Data Processing Addendum
Last updated: May 2026
1. Purpose
This Data Processing Addendum (“DPA”) supplements our Privacy Policy and Terms of Service to address the requirements of the EU General Data Protection Regulation (GDPR), the UK GDPR, and similar data-protection laws where SriLankaExport.com (operated by Harker International (Private) Limited (Reg. No. PV 00338032), Kandy, Sri Lanka) processes Personal Data on behalf of EU or UK-based Buyers and Vendors.
2. Roles
For data the user submits to us directly (account registration, inquiries, transaction data): Harker International is the Controller.
For data a Vendor or Buyer routes through our platform that originates with their own customers or counterparties (e.g. consignee details, end-user information): Harker International acts as a Processor on behalf of that Vendor or Buyer (the Controller).
3. Subject Matter & Duration
The subject matter is the processing required to provide marketplace and trade-facilitation services. The duration is the term of the user’s account plus the retention periods set out in the Privacy Policy and applicable record-keeping law.
4. Nature & Purpose of Processing
- Hosting, storing, and displaying account and transaction data.
- Routing communications between Buyer and Vendor.
- Generating commercial documentation (invoices, packing lists, certificates).
- Sanctions and AML screening as part of compliance obligations.
- Analytics and platform improvement (aggregated).
5. Categories of Data Subjects & Personal Data
- Data subjects: account holders, their employees, consignees, end-users, and (limited) website visitors.
- Personal data: name, business email, business phone, postal address, role/title, payment-instrument identifiers (managed by Stripe, not stored by us), IP address, browsing analytics.
- Special-category data: not processed in the ordinary course.
6. Sub-processors
We rely on the following sub-processors. We give 30 days’ notice via email to the registered Controller before adding or replacing a sub-processor that processes Personal Data.
| Sub-processor | Purpose | Location |
|---|---|---|
| Hostinger International Ltd. | Hosting infrastructure | EU (Lithuania) / SG / US |
| QUIC.cloud / Cloudflare | CDN and security | Global edge network |
| Stripe Payments Europe Ltd. | Payment processing | EU (Ireland) |
| Google LLC (GA4) | Web analytics | US (Standard Contractual Clauses in place) |
| Hostinger SMTP / mail | Transactional email | EU / SG |
7. International Transfers
Where Personal Data is transferred outside the EEA / UK, we rely on the EU Standard Contractual Clauses (2021/914) and, where applicable, the UK International Data Transfer Addendum. Transfers to Sri Lanka (where Harker International is based) are made under the SCCs and supplemented by the security measures described below.
8. Security Measures
- HTTPS / TLS 1.2+ on all public endpoints.
- WP application-level authentication; admin two-factor authentication strongly encouraged and required for sensitive roles.
- Database backed up daily; encrypted at rest.
- Access to production restricted to named operators via SSH key authentication.
- Payment data tokenised via Stripe; we do not store card numbers.
- Quarterly security review of plugins and themes; LiteSpeed Cache rules audited.
9. Data-Subject Rights Assistance
We assist Controllers in responding to data-subject requests (access, rectification, erasure, restriction, portability, objection) at no additional charge for routine requests. Forward such requests to info@harker.international; we will respond within 30 days.
10. Breach Notification
We notify Controllers without undue delay (and in any case within 72 hours of becoming aware) of any Personal Data breach affecting their data. The notice will include the nature of the breach, the categories and approximate numbers of data subjects, the likely consequences, and the remediation measures.
11. Deletion or Return of Data
On termination of services we delete or return Personal Data on Controller request, except where retention is required by law (e.g. Sri Lankan customs / tax record-keeping of 6 years).
12. Audit
Controllers may request, no more than annually, a summary of our security posture and sub-processor list. On-site audits are accommodated with reasonable notice for Controllers materially affected by the processing.
Need a countersigned DPA?
Email info@harker.international with subject “DPA Request”. We will return a countersigned PDF within 5 business days.