| Subject matter | Provision of data extraction, data pipeline, lakehouse/storage, reporting, analytics, AI/Copilot, ERP development, automation, maintenance and related services. |
| Duration | For the term of the Agreement and any period required for deletion, return, backup, legal, audit or dispute purposes. |
| Nature and purpose | Accessing, extracting, replicating, ingesting, transmitting, storing, structuring, transforming, analysing, reporting, visualising, maintaining, supporting and returning Client Personal Data for the purposes of providing the Services. |
| Categories of data subjects | Client employees, contractors, customers, suppliers, users, contacts, prospects and other individuals whose data is contained in the Client systems or datasets. |
| Categories of personal data | Business contact details, account identifiers, transactional data, sales data, CRM data, operational data, finance data, employment or staffing data, usage data and any other personal data included in Client Data. |
| Special category data | Not intended to be processed unless expressly agreed in writing and subject to appropriate safeguards. |
| Frequency | Continuous, periodic or ad hoc depending on the Services and data refresh schedules. |
4. Supplier processor obligations
4.1 The Supplier shall:
a) process Client Personal Data only on documented instructions from the Client, including as set out in the Agreement;
b) ensure that persons authorised to process Client Personal Data are subject to confidentiality obligations;
c) implement appropriate technical and organisational measures designed to protect Client Personal Data;
d) taking into account the nature of processing, assist the Client by appropriate technical and organisational measures, in so far as possible, in responding to data subject rights requests;
e) taking into account the nature of processing and information available to the Supplier, assist the Client with security, breach notification, data protection impact assessments and prior consultation obligations;
f) notify the Client without undue delay after becoming aware of a personal data breach affecting Client Personal Data;
g) at the Client's choice, delete or return Client Personal Data at the end of the Services, unless retention is required by law or permitted for backup, legal, audit, insurance or dispute purposes; and
h) make available reasonable information necessary to demonstrate compliance with this DPA.
5. Client instructions
5.1 The Agreement, Contract Details, Schedule 1, Statement of Work, written communications and reasonable operational instructions constitute the Client's documented instructions.
5.2 The Supplier shall promptly inform the Client if, in its opinion, an instruction infringes Data Protection Laws, unless prohibited by law from doing so.
5.3 The Supplier may suspend processing where continued processing would create a material legal, security or data protection risk.
6. Security measures
6.1 The Supplier shall maintain appropriate technical and organisational measures taking into account the nature, scope, context and purposes of processing and the risk to data subjects.
6.2 Such measures may include, where appropriate: access controls, role-based access, authentication, confidentiality obligations, encryption in transit, secure configuration, logging, restricted access, backup controls, vulnerability management, secure development practices, supplier due diligence and incident response processes.
6.3 The Client remains responsible for the security, configuration, user management, permissions, tenant administration, licences, devices and systems under its own control.
7. Sub-processors
7.1 The Client gives the Supplier general written authorisation to appoint sub-processors for hosting, infrastructure, cloud, software, support, development, security, communications and related services necessary to provide the Services.
7.2 The Supplier shall impose written data protection obligations on sub-processors that are materially equivalent to the obligations in this DPA.
7.3 The Supplier remains responsible to the Client for the performance of its sub-processors' data protection obligations to the extent required by Data Protection Laws.
7.4 The Supplier may update its sub-processors from time to time. The Client may object to a new sub-processor on reasonable data protection grounds by giving written notice within ten Business Days of being informed, where such notice is provided.
8. International transfers
8.1 The Supplier shall not transfer Client Personal Data outside the United Kingdom unless appropriate safeguards are in place in accordance with Data Protection Laws.
8.2 Appropriate safeguards may include an adequacy regulation, the UK International Data Transfer Agreement, the UK Addendum to the EU Standard Contractual Clauses, or another lawful transfer mechanism.
9. Personal data breaches
9.1 The Supplier shall notify the Client without undue delay after becoming aware of a personal data breach affecting Client Personal Data.
9.2 The notification shall, where available, include a description of the breach, affected categories of data and data subjects, likely consequences, measures taken or proposed, and contact details for further information.
9.3 The Supplier shall provide reasonable assistance to the Client in relation to the breach, taking into account the nature of the processing and information available to the Supplier.
10. Data subject rights and assistance
10.1 The Supplier shall promptly notify the Client if it receives a request from a data subject relating to Client Personal Data, unless legally prohibited from doing so.
10.2 The Supplier shall not respond to such request except on the Client's documented instructions or as required by law.
11. Return and deletion
11.1 On termination or expiry of the Services, the Supplier shall, at the Client's choice and subject to payment of applicable fees, return or delete Client Personal Data unless retention is required by law or permitted for legitimate backup, archival, audit, insurance, legal or dispute purposes.
11.2 The Supplier is not required to disclose, transfer or provide access to Supplier code, scripts, connectors, data pipelines, tools, development environments, methodologies or Supplier Materials as part of return or deletion.
12. Audit and information
12.1 The Supplier shall make available reasonable information necessary to demonstrate compliance with this DPA.
12.2 Any audit shall be on reasonable written notice, during normal business hours, no more than once in any 12-month period unless required by a supervisory authority or following a confirmed personal data breach, and shall not unreasonably disrupt the Supplier's business or compromise security or confidentiality owed to other clients.
12.3 The Client shall bear its own audit costs and shall reimburse the Supplier's reasonable costs of supporting any audit unless the audit identifies a material breach by the Supplier.
13. Liability
13.1 Liability under this DPA is subject to the limitations and exclusions in the Agreement, except to the extent such liability cannot be limited or excluded by law.
14. Order of precedence
14.1 In the event of conflict between this DPA and the Website Terms, this DPA shall prevail only in respect of data processing matters. The Contract Details shall prevail in respect of commercial matters unless unlawful under Data Protection Laws.