Data Processing Agreement
Standard contractual terms for when Strontian Ltd processes personal data on behalf of a client.
1. Definitions
Terms used in this DPA have the meanings given in the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
- "Controller" — the client engaging Strontian Ltd, who determines the purposes and means of processing personal data.
- "Processor" — Strontian Ltd, processing personal data on behalf of the Controller.
- "Personal data" — any information relating to an identified or identifiable natural person that the Processor accesses or handles in the course of delivering the services.
- "Services" — the advisory or consulting services described in the applicable SOW or engagement letter.
2. Scope and role of the parties
The Controller engages the Processor to deliver the Services. In the course of delivering the Services, the Processor may access or handle personal data that the Controller provides. The Processor acts solely as a data processor on the Controller's instructions. The Controller remains the data controller and is responsible for the lawfulness of the processing and for providing its own privacy notice to data subjects.
3. Nature and purpose of processing
The Processor will process personal data only:
- As necessary to deliver the Services described in the SOW.
- On the documented instructions of the Controller (including by email).
- As required by applicable law (in which case the Processor will notify the Controller unless prohibited by law).
4. Categories of data and data subjects
The categories of personal data and data subjects depend on the Services. Typically:
- Data subjects: employees, contractors, and system users of the Controller.
- Data categories: names, email addresses, job titles, system usernames, access-rights information, and information about the Controller's IT systems and security posture (which may incidentally contain personal data).
The Controller agrees to provide only the minimum personal data necessary for the Services and to redact or pseudonymise personal data where feasible.
5. Duration
This DPA takes effect on the date the associated SOW or engagement letter is signed and continues until the Processor has deleted or returned all personal data in accordance with section 8.
6. Processor obligations
The Processor agrees to:
- Process personal data only on the Controller's documented instructions.
- Ensure that any person authorised to process personal data is bound by confidentiality obligations.
- Implement appropriate technical and organisational measures to protect personal data (see section 7).
- Assist the Controller in responding to data subject rights requests, where the Controller cannot respond without the Processor's assistance.
- Assist the Controller in meeting its obligations under UK GDPR Articles 32–36 (security, breach notification, DPIAs), taking into account the nature of the processing and the information available to the Processor.
- Notify the Controller without undue delay on becoming aware of a personal data breach.
- Not engage any sub-processor without the Controller's prior written authorisation.
7. Security measures
The Processor maintains the following technical and organisational measures:
- All personal data is stored in access-controlled environments with multi-factor authentication.
- Data in transit is encrypted (TLS 1.2+).
- Data at rest is encrypted where technically feasible.
- Access to personal data is limited to the sole director of Strontian Ltd (Lee Johnson).
- Personal data is segregated by engagement and not used for any purpose other than the specific Services.
- Security incidents are documented and, where they involve personal data, reported to the Controller within 72 hours of discovery.
8. Return or deletion of data
At the Controller's election, on termination of the Services, the Processor will either return all personal data in a commonly used format or securely delete it. The Processor may retain personal data to the extent required by applicable law (e.g., HMRC record-keeping) — any retained data will remain subject to this DPA's confidentiality and security obligations.
9. Sub-processors
The Processor does not currently use sub-processors to deliver advisory Services. If the Processor proposes to engage a sub-processor, it will notify the Controller in advance and obtain written authorisation. The Processor will impose data protection obligations on any sub-processor that are no less protective than those in this DPA.
10. International transfers
The Processor will not transfer personal data outside the UK without the Controller's prior written consent. If a transfer is necessary, the parties will put in place an appropriate transfer mechanism (such as the UK International Data Transfer Agreement or standard contractual clauses).
11. Liability
Each party's liability under this DPA is subject to the limitation of liability provisions in the main engagement agreement (SOW or Terms of Engagement). Nothing in this DPA limits either party's liability for breaches that cannot be limited by law.
12. Governing law
This DPA is governed by the laws of England and Wales and forms part of the engagement agreement between the parties.
13. Execution
This DPA is incorporated by reference into the SOW or engagement letter between the Controller and Strontian Ltd. The Controller acknowledges and accepts this DPA by engaging Strontian Ltd for Services that involve the processing of personal data.
Contact
For questions or to request a countersigned copy of this DPA: info@strontian.ltd