Data Processing Addendum
The UK GDPR Article 28 data-processing terms for sellers who send buyer delivery data and order files to Makr3D for fulfilment.
Last updated
1. Scope and order of precedence
This Data Processing Addendum forms part of the Terms of Service where Makr3D processes personal data on behalf of a seller under UK GDPR or equivalent data protection law. If this DPA conflicts with the Terms of Service, this DPA controls only for processor obligations.
2. Roles
For buyer delivery data and order data submitted by a seller for fulfilment, the seller is normally the controller and Makr3D is normally the processor. Makr3D is controller for its own seller account data, billing data, payment references, fraud prevention, security logs, support records, legal notices, tax, accounting, safety, audit and business records.
3. Processing details
| Subject matter | 3D-print fulfilment, packing, dispatch, support, returns, remakes and related platform services. |
|---|---|
| Duration | The life of the seller account, each order, and any required retention period for disputes, tax, safety, audit, fraud or legal records. |
| Nature and purpose | Receiving order data, producing goods, generating labels, shipping parcels, providing tracking, handling support, investigating issues and keeping required records. |
| Data subjects | Sellers, seller staff, buyers, recipients, customer support contacts and authorised representatives. |
| Personal data | Names, delivery addresses, email or phone where needed for delivery, order references, tracking, product choices, support messages, IP/log data and limited marketplace identifiers. |
| Special category data | Not intentionally required. Sellers must not submit special category data unless necessary, lawful and expressly agreed. |
4. Documented instructions
Makr3D will process processor data only on the seller's documented instructions, including instructions in the Terms of Service, order data, dashboard settings, API calls, integrations, support tickets and this DPA. If we believe an instruction breaches data protection law, we will tell the seller where lawful and reasonably practicable.
5. Confidentiality
Makr3D will ensure that people authorised to process processor data are subject to confidentiality obligations or an appropriate statutory duty of confidentiality. Access is limited to those who need it for fulfilment, platform operations, support, security, finance, compliance or legal reasons.
6. Security measures
Makr3D will implement appropriate technical and organisational measures for the nature of the processing, including access controls, authentication, private storage, role-gated admin workflows, logging, provider security controls, secrets management, transport encryption where supported, backup or recovery controls, and procedures for investigating incidents.
7. Subprocessors
The seller gives Makr3D general written authorisation to use subprocessors for the service. The current list is in the Subprocessor List. Makr3D will impose data-protection obligations on subprocessors that are intended to provide at least the same level of protection required by this DPA for the relevant processing. Makr3D remains responsible to the seller for subprocessor performance of processor obligations.
We may update the Subprocessor List as providers change. Where legally required or commercially reasonable for launch, we will provide notice through the platform, by email or by updating the policy page. A seller with a reasonable data-protection objection should contact us promptly.
8. International transfers
Some subprocessors, carriers, platforms, sellers or buyers may be outside the UK. Where Makr3D transfers processor data from the UK to a country without an applicable UK adequacy regulation, we will use a lawful transfer mechanism where required, such as the UK International Data Transfer Agreement, the UK Addendum to EU standard contractual clauses, binding provider terms or another lawful safeguard.
9. Assistance with rights requests
Makr3D will provide reasonable assistance to sellers for data-subject requests relating to processor data, taking into account the nature of the processing and information available to us. If a buyer contacts Makr3D directly about data controlled by a seller, we may refer the request to that seller unless Makr3D has its own controller obligation to respond.
10. Personal data breaches
Makr3D will notify affected sellers without undue delay after becoming aware of a personal data breach affecting processor data. The notice will include information reasonably available to us so the seller can assess its own notification duties. We may provide information in stages as an investigation develops.
11. DPIAs, regulators and audits
Makr3D will provide reasonable assistance for data protection impact assessments, prior consultation and regulator correspondence where required by law and related to our processing. We will make available information reasonably necessary to demonstrate compliance with this DPA, subject to confidentiality, security, privilege, third-party restrictions and reasonable limits. On-site audits require prior written agreement and must not compromise other sellers, platform security or provider confidentiality.
12. Return and deletion
On account closure or written request, Makr3D will delete or return processor data where reasonably possible unless retention is required or permitted for legal, tax, accounting, safety, fraud, IP, disputes, carrier claims, security, audit, backups or defence of claims. Backup and log deletion may follow normal lifecycle schedules.
13. Seller obligations
Sellers must provide clear instructions, maintain lawful bases and notices for their buyers, collect only data needed for fulfilment, avoid special category data unless agreed, keep account and API credentials secure, and respond to data rights requests or complaints where they are controller.