Data Processing Addendum

Version: 1.0    ·  Effective from: 1 May 2026

This DPA is issued by Prodigi Group Ltd and applies to the activities of the Group, including its operating companies Prodigi (UK) Ltd, Prodigi BV, Peecho BV, Readymades Framing Ltd, Prodigi USA Inc, Prodigi Global Ltd and Prodigi Platforms Ltd. Where you have contracted with a specific operating company — for example Peecho BV through peecho.com or Readymades Framing Ltd through readymades.co — references in this document to 'Prodigi' should be read as references to your contracting operating company, acting as part of the Group, except where a specific entity is named.

'Prodigi' or 'we' means the Prodigi Group operating company providing the relevant Service to you, on behalf of itself and the wider Group as the context requires. Where the Service is provided through peecho.com, the contracting Group company is Peecho BV. Where the Service is provided through readymades.co, the contracting Group company is Readymades Framing Ltd. In all other cases, unless otherwise specified, the contracting Group company is Prodigi (UK) Ltd.

1. Definitions

1.1 In this Addendum:

“Addendum” means this Data Processing Addendum.

“Data Protection Laws” means all laws and regulations relating to privacy, data protection and the processing of Personal Data that apply to the relevant party, including where applicable the UK GDPR, the Data Protection Act 2018, the EU GDPR and the Privacy and Electronic Communications Regulations.

“Merchant Customer Data” means Personal Data submitted to the Services by or on behalf of the Merchant, or otherwise processed by Prodigi on behalf of the Merchant, for the purpose of providing the Services to the Merchant, including Personal Data relating to the Merchant’s customers, recipients and order recipients.

“Restricted Transfer” means a transfer of Personal Data to a country or recipient where such transfer is restricted under applicable Data Protection Laws unless appropriate safeguards are in place.

“Services” means the Prodigi services used by the Merchant, including platform, API, dashboard, manual order, bulk import, production, fulfilment, shipping, support and related services.

“SCCs” means the applicable standard contractual clauses approved under Data Protection Laws for the relevant Restricted Transfer.

1.2 The terms “controller”, “processor”, “process”, “processing”, “Personal Data”, “personal data breach”, “special category data” and “subprocessor” have the meanings given to them in applicable Data Protection Laws.

2. Scope and roles

2.1 This Addendum applies where Prodigi processes Merchant Customer Data as processor on behalf of the Merchant.

2.2 The Merchant is controller of Merchant Customer Data. Prodigi is processor of Merchant Customer Data when processing it on behalf of the Merchant for the purpose of providing the Services.

2.3 Prodigi may process some Personal Data as controller, including Merchant account data, billing data, platform security data, fraud prevention data, support data, marketing data, website visitor data, recruitment data and corporate administration data. Such processing is described in Prodigi’s Privacy & Cookie Policy and is not governed by this Addendum except to the extent required by applicable Data Protection Laws.

3. Processing details

3.1 The subject matter, duration, nature and purpose of the processing, the categories of Personal Data and categories of data subjects are set out in Schedule 1.

3.2 The Merchant acknowledges that Prodigi operates a distributed fulfilment network. In order to provide the Services, Prodigi may process Merchant Customer Data in multiple countries and may disclose limited fulfilment data to group companies, production partners, fulfilment partners, logistics providers, technology providers and other service providers as described in this Addendum.

3.3 Merchant Customer Data is typically limited to recipient name, delivery address, contact details where supplied or required, order details, product configuration, image and artwork files, support information and technical information required to provide, secure and support the Services.

4. Merchant obligations

4.1 The Merchant must ensure that it has a lawful basis to collect, use and provide Merchant Customer Data to Prodigi for processing under this Addendum.

4.2 The Merchant is responsible for providing any required privacy notices to its customers and recipients.

4.3 The Merchant is responsible for ensuring that all Content, image files, artwork files and other materials submitted to the Services may lawfully be submitted to Prodigi for production and fulfilment.

4.4 Prodigi does not require the Merchant to submit special category data. To the extent Content contains Personal Data or special category data, the Merchant remains responsible for ensuring that the Content is submitted lawfully and that appropriate conditions for processing have been met.

