Data Processing Agreement (DPA)
- Background
- Roles and responsibilities
- Processing of Personal Data
- Personnel Confidentiality
- Security Measures
- Subprocessing
- Data Subject Rights
- Personal Data Breach Notification
- Assistance with Compliance Obligations
- Documentation and Records
- Data Retention & Deletion
- Audit Rights
- International Data Transfers
- Liability and Indemnity
- Governing Law & Dispute Resolution
- Contact Information
This DPA is made on the date that the last Party has executed this DPA, between the following parties:
ApprovalMax Limited, a company registered in England and Wales, with company number 11326265 of 3rd Floor, 86-90 Paul St, London EC2A 4NE, United Kingdom ("we", "us" or "our"); and
the Customer ("you" or "your"), as defined in the Terms & Conditions.
Together, the Parties, and each a Party. This DPA supplements the Terms & Conditions entered into between the Parties and applies to the provision of Services.
DEFINITIONS
For the purposes of this DPA:
- "Company Personal Data" means any Personal Data processed by the Processor on behalf of the Controller pursuant to the Services.
- "Controller", "Processor", "Data Subject", "Personal Data", "Processing", "Sub-Processor", "Supervisory Authority" have the meanings set out in the UK GDPR and EU GDPR.
- "Data Protection Laws" means all applicable data protection and privacy legislation including the EU GDPR, the UK GDPR, and the Data Protection Act 2018.
- "Services" means the services provided by ApprovalMax under the Terms & Conditions.
The Parties have entered into the Terms & Conditions for the provision of Services. In processing Company Personal Data, each Party will act as either a Controller or a Processor, as applicable.
The Parties acknowledge that for the purposes of the Data Protection Laws, the Customer is the Controller and ApprovalMax is the Processor in respect of Company Personal Data.
Each Party shall comply with its respective obligations under the Data Protection Laws with respect to its Processing of Company Personal Data.
Each Party agrees to comply with applicable Data Protection Laws in processing Company Personal Data.
The Processor may only process Company Personal Data upon documented instructions from the Controller, including with regard to transfers of data outside the UK/EEA. The Processor shall immediately inform the Controller if, in its opinion, an instruction infringes upon any Data Protection Laws. In such cases, the Processor may suspend the execution of the relevant instruction until the Controller confirms or modifies it.
Processing will only occur within the EEA/UK unless appropriate safeguards (e.g., SCCs, UK GDPR Addendum) are implemented in accordance with Section 13 of this DPA.
The Processor shall ensure that persons authorized to process Company Personal Data are subject to binding confidentiality obligations and receive appropriate data protection training.
The Processor shall limit access to Company Personal Data to those personnel who require such access to perform the Services.
The Processor shall implement appropriate technical and organisational measures as required by Article 32 GDPR. These measures include access controls, encryption, pseudonymisation, and secure deletion.
The Processor shall regularly review and test the effectiveness of such measures and ensure their alignment with industry standards.
For more details, refer to our Privacy Policy.
The Controller authorises the Processor’s engagement of Sub-Processors listed in Annex 3. The Processor will notify the Controller in writing of any new Sub-Processor at least 14 days prior to engagement. The Controller may object to a new Sub-Processor within 7 days, but only for valid data protection reasons. The Processor will ensure that all Sub-Processors comply with this DPA.
Where a Sub-Processor is located outside the UK/EEA, the Processor shall ensure that an appropriate data transfer mechanism (e.g., SCCs or UK Addendum) is in place with the Sub-Processor.
The Processor shall assist the Controller in responding to Data Subject requests (e.g., access, correction, deletion).
If a Data Subject contacts the Processor directly, the Processor will forward the request to the Controller without undue delay.
The Processor shall notify the Controller without undue delay and within 48 hours if it becomes aware of a Personal Data Breach.
The notification will include:
- The nature of the breach;
- Categories and approximate number of affected data subjects;
- Categories and approximate number of affected Personal Data records;
- Likely consequences of the breach;
- Measures taken or proposed to mitigate risks; and
- The name and contact details of the data protection officer or other contact where more information can be obtained.
The Processor shall assist in investigating and mitigating the breach where possible and shall document all Personal Data Breaches, including the facts, effects, and remedial actions taken.
The Processor shall assist the Controller in complying with its obligations under Articles 32 to 36 of the GDPR, including security, data breach notifications, DPIAs, and prior consultations with Supervisory Authorities.
The Processor shall maintain records of processing activities carried out on behalf of the Controller as required by Article 30(2) GDPR and make them available to the Controller upon request.
Upon termination of the Services, the Processor shall delete all Company Personal Data within 30 days, unless required by law to retain it.
At the Controller’s written request before termination or expiry, the Processor shall return a complete copy of all Company Personal Data. The Processor shall confirm deletion or return in writing.
The Controller may audit the Processor once per year, or in case of a Personal Data Breach.
The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and shall allow for and contribute to audits. Such audits shall occur with reasonable notice and during normal business hours, not more than once per 12-month period unless otherwise required by law. The Controller may request evidence of independent third-party certifications as part of its audit rights.
Audits must be pre-scheduled, limited in scope, and must not disrupt business operations.
The Processor may provide certifications or security reports as evidence of compliance.
If Company Personal Data is transferred outside the UK/EEA, it shall be subject to an approved transfer mechanism (e.g., SCCs, UK GDPR Addendum).
Each Party shall be liable for damages caused by its breach of this DPA or Data Protection Laws. The Processor shall indemnify the Controller for any direct losses, costs, or damages arising from the Processor’s non-compliance with this DPA or applicable law.
Neither Party limits or excludes liability for fraud, gross negligence, or breach of its data protection obligations.
This DPA is governed by the laws of England and Wales. Any disputes shall be resolved in English courts.
For any queries regarding this DPA, contact ApprovalMax’s Data Protection Officer:
3rd Floor, 86-90 Paul St, London EC2A 4NE, United Kingdom
Categories of Data Subjects: Customers, authorised users, employees of customers
Categories of Personal Data: Name, email, usernames, passwords, support communications, metadata, usage logs
Nature of Processing: Collection, storage, access, retrieval, transmission, deletion
Purpose of Processing: Provision and improvement of the Services
Duration of Processing: For the term of the Services Agreement or until deletion as required
The Processor implements the following technical and organisational measures (TOMs):
- Access control (role-based, MFA)
- Encryption of data in transit and at rest
- Pseudonymisation and secure data deletion
- Intrusion detection and vulnerability scanning
- Regular penetration testing
- Backup and disaster recovery processes
- Staff training and confidentiality agreements
The latest list of Sub-Processors is available in our Privacy Policy.
The Processor ensures all Sub-Processors are subject to a written agreement reflecting the obligations of this DPA, including appropriate data protection safeguards.