Data Processing Agreement

This document sets out the Data Processing Agreement (DPA) between us and the customer. It is incorporated into our Terms and Conditions.

0. Document History

Version | Comment | Date
Version 1 | Initial version | 16th August 2019

1. Definitions

2. Data Processing

We process Customer Data on your behalf in performing the services that we provide to you. This classifies us as a “Data Processor” under the General Data Protection Regulation (GDPR).

2.1 Scope

This DPA applies when we process personal data for which you are responsible as the Controller.

We will only process Customer Data to the extent needed to perform the services we provide. We do so in line with this DPA, Terms and Conditions, any extra agreements and as instructed by you.

2.2 Permission to Process

We agree to only process Customer Data under your documented instructions, unless otherwise required by law.

You give permission for us to process Customer Data on your behalf, as required for us to deliver the requested services.

This includes the “Named Services” below in addition to any other requested services.

2.2.1 Named Services

Service | Data Processed | Types of Processing
Website (Hosted) | IP address; Pages requested; Browser meta data | Collection; Storage; Retrieval
Membership Websites (Hosted) | User Login (e.g. email, username & hashed password); Membership information; Personalisation information | Collection; Storage; Retrieval
eCommerce Websites (Hosted) | Shipping information; Billing information; Payment meta-data | Collection; Storage; Retrieval
Data Backups (Hosted) | All Data | Retrieval; Storage

2.3 Duration of the Processing

We will only process Customer Data on your behalf for the duration of the services we provide up until those services are ended.

2.3.1 Termination of Services

When you inform us that you want to end your services with us, you have the option to request the return of the Customer Data. You must state this when you send your request to end services.

If we force your services to end, as per our Terms and Conditions, then you will need to respond promptly with such a request for data.

We will charge a fee to cover the cost of us providing you with the Customer Data.

If you can retrieve the Customer Data yourself using the tools provided as part of the service, you must do so before terminating our services.

If no request for data is received, we will permanently delete all Customer Data after the end of services.

3. Data Confidentiality

We will ensure that Customer Data is processed under a duty of confidence.

We will not disclose Customer Data to any other third party, except as legally required or as needed under your instruction.

If possible, we will redirect such requests to you; in doing so, we may pass your basic contact information on to the requesting party.

4. Security of Processing

We take appropriate measures to ensure that the Customer Data we process is processed securely.

4.1 Authorisation and Encryption of Data

Where we store data on remote servers, we do so using the appropriate level of industry-standard mechanisms to restrict access. This helps ensure that only authorised users can gain access to the data.

Once access is granted, the transmission of data is completed over encrypted channels.

5. Data Subject Rights

We will take appropriate measures to help you in complying with data subject rights.

We may do this by providing you with the administrative tools required for you to fulfil such obligations. You may need to pay for such tools to be provided.

If no such tools can be provided then we may assist by performing tasks on your behalf. We will charge additional fees in order to cover the cost of doing so.

Any requests received directly from a Data Subject will be forwarded on to you, for you to comply with the request.

6. Sub-Processing

We will only engage with sub-processors that you have provided written authorisation for.

You agree that we may use sub-processors to fulfil our contractual obligations under our Terms and Conditions and this document, and to provide certain services on your behalf, such as providing support services.

6.1 Named Sub-Processors

Sub-processor | Purpose | Type of Processing
1&1 IONOS Ltd (Agreement) | Provision of servers | Storage

7. Notification of Data Breach

If we become aware of a Security Incident, we will without undue delay:

8. Data Controller Rights

8.1 Independent Determination

You are responsible for reviewing the information made available by us relating to data security. You are to independently determine whether this meets your legal obligations.

8.2 Auditing

We will make available all requested information necessary for you to show compliance with the GDPR. We will allow for and contribute to Audits (including inspections) conducted by you or on your behalf.

We will notify you if we believe the request infringes the GDPR.

We may not be able to provide specific information relating to our security implementation, as this could undermine the security of that implementation.

8.3 Charges

We are entitled to charge extra fees to cover the costs and expenses involved in completing any requests you make to us relating to this DPA and the GDPR.

In such cases an estimate will be provided in advance.

8.4 Changes

You are responsible for notifying us, with reasonable time, of any changes to applicable data protection laws, codes or regulations which may affect our contractual duties as the Processor.