4.5 The Merchant must not submit Personal Data to the Services that is not reasonably necessary for use of the Services.

5. Processing instructions

5.1 The Merchant instructs Prodigi to process Merchant Customer Data as reasonably necessary to provide the Services, including:

  • receiving and validating orders;

  • routing orders to production locations;

  • manufacturing products;

  • dispatching and delivering orders;

  • managing reprints, returns and support issues;

  • quality control and production troubleshooting;

  • fraud prevention, misuse prevention and platform security;

  • maintaining records required for legal, tax, accounting, dispute and compliance purposes;

  • complying with applicable law;

  • otherwise operating, maintaining and improving the Services.

5.2 The Merchant’s documented instructions include this Addendum, the Terms of Use, the Merchant’s use of the Services, orders submitted through the Services, API calls, dashboard actions, integration settings, support requests and other written instructions agreed by Prodigi.

5.3 Prodigi will process Merchant Customer Data only on the Merchant’s documented instructions unless required to do otherwise by applicable law. Where law requires Prodigi to process Merchant Customer Data other than in accordance with the Merchant’s instructions, Prodigi will inform the Merchant unless prohibited by law.

5.4 Prodigi may refuse or suspend any instruction that Prodigi reasonably considers to be unlawful, technically unsafe, operationally impracticable or inconsistent with the Services.

6. Confidentiality

6.1 Prodigi will ensure that persons authorised to process Merchant Customer Data are subject to appropriate confidentiality obligations.

6.2 Prodigi will limit access to Merchant Customer Data to personnel, contractors, group companies and subprocessors who require access for the purpose of providing, securing or supporting the Services.

7. Security measures

7.1 Prodigi will implement appropriate technical and organisational measures designed to protect Merchant Customer Data against unauthorised or unlawful processing and against accidental loss, destruction or damage.

7.2 The technical and organisational measures are summarised in Schedule 2.

7.3 The Merchant acknowledges that the Services are standardised platform services and that the security measures must be assessed in light of the nature of the processing, the limited fulfilment data processed, the state of the art, implementation costs and the risks presented by the processing.

8. Subprocessors and fulfilment network

8.1 The Merchant gives Prodigi general written authorisation to appoint subprocessors to process Merchant Customer Data where required to provide, secure, support or improve the Services.

8.2 Subprocessors may include Prodigi group companies, hosting and infrastructure providers, software and technology providers, support tools, payment and fraud prevention providers, production and fulfilment partners, logistics providers and other service providers.

8.3 Prodigi may disclose limited fulfilment data to production partners, fulfilment partners and logistics providers to the extent necessary to produce and deliver orders. Such data is typically limited to recipient name, delivery address, contact details where required, order details, product configuration and the image or artwork file required to manufacture the product.

8.4 Prodigi will maintain a Subprocessor and Fulfilment Network Notice describing the categories of subprocessors and fulfilment recipients used to provide the Services.

8.5 Prodigi will impose data protection obligations on subprocessors that are designed to provide an appropriate level of protection for Merchant Customer Data, taking account of the nature of the processing and the role performed by the subprocessor.

8.6 Prodigi remains responsible to the Merchant for the performance of its obligations under this Addendum where such performance is carried out by a subprocessor engaged by Prodigi.

8.7 Prodigi may update its subprocessors and fulfilment network from time to time. Where required by applicable Data Protection Laws, Prodigi will provide notice of material changes to subprocessors. Notice may be given by updating the Subprocessor and Fulfilment Network Notice, by email, through the dashboard or by another reasonable method.

8.8 The Merchant may object to a material new subprocessor on reasonable data protection grounds by notifying Prodigi within 30 days of the relevant notice. The objection must explain the specific data protection concern.

8.9 If the Merchant objects under clause 8.8, Prodigi may, at its discretion:

  • provide information to address the objection;

  • take reasonable steps to mitigate the concern;

  • avoid use of the relevant subprocessor for the Merchant where technically and commercially feasible;

  • allow the Merchant to stop using the affected Services;

  • terminate the affected Services.

