
Free Data Processing Agreement Template

A data processing agreement sets out the terms under which a data processor handles personal data on behalf of a data controller. Use our free UK template to create a compliant agreement that meets the mandatory requirements of UK GDPR Article 28.

Free to use · Instant PDF · No account required

PDF (free) + editable Word (.docx) with Expert

DATA PROCESSING AGREEMENT
United Kingdom  ·  UK GDPR Article 28  ·  DPA 2018 and DUA Act 2025  ·  England and Wales
DATA CONTROLLER
Acme Holdings Ltd
10 Downing Street, London, SW1A 2AA
Co. No. 12345678
ICO Reg. ZA123456
By: Jane Smith, DPO, dpo@acmeholdings.co.uk
DATA PROCESSOR
CloudSync Services Ltd
42 Tech Park, Manchester, M1 4BT
Co. No. 87654321
ICO Reg. ZB654321
By: Tom Brown, Head of Compliance, compliance@cloudsync.co.uk
Effective Date: 2026-04-01
England and Wales law applies
This Data Processing Agreement ("Agreement") is entered into as of 2026-04-01 by and between Acme Holdings Ltd ("Controller") and CloudSync Services Ltd ("Processor"), pursuant to Article 28 of the UK General Data Protection Regulation ("UK GDPR") and the Data Protection Act 2018 (as amended by the Data (Use and Access) Act 2025). The parties agree as follows:
1. DEFINITIONS AND INTERPRETATION
In this Agreement, unless the context otherwise requires:

"UK GDPR" means the General Data Protection Regulation as it forms part of domestic law by virtue of section 3 of the European Union (Withdrawal) Act 2018, as amended.

"Data Protection Act 2018" or "DPA 2018" means the Data Protection Act 2018 (as amended, including by the Data (Use and Access) Act 2025).

"Controller", "Processor", "Data Subject", "Personal Data", "Personal Data Breach", "Processing" and "Sub-processor" have the meanings given to them in UK GDPR.

"ICO" means the Information Commissioner's Office, the UK supervisory authority for data protection.
2. SCOPE AND PURPOSE OF PROCESSING
Subject matter and purpose: The Processor shall process personal data on behalf of the Controller for the purpose of providing cloud-hosted CRM services, including data storage, retrieval, analytics and AI-assisted lead scoring.

Duration: For the term of the main services agreement between the parties

Types of personal data: Names; Email addresses; Phone numbers; Financial data

Categories of data subjects: Customers and clients; Employees and staff
3. CORE PROCESSOR OBLIGATIONS
Instructions: The Processor shall process personal data only on documented instructions from the Controller, including with regard to transfers of personal data to a third country, unless required to do so by United Kingdom law. In such a case, the Processor shall inform the Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.

Confidentiality: The Processor shall ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

Security: The Processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of processing, in accordance with Article 32 UK GDPR.

Assistance with rights: The Processor shall assist the Controller in responding to data subject access requests and other rights under Articles 15-22 UK GDPR, and shall respond to ICO consultations.
4. TECHNICAL AND ORGANISATIONAL SECURITY MEASURES
The Processor confirms that it has implemented and maintains the following technical and organisational security measures in accordance with Article 32 UK GDPR:

Encryption of personal data at rest and in transit (AES-256 or equivalent)
Role-based access controls and least-privilege access
Regular backup and recovery testing aligned to RTO / RPO targets
Multi-factor authentication for all administrative system access
Comprehensive audit logging and security monitoring (SIEM)
Annual penetration testing by qualified third parties (CREST or equivalent)

Data Protection Contact (Processor): Sarah Jones, Data Protection Officer

The Processor shall conduct regular reviews of these measures and shall update them in response to evolving risks, including those identified by the National Cyber Security Centre (NCSC) and emerging ICO guidance.
5. DPIA AND PRIOR-CONSULTATION ASSISTANCE
The Processor shall, taking into account the nature of processing and the information available to it, assist the Controller in ensuring compliance with the obligations in Articles 32 to 36 UK GDPR. In particular, the Processor shall:

(a) provide the Controller with the information reasonably necessary for the Controller to carry out a Data Protection Impact Assessment under Article 35 UK GDPR (and the ICO Guidance on DPIAs) prior to any processing likely to result in a high risk to the rights and freedoms of natural persons;
(b) co-operate in any prior consultation with the ICO under Article 36 UK GDPR where the DPIA indicates that processing would result in a high risk in the absence of measures taken by the Controller to mitigate the risk; and
(c) maintain its own Article 30(2) record of all categories of processing carried out on behalf of the Controller, in writing (or electronic form), and make it available to the ICO on request.
6. ARTIFICIAL INTELLIGENCE AND AUTOMATED PROCESSING
Where the Processor uses artificial-intelligence ("AI"), machine-learning or automated profiling tools to process the Controller's personal data, the Processor shall:

