Data Processing Addendum
Last updated: May 20, 2026
1. Parties & scope
This Data Processing Addendum ("DPA") supplements the MVP RFID Terms of Service between MVP RFID, Inc. ("Processor") and the customer entity that accepted the Terms ("Controller"). It applies whenever Processor processes personal data on behalf of Controller in connection with the ordering platform.
2. Nature & purpose of processing
Processor processes the categories of personal data Controller submits (account holder name, email, phone, business address, shipping/drop-ship contact details, order history, payment metadata) solely to (a) operate the ordering platform, (b) route manufacturing and fulfilment, (c) issue invoices and collect payment, (d) provide customer support, and (e) comply with legal obligations.
3. Sub-processors
Controller authorises Processor to engage the sub-processors listed below. Processor will give 30 days' notice (via in-app banner or email) before adding or replacing a sub-processor; Controller may object on reasonable data-protection grounds.
| Sub-processor | Purpose | Location |
|---|---|---|
| Supabase, Inc. | Application database, authentication, file storage | United States (AWS us-east-1) |
| Stripe, Inc. | Payment processing, tax calculation, fraud prevention | United States, Ireland |
| Cloudflare, Inc. | Application hosting (Workers), DNS, CDN, DDoS protection | Global edge network |
| Motherson Group | RFID manufacturing & drop-shipping of physical inventory | Multi-region (per order routing) |
| Resend / transactional email provider | Order confirmations, password resets, status notifications | United States, EU |
4. International transfers
Where personal data of EEA, UK, or Swiss data subjects is transferred to a country without an adequacy decision (notably the United States), the parties rely on the European Commission's Standard Contractual Clauses (Module 2: Controller-to-Processor, 2021/914), the UK International Data Transfer Addendum, and the Swiss FDPIC addendum, each incorporated by reference into this DPA. Processor maintains supplementary technical measures including encryption in transit (TLS 1.2+) and at rest.
5. Security measures
Row-Level Security on every database table; private object storage by default; role-based access for staff; HTTPS-only transport; encryption at rest; security-event logging; incident-response procedures with 72-hour breach notification (GDPR Art. 33).
6. Data subject requests
Processor will assist Controller in responding to access, rectification, erasure, restriction, portability, and objection requests within the statutory window. Account holders can self-serve deletion at Account → Settings.
7. Retention & deletion
Personal data is retained for the life of the account plus seven (7) years for invoice, tax, and accounting records, after which it is deleted or anonymised. On termination, Processor will, at Controller's election, return or delete remaining personal data within 30 days, subject to legally required retention.
8. Audit
Once per twelve (12) months, Controller may request a copy of Processor's most recent third-party security attestations (or, where none exist, a written response to a reasonable security questionnaire) under NDA.
9. Contact
Data protection inquiries: privacy@mvprfid.com. To execute a counter-signed DPA on company letterhead, contact the same address.