Data Processing Agreement (DPA)
DRAFT — this document has NOT been reviewed by a solicitor. It is a starting point only and must be professionally reviewed before use with real customers.
Version 2026-07-13
This DPA forms part of the Terms of Service and applies where DataDeadline processes personal data on your behalf. It is intended to reflect the requirements of Article 28 UK GDPR.
1. Roles
You are the data controller. DataDeadline is the data processor. You determine the purposes and means of processing; we process only on your documented instructions.
2. Subject matter and duration
Subject matter: processing of personal data contained in data-rights requests. Duration: for as long as your account is active, plus any retention period described below.
3. Nature and purpose of processing
To receive, store, track and help you respond to Subject Access Requests and data-protection complaints submitted to your business.
4. Types of personal data and data subjects
Personal data: requester name, email address, and the content of their request. Data subjects: members of the public who submit requests to you.
5. Our obligations as processor
We will:
- process personal data only on your documented instructions;
- ensure persons authorised to process are bound by confidentiality;
- implement appropriate technical and organisational security measures
(see SECURITY.md), including encryption of personal data at rest;
- assist you, so far as reasonably possible, in responding to data-subject
requests and in meeting your security and breach obligations;
- notify you without undue delay after becoming aware of a personal data breach;
- at your choice, delete or return personal data at the end of the services;
- make available information necessary to demonstrate compliance and allow for
reasonable audits.
6. Sub-processors
We will not engage a sub-processor without your general or specific authorisation, and we will impose equivalent data-protection obligations on any sub-processor we use (for example a hosting or email provider).
7. International transfers
We will not transfer personal data outside the UK without an appropriate transfer mechanism and your authorisation.
8. Security
Technical and organisational measures currently implemented are described in SECURITY.md. You acknowledge the limitations and hardening steps noted there.
9. Personal data breach
We will notify you without undue delay on becoming aware of a breach affecting your data, with the information reasonably available to us to help you meet your own notification duties.
10. Deletion
On termination, and on your written request, we will delete or return the personal data we hold on your behalf, unless we are required by law to retain it.
11. Liability
Liability under this DPA is subject to the limitation of liability in the Terms of Service.