8.10 An objection by one Merchant does not prevent Prodigi from using the relevant subprocessor for other merchants or from operating the Services for other customers.

8.11 Nothing in this Addendum requires Prodigi to disclose commercially sensitive details of its fulfilment network, production routing, operational processes, security architecture or supplier arrangements beyond what is required by applicable Data Protection Laws.

9. Data subject rights

9.1 Taking into account the nature of the processing, Prodigi will provide reasonable assistance to the Merchant in responding to requests from data subjects exercising their rights under Data Protection Laws.

9.2 If Prodigi receives a request directly from a Merchant customer or recipient in relation to Merchant Customer Data, Prodigi may refer the individual to the Merchant unless Prodigi is legally required to respond directly.

9.3 The Merchant is responsible for determining whether and how to respond to data subject requests relating to Merchant Customer Data.

10. Assistance with compliance

10.1 Taking into account the nature of the processing and the information available to Prodigi, Prodigi will provide reasonable assistance to the Merchant with the Merchant’s obligations relating to security, personal data breach notification, data protection impact assessments and prior consultation with supervisory authorities, where such assistance relates to Prodigi’s processing of Merchant Customer Data.

10.2 Prodigi may charge a reasonable fee for assistance that is not required by this Addendum, is excessive, is repetitive, requires substantial manual effort or arises from the Merchant’s failure to use the Services appropriately.

11. Personal data breaches

11.1 Prodigi will notify the Merchant without undue delay after becoming aware of a personal data breach affecting Merchant Customer Data.

11.2 The notification will include information reasonably available to Prodigi at the time, which may include:

  • the nature of the breach;

  • the categories and approximate number of data subjects affected;

  • the categories and approximate volume of data affected;

  • likely consequences where known;

  • measures taken or proposed to address the breach;

  • contact details for further information.

11.3 Prodigi may provide information in phases as its investigation progresses.

11.4 The Merchant is responsible for determining whether it must notify any supervisory authority, customer, recipient or other person, unless Prodigi is separately required by law to make such notification.

12. Deletion and return

12.1 On termination of the Services, Prodigi will delete or return Merchant Customer Data in accordance with the Terms of Use, the Merchant’s dashboard options, this Addendum and Prodigi’s retention processes.

12.2 Prodigi may retain Merchant Customer Data where and for so long as reasonably required for legal, tax, accounting, audit, fraud prevention, security, dispute, chargeback, warranty, product quality, reprint, insurance or compliance purposes.

12.3 Prodigi’s retention approach distinguishes between the following categories of data:

12.3.1 Production image and artwork files are retained for the period reasonably required for production, quality control, reprints and support, and are then deleted or rendered inaccessible in accordance with Prodigi’s retention processes.

12.3.2 Order and shipping records are retained for the period required for customer service, dispute handling, chargebacks, warranty, statutory record keeping and tax.

12.3.3 Invoices and payment records are retained for the period required by applicable accounting and tax laws.

12.3.4 Support tickets and related correspondence are retained for the period required for customer service continuity, dispute handling and quality assurance.

12.3.5 Operational, security and platform logs are retained for the period required for security, troubleshooting, fraud prevention and audit purposes.

12.3.6 Backups are retained in accordance with Prodigi’s standard backup cycles and overwritten on those cycles.

12.4 Merchant Customer Data retained in backups, archives and logs is protected from active processing and deleted in accordance with Prodigi’s normal deletion cycles, unless earlier deletion is technically and operationally feasible.

12.5 Prodigi is not required to delete order records, invoices, production records, support records or other data that Prodigi is required or permitted to retain under applicable law or for legitimate compliance, security or dispute-resolution purposes.

13. Audit and information rights

13.1 Prodigi will make available information reasonably necessary to demonstrate compliance with this Addendum.

13.2 The primary method for demonstrating compliance will be through Prodigi’s published policies, security summaries, technical and organisational measures, subprocessor information, written responses, audit summaries or security questionnaires.

