Data Processing Agreement

Data Processing Agreement

Data Processing Agreement

The Despatch Company Ltd is committed to protecting the personal data of the stakeholders in that data and to ensuring its compliance with all relevant legislation. This means ensuring that we help our clients (data controllers or data processors subcontracting processing) to comply with the data protection laws. 


The European Union (EU) General Data Protection Regulation (GDPR), the Data Protection Act 2018 and the UK DPPEC (Data Protection, Privacy and Electronic Communications (EU Exit)) (UK GDPR) Regulations 2019 places obligations on a controller of personal data to ensure the protection of that data when they are processed by a third party i.e. a processor. In forming a controller/processor relationship, the GDPR is quite specific about the fact that a contractual agreement must be in place between the two parties, and that it should specify key items of information about the personal data involved and how it is processed. 


The Client is using The Despatch Company Ltd to subcontract some aspects of their data processing on their behalf or on behalf of their clients. In doing so they require that The Despatch Company Ltd maintain compliance with the relevant data processing laws. This Agreement sets out the information about the processing of personal data. 


Meanings

Words and phrases which have been defined meanings in the GDPR have the same meanings when used in this agreement. Where there is a conflict between UK and EU GDPR the definition which applicable to the home state of the data controller will prevail. 


1. Roles

'controller' means the natural or legal person, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. This is the client (you). 'processor' means a natural or legal person, agency or other body which processes personal data on behalf of the controller. This is The Despatch Company Ltd (Us). 


2. GDPR Controller/Processor Agreement Policy

2.1 Information to be processed. The Data controller will pass on data including Personal Data to the data processor. In this case who will subcontract part of this processing (outlined below) to The Despatch Company Ltd. This is limited to the information required by a courier to deliver an order. This will include Name, Address Line 1, Email Address, Telephone Number, and may include the individual Tax number for export orders to certain countries. 


2.1.1 Subject matter and duration of the processing. The data is required for the processing of orders normally this would mean the transfer of a physical good to a named individual by means of a courier. The provider is therefore not permitted to use the data for any other purpose and cannot retain the data for longer than is contractually agreed. 


2.1.2 Nature and purpose of the processing. The processing of orders for physical items which require delivery through a post or courier network. 


2.1.3 Type of personal data and categories of data subjects. Name, contact details & address of individuals who have placed orders for physical products for delivery. 


2.1.4  AI-Assisted Application Hosting. Where the Client utilises the AI App Builder feature, the processing of Client Personal Data shall include the transmission of data to the Client's designated third-party AI provider via API/MCP, and the subsequent storage and hosting of databases generated by the resulting custom applications, provided such applications are hosted on the Provider's infrastructure. 


2.2  Role Demarcation for Custom Applications. The following applies where the Client uses the AI App Builder to generate applications: 


  • Provider-Hosted Deployments: Where an application generated via the AI App Builder is hosted on the Provider's infrastructure, the Client acts as Data Controller and the Provider acts as Data Processor in respect of the hosting and storage of any Client Personal Data within that application's database. 


  • Client-Hosted Deployments: Where the Client elects to host an application generated via the AI App Builder on their own infrastructure or with a third-party hosting provider, the Provider's role as Data Processor ceases at the point the application code is delivered to the Client. The Provider is not a Data Processor, Sub-Processor, or Joint Controller in respect of any live data processed by a Client-Hosted Deployment. 


3.  Obligations and rights of the controller.

3.1 The controller of the personal data must comply with all obligations under the applicable Data Protection Laws and must therefore require the Customer to recognise and agree to specific terms that set out how they will assist the controller in remaining within the law. These terms are described in the following section. 


4. Obligations of the Processor. 

4.1  Comply with all applicable Data Protection laws, which apply to the Data Controllers whose data we process. 


4.2  Processes the personal data only on documented instructions from the controller (or the data processor as an agent of the data controller). 


4.3  Ensures that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. 


4.4  Take all measures required pursuant to Article 32 of the GDPR (see Note 1). 


4.5  Respect the conditions referred to in paragraphs 2 and 4 of Article 28 of the GDPR for engaging another processor (see Note 2). A list of Sub-Processors will be provided to you in your statement of Work or updated in writing with thirty (30) days priorwritten notice should a change be made. If Processor engages a Sub-Processor for carrying out any Processing activities on behalf of Client, the same data protection obligations as set out in this Data Processing Agreement shall be imposed on that Sub-Processor in a contract which, in particular, provides sufficient guarantees to meet the requirements of this Agreement and applicable laws, including the GDPR and the UK GDPR ("Laws"). Processor shall remain fully liable to Client for the acts and omissions of all of Processor's Sub-Processors.

