DataShield HQ Start Free Trial

Data Processing Agreement

Effective date: 25 February 2026

This Data Processing Agreement ("DPA") forms part of the Terms of Service between DataShield HQ ("Processor", "we", "us") and the customer organisation ("Controller", "you") that subscribes to the DataShield HQ platform. It sets out the terms under which we process personal data on your behalf in accordance with the EU/UK General Data Protection Regulation (GDPR).

1. Definitions

  • "Personal Data" means any information relating to an identified or identifiable natural person that you upload to or create within the Service.
  • "Processing" means any operation performed on Personal Data, including collection, storage, retrieval, alteration, disclosure, erasure or destruction.
  • "Sub-Processor" means a third party engaged by us to process Personal Data on your behalf.
  • "Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data.
  • "Applicable Data Protection Law" means the GDPR (EU Regulation 2016/679), the UK GDPR and any successor or supplementary legislation.

2. Scope & Roles

You (the Controller) determine the purposes and means of processing Personal Data relating to your data subjects. We (the Processor) process that data solely on your documented instructions and for the purpose of providing the Service.

This DPA applies to all Personal Data processed by us on your behalf, including:

Categories of data subjects Your employees, customers, contacts, end users and other individuals whose data you enter into the platform.
Types of Personal Data Names, email addresses, postal addresses, phone numbers, identification numbers, consent records, request history and any other fields you configure.
Processing activities Storage, retrieval, display, search, export, reporting, anonymisation, deletion.
Duration For the term of the subscription plus 30 days, unless a longer retention period is required by law.

3. Processor Obligations

We shall:

  1. Process Personal Data only on your documented instructions, unless required by law (in which case we will inform you, where legally permitted, before processing).
  2. Ensure that all personnel authorised to process Personal Data are bound by appropriate confidentiality obligations.
  3. Implement and maintain appropriate technical and organisational security measures (see Section 5).
  4. Assist you, at your cost, in responding to data subject requests (access, rectification, erasure, portability, restriction, objection) using the features built into the Service.
  5. Assist you in meeting your obligations under Articles 32–36 GDPR (security, breach notification, DPIAs, prior consultation), taking into account the nature of processing and the information available to us.
  6. At your choice, delete or return all Personal Data upon termination of the Service, and delete existing copies within 30 days, unless storage is required by law.
  7. Make available to you all information necessary to demonstrate compliance with this DPA and allow for audits (see Section 8).

4. Controller Obligations

You shall:

  1. Ensure that your use of the Service and your instructions to us comply with Applicable Data Protection Law.
  2. Have a lawful basis for any Personal Data you upload to the Service.
  3. Promptly notify us if you become aware that any of your processing instructions may violate Applicable Data Protection Law.
  4. Maintain appropriate records of processing activities as required by Article 30 GDPR (the Service provides ROPA functionality to assist with this).

5. Security Measures

We implement appropriate technical and organisational measures to protect Personal Data against unauthorised or unlawful processing and against accidental loss, destruction or damage. These include:

Encryption

  • TLS 1.2+ for data in transit
  • AES-256 for data at rest

Access Control

  • Mandatory 2FA for all accounts
  • Role-based access control
  • JWT + API key authentication

Isolation

  • Per-tenant database isolation
  • Customer-selected data region

Monitoring

  • Immutable audit logging
  • Automated vulnerability scanning
  • Incident response procedures

6. Sub-Processors

You provide general authorisation for us to engage Sub-Processors to assist in delivering the Service. We maintain a list of current Sub-Processors and will notify you by email at least 14 days before adding or replacing a Sub-Processor.

Current Sub-Processors include:

Sub-Processor Purpose Location
Cloud hosting provider Infrastructure & database hosting Customer-selected region
Stripe Payment processing USA (with SCCs)
Transactional email provider System notifications & alerts EU / USA (with SCCs)
Freshdesk Customer support ticketing EU / USA (with SCCs)

If you object to a new Sub-Processor on reasonable grounds related to data protection, you may notify us within 14 days of being informed. We will work with you to find a reasonable solution. If no resolution is possible, you may terminate the affected Service without penalty.

Each Sub-Processor is bound by a written agreement imposing data protection obligations no less protective than those in this DPA.

7. Data Breach Notification

In the event of a Data Breach affecting Personal Data processed on your behalf, we will:

  1. Notify you without undue delay (and in any event within 48 hours) after becoming aware of the breach.
  2. Provide you with sufficient information to enable you to meet your own notification obligations under Articles 33 and 34 GDPR, including:
    • The nature of the breach and, where possible, the categories and approximate number of data subjects and records concerned
    • The likely consequences of the breach
    • The measures taken or proposed to address the breach and mitigate its effects
  3. Cooperate with you and take reasonable steps to assist in the investigation, mitigation and remediation of the breach.

8. Audits

We will make available to you, upon reasonable request (no more than once per year unless a Data Breach or supervisory authority investigation requires otherwise), the information necessary to demonstrate our compliance with this DPA.

You (or an independent auditor appointed by you, subject to reasonable confidentiality obligations) may conduct an audit of our processing activities. Audits must be conducted during normal business hours with at least 30 days' written notice, and must not unreasonably disrupt our operations.

Where we have obtained relevant third-party certifications or audit reports, we may provide those in lieu of an on-site audit, unless specific circumstances require further verification.

9. International Transfers

Personal Data will be stored in the data region you select at account setup. Where processing requires transfer outside the European Economic Area (EEA) or the United Kingdom, we ensure an adequate level of protection through:

  • European Commission adequacy decisions (where applicable)
  • Standard Contractual Clauses (SCCs) approved by the European Commission (Commission Implementing Decision 2021/914)
  • Supplementary technical measures (encryption, pseudonymisation) where required by transfer impact assessments

Enterprise-tier customers may select custom data regions to maintain data sovereignty requirements.

10. Data Retention & Deletion

We will process Personal Data for the duration of the subscription agreement. Upon termination or expiry:

  • You may export your data using the Service's built-in export features (CSV, Excel, PDF) during the 30-day post-termination retention period.
  • After 30 days, we will permanently delete all Personal Data from active systems, unless retention is required by Applicable Data Protection Law.
  • Backup copies will be overwritten in the normal backup rotation cycle (no longer than 90 days post-termination).

11. Data Subject Requests

The Service provides built-in tools for you to manage data subject requests (access, rectification, erasure, portability, restriction and objection). If we receive a data subject request directly, we will promptly redirect the individual to you unless legally prohibited from doing so.

12. Liability

Liability under this DPA is subject to the limitations set out in the Terms of Service. Each party is liable for damage caused by processing that infringes the GDPR to the extent set out in Article 82 GDPR.

13. Term & Termination

This DPA takes effect when you accept the Terms of Service and remains in force for as long as we process Personal Data on your behalf. Provisions that by their nature should survive termination (including Sections 7, 8, 10 and 12) shall survive.

14. Governing Law

This DPA is governed by and construed in accordance with the same governing law as the Terms of Service (laws of England and Wales), without prejudice to the mandatory provisions of Applicable Data Protection Law.

15. Contact

For questions about this DPA or to request the current Sub-Processor list, contact us:

DataShield HQ
Email: dpa@datashieldhq.com
Privacy enquiries: privacy@datashieldhq.com
Support: datashieldhq.freshdesk.com