13.3 The Merchant may request further information where reasonably required to verify Prodigi’s compliance with this Addendum. Prodigi may decline requests that are irrelevant, disproportionate, repetitive, commercially sensitive, security-sensitive or not required by applicable Data Protection Laws.

13.4 Any audit, inspection or review must be subject to reasonable prior notice, confidentiality obligations, reasonable scope limits, security requirements and controls to avoid disruption to Prodigi’s business and other merchants.

13.5 On-site audits are not available for standard self-serve accounts unless required by applicable law and cannot be reasonably satisfied through documentation or written responses.

13.6 The Merchant is responsible for its own costs of any audit or review. Prodigi may charge a reasonable fee for assistance with audits or reviews that exceed standard documentation and questionnaire responses.

14. International transfers

14.1 The Merchant acknowledges that Prodigi provides global services and may process Merchant Customer Data in, or transfer Merchant Customer Data to, countries in which Prodigi, its group companies, fulfilment partners, logistics providers, technology providers and other service providers operate.

14.2 Where a Restricted Transfer requires appropriate safeguards, Prodigi will use appropriate transfer mechanisms as required by Data Protection Laws. These may include an adequacy decision, the EU SCCs, the UK International Data Transfer Addendum, the UK International Data Transfer Agreement or another lawful transfer mechanism.

14.3 Where the EU SCCs are required, they are incorporated into this Addendum by reference and apply as follows: Module Two applies where the Merchant is controller and Prodigi is processor; Module Three applies where Prodigi appoints a subprocessor for a Restricted Transfer; Annex I (Description of transfer) is completed by Schedule 1 of this Addendum; Annex II (Technical and organisational measures) is completed by Schedule 2 of this Addendum; and Annex III (Subprocessors) is completed by the Subprocessor and Fulfilment Network Notice.

14.4 Where the UK International Data Transfer Addendum to the EU SCCs is required, it is incorporated into this Addendum by reference and applies to the relevant EU SCCs. Where the UK International Data Transfer Agreement applies in place of the UK Addendum, the parameters of this Addendum apply to the corresponding sections of that instrument.

14.5 The Merchant authorises Prodigi to enter into applicable transfer mechanisms with relevant subprocessors and recipients on behalf of the Merchant where required to provide the Services.

14.6 The Merchant acknowledges that international transfers may be necessary to route orders to fulfilment locations, produce products, deliver products, provide support, maintain platform infrastructure and operate the Services.

15. Liability

15.1 This Addendum forms part of the Terms of Use. The limitations and exclusions of liability in the Terms of Use apply to this Addendum unless expressly stated otherwise in a separately agreed written contract.

15.2 Nothing in this Addendum limits or excludes liability to the extent that such liability cannot be limited or excluded under applicable law.

16. Changes to this Addendum

16.1 Prodigi may update this Addendum from time to time in accordance with the Terms of Use.

16.2 Prodigi will not materially reduce the level of protection for Merchant Customer Data under this Addendum without giving reasonable notice where required by applicable law.

17. Conflict

17.1 If there is a conflict between this Addendum and the Terms of Use in relation to the processing of Merchant Customer Data as processor, this Addendum will prevail to the extent of that conflict.

17.2 If the Merchant has entered into a separately signed written agreement with Prodigi that expressly governs data processing, that agreement will prevail to the extent stated in that agreement.

Schedule 1: Processing details

Subject matter: Provision of print-on-demand platform, production, fulfilment, shipping, support and related services.

Duration: For the term of the Merchant’s use of the Services and any applicable retention period.

Nature of processing: Collection, receipt, storage, hosting, organisation, retrieval, transmission, disclosure, production use, quality control, support, deletion and other processing required to provide the Services.

Purpose of processing: Receiving orders, validating orders, routing orders, manufacturing products, dispatching and delivering orders, managing reprints, handling support requests, fraud prevention, platform security, legal compliance, billing support, service operation and service improvement.

Data subjects: Merchant customers, order recipients, Merchants, authorised users, support contacts and individuals identifiable from submitted Content.

Personal Data categories: Recipient name, delivery address, billing address where supplied, email address, phone number, order details, product configuration, image files, artwork files, support records, order references, shipping and tracking information, IP address, device information and technical logs where applicable.

