DATA PROCESSING AGREEMENT (DPA)

Redder Ltd

This Data Processing Agreement (“DPA”) forms part of the agreement between:

(1) Redder Ltd (“Processor”, “we”, “us”)
(2) The Client (“Controller”, “you”)

1. Purpose of this Agreement

1.1 This DPA governs the processing of Personal Data by Redder on behalf of the Client in connection with services provided.

1.2 This DPA ensures compliance with:

  • UK GDPR
  • Data Protection Act 2018

2. Definitions

  • Personal Data: Any information relating to an identifiable individual
  • Processing: Any operation performed on Personal Data
  • Data Subject: The individual to whom the data relates
  • Controller: The party determining purposes and means
  • Processor: The party processing data on behalf of the Controller

3. Roles of the Parties

3.1 The Client is the Data Controller.
3.2 Redder is the Data Processor.

3.3 The Controller is responsible for:

  • Lawful basis for processing
  • Privacy notices
  • Consent (where required)

4. Nature and Purpose of Processing

4.1 Processing may include:

  • Website hosting (WordPress and other CMS platforms)
  • Email hosting services
  • Storage of databases and website content
  • Backup and disaster recovery
  • Logging, monitoring and security
  • Technical support and troubleshooting

4.2 Processing is limited to what is necessary to deliver the services.

5. Categories of Personal Data

May include:

  • Names
  • Email addresses
  • Telephone numbers
  • IP addresses
  • Website form submissions
  • Customer and user data stored in CMS systems

6. Categories of Data Subjects

May include:

  • The Client’s customers
  • Website users
  • Employees or contractors of the Client

7. Processor Obligations

Redder shall:

7.1 Process Personal Data only:

  • On documented instructions from the Client
  • As required to provide services

7.2 Ensure all personnel:

  • Are bound by confidentiality obligations

7.3 Implement appropriate technical and organisational measures (see Clause 10)

7.4 Not:

  • Sell, share or use data for its own purposes
  • Process data beyond agreed scope

8. Security Measures

8.1 Redder shall implement appropriate security measures, including:

  • Secure UK-based hosting infrastructure
  • Firewalls and server security controls
  • Access controls and authentication
  • Monitoring and logging
  • Regular software updates and patching
  • Backup systems stored in a separate data centre

8.2 While we follow best practices, no system is completely secure.

9. Sub-Processors

9.1 Redder may engage sub-processors, including:

  • Data centre providers
  • Infrastructure providers
  • Email service infrastructure

9.2 Redder shall:

  • Ensure sub-processors are subject to equivalent data protection obligations
  • Remain responsible for their actions

9.3 A list of sub-processors is available on request.

10. International Transfers

10.1 Data is primarily hosted in the UK.

10.2 If data is transferred outside the UK:

  • Appropriate safeguards will be used (e.g. UK IDTA or equivalent)

11. Data Subject Rights

11.1 The Client is responsible for responding to data subject requests.

11.2 Redder shall assist where reasonably possible with:

  • Access requests
  • Rectification
  • Erasure
  • Data portability

11.3 Assistance may be chargeable where significant work is required.

12. Personal Data Breaches

12.1 Redder shall notify the Client without undue delay upon becoming aware of a personal data breach.

12.2 Notification will include (where available):

  • Nature of the breach
  • Likely consequences
  • Steps taken or proposed

13. Data Retention & Deletion

13.1 Upon termination of services:

  • Data will be returned or deleted where reasonably possible

13.2 Exception:

  • Backup systems may retain data for a limited period
  • These backups:
    • Are not actively processed
    • Are only used for disaster recovery

13.3 It is not technically feasible to selectively remove individual records from backup archives.

14. Audit Rights

14.1 The Client may request information demonstrating compliance.

14.2 Formal audits:

  • Must be reasonable
  • Require prior notice
  • May be chargeable

15. Assistance to the Controller

Redder will assist, where reasonable, with:

  • Data protection impact assessments (DPIAs)
  • Security consultations
  • Regulatory enquiries

16. Liability

16.1 Each party is responsible for its own compliance with data protection laws.

16.2 Redder’s liability is subject to the limitation of liability in the main Terms.

17. Confidentiality

All Personal Data processed under this agreement shall be treated as confidential.

18. Duration

This DPA remains in force for the duration of the services and until all Personal Data is deleted or returned.

19. Governing Law

This DPA is governed by the laws of England and Wales.

Registered Office Address:

Redder Ltd, Carlton House, Maundrell Road, Calne, Wiltshire, SN11 9PU