Data Processing Addendum

Last updated: 24 May 2026

This Data Processing Addendum ("DPA") sets out how Supplio ("Supplio", the Processor) processes personal data on behalf of business customers (the Controller) when providing the Supplio platform. It forms part of the Terms of Service and applies whenever Supplio processes personal data subject to the UK GDPR, the Data Protection Act 2018 or the EU GDPR on the Controller's behalf.

A signature-ready PDF version of this DPA is available on request — email founder@supplio.co.uk with the subject "DPA request". By accepting the Terms of Service, the Controller is treated as having executed this DPA.

1. Definitions

Terms used in this DPA have the meanings given to them in the UK GDPR and the EU GDPR. "Customer Personal Data" means personal data within the Customer Data (as defined in the Terms of Service) that is processed by Supplio on behalf of the Controller. "UK Addendum" means the UK International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (version B1.0, issued by the ICO and laid before Parliament on 2 February 2022, as amended). "EU SCCs" means the standard contractual clauses for controller-to-processor or processor-to-processor transfers approved by the European Commission in decision (EU) 2021/914.

2. Roles and scope

The Controller is and remains the controller of Customer Personal Data; Supplio acts as processor (or, where applicable, as sub-processor for the Controller's own controller). Processing is carried out for the purpose of providing the Service and related support, billing and security activities described in the Terms of Service.

3. Subject-matter, duration, nature and purpose of processing

  • Subject matter: provision of the Supplio supplier management platform.
  • Duration: for the duration of the Subscription Term and for the post-termination period set out in section 11 of the Terms of Service.
  • Nature: hosting, storage, organisation, retrieval, use, disclosure to authorised users, transmission, anonymisation, deletion.
  • Purpose: to enable the Controller and its authorised users to onboard, manage, score and audit suppliers; to enable suppliers to submit information through the supplier portal; to deliver communications, billing and support.
  • Categories of data subjects: the Controller's personnel, the Controller's suppliers and the suppliers' personnel.
  • Categories of personal data: identity and contact data (name, email, phone, role), authentication data, employer and organisational data, business addresses, certifications, insurance policy details, supplier risk and performance scoring inputs, free-text fields submitted by the Controller or by suppliers, technical data (IP address, user-agent, session and audit-log entries).
  • Special-category data: Supplio does not require special-category personal data and asks the Controller not to upload it. If the Controller chooses to do so, the Controller is responsible for the Article 9 condition relied on.
  • Criminal-conviction data: not knowingly processed.
  • Children: the Service is not directed to children. Personal data about persons under 18 must not be uploaded.

4. Supplio's obligations as processor

Supplio will:

  • process Customer Personal Data only on documented instructions from the Controller (the Terms of Service, the order, the configuration in the platform and lawful written requests from the Controller). If Supplio is required by law to process Customer Personal Data otherwise, it will inform the Controller of that requirement before processing, unless prohibited from doing so;
  • ensure that all personnel authorised to process Customer Personal Data are bound by appropriate confidentiality obligations;
  • implement and maintain the technical and organisational security measures described in section 7 and in our Security Statement;
  • assist the Controller, taking into account the nature of the processing and the information available to Supplio, in responding to data-subject rights requests (section 8) and in meeting the Controller's obligations under Articles 32 to 36 of the UK GDPR (security, breach notification, data-protection impact assessments, prior consultation);
  • at the Controller's choice, delete or return all Customer Personal Data after the end of the provision of the Service, subject to the post-termination export window in the Terms of Service and any retention required by law;
  • make available to the Controller all information reasonably necessary to demonstrate compliance with this DPA, and allow for and contribute to audits conducted by the Controller or an auditor mandated by the Controller, subject to section 10.

5. Sub-processors

The Controller authorises Supplio to engage sub-processors to provide the Service. The current list of sub-processors, including the country in which each operates, the nature of the processing they carry out and the safeguards in place, is published at /legal/sub-processors.