Special category data: Not required by Prodigi. May be present incidentally in image files, artwork files or other Content submitted by the Merchant or its customers. The Merchant remains responsible for ensuring lawful submission.

Processing locations: United Kingdom, EEA, United States, Australia and other countries in which Prodigi, group companies, fulfilment partners, logistics providers, technology providers or other service providers operate.

Subprocessor categories: Group companies, cloud hosting providers, technology providers, support tools, production partners, fulfilment partners, logistics providers, payment and fraud providers and professional advisers.

Schedule 2: Technical and organisational measures

Prodigi maintains technical and organisational measures appropriate to the nature of the Services and the Merchant Customer Data processed. These measures may include the following.

1. Access control

  • Access to systems containing Merchant Customer Data is restricted to authorised personnel.

  • Access rights are granted on a role-based and least-privilege basis, with reference to business need.

  • Access rights are reviewed periodically and revoked promptly when no longer required, including on role change and on departure from the Group.

  • Administrative access is restricted to personnel who require it and is subject to additional controls.

2. Authentication

  • User accounts are protected by authentication controls.

  • Multi-factor authentication is applied to administrative accounts and to remote access to production systems.

  • Password and account controls are applied to relevant systems.

3. Confidentiality

  • Personnel authorised to process Personal Data are subject to confidentiality obligations.

  • Contractors and service providers are subject to contractual confidentiality obligations where appropriate.

  • Onboarding includes data protection and security awareness; offboarding includes prompt revocation of access.

4. Encryption and transmission

  • Data transmitted through the Services over public networks is protected using current industry-standard encryption in transit.

  • Production and support processes are designed to avoid unnecessary transmission of Merchant Customer Data.

5. Data minimisation

  • Prodigi limits fulfilment data disclosed to production and logistics partners to what is reasonably necessary to produce and deliver orders.

  • Production partners typically receive only recipient name, delivery address, order details and the image or artwork file required to manufacture the product.

  • Operational data flows are reviewed for opportunities to reduce the personal data shared with each recipient category.

6. Segregation and platform controls

  • Merchant accounts are logically separated through platform permissions and account controls.

  • Production workflows are designed to route only relevant order data to the relevant fulfilment location or provider.

  • Production, staging and corporate environments are separated.

7. Logging and monitoring

  • Production systems and administrative access are logged for security, operational, fraud prevention and troubleshooting purposes.

  • Logs are retained for operational and security purposes in accordance with Prodigi’s retention practices.

  • Logs are reviewed and alerted on for anomalous or unauthorised activity.

8. Vulnerability and patch management

  • Production systems are subject to vulnerability management, including periodic vulnerability scanning and patching.

  • Identified vulnerabilities are triaged and remediated based on severity.

9. Incident response

  • Prodigi maintains processes for identifying, escalating, investigating and responding to security incidents and personal data breaches.

  • Incidents involving Merchant Customer Data are assessed to determine notification obligations.

  • The processes are tested and reviewed periodically.

10. Backup and resilience

  • Prodigi maintains backup and resilience processes appropriate to the Services.

  • Backup data is retained and deleted in accordance with applicable retention cycles.

  • Restoration of backups is tested periodically.

11. Supplier controls

  • Prodigi conducts onboarding diligence on subprocessors and fulfilment partners before engagement.

  • Prodigi uses contractual controls with relevant subprocessors and fulfilment partners requiring appropriate technical and organisational measures.

  • Prodigi requires subprocessors and fulfilment partners to use Personal Data only for the services they provide to Prodigi.

  • Supplier controls vary based on supplier category, risk and role.

12. Secure development and change control

  • Platform changes are managed through internal development and deployment processes.

  • Security and privacy considerations are taken into account in platform operation and development.

  • Changes to production are reviewed and authorised.

13. Physical and operational security

  • Prodigi-operated facilities use physical and operational controls appropriate to the facility and activity, including controlled access to production areas.

  • Production waste containing Merchant Customer Data, such as misprints or damaged products, is disposed of securely.

