Data Processing Addendum (DPA)
Last updated: 9th December 2025
Between: Customer (the Controller) and KEW DATA CONSULTANTS LTD (trading as KEWData / kewdata.ai) of 60 Garden Road, Richmond, England, TW9 4NR, company number 15188400 (the Processor).
Contacts
Processor privacy/DPA contact: privacy@kewdata.ai · General: contact@kewdata.ai · Phone: +44 3333 395 993.
Effective date: the date the Customer accepts the online Terms & Conditions or signs an Order (the Master Agreement).
Term: coterminous with the Master Agreement.
This DPA forms part of and is incorporated into the Master Agreement. Capitalised terms have the meanings in this DPA or the Master Agreement. This DPA is designed to meet UK GDPR/EU GDPR Article 28 requirements and comparable global standards.
1) Definitions
Applicable Data Protection Law: all laws and regulations applicable to the Processing under this DPA, including UK GDPR, EU GDPR (if applicable), the Data Protection Act 2018, and any implementing laws.
Customer Personal Data: Personal Data processed by Processor on behalf of Customer under the Services.
Subprocessor: any subcontractor engaged by Processor that Processes Customer Personal Data.
SCCs: the EU Commission Standard Contractual Clauses (Implementing Decision (EU) 2021/914, Module 2: controller to processor) and, for UK transfers, the ICO International Data Transfer Addendum to the EU SCCs (UK Addendum) or the UK International Data Transfer Agreement (UK IDTA), as relevant.
2) Roles & processing instructions
2.1 Roles. Customer is Controller; KEW DATA CONSULTANTS LTD is Processor.
2.2 Instructions. Processor will Process Customer Personal Data only on documented instructions from Customer, including as set out in Annex I and the Master Agreement. Processor shall promptly inform Customer if, in its opinion, an instruction infringes Applicable Data Protection Law.
2.3 Purpose limitation. Processor shall not Process for any other purpose and shall not sell or share Personal Data for cross-context behavioural advertising.
3) Confidentiality
Processor ensures persons authorised to Process Customer Personal Data are bound by confidentiality obligations and receive appropriate training.
4) Security
Processor implements and maintains appropriate technical and organisational measures (TOMs) as described in Annex II, taking into account the state of the art, the costs of implementation, and the risks to data subjects presented by the Processing.
5) Subprocessors
5.1 Authorisation. Customer provides a general authorisation for Processor to engage Subprocessors. Processor remains responsible for their performance.
5.2 List and updates. Initial Subprocessors are listed in Annex III. Processor will notify Customer of any intended addition or replacement and give Customer the opportunity to object on reasonable grounds within 10 days of the notice.
5.3 Flow-down. Processor will impose data protection terms on Subprocessors no less protective than this DPA.
6) International transfers
Where Customer Personal Data is transferred outside the UK/EEA, Processor will ensure an adequate safeguard, including SCCs with the UK Addendum (or UK IDTA) and any required transfer risk assessment and supplementary measures.
7) Assistance to Customer
Data subject rights. Processor will assist Customer by appropriate technical and organisational measures in responding to requests (access, deletion, etc.).
Impact assessments & consultation. Processor will provide information reasonably required for DPIAs and consultations with supervisory authorities relating to the Services.
8) Personal data breach
Processor will notify Customer without undue delay, and in any event within 48 hours, after becoming aware of a Personal Data Breach affecting Customer Personal Data, and will provide regular updates until the breach is contained and remediated.
9) Audit & compliance
Upon written notice, no more than once per 12 months (unless required by a regulator or following a Personal Data Breach), Customer may audit Processor’s compliance with this DPA, including by reviewing independent third-party reports (e.g., summaries of security controls). On-site audits are subject to reasonable scheduling, confidentiality and safety measures.
