Effective Date 5 July 2025

1. Definitions Controller:

The party determining the purpose and means of processing personal data.

Processor: Hermetic Rubber Company Limited (SealStream), which processes data on behalf of the Controller.

Data Subject: An individual whose personal data is processed.

Personal Data: Any information relating to an identified or identifiable person.

2. Subject Matter and Duration

This DPA applies to all personal data processed by the Processor in providing services under any agreement with the Controller. It remains in force for the duration of the relationship between the parties and until all personal data is returned or deleted.

3. Nature and Purpose of Processing

The Processor may process personal data for the following purposes:

- Facilitating introductions between buyers and OEMs.
- Managing and communicating regarding transactions.
- Providing technical consulting and advisory services.
- Operating the SealStream platform and support systems.
- Ensuring secure financial transactions via third parties (e.g. Transpact).

4. Types of Personal Data

Typical personal data processed may include:

- Names, job titles, company contact information.
- Email addresses and phone numbers.
- Delivery or billing addresses.
- Communication records.

No special category or sensitive data is intended to be processed unless explicitly agreed.

5. Obligations of the Processor

The Processor shall: 

- Only process personal data on documented instructions from the Controller.
- Ensure personnel are subject to confidentiality obligations.
- Implement appropriate technical and organisational measures to ensure data security.
- Assist the Controller in responding to data subject rights.
- Notify the Controller without undue delay in the event of a personal data breach.
- Maintain records of processing activities.

6. Sub-Processors

The Controller authorises the use of sub-processors including:

- Transpact Limited, for secure escrow account processing.
- Wix.com Ltd - hosting and website infrastructure.
- OEMs (Original equipment manufacturers).
- Other sub-processors may be added with prior written notice.

The Processor ensures sub-processors are subject to equivalent data protection obligations.

7. Data Transfers

Where personal data is transferred outside the UK/EEA, the Processor will ensure appropriate safeguards are in place, such as:

- UK Addendum to the EU Standard Contractual Clauses (SCCs)
- Transfers to countries with adequacy decisions

8. Data Subject Rights

The Processor shall promptly notify the Controller of any request received from a data subject (e.g. access, deletion, rectification) and shall not respond unless authorised.

9. Return or Deletion of Data

At the end of the service relationship, the Processor shall, at the choice of the Controller:

- Return all personal data, or
- Delete all personal data, unless retention is required by law

10. Audit and Inspection

The Controller may audit the Processor's data handling practices upon reasonable written notice. The Processor shall make relevant records available and cooperate with any audit, subject to confidentiality obligations.

11. Liability

Each party's liability under this DPA is subject to the limitations and exclusions set out in the main agreement between the parties.

12. Governing Law

This DPA is governed by the laws of England and Wales, and the parties submit to the exclusive jurisdiction of the courts of England and Wales.

13. Contact

Hermetic Rubber Company Limited (SealStream)

Email: accounts@hermeticrubber.co.uk