Data Processing Agreement

Effective date: 2026-02-01·Last updated: 2026-02-01

Quick summary

This Data Processing Agreement ("DPA") forms part of the Terms of Service between you (the Controller) and C-Carpenter Ltd (the Processor). It covers our processing of personal data on your behalf, under the GDPR, UK-GDPR and other equivalent laws.

1. Definitions

Terms in this DPA have the meaning given in the GDPR (Regulation 2016/679) and the UK GDPR. "Controller", "Processor", "Data Subject", "Personal Data" and "Processing" carry their meanings under those laws.

2. Subject Matter & Duration

We process personal data only to provide the Service to you, for the duration of your subscription, plus the retention periods set out in our Privacy Policy.

3. Nature, Purpose & Categories

  • Categories of data subjects: your end-clients, employees, contractors and other natural persons whose data you choose to upload.
  • Categories of personal data: contact details (name, email, phone), addresses, project information, billing details (excluding card numbers).
  • Purpose: providing quoting, invoicing and project-management functionality.

4. Processor Obligations

As Processor, we will:

  • Process personal data only on documented instructions from the Controller (your use of the Service constitutes such instructions).
  • Ensure that persons authorized to process the data are subject to confidentiality obligations.
  • Implement appropriate technical and organizational measures (Article 32 GDPR).
  • Assist you, taking into account the nature of processing, to respond to data subject requests and to comply with Articles 32–36 GDPR.
  • Notify you without undue delay (and in any case within 72 hours) after becoming aware of a personal data breach.
  • Delete or return all personal data at the end of the provision of the Service, unless retention is required by law.
  • Make available all information necessary to demonstrate compliance and allow audits where reasonably required.

5. Sub-processors

You authorize us to engage the sub-processors listed in our Privacy Policy. We will impose data-protection obligations on them substantially the same as those in this DPA and remain liable to you for their compliance.

6. International Data Transfers

Where personal data is transferred outside the EEA or the UK, we rely on the EU Standard Contractual Clauses (Module 2 / 3 as applicable) and the UK International Data Transfer Addendum, both of which are deemed incorporated into this DPA by reference.

7. Audits

Once per year and on reasonable written notice, you may request a summary of our security audits (e.g. SOC 2-equivalent self-assessment). For on-site audits, you agree to bear the reasonable costs and to coordinate to minimize disruption.

8. Governing law

This DPA is governed by the laws of United Kingdom. In case of conflict with the Terms of Service, the DPA prevails for data-protection matters.

Questions about this document? info@c-carpenter.org

Made with Emergent