1. Purpose of this Agreement
The Controller is engaging the Processor to provide client acquisition services, which require the Processor to access, process, or handle customer and lead information stored in the Controller’s CRM system.
This Agreement sets out how personal data must be processed in compliance with UK GDPR and the Data Protection Act 2018.
2. Roles and Responsibilities
The Controller determines the purpose and means of processing personal data.
The Processor processes personal data only on documented instructions from the Controller.
3. Categories of Personal Data
The Processor may access or process the following data within the CRM:
Names
Email addresses
Phone numbers
Company information
Lead notes, deal notes, or communication history
Any other data entered into the CRM by the Controller
No special-category data is expected to be processed.
4. Nature and Purpose of Processing
The Processor will process CRM data only for the following purposes:
Delivering the agreed client acquisition system
Reviewing and improving the Controller’s lead flow
Executing outreach, follow-up, or qualification activities
Providing reporting and performance updates
The Processor will not process data for any other purpose.
5. Confidentiality
The Processor shall:
Treat all CRM data as strictly confidential
Ensure that only authorised personnel have access
Ensure all personnel are bound by confidentiality obligations
6. Security Measures
The Processor will implement appropriate technical and organisational measures, including:
Secure devices with passwords or biometrics
Encrypted storage
Two-factor authentication where available
Access logging and restriction to essential personnel only
7. Sub-Processors
The Processor may use sub-processors (e.g., OpenAI, n8n, Supabase, email providers) only for the purpose of delivering the service.
The Processor will ensure all sub-processors follow GDPR requirements.
A current list of sub-processors will be provided upon request.
8. Data Breach Notification
If a personal data breach occurs, the Processor will notify the Controller without undue delay, providing all relevant information.
9. Data Retention & Deletion
Upon termination of the service:
All CRM access will be removed
Any exported data will be securely deleted within 30 days
No copies will be retained unless required by law
10. International Transfers
Where data is transferred outside the UK or EEA, the Processor will ensure appropriate safeguards (e.g., SCCs or equivalent).
11. Controller Instructions
The Controller may issue written instructions regarding data use.
The Processor will comply unless the instructions conflict with law.
12. Liability
Each party remains responsible for its own compliance with applicable data protection laws.
The Processor’s liability under this Agreement is limited to the extent permitted by law and as outlined in the main Service Agreement.
13. Duration
This Agreement remains in effect for as long as the Processor has access to CRM data.
Socially Enterprise Ltd, trading as DigiSpark | Company Number 13570507 | Copyright 2026 Socially Enterprise Ltd | All rights reserved