Data Processing Agreement

Effective Date: April 4, 2026

This Data Processing Agreement ("DPA") forms part of the Terms of Service between the platform operator ("Processor") and the registered user ("Controller"), pursuant to Article 28 of the General Data Protection Regulation (GDPR).

1. Scope of Processing

The Processor processes personal data on behalf of the Controller solely to provide the platform services, including:

  • Synchronization of marketplace data (orders, buyers, messages, cases, feedback, payouts)
  • Storage and display of business data for management purposes
  • Geocoding of buyer addresses for analytics (Buyers Map)
  • Generation of business reports and dashboards

Data subjects include: marketplace buyers, message senders/recipients, and the Controller themselves.

Categories of data: names, email addresses, physical addresses, phone numbers, transaction details, and communication content.

2. Duration

Processing continues for the duration of the Controller's active account. Upon account deletion, all personal data is permanently removed within 30 days.

3. Processor Obligations

  • Process personal data only on documented instructions from the Controller (i.e., through the platform's functionality)
  • Ensure that persons authorized to process data are bound by confidentiality
  • Implement appropriate technical and organizational security measures (see Section 4)
  • Not engage sub-processors without prior authorization (see Section 6)
  • Assist the Controller in responding to data subject rights requests
  • Delete or return all personal data upon termination of services
  • Make available all information necessary to demonstrate compliance

4. Security Measures

The Processor implements the following security measures:

  • Encryption of data in transit (TLS 1.2+) and at rest
  • Session encryption and CSRF protection
  • Password hashing (bcrypt) with no plaintext storage
  • Role-based access control
  • Rate limiting on sensitive endpoints
  • Secure file storage with per-user isolation
  • Automated data retention and purging schedules
  • Webhook signature verification for API integrations

5. Breach Notification

In the event of a personal data breach, the Processor shall:

  • Notify the Controller without undue delay and no later than 72 hours after becoming aware of the breach
  • Provide details of the breach including nature, scope, likely consequences, and measures taken
  • Cooperate with the Controller to mitigate effects and fulfill notification obligations to supervisory authorities

6. Sub-processors

The Controller authorizes the use of the following sub-processors:

Sub-processor               Purpose                        Location
DigitalOcean, LLC           Cloud hosting & storage        EU / US
Cloudflare, Inc.            CDN, DDoS protection, DNS      Global
eBay, Inc.                  Marketplace API data source    US
OpenStreetMap / Nominatim   Address geocoding              EU
Google LLC (reCAPTCHA)      Bot protection                 US

The Processor will inform the Controller of any intended changes to sub-processors, giving the Controller an opportunity to object.

7. Data Deletion

Upon account deletion or contract termination:

  • All user account data is deleted immediately
  • All associated business data (orders, inventory, buyers, etc.) is cascaded and deleted
  • User file storage is purged
  • Non-attributable system logs (without PII) may be retained for operational purposes

8. Controller Obligations

The Controller is responsible for:

  • Ensuring lawful basis for processing buyer personal data (legitimate interest of fulfilling marketplace transactions)
  • Providing notice to data subjects as required
  • Instructing the Processor only in accordance with applicable law

9. Governing Law

This DPA is governed by the laws applicable to the Terms of Service and the General Data Protection Regulation (EU) 2016/679.

For questions about this agreement, contact: [email protected]