4.6  Client-Selected AI Models. The Client acknowledges that when using the AI App Builder, the third-party artificial intelligence provider (e.g., Anthropic) is engaged directly by the Client via the Client's own account and API credentials. Such third-party AI providers are not Sub-Processors of the Provider under this Agreement. The Client is solely responsible for establishing a lawful basis and appropriate data processing terms directly with their chosen AI provider. 


4.7  Assists the controller and/or the data processor by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the controller's obligation to respond to requests for exercising the data subject's rights laid down in Chapter III of the GDPR (see Note 3). 


4.8  Assists the controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR (see Note 4) at the choice of the controller, or the data processor acting as an agent of the data controller, deletes or returns all the personal data to the controller after the end of the provision of services relating to processing, and deletes existing copies unless the law which applies to the controller requires storage of the personal data. 


4.9  Makes available to the controller or data processor all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR (see Note 5) and allows for and contributes to audits, including inspections, conducted by the controller or another auditor mandated by the controller. 


4.10  Ensure that no personal data we are responsible for is transferred outside of the United Kingdom and the European Economic Area (EEA) in a manner engaging Chapter V of the UK GDPR or EU GDPR, unless first obtaining written consent from each Data Controller (understanding that such consent may be reasonably withheld) and implementing appropriate safeguards contemplated by Chapter V to protect the rights and freedoms of the affected data subjects. 


4.10.1  Where such a transfer constitutes a Restricted Transfer under the UK GDPR, the parties agree that the appropriate safeguard shall be the UK International Data Transfer Agreement (IDTA) located at https://thedespatchcompany.com/international-data-transfer-agreement. The IDTA shall operate as a supplement to this Data Processing Agreement, applying exclusively to the Restricted Transfer, with the Part 4 Mandatory Clauses applying unamended as issued by the Information Commissioner's Office. 


4.11  Keep an up-to-date Security Incident Response plan, which details how any security incident should be handled, including such matters as data preservation and communication with stakeholders. For the avoidance of doubt, this includes a requirement to alert all Data Controllers as soon as possible and certainly within 24 hours of a breach or suspected breach, of personal data. 


4.12  At the election of the data controller delete or make available for the return of, all the personal data to the controller after the end of the provision of services relating to the processing, and delete existing copies unless the relevant laws require it continued storage, in each case in accordance with the time frames specified in clause 6.2 of the Extended Terms and Conditions. 


4.13  In the event that Processor receives a request from a data subject regarding their personal data, Processor shall forward the request to Client in writing within four (4) business days of the receipt of such request and shall provide all reasonable assistance and cooperation to Client to comply with the request. Further, Processor shall, taking into account the nature of the Processing, reasonably assist Client (insofar as possible) in: (1) ensuring compliance with Client's obligations under Laws in respect of security of Processing, notification of Personal Data Breaches, data protection impact assessments and prior consultation with Supervisory Authorities; and (2) enabling Client to: (i) conduct a defence of any claim or allegation that there has been any unauthorized use, Processing, disclosure or acquisition of or access to any data, and (ii) investigate, prevent, mitigate or rectify any Personal Data Breach, breach of Laws, or breach of this Agreement. Processor shall allow for and contribute to audits, including inspections, conducted by Client, or another auditor mandated by Client. 


4.14  Breach Notification and Process. In the event that there is a Personal Data Breach, Processor shall without undue delay (and in any event within 72 hours of becoming aware of such breach) notify Client of that Personal Data Breach in writing, including: (a) the nature of the Personal Data Breach, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned; (b) the likely consequences of the Personal Data Breach; and (c) the measures which Processor proposes to take to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects. Processor shall take such measures to address the Personal Data Breach or to mitigate its possible adverse effects as Client may from time to time require. Processor shall provide Client with such reasonable cooperation and assistance with managing that Personal Data Breach as Client may reasonably require. Processor shall consult with Client in advance regarding any public statements to be made relating to the Personal Data Breach which directly reference Client. Unless required to do so by law, Processor shall not make any public statement relating to the Personal Data Breach which directly references Client without the prior written consent of Client. 


5. Security Baselines

The following are the Security Baselines for the processing of personal data.


5.1 Data Encryption

The Despatch Company Ltd implements encryption as a core security control across all stages of data processing. All Client Personal Data transmitted between the Client and The Despatch Company Ltd, and between The Despatch Company Ltd and its Sub-processors, is encrypted in transit using Transport Layer Security (TLS) version 1.2 or higher. All databases, storage volumes and backup systems containing Client Personal Data are encrypted at rest using AES-256 encryption or an equivalent industry-standard algorithm. Encryption keys are managed through a formal key management process, with access to keys restricted to authorised personnel only.


