Data Processing Agreement (DPA)
Between: Data Controller: The Client (hereinafter referred to as the “Controller”) Data Processor: Brand9 (hereinafter referred to as the “Processor”) Effective Date: 01-03-2026.
1. Purpose and Scope
This Data Processing Agreement sets out the terms under which the Processor shall process personal data on behalf of the Controller in connection with the provision of website design, hosting, and related services. This Agreement is supplementary to the main service agreement between the parties and is entered into to ensure compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
The Processor provides website hosting services using server infrastructure leased from Fasthosts, a United Kingdom-based hosting provider. The Processor also performs routine data backup operations using multiple platforms as detailed in this Agreement. This DPA governs all personal data processed by the Processor in the course of delivering these services.
2. Definitions
“Personal Data” means any information relating to an identified or identifiable natural person, as defined under Article 4(1) of the UK GDPR. “Processing” means any operation or set of operations performed on personal data, including but not limited to collection, storage, hosting, backup, retrieval, transmission, and erasure. “Sub-processor” means any third party engaged by the Processor to process personal data on behalf of the Controller. “Data Protection Laws” means the UK GDPR, the Data Protection Act 2018, and any successor or supplementary legislation applicable in the United Kingdom.
3. Data Processing Details
Types of personal data processed: Names, email addresses, IP addresses, contact form submissions, account credentials, and any other personal data submitted by end users through websites hosted by the Processor. Categories of data subjects: Website visitors, registered users, customers, and contacts of the Controller’s website(s). Nature and purpose of processing: The hosting, storage, transmission, display, and backup of personal data as required to operate and maintain the Controller’s website(s). Duration of processing: For the duration of the service agreement between the parties, and for such additional period as is necessary to fulfil backup retention obligations or legal requirements.
4. Obligations of the Processor
The Processor shall:
4.1. Process personal data only on documented instructions from the Controller, unless required to do so by applicable law, in which case the Processor shall inform the Controller of that legal requirement before processing (unless prohibited from doing so by law).
4.2. Ensure that all personnel authorised to process personal data are bound by appropriate obligations of confidentiality.
4.3. Implement and maintain the technical and organisational security measures described in Section 7 of this Agreement.
4.4. Not engage any sub-processor without the prior written consent of the Controller, subject to the provisions of Section 6.
4.5. Assist the Controller, taking into account the nature of processing, in responding to requests from data subjects exercising their rights under Data Protection Laws.
4.6. Assist the Controller in ensuring compliance with obligations relating to security of processing, notification of personal data breaches, data protection impact assessments, and prior consultation with supervisory authorities, taking into account the nature of processing and information available to the Processor.
4.7. At the choice of the Controller, delete or return all personal data to the Controller upon termination of the service agreement, and delete existing copies unless retention is required by applicable law.
4.8. Make available to the Controller all information necessary to demonstrate compliance with the obligations set out in this Agreement, and allow for and contribute to audits and inspections conducted by the Controller or an auditor mandated by the Controller, provided reasonable notice is given.
5. Location of Data Processing and Storage
5.1. Primary hosting infrastructure: All primary website data is stored on a dedicated server leased by the Processor from Fasthosts. Fasthosts is a United Kingdom-based hosting provider, and the server infrastructure is located within the United Kingdom.
5.2. Backup locations: The Processor maintains three concurrent backup copies of all hosted website data, stored in the following locations:
- Server Backup: Stored on the Fasthosts server infrastructure in the United Kingdom.
- Google Drive Backup: Stored on Google’s cloud infrastructure. Google LLC is a US-based company; however, data may be stored in data centres located within the European Economic Area (EEA) or the United States, subject to Google’s data processing terms and applicable transfer safeguards (see Section 8).
- pCloud Backup: Stored on pCloud infrastructure located in Switzerland.
5.3. The Processor shall not transfer personal data to any country or territory outside the United Kingdom without ensuring that adequate safeguards are in place in accordance with Data Protection Laws, as detailed in Section 8.
6. Sub-processors
6.1. The Controller provides general written authorisation for the Processor to engage the following sub-processors:
| Sub-processor | Service Provided | Data Location |
|---|---|---|
| Fasthosts | Server hosting infrastructure | United Kingdom |
| Google LLC (Google Drive) | Cloud backup storage | EEA / United States |
| pCloud AG | Cloud backup storage | Switzerland |
6.2. The Processor shall ensure that each sub-processor is bound by a written contract imposing data protection obligations no less protective than those set out in this Agreement.
