olli.

Customer data

Data Processing Addendum

Last updated: 15 June 2026

This DPA applies when Olli processes personal information or customer business data for a paid customer under an order form, proposal, master services agreement, or the Olli Terms of Service.

1. Roles and instructions

The customer is the controller or responsible entity for customer data. Olli processes customer data as a service provider on the customer's documented instructions, including instructions in the agreement, product configuration, support requests, and authorised integrations.

2. Processing scope

Olli may process user details, contact details, inventory exports, product and supplier records, purchase-order data, sales history, operational notes, support content, billing records, logs, and connected-system data. Processing is limited to providing, securing, supporting, troubleshooting, improving, and billing Olli, or complying with law.

3. Confidentiality and security

Olli restricts customer data access to personnel and providers with a business need and confidentiality obligations. Olli maintains reasonable technical and organisational measures including access control, encrypted transport, provider-managed encryption where available, backups, logging, secret management, vendor review, and incident response.

4. Subprocessors

Olli may use subprocessors listed on the Trust page. Olli remains responsible for subprocessors it appoints and will use reasonable review before adding providers that handle production customer data.

5. Assistance and requests

Olli will reasonably assist customers with access, correction, deletion, export, breach assessment, and privacy inquiry requests relating to customer data, taking into account the nature of the service and information available to Olli.

6. Incidents

Olli will assess suspected security or privacy incidents promptly, take reasonable containment steps, maintain an incident register, and notify affected customers without undue delay where an incident materially affects their customer data.

7. Return and deletion

On termination or request, Olli will return, delete, or de-identify customer data within a reasonable time, except where retention is required for law, tax, billing, dispute, security, backup, or legitimate operational records.

8. Order of documents

If this DPA conflicts with an agreed order form, MSA, or signed data processing document, the signed document prevails to the extent of the conflict.