Data Processing Agreement
v1.1
Effective as of: 24/08/2024
Agreement between Controller and Processor:
This Agreement is made between:
Controller: [Insert the name and address of the Controller]
Processor: Dovetailed Technology Ltd, 71-75 Shelton Street, London, Greater London, United Kingdom, WC2H 9JQ (Company No. 12232490) ("Dovetech"), hereinafter referred to as "Processor."
The Controller and Processor are hereinafter referred to jointly as "Parties" and individually as "Party."
1. Purpose and Scope
The purpose of this Agreement is to ensure compliance with Article 28(3) and (4) of the UK General Data Protection Regulation ("UK GDPR") as it relates to the processing of personal data by the Processor on behalf of the Controller.
This Agreement applies to the processing of personal data as specified in Annex 2. Annexes 1 to 4 are an integral part of this Agreement.
2. Interpretation
Where terms are defined in the UK GDPR, they shall have the same meaning in this Agreement.
3. Hierarchy
In the event of any conflict between this Agreement and any other agreements between the Parties, this Agreement shall prevail.
4. Docking Clause
Any entity not a Party to this Agreement may, with the consent of all Parties, accede to this Agreement as a Controller or Processor by completing the relevant Annexes and signing Annex 1.
5. Description of Processing(s)
The details of the processing operations, including categories of personal data and purposes for processing, are specified in Annex 2.
6. Obligations of the Parties
6.1. Instructions
The Processor shall process personal data only on documented instructions from the Controller, unless required to do so by law. If further instructions are provided by the Controller that exceed the scope of services agreed upon, the Controller shall bear the costs.
6.2. Purpose Limitation
The Processor shall process personal data only for the purposes set out in Annex 2.
6.3. Duration of Processing
Processing by the Processor shall only take place for the duration specified in Annex 2.
6.4. Security of Processing
The Processor shall implement appropriate technical and organizational measures to ensure the security of personal data, as detailed in Annex 3.
6.5. Documentation and Compliance
The Processor shall maintain documentation to demonstrate compliance with this Agreement and shall allow for audits by the Controller, subject to reasonable notice and terms.
6.6. Use of Sub-Processors
The Processor may engage sub-processors only with the general authorization of the Controller. The Processor shall inform the Controller of any intended changes to sub-processors at least two weeks in advance, allowing the Controller to object if necessary.
6.7. Assistance to the Controller
The Processor shall assist the Controller in responding to data subjects' requests and complying with legal obligations, including data protection impact assessments and consultations with supervisory authorities.
6.8. Notification of Personal Data Breach
In the event of a personal data breach, the Processor shall notify the Controller without undue delay and assist the Controller in fulfilling its obligations under the UK GDPR.
7. Liability
The liability of the Parties is subject to Article 82 of the UK GDPR. The Controller shall indemnify the Processor against any claims arising from unlawful or incorrect processing of personal data, except where the Processor is solely responsible.
8. Non-Compliance and Termination
The Controller may suspend data processing if the Processor fails to comply with this Agreement. The Controller may also terminate the contract if compliance is not restored within a reasonable time.
Following termination, the Processor shall either delete or return all personal data to the Controller as instructed.
List of Appendices
Annex 1: List of Parties
Annex 2: Description of the Processing
Annex 3: Technical and Organizational Measures
Annex 4: List of Sub-Processors
Annex 1: List of Parties
Controller: [Insert Details]
Processor: Dovetech
Annex 2: Description of the Processing
Categories of data subjects: Customers, employees, and suppliers.
Categories of personal data: Contact data (e.g., name, email, address), user data (e.g., customer lifetime value), potentially GPS data, and other necessary data.
Nature of processing: Hosting promotions, loyalty programs, and related activities.
Purpose: Providing Dovetech's services as initiated by the Controller.
Duration: As per the main Agreement, with a retention period of 12 months post-termination, with backups retained for 7 days.
Annex 3: Technical and Organizational Measures
Encryption and pseudonymisation: Encryption of data in transit and at rest.
Confidentiality, integrity, availability: Implementation of AWS security measures.
Resilience and recovery: Backup and disaster recovery plans.
Access control: Role-based access, two-factor authentication, VPN usage.
Monitoring and logging: Regular audits, penetration tests, and incident response protocols.
Annex 4: List of Sub-Processors
Amazon Web Services EMEA SARL: Cloud hosting and storage.