Data Processing Addendum
Last updated: 2025-12-06
1. Parties
This Data Processing Agreement (“DPA”) is between:
- The Company (“Processor”)
- The Customer (“Controller”)
This DPA forms part of the Terms of Service.
2. Purpose
The Processor will process personal data on behalf of the Controller for:
- Website hosting
- Bookings and scheduling
- Staff and client management
- File storage
3. Data Categories
Controller may store:
- Names
- Email addresses
- Phone numbers
- Addresses
- Uploaded images/files
No special category data is intended to be processed.
4. Processing Location
Primary processing:
- eu-west-1 (Ireland)
- eu-west-2 (London)
Supporting processing:
- us-east-1 (Virginia) (AWS services)
- CloudFront global edge network
5. Subprocessors
Processor may use subprocessors listed in the Subprocessor Disclosure.
6. International Transfers
Where data is transferred outside the UK/EU, Processor relies on:
- Standard Contractual Clauses (SCCs)
- UK GDPR Addendum
7. Security Measures
Processor implements:
- Encryption
- Access controls
- Network isolation
- Monitoring and logging
- Backup and recovery
Details in our Security & Data Protection page.
8. Controller Obligations
Controller must:
- Obtain consent for personal data collected
- Comply with applicable laws
- Ensure lawful basis for processing
- Respond to data subjects’ rights
9. Processor Obligations
Processor will:
- Only process data on documented instructions
- Ensure confidentiality
- Notify Controller of breaches
- Assist with Data Subject Rights
- Assist with DPIAs
- Delete or return data on termination
10. Data Breach
Processor will notify Controller without undue delay of breaches involving personal data.
11. Termination
Upon termination:
- Data is deleted within 90 days
- Backups expire automatically within their lifecycle
Contact
privacy@kimshiltd.com