1. Parties and Background

This Data Processing Agreement (DPA) is entered into between the client (the Controller) and Fully Coded Solutions Limited, trading as FullyCoded, of Barn Owl Cottage, Chapel Hill, Ponsanooth, TR3 7ET, United Kingdom (the Processor), company registration number 8649718.

The Controller has engaged the Processor to provide services that involve the processing of personal data on the Controller’s behalf. This DPA sets out the terms on which that processing takes place, as required by Article 28 of the UK General Data Protection Regulation (UK GDPR).

2. Definitions

Personal data: Has the meaning given in UK GDPR.
Processing: Has the meaning given in UK GDPR.
Data subject: An identified or identifiable natural person whose personal data is processed.
Sub-processor: A third party engaged by the Processor to process personal data under this DPA.

3. Scope and Purpose of Processing

The Processor will process personal data only on documented instructions from the Controller, including for transfers of personal data to a third country, unless required to do so by applicable law.

4. Processor Obligations

The Processor agrees to:

  • Process personal data only on documented instructions from the Controller.
  • Ensure that persons authorised to process personal data are bound by appropriate confidentiality obligations.
  • Implement appropriate technical and organisational measures to protect personal data against unauthorised or unlawful processing and accidental loss, destruction or damage.
  • Not engage a sub-processor without prior written consent of the Controller.
  • Assist the Controller in fulfilling its obligations to respond to data subject rights requests.
  • Assist the Controller in ensuring compliance with data security, breach notification, data protection impact assessment and prior consultation obligations.
  • Delete or return all personal data to the Controller on termination of the service agreement, and delete existing copies unless retention is required by law.
  • Make available all information necessary to demonstrate compliance with this DPA and allow for audits and inspections.

5. Sub-Processors

The Processor uses the following sub-processors in the delivery of its services. The Controller provides general written authorisation for the Processor to engage these sub-processors.

  • Amazon Web Services (AWS): cloud hosting and infrastructure. Processing location: EU and UK regions.
  • Cloudflare: content delivery, DDoS protection and web application firewall. Processing location: global CDN, data centres in UK and EU.
  • Intuit (QuickBooks): invoicing and financial records. Processing location: United States (appropriate safeguards in place).
  • Stripe: online payment processing. Processing location: United States and EU (appropriate safeguards in place).

The Processor will notify the Controller of any intended changes to sub-processors, giving the Controller the opportunity to object. Equivalent data protection obligations are imposed on all sub-processors.

6. Data Subject Rights

The Processor will, taking into account the nature of the processing, assist the Controller by appropriate technical and organisational measures to fulfil the Controller’s obligations to respond to requests from data subjects exercising their rights under UK GDPR.

7. Security

The Processor has implemented and maintains appropriate technical and organisational security measures including:

  • ISO 27001 certified hosting infrastructure.
  • Encryption of data in transit using TLS and at rest where appropriate.
  • Access controls limiting data access to authorised personnel only.
  • Regular security monitoring and vulnerability management.
  • Cloudflare WAF providing additional protection against web-based attacks.

8. Personal Data Breaches

The Processor will notify the Controller without undue delay after becoming aware of a personal data breach involving the Controller’s data. The notification will include: the nature of the breach, the categories and approximate numbers of data subjects and records affected, the likely consequences, and the measures taken or proposed to address the breach.

9. Governing Law

This DPA is governed by the laws of England and Wales.

To request a signed DPA for your engagement, contact [email protected].