10) Return & deletion
Upon termination or expiry, Processor will delete Customer Personal Data (and procure its deletion by Subprocessors) within 30 days. If Customer requests a return, Processor will make the data available in a commonly used format within 30 days and then delete it. Copies held in backups are securely overwritten in the normal backup retention cycle and in any event within 90 days.
11) Records; cooperation with authorities
Processor maintains records of processing activities (Article 30(2) UK/EU GDPR) and will cooperate with competent supervisory authorities on request.
12) Liability & indemnity
Each party’s liability under this DPA is governed by the limitation and exclusions in the Master Agreement. Nothing limits liability where not permitted by law.
13) Order of precedence
If there is a conflict between this DPA and the Master Agreement, this DPA prevails for Processing of Customer Personal Data. If there is a conflict between this DPA and the SCCs/UK Addendum, the SCCs/UK Addendum prevail.
14) Governing law and jurisdiction
This DPA follows the governing law and courts stated in the Master Agreement, except that the SCCs/UK Addendum specify their own governing law as required.
Annex I – Description of Processing
Subject matter: Provision of advisory subscriptions (e.g., vDPO/vCISO) and related deliverables.
Duration: For the Term of the Master Agreement.
Nature & purpose: Accessing, storing, and using Customer Personal Data to provide advice, manage meetings, prepare documents (e.g., policies/DPIAs), and communicate about the Services.
Categories of data subjects: Customer employees/contractors; vendors; (optionally) Customer’s end users or clients where necessary.
Categories of personal data: Business contact details, account identifiers, meeting metadata, project artifacts, and any other data supplied by Customer.
Special category data: Not intended; may be Processed only if explicitly instructed and safeguards are applied.
Frequency: Continuous and as needed.
Data retention: As per the Master Agreement and Section 10 of this DPA.
Annex II – Technical & Organisational Measures (TOMs)
Governance & access: role-based access; least privilege; onboarding/offboarding; quarterly access reviews.
Identity & auth: SSO/MFA for admin systems; password manager; device policies (full-disk encryption, screen lock).
Data protection: TLS 1.2+ in transit; encryption at rest; segregation of Customer workspaces; change control.
Monitoring & logging: event logging; alerting for suspicious activity.
Development & handling: no production data in test by default; secure file transfer.
Resilience: backups; continuity plan; SLAs.
Supplier risk: due diligence on Subprocessors; SCCs/UK Addendum; transfer risk assessments.
People & training: annual security and privacy training.
Incident response: escalation matrix; breach notification within 48 hours (Section 8).
Physical security: provider-managed datacentres; device security.
Annex III – Subprocessors
Initial list based on publicly available information on kewdata.ai. Processor will update this list and notify Customer within 10 days of any change (see Section 5.2).
| Subprocessor | Purpose | Data types | Location | Transfer safeguard |
|---|---|---|---|---|
| Calendly, LLC | Meeting scheduling | Names, work email, meeting metadata | US/EU | SCCs + UK Addendum |
| Hostinger (website hosting/CDN) | Hosting marketing site and forms | Lead contact details | UK/EU/Global | As applicable |
| Microsoft 365 (email service provider) | Business communications | Business contact details, support emails | UK/EU or US | As applicable |
| Video conferencing provider (Teams/Zoom/Google Meet) | Calls/workshops | Names, email, call metadata | Regional | As applicable |
Annex IV – Cross-border transfer terms
Where Processor or a Subprocessor is located outside the UK/EEA and no adequacy decision applies, the parties will rely on:
EU SCCs (2021/914, Module 2), with the optional docking clause enabled; and
for UK data, the ICO Addendum to the EU SCCs (or the UK IDTA, if preferred).
Supplementary measures (encryption, access controls, transparency commitments) will be applied as needed following a transfer risk assessment.
Acceptance
This DPA is accepted by the parties upon acceptance of the Master Agreement or execution of an Order that incorporates it. This DPA is an electronic agreement and does not require separate handwritten signatures; electronic acceptance of the Master Agreement or Order (including click-through) constitutes execution and a binding contract.