Data Processing Agreement

Last updated: May 2026 · Version 1.0

This Data Processing Agreement ("DPA") forms part of the agreement between you (the "Controller", or "Merchant") and Fordify Limited, a company registered in England and Wales (the "Processor", or "TapReceipt"), governing the processing of personal data carried out by TapReceipt on behalf of the Merchant in connection with the TapReceipt service.

This DPA is entered into pursuant to Article 28 of the UK General Data Protection Regulation ("UK GDPR") and applies whenever TapReceipt processes personal data on behalf of the Merchant. By creating a TapReceipt merchant account and accepting our Terms of Service, you agree to be bound by this DPA.

This DPA is automatically binding as part of your TapReceipt subscription. No separate signature is required. If you require a counter-signed copy of this DPA for your own records, please contact us at fordifylimited@gmail.com.

1. Definitions

In this DPA the following terms have the meanings set out below. Other defined terms have the meaning given in UK GDPR or our Terms of Service.

"Controller" means the Merchant, who determines the purposes and means of processing personal data of its end customers.
"Processor" means Fordify Limited (trading as TapReceipt), who processes personal data on the Controller's behalf.
"Personal Data" means any data relating to an identified or identifiable natural person processed under this DPA.
"Data Subject" means an end customer of the Merchant whose personal data is processed.
"Sub-processor" means any third party engaged by the Processor to assist with processing.
"Personal Data Breach" has the meaning given in UK GDPR Article 4(12).

2. Scope and roles

The Merchant is the Controller of its end customers' personal data. Fordify Limited acts as the Processor of that personal data, processing it on the Merchant's behalf for the sole purpose of providing the TapReceipt service as described in our Terms of Service.

3. Processing instructions

Fordify Limited shall process personal data only:

On the Merchant's documented instructions, as set out in the Terms of Service, this DPA, and any reasonable written instructions from the Merchant;
For the purposes described in Schedule 1 below;
In compliance with applicable data protection laws, including UK GDPR and the Data Protection Act 2018.

If Fordify Limited believes any instruction from the Merchant infringes UK GDPR, it will inform the Merchant without delay.

4. Confidentiality

Fordify Limited ensures that any personnel authorised to process personal data are bound by confidentiality obligations and trained on data protection.

5. Security measures

Fordify Limited implements appropriate technical and organisational measures to ensure the security of personal data, as set out in Schedule 2. These measures include:

Encryption of personal data in transit (HTTPS / TLS 1.2 or higher);
Industry-standard password hashing (PBKDF2) for all stored credentials;
Optional two-factor authentication (2FA) for merchant accounts;
Mandatory 2FA for administrative access;
Webhook signature verification (HMAC-SHA256) where supported by integration partners;
Regular, automated backups stored securely;
Automatic deletion of personal data after defined retention periods;
Logical access controls limiting data access to authorised personnel only.

6. Sub-processors

The Merchant authorises Fordify Limited to engage the sub-processors listed in Schedule 3 for the purposes of providing the service. Fordify Limited shall:

Ensure each sub-processor is bound by data protection obligations no less protective than this DPA;
Remain liable to the Merchant for the acts and omissions of its sub-processors;
Notify the Merchant of any proposed additions or replacements to the sub-processor list at least 30 days in advance by email or via this page. The Merchant may object on reasonable data protection grounds, in which case the parties will work in good faith to resolve the objection.

7. Data subject rights

Fordify Limited shall provide the Merchant with reasonable assistance, through appropriate technical and organisational measures, to enable the Merchant to respond to requests from Data Subjects exercising their rights under UK GDPR (access, rectification, erasure, restriction, portability, objection, and rights related to automated decision-making).

TapReceipt provides Data Subjects with direct self-service tools to exercise these rights via the Settings page on any TapReceipt receipt.

8. Personal Data Breaches

Fordify Limited shall notify the Merchant without undue delay (and in any event within 72 hours of becoming aware) of any Personal Data Breach affecting the Merchant's personal data. The notification will include:

A description of the nature of the breach, including (where possible) the categories and approximate number of Data Subjects and records affected;
The likely consequences of the breach;
The measures taken or proposed to address the breach and mitigate its effects;
Contact details for further information.

9. Data Protection Impact Assessments (DPIAs)

Fordify Limited shall provide reasonable assistance to the Merchant in carrying out Data Protection Impact Assessments and, where required, in consulting with the Information Commissioner's Office (ICO) prior to processing.

10. International transfers

Some of our sub-processors (e.g. Postmark) are located outside the UK or EEA. Where such transfers occur, they are made under the UK International Data Transfer Agreement (IDTA), UK Addendum to the EU Standard Contractual Clauses, or an applicable adequacy decision, ensuring an essentially equivalent level of protection to UK GDPR.

11. Return or deletion of data

On termination of the Terms of Service, Fordify Limited shall, at the Merchant's choice:

Return all personal data to the Merchant in a structured, commonly-used, machine-readable format; or
Delete all personal data from its systems, except where retention is required by law (in which case it will be securely stored and access-limited until lawful deletion is permitted).

By default, on termination, transaction records are anonymised (personal identifiers removed) and retained for the statutory UK accounting period of seven years; all other personal data is deleted within 30 days.

12. Audits

Fordify Limited shall make available to the Merchant all information necessary to demonstrate compliance with this DPA, and shall allow for audits, including inspections, conducted by the Merchant or another auditor mandated by the Merchant, on reasonable prior notice and at the Merchant's expense. To minimise disruption, the Merchant agrees to accept third-party audit reports and certifications (where available) as evidence of compliance.

13. Liability

Each party's liability under this DPA is subject to the limitations of liability set out in our Terms of Service.

14. Governing law

This DPA is governed by the laws of England and Wales, and subject to the exclusive jurisdiction of the courts of England and Wales.

Schedule 1 — Subject matter and details of processing

Subject matter	Provision of the TapReceipt digital receipt service to the Merchant.
Duration of processing	For the duration of the Merchant's TapReceipt account, plus the retention period set out in our Privacy Policy.
Nature and purpose	Storage, transmission and management of customer receipt data; sending of transactional and (with consent) marketing emails to Data Subjects on behalf of the Merchant.
Types of personal data	Email addresses; receipt data (items, prices, timestamps); device identifiers (cookies); marketing consent records; IP address hashes; user-agent hashes.
Categories of Data Subjects	End customers of the Merchant who tap a TapReceipt NFC sticker and provide their email address.

Schedule 2 — Technical and organisational measures

See Section 5 of this DPA. Full details are available on request.

Schedule 3 — Approved sub-processors

Sub-processor	Location	Purpose
Hetzner Online GmbH	Germany	Hosting and data storage
Postmark / ActiveCampaign	USA (under SCCs)	Transactional email delivery
Square, Inc.	USA	POS sale event source (only for Merchants who connect Square)
iZettle / PayPal	Sweden / Luxembourg	POS sale event source (only for Merchants who connect Zettle)
SumUp Ltd	UK / Ireland	POS sale event source (only for Merchants who connect SumUp)
Lightspeed Commerce	Canada	POS sale event source (only for Merchants who connect Lightspeed)

← Back to home · Terms · Privacy Policy · Contact