Data Processing Agreement
Effective date: 2026-02-01·Last updated: 2026-02-01
Table of Contents
Quick summary
1. Definitions
Terms in this DPA have the meaning given in the GDPR (Regulation 2016/679) and the UK GDPR. "Controller", "Processor", "Data Subject", "Personal Data" and "Processing" carry their meanings under those laws.
2. Subject Matter & Duration
We process personal data only to provide the Service to you, for the duration of your subscription, plus the retention periods set out in our Privacy Policy.
3. Nature, Purpose & Categories
- Categories of data subjects: your end-clients, employees, contractors and other natural persons whose data you choose to upload.
- Categories of personal data: contact details (name, email, phone), addresses, project information, billing details (excluding card numbers).
- Purpose: providing quoting, invoicing and project-management functionality.
4. Processor Obligations
As Processor, we will:
- Process personal data only on documented instructions from the Controller (your use of the Service constitutes such instructions).
- Ensure that persons authorized to process the data are subject to confidentiality obligations.
- Implement appropriate technical and organizational measures (Article 32 GDPR).
- Assist you, taking into account the nature of processing, to respond to data subject requests and to comply with Articles 32–36 GDPR.
- Notify you without undue delay (and in any case within 72 hours) after becoming aware of a personal data breach.
- Delete or return all personal data at the end of the provision of the Service, unless retention is required by law.
- Make available all information necessary to demonstrate compliance and allow audits where reasonably required.
5. Sub-processors
You authorize us to engage the sub-processors listed in our Privacy Policy. We will impose data-protection obligations on them substantially the same as those in this DPA and remain liable to you for their compliance.
6. International Data Transfers
Where personal data is transferred outside the EEA or the UK, we rely on the EU Standard Contractual Clauses (Module 2 / 3 as applicable) and the UK International Data Transfer Addendum, both of which are deemed incorporated into this DPA by reference.
7. Audits
Once per year and on reasonable written notice, you may request a summary of our security audits (e.g. SOC 2-equivalent self-assessment). For on-site audits, you agree to bear the reasonable costs and to coordinate to minimize disruption.
8. Governing law
This DPA is governed by the laws of United Kingdom. In case of conflict with the Terms of Service, the DPA prevails for data-protection matters.
Questions about this document? info@c-carpenter.org