Data Processing Addendum
Last updated: June 2026
This Data Processing Addendum (“DPA”) forms part of, and is incorporated by reference into, the Terms of Use between you (the “Community Owner”) and Seamstack Ltd, trading as Natterio (“Natterio”, “we”, “us”). It governs our processing of personal data relating to your community members on your behalf, and reflects the requirements of Article 28 of the UK GDPR.
1. Roles of the parties
For personal data relating to your community members (the “Member Data”), you are the data controller and Natterio is the data processor. You determine the purposes and means of processing Member Data; Natterio processes it only to provide the service. (Separately, Natterio is the controller of your own account data, as described in our Privacy Policy — that data is outside the scope of this DPA.)
2. Subject matter and details of processing
- Subject matter: provision of the Natterio community-platform service.
- Duration: for as long as you maintain an account, plus any retention period set out in this DPA or required by law.
- Nature and purpose: hosting, storage, display, and transmission of your site content and member interactions (content management, forum, members, and shop features) so that you can operate your community.
- Types of personal data: typically member names, email addresses, profile details, forum posts and messages, and — where you enable a shop — order and contact details. You control what data your members submit.
- Categories of data subjects: your community members and other people whose data you choose to process through your site.
3. Processing on your instructions
We will process Member Data only on your documented instructions, including those given through your use of the service and its settings, unless we are required to do otherwise by UK or EU law (in which case we will inform you, unless that law prohibits it on important grounds of public interest). We will inform you if, in our opinion, an instruction infringes data protection law.
4. Confidentiality
We ensure that personnel authorised to process Member Data are bound by appropriate obligations of confidentiality and are made aware of the confidential nature of the data.
5. Security
Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, we implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk (Article 32 UK GDPR). These include encryption of data in transit (HTTPS) and at rest, passwordless authentication, tenant isolation, access controls, and regular review of our security practices.
6. Sub-processors
You provide general authorisation for us to engage sub-processors to provide the service. The current sub-processors are listed in our Privacy Policy (currently Neon, Cloudflare, Resend, Stripe, and Anthropic). We impose data protection obligations on each sub-processor that are no less protective than those in this DPA. We will give you reasonable prior notice of any intended addition or replacement of a sub-processor (by updating the list and, where you have subscribed to notifications, by email), giving you the opportunity to object on reasonable data protection grounds.
7. Assisting with data subject rights
Taking into account the nature of the processing, we will assist you by appropriate technical and organisational measures, insofar as possible, to respond to requests from data subjects exercising their rights under UK GDPR (access, rectification, erasure, restriction, portability, and objection). The service provides tooling (such as data export and account deletion) to help you meet these obligations.
8. Assisting with your wider obligations
We will assist you, taking into account the nature of processing and the information available to us, in ensuring compliance with your obligations regarding security of processing, personal data breach notification, data protection impact assessments, and prior consultation with the ICO (Articles 32 to 36 UK GDPR).
9. Personal data breaches
We will notify you without undue delay after becoming aware of a personal data breach affecting Member Data, and will provide information reasonably available to us to help you meet your own breach-notification obligations.
10. Return or deletion of data
On termination of the service, and at your choice, we will delete or return all Member Data, and delete existing copies, unless UK or EU law requires us to retain it. Member Data is deleted within 30 days of account deletion unless a longer period is required by law.
11. Audits and information
We will make available to you information reasonably necessary to demonstrate compliance with Article 28 UK GDPR, and will allow for and contribute to audits, including inspections, conducted by you or an auditor you mandate, subject to reasonable notice, confidentiality, and scheduling so as not to disrupt the service or compromise the security of other customers.
12. International transfers
Where the provision of the service involves transferring Member Data outside the UK or EEA, we ensure an appropriate safeguard is in place — relying on UK adequacy regulations where they apply, and otherwise the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses. See the “International data transfers” section of our Privacy Policy for more detail.
13. General
In the event of any conflict between this DPA and the Terms of Use in respect of the processing of Member Data, this DPA prevails. This DPA is governed by the laws of England and Wales.
This document is provided for transparency and is not professional legal advice. Questions about data processing? Contact us at privacy@natterio.com.