Supplio will give the Controller at least 30 days' advance notice of any new or replacement sub-processor by updating the sub-processors page and, where the Controller has subscribed, by email. The Controller may object on reasonable data-protection grounds within that notice period; if the objection cannot be resolved by reasonable means, the Controller may terminate the affected portion of the Service and receive a pro rata refund of any prepaid Fees for the unused remainder of the Subscription Term.

Supplio remains liable to the Controller for the acts and omissions of each sub-processor as if they were Supplio's own. Supplio enters into written agreements with each sub-processor imposing data-protection obligations no less protective than those in this DPA.

6. International data transfers

Supplio primarily stores Customer Personal Data in the United Kingdom or the European Economic Area. Where personal data is transferred from the UK to a country which is not the subject of UK adequacy regulations, Supplio relies on the UK Addendum to the EU SCCs. Where personal data is transferred from the EEA to a third country, Supplio relies on the EU SCCs. The Controller is treated as the data exporter and Supplio (or the relevant sub-processor) as the data importer under those clauses, in the appropriate module.

Where required by the UK Addendum or the EU SCCs, the parties make the supplemental commitments set out in those instruments, including in relation to onward transfers, government-access requests and data-subject redress.

7. Security measures

Supplio implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including in particular against accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Customer Personal Data. The current measures are summarised in our Security Statement and include:

  • encryption of Customer Personal Data in transit (TLS 1.2 or higher) and at rest (AES-256 or equivalent at the cloud-provider storage layer);
  • strong password requirements, breached-password screening against the Have I Been Pwned database, secure password hashing (bcrypt), account lockout and refresh-token rotation with re-use detection;
  • role-based access controls, segregated tenant databases for customer data, and an immutable application audit log;
  • rate limiting, origin/referrer protections and the use of an upstream CDN/WAF for DDoS mitigation;
  • operational logging that minimises personal data in error logs, with access restricted to authorised personnel;
  • regular vulnerability monitoring of platform dependencies, security review of significant changes and a documented vulnerability-disclosure channel.

8. Data-subject requests

Supplio will, taking into account the nature of the processing and the information available to it, assist the Controller by appropriate technical and organisational measures to enable the Controller to respond to requests from data subjects to exercise their rights under the UK GDPR. Supplio will not respond to a data-subject request directly except as instructed by the Controller, or where required by law. If a data subject contacts Supplio directly with a request that relates to Customer Personal Data, Supplio will forward the request to the Controller without undue delay.

9. Personal-data breach notification

Supplio will notify the Controller without undue delay, and in any event within 72 hours of becoming aware of a personal-data breach affecting Customer Personal Data. The notification will include, to the extent then known: the nature of the breach, the categories and approximate number of data subjects and records affected, the likely consequences, the measures taken or proposed and a contact point. Supplio will provide reasonable cooperation and updates to support the Controller in meeting any notification obligations to supervisory authorities or data subjects.

10. Audit rights

On reasonable prior written notice (and no more than once in any 12-month period, unless there has been a personal-data breach or a regulator requires more frequent audits), Supplio will respond to a reasonable security and compliance questionnaire from the Controller, and will make available copies of relevant certifications, attestations and audit summaries that Supplio holds. Where the Controller can reasonably demonstrate that those materials are insufficient, the Controller (or its mandated independent auditor) may, during normal business hours and subject to appropriate confidentiality obligations, conduct an on-site or remote audit at the Controller's cost. The parties will agree the scope, timing and cost of the audit in advance, in good faith.

11. Liability and order of precedence

Each party's liability under or in connection with this DPA is subject to the limitations and exclusions set out in section 17 (Limitation of liability) of the Terms of Service. In case of conflict between this DPA and the Terms of Service in relation to the processing of personal data, this DPA prevails. To the extent the UK Addendum or the EU SCCs apply, those clauses prevail over this DPA in case of conflict, to the extent of the conflict and only in relation to the relevant transfer.

12. Governing law

This DPA is governed by the laws of England and Wales, except where the UK Addendum or the EU SCCs specify otherwise for the matters they govern.

13. Contact

Questions or requests under this DPA? Email privacy@supplio.co.uk with the subject "DPA".