Data Processing Agreement

Last updated: June 5, 2026

This Data Processing Agreement ("DPA") is entered into between Pepliful ("Processor") and the Brand Operator that has accepted the Pepliful Terms of Service ("Controller") and forms part of, and is governed by, the Terms of Service (the "Agreement"). This DPA applies to the extent that Pepliful processes Personal Data on behalf of the Controller in connection with the Pepliful platform (the "Service"). In the event of a conflict between this DPA and the Agreement on the subject of data protection, this DPA controls.

By accepting the Agreement, the Controller is also accepting this DPA. No signature is required.

1. Definitions

Capitalized terms not otherwise defined have the meanings given in the GDPR or, where the CCPA/CPRA applies, in that law. "Data Protection Laws" means all laws applicable to the processing of Personal Data under this DPA, including the GDPR, the UK GDPR, the Swiss FADP, and the CCPA/CPRA. "Personal Data" means any information relating to an identified or identifiable End Customer that the Controller submits to the Service.

2. Roles of the parties

For Personal Data submitted by Controller through the Service, Controller is the Controller (or "Business" under the CCPA/CPRA) and Pepliful is the Processor (or "Service Provider" under the CCPA/CPRA). Each party will comply with its obligations under Data Protection Laws.

3. Scope and purpose of processing

  • Subject matter: fulfillment of orders submitted by Controller on behalf of its End Customers.
  • Duration: the term of the Agreement, plus the retention period described in Section 8.
  • Nature and purpose: receiving, processing, packing, labeling, and shipping orders; providing tracking and account management; supporting and securing the Service.
  • Categories of data subjects: End Customers of the Controller.
  • Categories of Personal Data: name, shipping address, email address (optional), phone number (where collected), order details, and tracking information.
  • Special category data: Controller must not submit any special category data, health data, or government identifiers through the Service.

4. Processor obligations

Pepliful will:

  • Process Personal Data only on documented instructions from the Controller, including the instructions set out in the Agreement, this DPA, and Controller's use of the Service.
  • Not "sell" or "share" Personal Data as those terms are defined under the CCPA/CPRA, and not retain, use, or disclose Personal Data outside the direct business relationship or for any purpose other than the specific purpose of providing the Service.
  • Ensure that personnel authorized to process Personal Data are bound by appropriate confidentiality obligations.
  • Implement appropriate technical and organizational security measures as described in Section 6.
  • Assist the Controller, taking into account the nature of processing, in responding to data-subject requests and in complying with the Controller's obligations under Articles 32–36 of the GDPR.
  • Notify the Controller of a Personal Data breach without undue delay after becoming aware of it.
  • At the Controller's choice, delete or return all Personal Data after the end of the provision of the Service, except where retention is required by law.
  • Make available to the Controller information reasonably necessary to demonstrate compliance with this DPA and allow for and contribute to audits as described in Section 9.

5. Subprocessors

The Controller provides a general authorization for Pepliful to engage Subprocessors to perform processing on its behalf. Pepliful's current Subprocessors include: cloud hosting and database providers, transactional email providers, analytics and error-monitoring providers, payment processors, and shipping carriers and label printers. A current list is available on request from privacy@pepliful.com.

Pepliful will impose data-protection obligations on each Subprocessor that are no less protective than those in this DPA, and will remain liable to the Controller for each Subprocessor's performance. Pepliful will give the Controller reasonable prior notice of any intended addition or replacement of a Subprocessor. The Controller may object to a new Subprocessor on reasonable, documented data- protection grounds within fifteen (15) days of notice; if the parties cannot resolve the objection, the Controller may terminate the affected portion of the Service.

6. Security measures

Pepliful maintains a written information security program that includes, at a minimum: encryption of Personal Data in transit using modern TLS; encryption at rest in our primary data store; role-based access controls with least-privilege defaults; multi-factor authentication for administrative access; audit logging; secure software-development practices; backup and disaster-recovery procedures; periodic security training for personnel; and incident-response procedures. We review and update these measures from time to time and may replace them with substantially equivalent or better controls.

7. International transfers

Pepliful primarily processes Personal Data in the United States. Where Personal Data originating in the EEA, UK, or Switzerland is transferred to a country that has not received an adequacy decision, the parties agree that the EU Standard Contractual Clauses (Module 2: Controller to Processor) are incorporated by reference and will govern the transfer, with the relevant options completed as follows: docking clause applies; the optional language on independent dispute resolution applies; the supervisory authority is that of the EU Member State in which the Controller is established; and the governing law is the law of that EU Member State. For UK transfers, the UK International Data Transfer Addendum is incorporated. For Swiss transfers, references to the GDPR are deemed to refer also to the Swiss FADP and to the Swiss Federal Data Protection and Information Commissioner.

8. Retention, return, and deletion

Pepliful will retain Personal Data for the duration of the Agreement and for the period necessary to perform the Service. Within thirty (30) days after termination of the Agreement, Pepliful will, at the Controller's written direction, return or delete all Personal Data, except to the extent retention is required by applicable law (for example, tax, accounting, or anti-fraud obligations) or is contained in routine backups, which will be deleted in accordance with our standard backup-rotation schedule.

9. Audits

Pepliful will make available to the Controller, on reasonable request and subject to confidentiality, summary information about its security program (such as a SOC 2 report, ISO 27001 certificate, penetration-test summary, or completed security questionnaire) as evidence of compliance with this DPA. To the extent additional audits are required under Data Protection Laws, the Controller may, no more than once per twelve-month period and at its expense, conduct an audit through a mutually agreed independent third party bound by confidentiality, on at least thirty (30) days' prior written notice, during business hours, and in a manner that does not unreasonably interfere with Pepliful's operations.

10. Data-subject requests

Where Pepliful receives a request from an End Customer to exercise rights under Data Protection Laws, Pepliful will, to the extent legally permitted, promptly forward the request to the Controller and will not respond directly except to confirm that the request has been forwarded. Pepliful will provide reasonable assistance to the Controller in responding to such requests, taking into account the nature of the processing and the information available to Pepliful.

11. Breach notification

Pepliful will notify the Controller without undue delay after becoming aware of a Personal Data breach affecting Personal Data. The notification will include, to the extent known: the nature of the breach, the categories and approximate number of data subjects and records affected, the likely consequences, and the measures taken or proposed to address the breach and mitigate its effects. Pepliful's notification is not an acknowledgment of fault or liability.

12. Liability

Each party's liability arising out of or related to this DPA, whether in contract, tort, or under any other theory of liability, is subject to the limitations of liability set out in the Agreement.

13. Term and conflicts

This DPA becomes effective when the Controller accepts the Agreement and remains in force for as long as Pepliful processes Personal Data on behalf of the Controller. In the event of a conflict between this DPA and the Agreement on the subject of data protection, this DPA controls.

14. Contact

For requests under this DPA, including Subprocessor lists, security documentation, or breach-response coordination, contact privacy@pepliful.com.