  • Partner facilities are required to maintain controls appropriate to their production and fulfilment role.

Schedule 3: Subprocessor and Fulfilment Network Notice

1. Purpose

Prodigi operates a global print-on-demand platform and fulfilment network. To provide the Services, Prodigi uses group companies, technology providers, production partners, fulfilment partners, logistics providers and other service providers.

This notice describes the categories of recipients that may process or receive Merchant Customer Data.

2. Data disclosed for fulfilment

For production and delivery, Prodigi typically discloses only limited fulfilment data, such as:

  • recipient name;

  • delivery address;

  • contact details where required for delivery or support;

  • order details;

  • product configuration;

  • image or artwork file required to manufacture the product;

  • shipping and tracking information.

Prodigi does not sell Merchant Customer Data and does not use Merchant Customer Data to market directly to Merchant customers.

3. Recipient categories

Some recipients act as subprocessors to Prodigi, while others may act as independent controllers depending on their role, the service provided and applicable law. For example, shipping carriers, payment service providers, tax authorities and professional advisers typically act as independent controllers in respect of the personal data they process for their own purposes. The categories below describe both types of recipient where relevant.

Recipient category: Prodigi group companies

  • Purpose: Platform operation, fulfilment, customer support, billing support, administration and group services.

  • Typical data processed: Merchant account data, order data, limited fulfilment data, support data and technical data.

  • Typical locations: UK, EEA, US and other group locations.

Recipient category: Cloud hosting and infrastructure providers

  • Purpose: Hosting, storage, compute, networking, security and platform operation.

  • Typical data processed: Platform data, order data, image and artwork files, logs and technical data.

  • Typical locations: UK, EEA, US and other service regions.

Recipient category: Software and technology providers

  • Purpose: Platform tools, monitoring, analytics, workflow tools, email, authentication and internal systems.

  • Typical data processed: Merchant account data, support data, order references, technical data and limited Merchant Customer Data where required.

  • Typical locations: UK, EEA, US and other service regions.

Recipient category: Production and fulfilment partners

  • Purpose: Manufacturing, printing, finishing, packing, dispatch, quality control and reprints.

  • Typical data processed: Recipient name, delivery address, order details, product configuration, image or artwork file and shipping data.

  • Typical locations: UK, EEA, US, Australia and other fulfilment regions.

Recipient category: Logistics, postal and carrier providers

  • Purpose: Delivery, shipping, tracking, customs, returns and delivery support.

  • Typical data processed: Recipient name, delivery address, contact details where required, shipment contents information, tracking data and customs data where required.

  • Typical locations: Destination and transit countries.

Recipient category: Payment, billing and fraud providers

  • Purpose: Payment processing, billing, fraud prevention and financial administration.

  • Typical data processed: Merchant account data, payment information, transaction data, order references and fraud-prevention data.

  • Typical locations: UK, EEA, US and other service regions.

Recipient category: Professional advisers and compliance providers

  • Purpose: Legal, accounting, audit, insurance, compliance and dispute handling.

  • Typical data processed: Relevant account, order, support or transaction data where required.

  • Typical locations: UK, EEA and other relevant locations.

4. Fulfilment partners

Prodigi may use production and fulfilment partners to produce and dispatch orders. Fulfilment partners are provided with only the information reasonably necessary to produce and ship the relevant order.

In line with clause 8.11, Prodigi publishes recipient categories and typical processing locations rather than a public list of named production partners. Production routing changes over time, and partner identity, capacity, capability and routing logic form part of Prodigi’s commercial and operational infrastructure. Where required by applicable Data Protection Laws, or where agreed under an enterprise agreement, further information about the production and fulfilment partners applicable to a Merchant’s orders may be made available subject to confidentiality obligations and reasonable scope limits.

5. Updates

Prodigi updates this notice from time to time. The current version is published at https://www.prodigi.com/subprocessor-and-fulfilment-network-notice/. Material changes are notified in accordance with clause 8.7 of this Addendum.

6. Contact

Questions about this notice should be addressed to dpo@prodigi.com.