6.3. The Processor shall inform the Controller of any intended changes to the list of sub-processors, including the addition or replacement of sub-processors, giving the Controller a minimum of 30 days’ prior written notice to raise objections. If the Controller raises a reasonable objection, the parties shall discuss the matter in good faith. If no resolution can be reached, the Controller may terminate the service agreement without penalty.
6.4. The Processor shall remain fully liable to the Controller for the performance of each sub-processor’s obligations.
7. Technical and Organisational Security Measures
The Processor implements and maintains the following security measures to protect personal data against unauthorised or unlawful processing, accidental loss, destruction, or damage:
7.1. Encryption in Transit All websites hosted by the Processor are secured with SSL/TLS certificates, ensuring that all data transmitted between end users and the hosted websites is encrypted. 7.2. Access Controls Access to the server administration area is protected by two-factor authentication (2FA). Access to all backup platforms (server backup, Google Drive, and pCloud) is also secured with two-factor authentication (2FA). Access is restricted to authorised personnel of the Processor only. 7.3. Backup and Resilience The Processor performs nightly backups of all hosted websites. Each backup cycle produces three independent copies stored across geographically separate locations: the Fasthosts server (United Kingdom), Google Drive, and pCloud (Switzerland). This approach ensures data redundancy and supports timely restoration in the event of data loss or system failure. 7.4. Organisational Measures The Processor maintains appropriate internal policies and procedures to ensure that personnel are aware of their data protection responsibilities. Access to personal data is granted on a need-to-know basis only. 7.5. Incident Management The Processor maintains procedures for detecting, reporting, and investigating personal data breaches. In the event of a breach, the Processor shall comply with the notification obligations in Section 9.
8. International Data Transfers
8.1. Where personal data is transferred outside the United Kingdom, the Processor shall ensure that appropriate safeguards are in place as required by Data Protection Laws.
8.2. Switzerland has been recognised by the UK Government as providing an adequate level of data protection. Accordingly, transfers of personal data to pCloud AG in Switzerland are made on the basis of this adequacy decision.
8.3. Transfers of personal data to Google LLC in the United States are made subject to Google’s Data Processing Amendment and Standard Contractual Clauses (SCCs) as approved for use under UK GDPR, or any successor transfer mechanism recognised as adequate under Data Protection Laws. The Processor shall monitor the ongoing validity of any transfer mechanism relied upon and shall notify the Controller if it becomes aware of any material change affecting the lawfulness of such transfers.
8.4. The Processor shall not transfer personal data to any other country outside the United Kingdom without the prior written consent of the Controller and without ensuring that adequate safeguards are in place.
9. Personal Data Breach Notification
9.1. The Processor shall notify the Controller without undue delay, and in any event within 72 hours of becoming aware of a personal data breach affecting the Controller’s data.
9.2. The notification shall include, to the extent reasonably available, the nature of the breach, the categories and approximate number of data subjects affected, the likely consequences, and the measures taken or proposed to address and mitigate the breach.
9.3. The Processor shall cooperate fully with the Controller in investigating and remediating any breach and shall provide such further information as the Controller may reasonably require.
10. Data Subject Rights
10.1. The Processor shall promptly assist the Controller in responding to any request received from a data subject exercising their rights under Data Protection Laws, including rights of access, rectification, erasure, restriction, portability, and objection.
10.2. If the Processor receives a request directly from a data subject, it shall promptly forward the request to the Controller and shall not respond to the data subject directly unless instructed to do so by the Controller.
11. Audit Rights
11.1. The Controller, or an independent auditor appointed by the Controller, shall have the right to conduct audits and inspections of the Processor’s processing activities and compliance with this Agreement, upon reasonable written notice.
11.2. The Processor shall make available all information reasonably necessary to demonstrate compliance and shall cooperate fully with any such audit or inspection.
12. Term and Termination
12.1. This Agreement shall remain in force for the duration of the service agreement between the parties.
12.2. Upon termination of the service agreement, the Processor shall, at the Controller’s election, either return all personal data to the Controller in a commonly used format or securely delete all personal data, including all backup copies, within 30 days of termination, unless retention is required by applicable law.
12.3. The Processor shall provide written confirmation of deletion upon request.
13. Liability
The liability of each party under this Agreement shall be subject to the limitations and exclusions of liability set out in the main service agreement between the parties.
14. Governing Law and Jurisdiction
This Agreement shall be governed by and construed in accordance with the laws of England and Wales. Any dispute arising under this Agreement shall be subject to the exclusive jurisdiction of the courts of England and Wales.