Data Processing Addendum (Controller–Processor)
Last updated: February 3, 2026
Parties
This Data Processing Addendum (“DPA”) forms part of and is subject to the
[Master Services Agreement / Vendor Terms] between:
- Controller: [Vendor legal name], with registered address [address] (“Vendor”); and
- Processor: MineralCache, LLC · P.O. Box 5, Llano, TX 78643, USA (“MineralCache”).
If the parties process UK or EEA/Swiss personal data transferred to the U.S., this DPA incorporates the EU Standard Contractual Clauses and the UK Addendum as set out below.
1) Scope and relationship to the Agreement
This DPA governs MineralCache’s Processing of Personal Data on behalf of Vendor to provide the Services under the Agreement. The parties acknowledge that, for the Processing described in Annex I, Vendor is the Controller and MineralCache is the Processor. For Processing MineralCache undertakes for its own purposes (e.g., fraud prevention, platform security, compliance), each party acts as an independent Controller for its respective Processing, and this DPA does not apply to such independent Controller Processing.
2) Definitions
Capitalized terms not defined here have the meanings in the Agreement or applicable Data Protection Laws. “Data Protection Laws” means GDPR/UK GDPR and applicable U.S. privacy laws (including the CCPA/CPRA). “Personal Data” means any information relating to an identified or identifiable natural person. “Process,” “Controller,” “Processor,” “Sub-Processor,” and “Data Subject” have the meanings given in Data Protection Laws.
3) Processing instructions
- MineralCache will Process Personal Data only on documented instructions from Vendor, including with respect to international transfers, unless required by law.
- Vendor instructs MineralCache to Process Personal Data as necessary to provide the Services described in Annex I, to engage Sub-Processors per Section 7, and to take measures reasonably necessary for platform security, incident response, and compliance.
- If an instruction violates Data Protection Laws, MineralCache will inform Vendor without undue delay.
4) Vendor responsibilities
- Vendor is responsible for the accuracy, quality, and lawfulness of Personal Data and for the means by which it acquired Personal Data, including providing any required notices and obtaining valid consents.
- Vendor will not instruct MineralCache to Process special categories of data unless expressly agreed in writing.
5) Confidentiality
MineralCache ensures persons authorized to Process Personal Data are bound by confidentiality obligations and access is limited to those with a need to know for the Services.
6) Security
MineralCache will implement appropriate technical and organizational measures to protect Personal Data, as described in Annex II, taking into account the nature of Processing and the risks. Vendor is responsible for configuring and using the Services in a secure manner.
7) Sub-Processors
- Vendor authorizes MineralCache to engage Sub-Processors to support the Services. Current Sub-Processors are listed in Annex III.
- MineralCache will impose data protection terms on Sub-Processors no less protective than this DPA and remains responsible for their performance.
- MineralCache will notify Vendor of changes to Sub-Processors and provide an opportunity to object on reasonable, data-protection grounds. If the parties cannot resolve an objection, Vendor may suspend the affected Services without penalty.
8) Assistance
- Data Subject requests: Taking into account the nature of Processing, MineralCache will assist Vendor by appropriate technical and organizational measures, insofar as possible, for responding to requests to exercise rights under Data Protection Laws.
- DPIAs and consultations: MineralCache will assist Vendor with data protection impact assessments and prior consultations with supervisory authorities, as required and reasonable.
9) Personal Data breaches
After becoming aware of a Personal Data Breach affecting Personal Data Processed for Vendor, MineralCache will notify Vendor without undue delay and provide information reasonably available to assist Vendor in meeting its obligations, including regulatory notifications and communications to Data Subjects.
10) Deletion and return
Upon termination or expiration of the Agreement, MineralCache will, at Vendor’s choice, delete or return Personal Data and delete existing copies within a commercially reasonable period, unless retention is required by law or for archiving, audit, or dispute-resolution purposes.
11) Audits
- MineralCache will make available information necessary to demonstrate compliance with this DPA and will allow for and contribute to audits conducted by Vendor or an independent auditor mandated by Vendor, once annually and additionally upon a justified request following a material incident.
- Audits shall be subject to reasonable confidentiality, scheduling, and scope limitations, and Vendor will bear its own costs and MineralCache’s reasonable support costs.
