Legal

GDPR & Data Processing Agreement

Company Name: Expo Exchange LTD · Website: www.expoexchange.co.uk

1. Introduction

This Data Processing Agreement ("DPA") forms part of the Terms of Service between Expo Exchange LTD ("Data Processor") and users of the Platform ("Data Controllers").

It sets out the terms under which personal data is processed in connection with the services provided via the Platform, in compliance with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and the UK GDPR.

2. Definitions

  • Personal Data: Any information relating to an identified or identifiable natural person.
  • Processing: Any operation performed on personal data (e.g., collection, storage, use, disclosure, deletion).
  • Data Controller: The party that determines the purposes and means of processing personal data (i.e., Platform users).
  • Data Processor: The party that processes personal data on behalf of the Data Controller (i.e., Expo Exchange).
  • Data Subject: The individual whose personal data is being processed.
  • Sub-processor: A third party engaged by the Data Processor to process personal data.

3. Scope and Purpose

This DPA applies to all personal data processed by Expo Exchange on behalf of users in connection with:

  • Account creation and management
  • Tender posting and bid submission
  • Communication between users
  • Payment processing (where applicable)
  • Platform analytics and improvement

4. Obligations of the Data Processor

Expo Exchange shall:

  • Process personal data only on documented instructions from the Data Controller
  • Ensure that persons authorized to process data are bound by confidentiality
  • Implement appropriate technical and organizational security measures
  • Assist the Data Controller in responding to data subject rights requests
  • Notify the Data Controller without undue delay of any data breach
  • Delete or return all personal data at the end of the service relationship, unless required by law to retain it
  • Make available all information necessary to demonstrate compliance

5. Sub-processors

Expo Exchange may engage the following categories of sub-processors:

  • Cloud hosting providers (e.g., Vercel, AWS)
  • Authentication services (e.g., Supabase)
  • Payment processors (e.g., Stripe)
  • Analytics tools (e.g., Google Analytics)
  • Communication tools (e.g., email services)

We will inform you of any intended changes to sub-processors and provide you with an opportunity to object.

6. Data Subject Rights

Expo Exchange will assist Data Controllers in fulfilling their obligations to respond to Data Subject requests, including:

  • Right of access
  • Right to rectification
  • Right to erasure
  • Right to restriction of processing
  • Right to data portability
  • Right to object

7. Security Measures

We implement appropriate measures including but not limited to:

  • Encryption of data in transit and at rest
  • Access controls and authentication
  • Regular security assessments
  • Incident response procedures
  • Employee training on data protection

8. International Transfers

Where personal data is transferred outside the UK or EEA, we ensure appropriate safeguards are in place, such as:

  • Standard Contractual Clauses (SCCs)
  • UK International Data Transfer Agreement (IDTA)
  • Adequacy decisions

9. Data Breach Notification

In the event of a personal data breach, Expo Exchange shall:

  • Notify the Data Controller without undue delay (and within 72 hours where feasible)
  • Provide details of the breach, including the nature, categories of data affected, and remedial actions taken
  • Cooperate with the Data Controller in notifying affected individuals and supervisory authorities where required

10. Audit Rights

The Data Controller may request reasonable evidence of compliance with this DPA.

Expo Exchange shall make available all necessary information and allow for audits, subject to reasonable notice and confidentiality obligations.

11. Duration and Termination

This DPA remains in effect for the duration of the service agreement.

Upon termination, Expo Exchange will:

  • Cease processing personal data
  • Delete or return personal data within 30 days, unless required by law

12. Governing Law

This DPA is governed by the laws of England & Wales and is subject to the jurisdiction of the courts of England & Wales.

13. Contact

For data protection queries:

Email: office@expoexchange.co.uk

By using the Platform, you acknowledge that you have read, understood, and agree to this Data Processing Agreement.
Chat with us