Data Processing Agreement

This Data Processing Agreement (“DPA”) forms part of the Terms of Service or other agreement between ResellPortal (“Processor”, “we”, “us”) and the reseller account holder (“Controller”, “you”) governing your use of the ResellPortal platform (the “Services”).

This DPA applies where and to the extent that ResellPortal processes Personal Data on behalf of the Controller in connection with the provision of the Services, and such processing is subject to applicable Data Protection Laws including but not limited to the EU General Data Protection Regulation 2016/679 (“GDPR”), the UK GDPR, the California Consumer Privacy Act (“CCPA”), and other applicable data protection legislation.

1. Definitions

In this DPA, the following terms have the meanings set out below. Capitalized terms not defined herein shall have the meaning given to them in the principal agreement or applicable Data Protection Laws.

  1. “Personal Data” means any information relating to an identified or identifiable natural person that is processed by the Processor on behalf of the Controller in connection with the Services.
  2. “Data Protection Laws” means all applicable laws and regulations relating to the processing of Personal Data, including the GDPR, the UK GDPR, the CCPA, and any national implementing legislation.
  3. “Processing” means any operation or set of operations performed on Personal Data, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure, or destruction.
  4. “Data Subject” means the identified or identifiable natural person to whom the Personal Data relates, including your authorized users and your end-user customers and clients (see Annex A).
  5. “Sub-processor” means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
  6. “Security Incident” means any confirmed unauthorized or unlawful breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.
  7. “SCCs” means the Standard Contractual Clauses for the transfer of personal data to third countries adopted by the European Commission (Commission Implementing Decision (EU) 2021/914).
  8. “EU-US DPF” means the EU-U.S. Data Privacy Framework as adopted by the European Commission adequacy decision of July 10, 2023.

2. Scope and Roles

  1. Controller. You (the reseller) determine the purposes and means of the processing of your end-user customers’ Personal Data. You are the Controller under applicable Data Protection Laws.
  2. Processor. ResellPortal processes Personal Data solely on your behalf and in accordance with your documented instructions to provide the Services. ResellPortal acts as the Processor.
  3. Sub-processor relationship. Where you yourself process Personal Data as a processor on behalf of your end-user customers (for example, where a business client of yours is the controller of data handled in a hosted application or payment flow provisioned through ResellPortal), ResellPortal acts as a Sub-processor to you. In every case you remain responsible for establishing lawful bases and providing privacy notices to your end-user customers.

3. Details of Processing

The subject matter, duration, nature, purpose, types of Personal Data, and categories of Data Subjects are described in Annex A of this DPA.

4. Controller Obligations

The Controller warrants and undertakes that:

  1. It has a lawful basis for the processing of Personal Data and has provided all required notices and obtained all required consents from Data Subjects, where applicable.
  2. It shall comply with all applicable Data Protection Laws in respect of its use of the Services and its instructions to the Processor.
  3. It is responsible for maintaining its own privacy policy that accurately describes its data processing activities, including the use of ResellPortal as a service provider.
  4. It shall promptly notify the Processor of any data subject requests it receives that require the Processor’s assistance.

5. Processor Obligations

The Processor shall:

  1. Process Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to a third country, unless required to do so by applicable law, in which case the Processor shall inform the Controller of that legal requirement before processing unless prohibited from doing so.
  2. Ensure that persons authorized to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
  3. Implement and maintain the technical and organizational security measures described in Annex B.
  4. Not engage another processor (Sub-processor) without prior specific or general written authorization of the Controller, subject to Section 8 below.
  5. Assist the Controller, taking into account the nature of processing, by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the Controller’s obligation to respond to Data Subject requests.
  6. Assist the Controller in ensuring compliance with its obligations regarding security of processing, notification of Security Incidents, data protection impact assessments, and prior consultation with supervisory authorities.
  7. At the choice of the Controller, delete or return all Personal Data to the Controller after the end of the provision of Services, and delete existing copies unless applicable law requires storage.
  8. Make available to the Controller all information necessary to demonstrate compliance with the obligations set out in this DPA and applicable Data Protection Laws, and allow for and contribute to audits and inspections conducted by the Controller or an auditor mandated by the Controller.

6. Security Measures

  1. The Processor shall implement and maintain appropriate technical and organizational measures to protect Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, damage, theft, or disclosure. These measures are detailed in Annex B.
  2. The Processor shall regularly test, assess, and evaluate the effectiveness of technical and organizational measures for ensuring the security of the processing.
  3. The Controller acknowledges that security measures are subject to technical progress and development, and the Processor may update the security measures from time to time provided that such updates do not materially decrease the overall security of the Services.

7. Security Incident Notification

  1. The Processor shall notify the Controller without undue delay, and in any event within 48 hours, after becoming aware of a Security Incident affecting the Controller’s Personal Data.
  2. Such notification shall include, to the extent reasonably available:
    • A description of the nature of the Security Incident, including the categories and approximate number of Data Subjects and Personal Data records concerned;
    • The name and contact details of the Processor’s point of contact;
    • A description of the likely consequences of the Security Incident;
    • A description of the measures taken or proposed to be taken to address the Security Incident, including measures to mitigate its possible adverse effects.
  3. The Processor shall cooperate with the Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of each Security Incident.

8. Sub-processors

  1. The Controller provides general written authorization for the Processor to engage Sub-processors to assist in providing the Services. The current list of Sub-processors is set out in Annex C.
  2. The Processor shall notify the Controller of any intended changes concerning the addition or replacement of Sub-processors by updating the Sub-processor list and providing notice via email or through the platform dashboard, giving the Controller an opportunity to object to such changes within 30 days.
  3. If the Controller reasonably objects to a new Sub-processor on legitimate data protection grounds, the Processor shall use commercially reasonable efforts to make available an alternative arrangement. If no alternative is reasonably available, either party may terminate the affected Services.
  4. The Processor shall impose data protection obligations on each Sub-processor no less protective than those set out in this DPA by way of a written contract. The Processor shall remain fully liable to the Controller for the performance of each Sub-processor’s obligations.

9. Data Subject Rights

  1. The Processor shall, to the extent legally permitted, promptly notify the Controller if it receives a request from a Data Subject in respect of their Personal Data. The Processor shall not respond to such request directly except on the documented instructions of the Controller or as required by applicable law.
  2. The Processor shall assist the Controller by appropriate technical and organizational measures, insofar as possible, in fulfilling the Controller’s obligation to respond to requests from Data Subjects exercising their rights under Data Protection Laws, including:
    • Right of access
    • Right to rectification
    • Right to erasure (“right to be forgotten”)
    • Right to restriction of processing
    • Right to data portability
    • Right to object to processing
  3. The Controller may export, retrieve, or request deletion of client data through the ResellPortal platform interface, API, or by contacting ResellPortal support.

10. International Data Transfers

  1. The Processor’s primary infrastructure is located in the United States. The Controller acknowledges and authorizes the processing of Personal Data in the United States subject to the safeguards described in this section.
  2. For transfers of Personal Data from the EEA, UK, or Switzerland to the United States, the Processor relies on the following transfer mechanisms in order of applicability:
    • EU-U.S. Data Privacy Framework (DPF): Where the Processor or its Sub-processors are certified under the EU-U.S. Data Privacy Framework (and, for UK and Swiss transfers, under its UK Extension and the Swiss-U.S. Data Privacy Framework respectively), such certification serves as the lawful transfer mechanism.
    • Standard Contractual Clauses (SCCs): Where the DPF does not apply, the parties agree that transfers shall be governed by the SCCs (Commission Implementing Decision (EU) 2021/914), Module Two (Controller to Processor), or Module Three (Processor to Processor) where the Controller itself acts as a processor under Section 2.3. The SCCs are hereby incorporated by reference into this DPA. For UK transfers, the UK International Data Transfer Addendum to the SCCs shall apply.
  3. The Processor has conducted a transfer impact assessment and implements supplementary measures including encryption in transit, access controls, and contractual protections with Sub-processors to ensure an essentially equivalent level of protection for transferred Personal Data.
  4. The Processor shall promptly inform the Controller if it becomes aware of any legal requirement that would prevent it from fulfilling its obligations under this DPA, including any government access request for Personal Data.

11. Data Retention and Deletion

  1. The Processor shall retain Personal Data only for as long as necessary to provide the Services or as required by applicable law.
  2. Upon termination or expiration of the Services, or upon the Controller’s written request, the Processor shall:
    • Delete or return all Personal Data within 30 days, unless applicable law requires further retention;
    • Delete existing copies of Personal Data within 90 days, unless retention is required by law;
    • Provide written confirmation of deletion upon the Controller’s request.
  3. Transaction records and billing data may be retained for up to 7 years after termination to comply with tax, accounting, and legal obligations.

12. Audits

  1. The Processor shall make available to the Controller, on request, all information reasonably necessary to demonstrate compliance with the obligations set out in this DPA.
  2. The Controller (or its appointed third-party auditor, subject to reasonable confidentiality obligations) may conduct an audit of the Processor’s processing activities and security measures no more than once per calendar year, with at least 30 days prior written notice.
  3. Audits shall be conducted during normal business hours, shall not unreasonably interfere with the Processor’s operations, and shall be at the Controller’s expense.
  4. If an audit reveals material non-compliance, the Processor shall promptly remediate the identified issues at its own cost.

13. Liability

  1. Each party’s liability under this DPA shall be subject to the limitations and exclusions of liability set out in the principal agreement between the parties.
  2. Nothing in this DPA limits or excludes either party’s liability for damages arising from a breach of Data Protection Laws to the extent that such limitation or exclusion is not permitted under applicable law.

14. Term and Termination

  1. This DPA shall come into effect on the date the Controller accepts the Terms of Service or begins using the Services, whichever is earlier, and shall remain in effect for the duration of the Processor’s processing of Personal Data on behalf of the Controller.
  2. The obligations of the Processor under this DPA shall survive termination or expiration of the principal agreement to the extent that the Processor continues to process Personal Data on behalf of the Controller.

15. Governing Law and Jurisdiction

  1. This DPA shall be governed by and construed in accordance with the laws that govern the principal agreement between the parties, unless otherwise required by applicable Data Protection Laws.
  2. For Controllers located in the EEA, this DPA is governed by the laws of the Republic of Ireland. For Controllers located in the United Kingdom, this DPA is governed by the laws of England and Wales.

16. GDPR Compliance Statement

  1. The Processor confirms that it processes Personal Data in compliance with the GDPR and applicable EU/EEA data protection legislation. This includes adherence to the principles of lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity, confidentiality, and accountability.
  2. The Processor does not sell Personal Data, does not use Personal Data for purposes other than providing the Services, and does not combine Personal Data received from the Controller with data obtained from other sources except as necessary to provide the Services.
  3. The Processor maintains a record of processing activities (Article 30 GDPR) for all processing carried out on behalf of Controllers.
  4. Data Protection Contact: For all data protection inquiries, requests from supervisory authorities, or matters requiring coordination with a representative in the European Union, Controllers and authorities may contact:

    Email: privacy@resellportal.com
    Subject line: “Data Protection Inquiry”

    The Processor will respond to all inquiries within 10 business days and will coordinate with appropriate local contacts within the EEA where required.

17. Amendments

  1. ResellPortal may update this DPA from time to time to reflect changes in Data Protection Laws, our processing activities, or security measures. We will notify Controllers of material changes via email or through the platform at least 30 days before they take effect.
  2. Continued use of the Services after the effective date of an updated DPA constitutes acceptance of the revised terms. If the Controller does not agree with the changes, the Controller may terminate the Services before the updated DPA takes effect.

Annex A — Details of Processing

Subject Matter: Provision of the ResellPortal white-label reseller platform, including service provisioning, client management, billing, support, and storefront hosting.

Duration: For the term of the principal agreement plus any retention period described in Section 11.

Nature and Purpose: Processing is carried out to: provision and manage digital services on behalf of the Controller; manage end-user client accounts and authentication; process payments and maintain billing records; deliver transactional communications; provide support ticketing; generate analytics and reports.

Categories of Data Subjects:
  • Resellers (Controller’s authorized users)
  • End-user customers/clients of the reseller

Types of Personal Data:
  • Identity data: name, email address, phone number, company name
  • Authentication data: hashed passwords, session tokens, password reset tokens
  • Financial data: payment processor customer identifiers, payment method references, transaction history, billing amounts, balance records
  • Service data: provisioned subdomains, account usernames, license keys, service configuration
  • Communications data: support ticket content, email correspondence
  • Usage data: storefront analytics, visit counts, notification logs
  • Technical data: IP addresses (for rate limiting and security), browser metadata

Sensitive/Special Category Data: None. The Processor does not knowingly collect or process special category data. The Controller must not submit sensitive personal data through the Services.

Annex B — Technical and Organizational Security Measures

The Processor maintains the following security measures to protect Personal Data:

Access Controls

  • Role-based access control for platform administration
  • Anti-forgery token verification for authenticated requests
  • Session token authentication for client accounts; tokens are stored server-side only as SHA-256 hashes and expire 24 hours after issuance
  • Rate limiting on authentication endpoints (5 failed attempts per 15 minutes triggers lockout)
  • Rate limiting on financial operations (5 failed attempts per 30 minutes triggers 1-hour lockout)

Data Protection

  • Password hashing using bcrypt (PHP’s PASSWORD_DEFAULT, which currently selects bcrypt with a per-password salt)
  • Transport encryption via TLS/HTTPS for all client-facing communications
  • Parameterized database queries to prevent SQL injection
  • CORS policy enforcement on API endpoints
  • Payment card data handled via PCI DSS Level 1 certified payment processor infrastructure — no raw card data is stored on ResellPortal servers
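The access-control and data-protection measures listed above (bcrypt password hashing via PASSWORD_DEFAULT, SHA-256-hashed session tokens with a 24-hour expiry, and lockout after 5 failed login attempts in 15 minutes) are illustrated below in an added PHP example. It is not ResellPortal’s code: the in-memory stores, class and function names, the hex token format and the sample account are assumptions made for the illustration, and only the parameters named in Annex B are taken from this page.

```php
<?php
declare(strict_types=1);

// Added illustration of the Annex B access-control measures; not ResellPortal's code.
// In-memory arrays stand in for the platform's database tables (assumption).

const SESSION_TTL_SECONDS    = 24 * 60 * 60; // 24-hour session expiry (Annex B)
const LOCKOUT_MAX_FAILURES   = 5;            // 5 failed attempts ...
const LOCKOUT_WINDOW_SECONDS = 15 * 60;      // ... within 15 minutes triggers lockout (Annex B)

final class ClientAuth
{
    /** @var array<string, string> email => bcrypt hash produced by password_hash() */
    private array $passwords = [];
    /** @var array<string, array{email: string, expires: int}> sha256(token) => session */
    private array $sessions = [];
    /** @var array<string, int[]> email => timestamps of recent failed logins */
    private array $failures = [];
    /** Hash verified for unknown accounts so timing does not reveal whether an email exists. */
    private string $dummyHash;

    public function __construct()
    {
        $this->dummyHash = password_hash(bin2hex(random_bytes(16)), PASSWORD_DEFAULT);
    }

    public function register(string $email, string $password): void
    {
        // PASSWORD_DEFAULT currently selects bcrypt; the per-password salt and cost
        // are generated by password_hash() and embedded in the stored string.
        $this->passwords[$email] = password_hash($password, PASSWORD_DEFAULT);
    }

    /** Returns the plaintext session token on success, null on failure or lockout. */
    public function login(string $email, string $password, int $now): ?string
    {
        if ($this->isLockedOut($email, $now)) {
            return null; // refuse outright; the password is not evaluated while locked out
        }
        $known  = isset($this->passwords[$email]);
        $stored = $known ? $this->passwords[$email] : $this->dummyHash;
        // bcrypt is evaluated for unknown accounts too, so the response time is uniform.
        $ok = password_verify($password, $stored) && $known;
        if (!$ok) {
            $this->failures[$email][] = $now;
            return null;
        }
        unset($this->failures[$email]);
        // Transparently upgrade hashes when PASSWORD_DEFAULT's algorithm or cost changes.
        if (password_needs_rehash($stored, PASSWORD_DEFAULT)) {
            $this->passwords[$email] = password_hash($password, PASSWORD_DEFAULT);
        }
        // 256 bits from the CSPRNG; only the SHA-256 of the token is persisted, so a
        // leaked sessions table cannot be replayed as live sessions.
        $token = bin2hex(random_bytes(32));
        $this->sessions[hash('sha256', $token)] = [
            'email'   => $email,
            'expires' => $now + SESSION_TTL_SECONDS,
        ];
        return $token;
    }

    /** Resolves a presented token to an account email, or null if unknown or expired. */
    public function authenticate(string $token, int $now): ?string
    {
        $key     = hash('sha256', $token);
        $session = $this->sessions[$key] ?? null;
        if ($session === null) {
            return null;
        }
        if ($session['expires'] <= $now) {
            unset($this->sessions[$key]); // expired sessions are purged on first use after expiry
            return null;
        }
        return $session['email'];
    }

    private function isLockedOut(string $email, int $now): bool
    {
        // Keep only failures inside the sliding 15-minute window, then count them.
        $recent = array_filter(
            $this->failures[$email] ?? [],
            fn (int $t): bool => $t > $now - LOCKOUT_WINDOW_SECONDS
        );
        $this->failures[$email] = array_values($recent);
        return count($recent) >= LOCKOUT_MAX_FAILURES;
    }
}

// Constructed walkthrough with a sample account (not a real user).
$auth = new ClientAuth();
$t0   = 1_700_000_000;
$auth->register('client@example.com', 'correct horse battery staple');

for ($i = 0; $i < LOCKOUT_MAX_FAILURES; $i++) {
    $auth->login('client@example.com', 'wrong-password', $t0 + $i);
}
// Still inside the window: refused even though the password is now correct.
var_dump($auth->login('client@example.com', 'correct horse battery staple', $t0 + 60));
// After the window has passed, the correct password yields a token ...
$token = $auth->login('client@example.com', 'correct horse battery staple', $t0 + LOCKOUT_WINDOW_SECONDS + 1);
var_dump($auth->authenticate($token, $t0 + LOCKOUT_WINDOW_SECONDS + 2));
// ... which stops resolving once 24 hours have elapsed since issuance.
var_dump($auth->authenticate($token, $t0 + LOCKOUT_WINDOW_SECONDS + 1 + SESSION_TTL_SECONDS));
```

Two details matter for the Annex B commitments: the lockout counter is evaluated before the password so a locked account cannot be brute-forced during the window, and the sessions store never holds the token itself, which is what makes the “SHA-256 hashing” of session tokens a meaningful protection rather than a cosmetic one.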

Infrastructure Security

  • Server infrastructure hosted on professionally managed cloud providers
  • Application-level firewall and request filtering
  • API key authentication for third-party service integrations
  • Separation of credential storage from application logic

Operational Security

  • Automated service status monitoring and failure detection
  • API request logging for audit trail purposes
  • Notification system for billing failures and account events
  • Webhook signature verification for payment processing events

Incident Response

  • Documented incident response procedures
  • 48-hour notification commitment for confirmed Security Incidents
  • Transaction logging for forensic analysis capability

Annex C — Authorized Sub-processor Categories

ResellPortal engages the following categories of Sub-processors to deliver the Services. Specific provider identities are confidential to protect the integrity of the white-label platform and are available to Controllers upon execution of a mutual non-disclosure agreement.

Primary Payment Processor
  Purpose: Payment processing, recurring billing, and merchant account management via connected accounts
  Data processed: Name, email, payment method tokens, transaction amounts, customer identifiers
  Location: United States

Secondary Payment Processor
  Purpose: Alternative payment processing for supported payment methods
  Data processed: Name, email, transaction amounts, payer identifiers
  Location: United States

Authentication Provider
  Purpose: Third-party OAuth sign-in (optional social login)
  Data processed: Account ID, name, email, profile photo URL
  Location: United States

Cloud Infrastructure Provider
  Purpose: Server hosting for platform and deployed service instances (CRM, E-Commerce, Website Builder, Appointments, Web Hosting, Invoicing, AI Tools, Social Media Automation, Doc Signer)
  Data processed: Email, name, business name, subdomain, branding preferences, service configuration data
  Location: United States

Domain Registration Provider
  Purpose: Domain name registration, renewal, and DNS management
  Data processed: Domain registrant contact details as required by ICANN policies
  Location: United States

VPN Infrastructure Provider
  Purpose: VPN account provisioning and management
  Data processed: Account username, encrypted credentials
  Location: United States / Europe

eSIM Service Provider
  Purpose: eSIM package ordering, activation, and lifecycle management
  Data processed: Order reference identifiers, package selection data
  Location: Asia / Global

Software Licensing Provider
  Purpose: WordPress plugin and theme license provisioning
  Data processed: License keys, activation domain data
  Location: United States

Social Media Marketing Provider
  Purpose: SMM service order fulfillment
  Data processed: Order identifiers, service specifications
  Location: Varies

Email Delivery Infrastructure
  Purpose: Transactional and notification email delivery (welcome emails, billing alerts, password resets)
  Data processed: Recipient email address, email content
  Location: United States

The Processor maintains an internal register of specific Sub-processor identities. Controllers may request the full Sub-processor list subject to a confidentiality agreement by contacting contact@resellportal.com.
Annex D — Data Subject Request Procedures

  1. Controller-initiated requests. The Controller may manage client data directly through the ResellPortal dashboard, including viewing, editing, and deleting client records. For bulk exports or deletion requests, the Controller may contact ResellPortal support.
  2. Direct Data Subject requests. If a Data Subject contacts ResellPortal directly, we will redirect them to the relevant Controller (reseller) unless legally required to respond directly.
  3. Response timeline. The Processor will provide reasonable assistance within 10 business days of a Controller’s request for help in responding to a Data Subject request.
  4. API access. Controllers with API access may programmatically retrieve and manage client data through the ResellPortal API endpoints for the purpose of fulfilling Data Subject requests.