Data Processing Agreement
Parties
Processor: Curavest Ltd, trading as Sysgraft, company number 15433116, registered office 334 Reading Road, Winnersh, Wokingham, RG41 5EJ, England.
Controller: The client named in the Proposal or Order Form.
Background
(A) The Controller and the Processor have entered into the Sysgraft Master Terms and Conditions and one or more Proposals or Order Forms (together, the “Principal Agreement”), under which the Processor provides bespoke software development, hosting, maintenance and support services (the “Services”).
(B) In providing the Services, the Processor may process personal data on behalf of the Controller. This Data Processing Agreement (“DPA”) sets out the terms on which that processing takes place and forms part of the Principal Agreement.
(C) This DPA gives effect to Article 28 of the UK GDPR.
Contents
- 1. Definitions
- 2. Roles and Scope
- 3. Processor Obligations
- 4. Controller Obligations
- 5. Sub-processors
- 6. Audit
- 7. International Transfers
- 8. Liability
- 9. Term and Termination
- 10. General
- Annex 1 — Details of Processing
- Annex 2 — Technical and Organisational Measures
- Annex 3 — Approved Sub-processors
- Execution
1. Definitions
1.1 The terms “controller”, “processor”, “data subject”, “personal data”, “personal data breach”, “processing”, “special categories of personal data” and “supervisory authority” have the meanings given in the UK GDPR.
1.2 “Data Protection Laws” means the UK GDPR, the Data Protection Act 2018, and all other laws applicable to the processing of personal data and privacy.
1.3 “UK GDPR” means Regulation (EU) 2016/679 as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of the European Union (Withdrawal) Act 2018, as amended.
1.4 “Restricted Transfer” means a transfer of the Controller’s personal data to a country outside the United Kingdom that is not covered by UK adequacy regulations.
1.5 “Sub-processor” means any third party engaged by the Processor to process personal data on its behalf in connection with the Services.
1.6 “IDTA” means the International Data Transfer Agreement, and “UK Addendum” means the UK Addendum to the EU Standard Contractual Clauses, each as issued by the Information Commissioner under section 119A of the Data Protection Act 2018.
1.7 Other capitalised terms have the meanings given in the Principal Agreement.
2. Roles and Scope of Processing
2.1 The parties acknowledge that, for the purposes of the Services, the Controller is the controller and the Processor is the processor of the personal data described in Annex 1.
2.2 Annex 1 sets out the subject matter, duration, nature and purpose of the processing, the types of personal data and the categories of data subjects. The Controller may update Annex 1 by written notice to reflect changes to the Services.
2.3 The Controller warrants that it has a lawful basis for the processing and that its instructions to the Processor comply with Data Protection Laws.
3. Processor Obligations
The Processor will:
3.1 process the personal data only on the Controller’s documented instructions (including those set out in the Principal Agreement and Annex 1), and for no other purpose, unless required to do otherwise by law (in which case the Processor will inform the Controller of that legal requirement before processing, unless the law prohibits this on important grounds of public interest);
3.2 immediately inform the Controller if, in its opinion, an instruction infringes Data Protection Laws;
3.3 ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
3.4 implement and maintain the technical and organisational measures set out in Annex 2, taking account of Article 32 of the UK GDPR;
3.5 comply with the conditions in clause 5 for engaging Sub-processors;
3.6 taking into account the nature of the processing, assist the Controller by appropriate technical and organisational measures, insofar as possible, to respond to requests from data subjects exercising their rights under the UK GDPR;
3.7 assist the Controller in ensuring compliance with its obligations under Articles 32 to 36 of the UK GDPR (security, breach notification, data protection impact assessments and prior consultation), taking into account the nature of the processing and the information available to the Processor;
3.8 notify the Controller without undue delay, and in any event within 48 hours, after becoming aware of a personal data breach affecting the Controller’s personal data, and provide the information the Controller reasonably requires to meet its own obligations under Data Protection Laws;
3.9 at the choice of the Controller, delete or return all the personal data to the Controller after the end of the provision of the Services, and delete existing copies unless law requires storage of the personal data;
3.10 make available to the Controller all information necessary to demonstrate compliance with Article 28 of the UK GDPR and this DPA, and allow for and contribute to audits, including inspections, in accordance with clause 6.
4. Controller Obligations
4.1 The Controller will ensure that it is entitled to transfer the personal data to the Processor so that the Processor may lawfully process it on the Controller’s behalf.
4.2 The Controller’s instructions to the Processor will comply with Data Protection Laws.
4.3 The Processor is not responsible for the content, accuracy, completeness, quality, lawfulness or suitability of personal data supplied by the Controller.
5. Sub-processors
5.1 The Controller grants the Processor general written authorisation to engage Sub-processors, subject to this clause 5.
5.2 The Sub-processors engaged at the date of this DPA are listed in Annex 3. The Controller authorises their engagement.
5.3 The Processor will inform the Controller of any intended addition or replacement of a Sub-processor, giving the Controller a reasonable opportunity (and in any event at least 14 days) to object on reasonable data protection grounds. If the Controller objects and the parties cannot resolve the matter, the Controller may terminate the affected Services.