(a) notify the Controller in writing of the introduction of any new AI-based processing affecting Controller personal data, providing the information necessary for the Controller to comply with its transparency obligations under Articles 13(2)(f), 14(2)(g) and 15(1)(h) UK GDPR;
(b) not undertake any processing constituting a "decision based solely on automated processing" with legal or similarly significant effects under Article 22 UK GDPR on behalf of the Controller, without the Controller's prior written instruction and confirmation of an Article 22(2) basis;
(c) assist the Controller in carrying out a Data Protection Impact Assessment under Article 35 UK GDPR for any high-risk AI processing;
(d) not use the Controller's personal data to train or improve any AI model offered to third parties without the Controller's prior written consent; and
(e) ensure that any AI tools used comply with the ICO's Guidance on AI and data protection and any applicable UK AI regulatory framework as it evolves.
7. BREACH NOTIFICATION AND SUB-PROCESSORS
Breach notification (Article 33). The Processor shall notify the Controller of any Personal Data Breach within the meaning of Article 4(12) UK GDPR without undue delay and in any event within 48 hours of becoming aware of the breach. The notification shall include: (a) the nature of the breach, including where possible the categories and approximate number of data subjects and records concerned; (b) the likely consequences; (c) measures taken or proposed to address the breach and to mitigate its effects; and (d) the name and contact details of the Processor's data protection contact. The Processor shall co-operate with the Controller in any onward notification by the Controller to the ICO under Article 33 UK GDPR (within 72 hours where feasible) and (if applicable) to data subjects under Article 34 UK GDPR (where the breach is likely to result in a high risk to their rights and freedoms). The Processor shall maintain an internal record of all Personal Data Breaches in accordance with Article 33(5) UK GDPR.

Sub-processors. The Controller grants general written authorisation for the Processor to engage sub-processors. The Processor shall inform the Controller of any intended changes concerning the addition or replacement of sub-processors, giving the Controller at least 14 days written notice. The Controller may object to such changes on reasonable grounds within the notice period. Sub-processors must be bound by equivalent data protection obligations to those set out in this Agreement.
8. INTERNATIONAL TRANSFERS
Transfers to the United States shall be made under the UK Extension to the EU-US Data Privacy Framework (the "UK-US Data Bridge"), in force from 12 October 2023, where the recipient is certified under the EU-US Data Privacy Framework with the UK Extension. Transfers to all other third countries shall be made under the International Data Transfer Agreement (IDTA) or the UK Addendum to the EU SCCs.

Countries / regions of transfer: United States (AWS US-East-1 region), Ireland (failover).
9. AUDIT RIGHTS
The Processor shall provide the Controller with copies of relevant third-party audit reports (such as SOC 2 Type II or ISO/IEC 27001:2022 certificates) annually. In addition, the Controller retains the right to conduct its own audits and inspections, on at least 10 business days written notice, where the Controller reasonably considers that the third-party reports are insufficient to demonstrate compliance.
10. DATA RETURN, DELETION AND TERMINATION ASSISTANCE
On termination or expiry of this Agreement, the Processor shall first return all personal data to the Controller in a commonly used, machine-readable format (CSV, JSON or other agreed format), and shall thereafter securely delete all copies of the personal data and provide written certification of destruction. The Processor shall complete any return or deletion within 60 days of termination or expiry of this Agreement.

Termination Assistance. The Processor shall provide reasonable assistance to the Controller (or its nominated replacement processor) for a transition period not exceeding three (3) months following termination or expiry, at the Processor's then-current reasonable rates. Such assistance shall include: (i) machine-readable export of all Controller personal data and configuration; (ii) knowledge transfer and reasonable documentation; and (iii) reasonable access to logs necessary to verify completion of return / deletion. The Processor shall not condition the return or deletion of Controller personal data on payment of any disputed sum, and any genuine fee disputes shall be resolved without prejudice to the Controller's right to its data.
11. GOVERNING LAW AND JURISDICTION
This Agreement and any dispute or claim arising out of or in connection with it shall be governed by and construed in accordance with the law of England and Wales.

The parties irrevocably submit to the exclusive jurisdiction of the courts of England and Wales.

This Agreement is supplemental to and does not replace or supersede the main services agreement. In the event of any conflict with respect to data protection matters, this Agreement shall prevail.

If any provision of this Agreement is held to be invalid or unenforceable, the remaining provisions shall continue in full force and effect.
IN WITNESS WHEREOF, the parties have executed this Agreement as of the date indicated.
DATA CONTROLLER
Jane Smith, DPO
dpo@acmeholdings.co.uk
Acme Holdings Ltd
Date: ____________________
DATA PROCESSOR
Tom Brown, Head of Compliance
compliance@cloudsync.co.uk
CloudSync Services Ltd
Date: ____________________

Available as a print-ready PDF or an editable Microsoft Word (.docx) file.

