This Data Processing Agreement ("DPA") forms part of the contract between Cultrix and you (the "Customer") where Cultrix processes personal data on your behalf in the course of providing services.

It applies whenever we act as a data processor (or sub-processor) under UK data protection law, for example when we manage your Microsoft 365 tenant, backups, monitoring tools or other hosted services.

1. Roles and scope

For the purposes of this DPA:

  • you are the data controller for the personal data processed under your instructions; and
  • Cultrix acts as your data processor in relation to that data.

The nature and purpose of processing, types of personal data and categories of data subjects depend on the services you have ordered and are described in your Order and related service descriptions.

2. Processing on documented instructions

We will only process personal data on your documented instructions, unless we are required to do otherwise by law. In that case we will, where legally permitted, let you know before acting.

Your instructions include:

  • the terms of our contract and this DPA;
  • your use and configuration of the services we provide;
  • reasonable written instructions you give us from time to time.

3. Confidentiality

We ensure that anyone at Cultrix who has access to your personal data:

  • is subject to an appropriate duty of confidentiality; and
  • only accesses the data where it is necessary to perform their role.

4. Security of processing

We implement appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access. These measures are described in our security and IT service documentation and may include:

  • access controls and authentication;
  • encryption in transit and at rest where appropriate;
  • network and endpoint security tools;
  • backup and recovery processes;
  • logging and monitoring;
  • staff training and awareness.

We review and update our measures periodically to reflect changes in risk, technology and best practice.

5. Sub-processors

We use a small number of trusted sub-processors to help us deliver services (for example hosting providers, backup platforms and security tools). Details of key third parties are set out in our GDPR pages.

Where we engage a sub-processor to process personal data on your behalf, we will:

  • impose data protection obligations on them that are no less protective than those in this DPA; and
  • remain responsible to you for their performance in relation to the processing they carry out for us.

6. International transfers

Where personal data is transferred outside the UK or European Economic Area by us or our sub-processors, we will ensure that appropriate safeguards are in place, such as:

  • an adequacy decision by the UK government; or
  • standard contractual clauses or equivalent transfer mechanisms.

7. Assistance with data subject rights and compliance

Taking into account the nature of the processing and the information available to us, we will reasonably assist you in:

  • responding to requests from data subjects to exercise their rights; and
  • meeting your obligations relating to security, personal data breaches and data protection impact assessments.

Where such assistance is substantial or falls outside the scope of the contracted services, we may agree a reasonable fee with you before proceeding.

8. Personal data breaches

If we become aware of a personal data breach affecting personal data we process on your behalf, we will:

  • notify you without undue delay; and
  • provide information reasonably required to help you meet your obligations, as far as that information is known to us.

You are responsible for assessing the impact of any breach on data subjects and for making any required notifications to regulators or individuals, unless we have expressly agreed otherwise in writing.

9. Return and deletion of data

At the end of the provision of services relating to processing, we will, at your choice and where technically practicable:

  • return personal data to you; or
  • delete or anonymise the personal data we hold on your behalf.

We may keep copies of personal data where required to do so by law, or in backup systems for a limited period in line with our backup policies. Any such data will remain protected and will not be used for any other purpose.

10. Audit and information

We will make available to you, on request, information reasonably necessary to demonstrate our compliance with this DPA. Where appropriate, this may include sharing summaries of audits or certifications.

Formal audits or inspections at our premises will only take place:

  • where required by law; or
  • where agreed in advance between us, subject to reasonable notice, scope and cost arrangements.

11. Other terms

If there is any conflict between this DPA and the rest of our contract in relation to data protection, this DPA will take precedence to the extent of the conflict.

Nothing in this DPA reduces your or our obligations under applicable data protection law.