5.2 Access Control and Authentication

Access to Client Personal Data is governed by the principle of least privilege. Role-Based Access Control (RBAC) is implemented across all systems, ensuring that personnel are granted only the level of access necessary to perform their specific job functions. All access to systems containing Client Personal Data requires multi-factor authentication (MFA). User access rights are reviewed on a regular basis and are promptly revoked upon any change in role, employment status, or business need. A formal access request and approval process is maintained.


5.3 Physical and Environmental Security

The Despatch Company Ltd processes all Client Personal Data in UK or EEA-based data centres, which meet ISO27001. These facilities are operated with 24/7 physical security monitoring, biometric and card-based access controls, CCTV surveillance, and environmental controls including fire suppression and climate management systems. Access to data centre facilities is restricted to authorised personnel only. The Despatch Company Ltd.'s offices are secured with appropriate physical access controls.


5.4 Network and System Security

The Despatch Company Ltd maintains a layered network security architecture. Firewalls and network segmentation are used to protect systems containing Client Personal Data from unauthorised access. Intrusion Detection and Prevention Systems (IDPS) are deployed to monitor network traffic for malicious activity and to block potential threats. Regular vulnerability assessments and penetration testing are conducted on systems and applications that process Client Personal Data. Security patches and updates are applied in a timely manner in accordance with The Despatch Company Ltd.'s patch management policy.


5.5 Data Minimisation and Secure Deletion

In accordance with clause 4.2 of the Data Processing Agreement, The Despatch Company Ltd processes only the Client Personal Data that is strictly necessary to provide the Hosted Services described in the Statement of Works. Client Personal Data is securely deleted in accordance with the retention periods set out clause 4.11 of the Data Processing Agreement. Secure deletion procedures ensure that data cannot be recovered or reconstructed following deletion.


5.6 Security Incident Management and Breach Notification

The Despatch Company Ltd maintains a Security Incident Response Plan, as required by clause 4.10 of the Data Processing Agreement. This plan details the procedures for identifying, containing, investigating and remediating Security Incidents, including those involving Client Personal Data. In the event of a Personal Data breach or suspected breach, The Despatch Company Ltd will notify the Client as soon as possible and in any event within 24 hours of becoming aware of the incident, in accordance with clause 4.10 of the Data Processing Agreement. Breach notifications will include the information required to allow the Client to meet its own notification obligations under applicable Data Protection Laws.


5.7 Personnel Security and Confidentiality

All personnel employed or engaged by The Despatch Company Ltd who have access to Client Personal Data are subject to contractual confidentiality obligations, in accordance with clause 4.3 of the Data Processing Agreement. The Despatch Company Ltd provides regular data protection and information security training to all relevant personnel. Background checks are conducted on personnel in accordance with applicable law and The Despatch Company Ltd.'s HR policies.


5.8 Sub-processor Management

The Despatch Company Ltd engages Sub-processors only in accordance with clause 4.5 of the Data Processing Agreement and the requirements of Article 28 of the UK GDPR. All Sub-processors are subject to written contracts that impose data protection obligations equivalent to those set out in the Data Processing Agreement and this Fallback Provision. The Despatch Company Ltd remains fully liable to the Client for the performance of Sub-processors' obligations, subject always to the limitations and exclusions of liability set out in Clause 15 of the Extended Terms.


5.9 Business Continuity and Disaster Recovery

The Despatch Company Ltd maintains documented business continuity and disaster recovery plans. Regular backups of Client Personal Data are performed and stored securely. Recovery procedures are tested periodically to ensure that data can be restored within acceptable timeframes. 


5.10 Data Protection by Design and by Default

The Despatch Company Ltd integrates data protection considerations into the design and operation of its Hosted Services. Privacy-enhancing technologies and data minimisation techniques are applied by default. Data protection impact assessments are carried out where processing activities are likely to result in a high risk to the rights and freedoms of Data Subjects.


Notes 

Note 1:  Article 32 – Security of processing requires both controllers and processors to "implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk (to the rights and freedoms of natural persons)". The level of risk may be evaluated from a data protection impact assessment and therefore the extent of security controls required will vary across contracts. These may include the use of encryption, backup systems and other techniques to provide an appropriate level of confidentiality, integrity, availability and resilience of the system that are used to process personal data. 


Note 2:  These conditions dictate that the Customer may not engage another processor (sub-processor) without the prior authorisation of the controller. In cases where another processor is engaged, the sub-processor must be subject to the same contractual terms as described in this policy. 


Note 3:  Chapter III – Rights of the data subject sets out the information that must be provided to the data subject and the types of request they may make to the controller. These include the right to access their personal data, have it erased and object to them being processed. 


Note 4:  Articles 32 to 36 address the areas of security of processing, personal data breaches and data protection impact assessments. 


Note 5:  Article 28 – Processor is the main article that addresses the contractual requirements of the GDPR and is largely the subject of this policy document.