Data Processing Addendum (Template)

Last updated: September 2025

This template Data Processing Addendum ("DPA") supplements the agreement between ApexDigital Solutions (the "Processor") and the client (the "Controller"). It applies where the Processor processes personal data on behalf of the Controller in connection with the Services. This DPA is provided as a reference and may be tailored in an executed Statement of Work or Master Services Agreement.

1) Roles and Scope

The Controller determines the purposes and means of processing. The Processor processes personal data only on documented instructions from the Controller.

2) Nature and Purpose

Processing may include collection, storage, access, transmission, and deletion as necessary to deliver consulting and training Services.

3) Duration

For the term of the Agreement and until return or deletion of personal data as described below.

4) Categories of Data and Data Subjects

Data subjects may include client personnel and end users. Personal data may include contact details, account identifiers, and usage data as determined by the Controller.

5) Processor Obligations

  • Process personal data only on documented instructions from the Controller;
  • Ensure personnel are bound by confidentiality;
  • Implement appropriate technical and organisational measures (see Annex 2);
  • Assist the Controller with data subject requests and incident notifications;
  • Delete or return personal data at the end of the engagement;
  • Make available information to demonstrate compliance and allow audits as agreed.

6) Sub‑processors

Processor may engage sub‑processors to support delivery (e.g., cloud hosting, email). Processor remains responsible for sub‑processor obligations and will ensure appropriate data protection commitments are in place. A current list of material sub‑processors is available on request.

7) International Transfers

Where personal data is transferred outside the UK/EEA, the parties will implement appropriate safeguards (e.g., SCCs) as required by law.

8) Security

Processor maintains measures appropriate to the risk, including access controls, encryption in transit, vulnerability management, and logging/monitoring, proportionate to the Services.

9) Personal Data Breach

Processor will notify Controller without undue delay after becoming aware of a personal data breach affecting Controller data and provide information reasonably required for Controller’s obligations.

10) Data Subject Requests

Where feasible, Processor will assist Controller by appropriate technical and organisational measures, taking into account the nature of processing.

11) Return and Deletion

Upon termination, Processor will delete or return personal data as directed by Controller, unless retention is required by law.

12) Audit

Upon reasonable notice, Controller may perform audits as agreed in the Agreement. Processor may satisfy audit obligations by providing third‑party reports where appropriate.

Annex 1: Details of Processing

As described in the applicable order, statement of work, or written instructions.

Annex 2: Security Measures

  • Access control and least privilege; MFA for administrative access;
  • Encryption in transit; encryption at rest where supported;
  • Change management and CI/CD with code reviews;
  • Vulnerability management and dependency scanning;
  • Logging/monitoring and incident response procedures;
  • Employee security awareness and confidentiality obligations.