5.4 The Processor will impose on each Sub-processor, by written contract, data protection obligations equivalent to those in this DPA. The Processor remains fully liable to the Controller for the performance of each Sub-processor’s obligations.
6. Audit
6.1 The Processor will allow the Controller to verify compliance with this DPA no more than once in any 12-month period (unless required by a supervisory authority or following a personal data breach), on reasonable written notice, during Business Hours, in a manner that does not unreasonably disrupt the Processor’s operations, and subject to confidentiality. The Processor may discharge audit requests by providing relevant certifications, third-party reports or written summaries of its technical and organisational measures.
6.2 Where the Controller requests audit assistance beyond the provision of standard compliance documentation, certifications, summaries or reports, the Processor may charge its reasonable costs at its prevailing professional services rates, unless the audit identifies a material breach of this DPA by the Processor.
7. International Transfers
7.1 The Processor will not make a Restricted Transfer of the Controller’s personal data without the Controller’s prior authorisation, except where required by law.
7.2 The Controller authorises the Restricted Transfers necessary for the Sub-processors listed in Annex 3 to provide their services. Where a Restricted Transfer occurs, the parties will ensure that an appropriate transfer mechanism is in place, such as the IDTA or the UK Addendum to the EU SCCs, together with any supplementary measures identified by a transfer risk assessment.
7.3 Annex 3 identifies, for each Sub-processor, the location(s) of processing and the transfer mechanism relied upon.
8. Liability
8.1 Each party’s liability under or in connection with this DPA is subject to the limitations and exclusions of liability set out in the Principal Agreement.
8.2 Nothing in this DPA or the Principal Agreement limits or affects the rights of a data subject, or either party’s liability to a supervisory authority, under Data Protection Laws.
9. Term and Termination
9.1 This DPA takes effect on the same date as the Principal Agreement (or, if later, when the processing of personal data on the Controller’s behalf begins) and continues for as long as the Processor processes personal data on behalf of the Controller.
9.2 Termination of the Principal Agreement terminates this DPA, subject to the provisions that survive (including clause 3.9).
10. General
10.1 In the event of conflict between this DPA and the remainder of the Principal Agreement on data protection matters, this DPA prevails.
10.2 This DPA is governed by the laws of England and Wales, and the courts of England and Wales have exclusive jurisdiction.
Annex 1 — Details of Processing
Complete or confirm the following for each Project or Retainer under which personal data is processed. Annex 1 must be completed and agreed before commencement of any Project or Retainer involving the processing of personal data.
| Item | Details |
|---|---|
| Subject matter | Provision of the Services (bespoke software development, hosting, maintenance and support of the Deliverables). |
| Duration | For the term of the Principal Agreement and any further period during which the Processor holds personal data, subject to clause 3.9. |
| Nature and purpose | Hosting, storing, structuring, retrieving, transmitting and otherwise processing personal data as necessary to develop, operate, host, maintain and support the Deliverables on the Controller’s behalf. |
| Types of personal data | [e.g. names, email addresses, contact details, user account credentials, usage / behavioural data, and any data specific to the Controller’s application — to be completed] |
| Special category data | [None / specify — if any, confirm Article 9 condition] |
| Categories of data subjects | [e.g. the Controller’s customers, end users and staff — to be completed] |
Annex 2 — Technical and Organisational Measures
The Processor implements and maintains the following measures. These measures apply only to the extent implemented by the Processor in its then-current operational environment and may be updated from time to time provided that the overall level of protection is not materially reduced.
- Access control on a least-privilege basis, with multi-factor authentication on administrative and platform accounts.
- Encryption of personal data in transit (TLS) and at rest where supported by the underlying platform.
- Separation of production and non-production environments.
- Secrets management via environment variables; credentials and secrets are not stored in source control.
- Regular dependency updates and security patching.
- Backups in accordance with the applicable Hosting Schedule, with restore testing.
- Logging and monitoring of relevant systems.
- Secure development practices, including code review.
- Confidentiality obligations on all personnel.
- A documented incident-response and breach-notification process.
- Data minimisation and retention aligned to the Controller’s documented instructions.
Annex 3 — Approved Sub-processors
The following Sub-processors are authorised at the date of this DPA. Confirm the processing locations and transfer mechanisms against the Controller’s actual configuration before execution.
| Sub-processor | Service provided | Location of processing | Transfer mechanism |
|---|---|---|---|
| Vercel Inc. | Application hosting, compute and content delivery | United States / global edge network [verify] | UK IDTA or UK Addendum to the EU SCCs [verify] |
| Supabase, Inc. | Database, authentication and file storage | Region selectable (EEA/UK available); parent entity US [verify] | UK adequacy (if EEA) or UK IDTA / UK Addendum [verify] |
Additional or replacement Sub-processors may be engaged in accordance with clause 5.
Execution
Signed for and on behalf of the Processor (Curavest Ltd trading as Sysgraft)
Name
Position
Signature
Date
Signed for and on behalf of the Controller
Name
Position
Signature
Date
Questions about this DPA or data protection at Sysgraft? Contact us at [email protected]. See also our Master Terms and Conditions.