What Is a Data Processing Agreement?

A data processing agreement (DPA) is a legally binding contract between a data controller and a data processor that governs the processing of personal data. It is a mandatory requirement under Article 28 of the UK GDPR whenever a controller engages a third party to process personal data on its behalf.

The agreement must set out the subject matter and duration of the processing, the nature and purpose of the processing, the types of personal data and categories of data subjects, and the obligations and rights of the controller. It ensures that processors handle data only on documented instructions from the controller.

Common UK scenarios requiring a DPA include outsourcing payroll processing to British providers, using cloud storage providers, engaging marketing agencies that access customer data, or appointing IT support companies with access to employee records in England and Wales.

What's Covered in This Template

Our data processing agreement template includes all mandatory Article 28 provisions and practical supplementary terms.

Parties and Definitions

Identification of the controller and processor, with clear definitions of key terms used throughout the agreement.

Scope of Processing

Subject matter, duration, nature and purpose of the processing, types of personal data and categories of data subjects.

Controller Instructions

Obligation for the processor to act only on documented instructions from the controller, including for international transfers.

Confidentiality Obligations

Requirements for the processor to ensure that persons authorised to process data are bound by confidentiality obligations.

Security Measures

Technical and organisational measures the processor must implement to protect personal data under Article 32.

Sub-Processing

Conditions for engaging sub-processors, including prior authorisation, contractual requirements and liability.

Data Subject Rights

Obligations to assist the controller in responding to data subject access requests and other rights.

Breach Notification

Requirements for the processor to notify the controller of personal data breaches without undue delay.

International Transfers

Safeguards for transferring personal data outside the UK, including Standard Contractual Clauses or adequacy decisions.

Audit Rights

The controller’s right to conduct audits and inspections of the processor’s data processing activities.

How to Create a Data Processing Agreement

Follow these steps to create a comprehensive and compliant data processing agreement.

  1. Identify the Parties and Processing

     Specify the controller and processor, and describe exactly what personal data will be processed, for what purposes and for how long.

  2. Set Out Processor Obligations

     Include all mandatory Article 28 obligations: acting on instructions, ensuring confidentiality, implementing security measures and assisting with data subject rights.

  3. Address Sub-Processing

     State whether sub-processors are permitted, the authorisation process and the requirement for equivalent contractual protections.

  4. Include Security and Breach Terms

     Specify the technical and organisational security measures required and the process for notifying the controller of any data breaches.

  5. Review and Execute

     Both parties should review the agreement, ensure it accurately reflects the processing relationship and sign it before any processing begins.

Why Doxuno documents are different

Four things that make our templates more thorough than AI-generated drafts and more current than static template libraries.

Accurate

Country-specific legal content

Drafted with legal expertise for each jurisdiction, far more thorough than AI-generated drafts that copy generic clauses across borders.

Always current

Always current with the law

Templates carrying statute references are continuously updated as the law changes. Your document always reflects the current legal framework.

Free PDF

Print-ready PDF

Free to download. Vector text, embedded fonts, statute citations baked in. Print, sign, file. Ready for any signing flow including electronic signature.

Word · .docx

Editable Word (.docx)

Continue editing in Word after download. Add custom clauses, reuse the template for similar agreements, or share with a colleague for collaborative review.

Requires Expert one-time unlock or any paid Doxuno subscription.

Legal Considerations

A data processing agreement must meet specific legal requirements to be compliant with the UK GDPR.

This template is for informational purposes only and does not constitute legal advice. Consult a qualified solicitor for advice specific to your situation.

Reviewed for England & Wales law

Mandatory Article 28 Content

Article 28(3) of the UK GDPR prescribes specific content that must be included in every UK data processing agreement. These mandatory clauses cover instructions, confidentiality, security, sub-processing, data subject rights assistance, breach notification, deletion or return of data, and audit rights — all of which are binding on British processors under English law.

Processor Liability

Under Article 82 of the UK GDPR, a processor may be directly liable to data subjects for damage caused by processing that infringes UK data protection law. The processor is liable for the full extent of the damage unless it can prove that it is not responsible for the event giving rise to the damage.

International Transfers

If the processor is located outside the UK or uses sub-processors in third countries, appropriate safeguards must be in place. The UK has its own adequacy regulations and International Data Transfer Agreement (IDTA) which replaced EU Standard Contractual Clauses for UK transfers.

Record-Keeping

Both controllers and processors are required to maintain records of processing activities under Article 30 of the UK GDPR. The data processing agreement should be retained as part of these records and made available to the ICO on request.

Create Your Data Processing Agreement Now

Ensure your data processing relationships are compliant and clearly documented. Fill in the details, preview your agreement and download it as a PDF in minutes.

Free PDF · Editable Word with Expert · No account required