← DataDeadline
Draft — not yet reviewed by a solicitor. This document is a starting point and must be professionally reviewed before use with real customers. Version 2026-07-13.

Data Processing Agreement (DPA)

DRAFT — this document has NOT been reviewed by a solicitor. It is a starting point only and must be professionally reviewed before use with real customers.

Version 2026-07-13

This DPA forms part of the Terms of Service and applies where DataDeadline processes personal data on your behalf. It is intended to reflect the requirements of Article 28 UK GDPR.

1. Roles

You are the data controller. DataDeadline is the data processor. You determine the purposes and means of processing; we process only on your documented instructions.

2. Subject matter and duration

Subject matter: processing of personal data contained in data-rights requests. Duration: for as long as your account is active, plus any retention period described below.

3. Nature and purpose of processing

To receive, store, track and help you respond to Subject Access Requests and data-protection complaints submitted to your business.

4. Types of personal data and data subjects

Personal data: requester name, email address, and the content of their request. Data subjects: members of the public who submit requests to you.

5. Our obligations as processor

We will:

(see SECURITY.md), including encryption of personal data at rest;

requests and in meeting your security and breach obligations;

reasonable audits.

6. Sub-processors

We will not engage a sub-processor without your general or specific authorisation, and we will impose equivalent data-protection obligations on any sub-processor we use (for example a hosting or email provider).

7. International transfers

We will not transfer personal data outside the UK without an appropriate transfer mechanism and your authorisation.

8. Security

Technical and organisational measures currently implemented are described in SECURITY.md. You acknowledge the limitations and hardening steps noted there.

9. Personal data breach

We will notify you without undue delay on becoming aware of a breach affecting your data, with the information reasonably available to us to help you meet your own notification duties.

10. Deletion

On termination, and on your written request, we will delete or return the personal data we hold on your behalf, unless we are required by law to retain it.

11. Liability

Liability under this DPA is subject to the limitation of liability in the Terms of Service.