12) International transfers
- To the extent Vendor Personal Data is transferred from the EEA to a third country lacking an adequacy decision, the parties incorporate the EU Commission’s Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) as follows:
  - Module 2 (Controller → Processor) for transfers from Vendor to MineralCache.
  - Module 3 (Processor → Processor) for onward transfers to Sub-Processors.
  Annex I–II to the SCCs are completed by Annex I–II to this DPA. The parties select the governing law and courts of Ireland for SCC purposes unless otherwise agreed in writing.
- For UK transfers, the ICO-approved International Data Transfer Addendum (IDTA/Addendum to the EU SCCs) is incorporated; for Swiss transfers, the Swiss Addendum is incorporated.
- The parties will implement supplementary measures as reasonably required by Transfer Impact Assessments.
13) CCPA/CPRA service provider terms
- MineralCache shall act as Vendor’s “service provider” or “contractor” and shall not sell or share Personal Information, retain, use, or disclose it for any purpose other than providing the Services, or combine it with Personal Information from other sources except as permitted by law.
- MineralCache will notify Vendor if it can no longer meet these obligations and will allow Vendor to take reasonable steps to stop and remediate unauthorized use.
- MineralCache shall pass down equivalent restrictions to Sub-Processors.
14) Liability; order of precedence
Each party’s liability arising from or in connection with this DPA is subject to the limitations and exclusions set out in the Agreement, except to the extent prohibited by Data Protection Laws or the SCCs. In the event of conflict between this DPA and the Agreement, this DPA prevails to the extent of the conflict; in the event of conflict between this DPA and the SCCs, the SCCs prevail.
15) Term
This DPA remains in force for the duration of the Agreement and thereafter as long as MineralCache Processes Personal Data for Vendor.
Signatures
Vendor: ____________________ Date: ___________
MineralCache, LLC: ____________________ Date: ___________
Annex I – Details of Processing
A. Subject matter and duration
Provision of the marketplace platform and related Services to Vendor under the Agreement; duration: term of the Agreement plus any legally required retention.
B. Nature and purpose
Hosting listings and media; facilitating orders, payments, shipping, support; fraud prevention; platform security; analytics configured by Vendor.
C. Categories of Data Subjects
- Vendor’s customers and prospective customers
- Vendor personnel (account users, admins)
D. Categories of Personal Data
- Identification: name, username, contact details
- Order and delivery details: shipping address, items purchased, order history
- Support communications and preferences
- Technical data: IP address, device identifiers, logs
- Payment tokens and status data from payment processors (no raw card data stored by MineralCache)
E. Special categories
Not intended. Vendor will not instruct MineralCache to Process special categories unless agreed in writing.
F. Retention
As necessary to provide the Services and meet legal, accounting, or audit obligations, then securely deleted or anonymized.
Annex II – Technical and Organizational Measures
- Governance: documented security program; risk assessments; personnel security and access reviews.
- Access control: role-based access; least privilege; MFA for privileged access; session management.
- Data protection: encryption in transit (TLS) and at rest where supported; key management; data minimization.
- Secure development: code review; dependency scanning; vulnerability management; change management; logging and monitoring.
- Business continuity: backups; recovery procedures; availability and capacity planning.
- Incident response: defined runbooks; breach triage and notification procedures; post-incident review.
- Vendor management: Sub-Processor due diligence; contractual security obligations; ongoing monitoring.
- Physical security: secured facilities provided by reputable infrastructure providers.
- Training and awareness: onboarding and periodic security/privacy training.
Annex III – Authorized Sub-Processors
| Sub-Processor | Location | Purpose | Data categories |
| Stripe, Inc. | USA/EU | Payments processing | Order metadata, payment status, tokens |
| Render Services, Inc. | USA/EU | Hosting and storage | Platform data, logs, media |
| Plus Five Five, Inc. | USA/EU | Transactional communications | Contact info, order notifications |
Note: This DPA is intended to satisfy GDPR Art. 28 controller–processor requirements and CPRA service provider terms.
For cross-border transfers, the EU SCCs (2021/914) and applicable UK/Swiss addenda are incorporated by reference.