
Data Processing Agreement

Last updated: 21st August 2025

This Data Processing Agreement ("Agreement") forms part of the agreement between you ("Controller") and iTOM ("Processor"), in relation to the use of the iTOM platform.
This Agreement sets out the terms under which iTOM processes personal data on behalf of users in accordance with the UK General Data Protection Regulation (UK GDPR) and Data Protection Act 2018.

  1. Definitions
    • Controller: The user (individual or organisation) that determines the purposes and means of processing personal data.
    • Processor: iTOM, acting on behalf of the Controller by processing data solely for the purposes of delivering its services.
    • Data Subject: An individual whose personal data is processed.
    • Personal Data: Any data that can directly or indirectly identify an individual.
    • Services: The multi-channel listing and inventory management services provided by iTOM.
  2. Subject Matter of Processing
    • Create and manage product listings
    • Sync listings across connected marketplaces
    • Enable inventory tracking and stock updates
    • Provide technical and customer support
    • Maintain usage and performance analytics
    • Deliver core functionality and platform improvements
  3. Duration of Processing
    This Agreement shall remain in force for as long as the Controller uses iTOM services and requires iTOM to process personal data on their behalf.
  4. Types of Personal Data Processed
    • Contact information (e.g. names, emails, phone numbers)
    • Marketplace account identifiers
    • Customer or order data (where imported or connected via API/spreadsheet)
    • Product information associated with listings (including seller profile data)
    • Technical information (e.g. IP addresses, login data, system logs)
    Note: iTOM does not intentionally collect special category data (e.g. health, religion, political opinions).
  5. Obligations of the Controller
    • Ensure that it has all necessary rights and lawful bases to submit personal data to iTOM
    • Ensure that data shared with iTOM is accurate, relevant, and limited to what is necessary
    • Comply with all applicable laws and data protection regulations
    • Not use iTOM to process sensitive personal data unless agreed in writing
  6. Obligations of the Processor (iTOM)
    • Only process personal data on the Controller’s documented instructions, unless otherwise required by law
    • Implement appropriate technical and organisational measures to protect personal data
    • Ensure all staff handling personal data are subject to confidentiality obligations
    • Assist the Controller with data subject rights requests, such as access or deletion
    • Notify the Controller without undue delay in the event of a data breach
    • Provide necessary information for audits or inspections relating to data processing
    • Upon request or termination, delete or return personal data to the Controller
  7. Sub-processors
    iTOM may engage third-party service providers (e.g. cloud hosting, analytics, support tools) as Sub-processors. All Sub-processors are bound by written agreements and data protection obligations equivalent to those set out in this DPA.
    A list of current Sub-processors can be provided upon request. iTOM will notify the Controller of any changes to Sub-processors and allow a reasonable objection period.
  8. International Data Transfers
    • Adequacy decisions
    • Standard Contractual Clauses (SCCs)
    • Binding corporate rules or equivalent protections
    If personal data is transferred outside the UK or EEA, iTOM will ensure appropriate safeguards are in place.
  9. Security
    • Prevent unauthorised access, loss, or destruction of data
    • Ensure system integrity, access control, and secure data transmission
    • Perform regular risk assessments and platform monitoring
  10. Data Subject Requests
    If iTOM receives a data subject request relating to data controlled by the user, it will promptly notify the Controller and provide reasonable assistance in fulfilling the request in accordance with applicable law.
  11. Data Breach Notification
    • Notify the Controller without undue delay
    • Provide details of the breach, including scope, cause, and mitigation actions
    • Cooperate with the Controller to resolve the incident
  12. Termination
    • Delete all personal data (unless otherwise required by law), or
    • Return data to the Controller if requested within 30 days of termination
    Data may remain in system backups for up to 90 days before being permanently deleted.
  13. Governing Law
    This Agreement shall be governed by and construed in accordance with the laws of England and Wales. Any disputes shall be subject to the exclusive jurisdiction of the courts of England and Wales.
  14. Contact
    For all data protection-related enquiries, contact:
    dpo@itomconnect.com

Signed electronically as part of your agreement to use iTOM’s services.