DPA

Data Processing Addendum

The Data Processing Addendum (DPA) that governs how Oliver POS, as a processor, handles personal data on behalf of merchants subject to GDPR, UK GDPR, and similar data-protection laws.

Last updated: 2026-05-18

Roles

Where a merchant uses Oliver POS to process personal data of EU, EEA, UK, or Swiss data subjects, the merchant is the controller and Oliver POS Inc. is the processor.

Scope of processing

Oliver processes personal data (a) to provide the Oliver POS service to the merchant, (b) to facilitate the merchant's WooCommerce sync, and (c) to provide support. We do not process personal data for any other purpose without the merchant's documented instructions.

Sub-processors

Current sub-processors:

  • Amazon Web Services — infrastructure hosting (US + EU regions)
  • Vercel — front-end hosting and CDN
  • Stripe / Moneris / Vendara / Sensi Pay — payment processing (only where the merchant enables)
  • Postmark — transactional email
  • Intercom — customer support chat
  • Plausible / PostHog — anonymous product analytics

We notify merchants 30 days in advance of adding a new sub-processor. Merchants may object to a new sub-processor by writing to legal@oliverpos.com.

Transfer mechanisms

For transfers of EU/UK personal data to Canada we rely on the adequacy decision (Canada). For transfers to the United States we rely on Standard Contractual Clauses (SCCs) and, where applicable, the EU–U.S. Data Privacy Framework certification of the relevant sub-processor.

Security measures

Oliver implements appropriate technical and organisational measures per Art. 32 GDPR. See the Security Policy for the operational detail.

Data subject rights

Where a data subject contacts Oliver directly with a rights request about data held on behalf of a merchant, we forward the request to the merchant within 5 business days and assist the merchant in responding.

Audits

Merchants may audit Oliver's compliance with this DPA once per year, at the merchant's expense, on 30 days' notice. We provide third-party audit reports (when available) to satisfy most audit requirements without on-site visits.

Term and termination

This DPA applies for the term of the merchant's subscription. On termination, Oliver returns or deletes merchant personal data within 90 days, except where retention is legally required.

Signing the DPA

Enterprise merchants who require a signed DPA can request a countersigned copy from legal@oliverpos.com.

Questions? Email legal@oliverpos.com.