident is not an acknowledgement by areturnz of fault or liability.
10. DPIA and prior consultation
areturnz will provide Controller with reasonable assistance, taking into account the nature of the processing and the information available to areturnz, in carrying out data protection impact assessments and prior consultations with supervisory authorities under Articles 35 and 36 of the GDPR (and equivalent provisions of other Data Protection Laws).
11. International transfers
Controller acknowledges that areturnz processes Customer Personal Data in the United States and may, through its Sub-processors, process Customer Personal Data in other jurisdictions. To the extent such processing involves the transfer of Customer Personal Data from the European Economic Area, the United Kingdom, or Switzerland to a country that has not received an adequacy decision, the parties incorporate by reference:
- the SCCs (Module Two: controller-to-processor, or Module Three: processor-to-processor, as applicable), with the optional clauses (clause 7 docking, clause 11 redress, clause 17 governing law, clause 18 forum) completed as described in Annex III; and
- the UK Addendum where UK Personal Data is transferred.
For transfers from Switzerland, references in the SCCs to the GDPR are deemed to refer to the Swiss Federal Act on Data Protection, and references to EU member-state supervisory authorities are deemed to refer to the Swiss Federal Data Protection and Information Commissioner.
12. Audits
areturnz will make available to Controller all information reasonably necessary to demonstrate compliance with this DPA, and will allow for and contribute to audits, including inspections, by Controller or an auditor mandated by Controller.
To minimize disruption and protect the confidentiality of other customers, Controller agrees that audits will:
- be satisfied, where available, by areturnz’s then-current third-party security report or certification covering the scope of Controller’s concern. areturnz will use commercially reasonable efforts to obtain a SOC 2 Type II report (or comparable independent attestation) and will make summary findings available under confidentiality once issued;
- otherwise, take place on at least 30 days’ prior written notice, no more than once per 12-month period (unless required by a supervisory authority or following a confirmed Security Incident), during business hours, and under appropriate confidentiality undertakings; and
- be at Controller’s expense, except where the audit reveals material non-compliance with this DPA, in which case areturnz will bear its reasonable costs.
13. Deletion or return of data
Upon termination or expiry of the Agreement, areturnz will, at Controller’s choice, delete or return all Customer Personal Data, and delete existing copies, unless applicable law requires storage. Standard deletion timelines are described in the Documentation; backups are overwritten in the ordinary course of the backup retention cycle.
14. Liability and precedence
The liability of each party under or in connection with this DPA is subject to the limitations and exclusions of liability set out in the Agreement. In the event of any conflict between this DPA and the Agreement on data-protection matters, this DPA prevails. In the event of any conflict between this DPA and the SCCs, the SCCs prevail.
Annex I — Description of processing
A. List of parties
Data exporter: Controller, as identified in the Order Form. Contact: Controller’s account administrator. Role: controller.
Data importer: areturnz. Contact: support@areturnz.com. Role: processor.
B. Description of transfer
- Categories of Data Subjects — Controller’s end-customers (consumers initiating returns), Controller’s employees and authorized users with dashboard access, and Controller’s logistics or marketplace partners with sub-account access.
- Categories of Personal Data — identification data (name, email, phone), shipping addresses, return order references, item identifiers and condition data, photographs of returned merchandise, communication logs, IP addresses and device identifiers, account login data.
- Sensitive data — none expected; Controller is responsible for refraining from submitting special categories of data (Article 9 GDPR) unless agreed in writing.
- Frequency of transfer — continuous, during the term of the Agreement.
- Nature of processing — hosting, storage, transmission, retrieval, analysis, and physical operations on returned merchandise.
- Purpose — provision of the Services as described in the Agreement.
- Duration of processing — for the term of the Agreement plus any retention period required by law or instructed in writing.
C. Competent supervisory authority
The supervisory authority of the EU member state in which the Controller (or the Controller’s EU representative, where applicable) is established. For UK transfers, the UK Information Commissioner’s Office. For Switzerland, the Federal Data Protection and Information Commissioner.
Annex II — Technical and organizational measures
Summary measures (full details in the Security overview):
- Encryption — TLS 1.2+ in transit; AES-256 at rest for primary stores and backups.
- Access control — SSO and MFA for staff, least-privilege RBAC, quarterly access reviews, and tenant-level scoping in the platform.
- Network security — private VPC, WAF, DDoS protection, segmented production environment, restricted egress.
- Application security — SDLC with code review, dependency scanning, secrets management, and regular penetration testing.
- Operations — centralized logging, anomaly detection, on-call incident response, and tested backup/restore.
- Physical security — access-controlled facilities for cloud infrastructure and our processing centers; CCTV and visitor logging.
- Personnel — pre-employment screening where lawful, confidentiality undertakings, mandatory security and privacy training.
- Vendor management — risk-tiered due diligence, contractual data-protection terms, and ongoing monitoring.
Annex III — SCC completion
- Module — Two (controller-to-processor); Module Three applies where Controller acts as processor for an upstream controller.
- Clause 7 (docking clause) — applies.
- Clause 9 (sub-processors) — Option 2 (general written authorization); notice period of 30 days as described in Section 7.
- Clause 11 (independent dispute resolution) — the optional clause does not apply.
- Clause 17 (governing law) — Ireland.
- Clause 18 (forum) — courts of Ireland.
- Annex I to the SCCs — completed by Annex I above.
- Annex II to the SCCs — completed by Annex II above.
- Annex III to the SCCs — the Sub-processor List referenced in Section 7.
15. Contact
For questions, concerns, or to execute a countersigned copy of this DPA, please contact us: support@areturnz.com