Data Processing Agreement
VERSION 1.0EFFECTIVE effective date
This DPA forms part of the MetlSys SaaS Subscription Agreement between Reload IT Ltd (processor) and the Customer (controller), and is drafted to satisfy Article 28 UK GDPR. For personal data within Customer Data, the Customer is the controller and Reload IT is the processor.
This policy is being finalised — highlighted items are still to be confirmed, and it is subject to final legal review. For any question in the meantime, contact info@reloadit.co.uk.
1. Background and roles
1.1 This DPA forms part of the Agreement between Reload IT Ltd, company number company number, of registered office address (“Reload IT”) and the Customer.
1.2 For personal data contained within Customer Data, the Customer is the controller and Reload IT is the processor. Terms have the meanings given in the Data Protection Act 2018 and UK GDPR. 1.3 Details of the processing are set out in Annex 1.
2. Processor obligations
2.1 Reload IT shall:
- process personal data only on the Customer’s documented instructions — namely to provide, maintain, support and secure the Service in accordance with the Agreement and the Customer’s configuration — unless required to process otherwise by law;
- ensure persons authorised to process the data are bound by confidentiality obligations;
- implement appropriate technical and organisational measures as described in Annex 2;
- assist the Customer, insofar as reasonably possible, in responding to data subject rights requests, the Service’s built-in export, correction and deletion tools being the primary means;
- assist the Customer with its obligations under Articles 32–36 UK GDPR (security, breach notification, impact assessments);
- notify the Customer without undue delay after becoming aware of a personal data breach affecting Customer Data;
- at the Customer’s choice, delete or return personal data at the end of the Agreement (per the Export Window), unless UK law requires storage;
- make available information reasonably necessary to demonstrate compliance and, no more than once in any 12-month period on 30 days’ notice, allow for audits at the Customer’s cost, without access to other customers’ data.
3. Sub-processors
3.1 The Customer grants Reload IT general written authorisation to engage the sub-processors listed in Annex 3 and to appoint replacements or additions. Reload IT will give at least 14 days’ notice of intended changes, during which the Customer may object on reasonable data protection grounds; if unresolved, the Customer’s sole remedy is to terminate the affected subscription and receive a pro-rata refund.
3.2 Reload IT will impose materially equivalent data protection obligations on sub-processors and remains responsible for their performance.
4. International transfers
4.1 Reload IT shall not transfer personal data outside the UK unless the transfer is covered by UK adequacy regulations or appropriate safeguards (including the UK IDTA or UK Addendum to the EU SCCs). Current details are in Annex 3.
5. Customer obligations
5.1 The Customer warrants it has a lawful basis for the personal data it uploads, has provided all required notices to data subjects, and that its instructions comply with data protection law. The Customer is responsible for configuring the Service (user roles, portal access, retention settings) appropriately.
5.2 The Customer shall not upload special category data or criminal offence data unless separately agreed in writing.
6. Liability
6.1 Each party’s liability under this DPA is subject to the exclusions and limitations in the Agreement, and liability under this DPA and the Agreement is a single aggregate cap. Nothing limits either party’s liability to data subjects or supervisory authorities where not permitted by law.
Annex 1 — Processing details
- Subject matter: provision of the MetlSys SaaS ERP platform for stainless steel stockholding.
- Duration: the term of the Agreement plus the Export Window and backup rotation period.
- Nature and purpose: hosting, storage, transmission, display, backup, document generation, AI-assisted extraction and analysis of uploaded documents, and related support.
- Data subjects: the Customer’s personnel and Authorised Users; the Customer’s own customers’, suppliers’ and carriers’ personnel; individuals named on trading documents.
- Personal data: names, business contact details, job titles, delivery addresses, signatures on documents, order and account references, portal login details, correspondence. No special category data is intended to be processed.
Annex 2 — Technical and organisational measures
- Multi-tenant isolation, with each organisation’s data separated at the database layer.
- Role-based access control (Super Admin / Company Admin / User) restricting access within each tenant.
- Encryption of data in transit (TLS); encryption at rest provided by hosting providers.
- Document access via signed, time-limited URLs.
- Authentication managed via Supabase Auth; password and session controls, with optional two-factor.
- Segregated environments and access controls for production systems; access limited to authorised personnel.
- Regular backups with defined rotation confirm backup/restore schedule.
- Vulnerability management and dependency updates.
Annex 3 — Approved sub-processors
- Supabase, Inc. — database, authentication and file storage — London, UK (eu-west-2).
- Railway Corp. — backend application hosting — EU/US.
- Vercel Inc. — website hosting and content delivery — Global edge network.
- Stripe Payments Europe, Ltd. — payment processing, billing and vat — EU/US.
- Anthropic — ai-assisted document extraction and analysis — US.
- Resend — transactional email and notifications — US/EU.