Book a Consultation
Book a Consultation

Data Processing Agreement

Last Updated: 12/12/2025
Between:
DAP Compass Consulting (“Processor”)
and
The Client (“Controller”)

This Data Processing Agreement forms part of any service agreement between the Controller and Processor and governs how personal data is processed in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

1. Definitions

  • Controller: The party that determines the purpose and means of processing personal data.

  • Processor: The party that processes personal data on behalf of the Controller.

  • Personal Data: Any information relating to an identifiable individual.

  • Processing: Any operation performed on personal data, automated or not.

2. Purpose of Processing

The Processor will process personal data only to deliver consulting and related services as instructed by the Controller and outlined in the service agreement between the parties.

The Processor will not process personal data for any other purpose.

3. Processor Obligations

The Processor agrees to:

  1. Process personal data only on documented instructions from the Controller.

  2. Ensure that individuals handling personal data are subject to confidentiality obligations.

  3. Implement appropriate technical and organisational measures to protect personal data against unauthorised access, loss, or alteration.

  4. Not engage another sub-processor without prior written consent from the Controller.

  5. Assist the Controller in meeting GDPR obligations relating to:

    • data subject rights

    • data breaches

    • data impact assessments

  6. Notify the Controller without undue delay if a personal data breach is discovered.

  7. Delete or return all personal data at the end of the contract unless retention is required by law.

  8. Make available all information necessary to demonstrate compliance with this DPA.

4. Controller Obligations

The Controller agrees to:

  1. Ensure it has a lawful basis for providing personal data to the Processor.

  2. Provide clear, lawful instructions for processing activities.

  3. Maintain compliance with applicable data protection laws.

  4. Ensure personal data shared with the Processor is relevant, necessary, and accurate.

5. Sub-Processors

The Processor may use sub-processors (such as email providers, hosting platforms, or cloud services) provided that:

  1. They are bound by data protection obligations equivalent to this DPA.

  2. The Controller is informed and may object where appropriate.

Current sub-processors may include:

  • Website hosting providers

  • Email communication platforms

  • Cloud storage providers

A full list can be provided upon request.

6. International Transfers

The Processor will not transfer personal data outside the UK without ensuring adequate safeguards are in place, such as standard contractual clauses or an adequacy decision.

7. Data Security

The Processor will implement appropriate security measures, which may include:

  • Access controls

  • Encryption where appropriate

  • Secure storage systems

  • Regular updates and monitoring of systems

More detailed security measures can be provided if required.

8. Data Breach Notification

In the event of a personal data breach, the Processor will notify the Controller without undue delay and provide relevant information to support compliance with reporting obligations.

9. Term and Termination

This DPA remains in force for the duration of services provided. Upon termination:

  • All personal data will be returned to the Controller or securely deleted, unless legal retention is required.

10. Contact Information

For any questions relating to this DPA, please contact:

info@dapcompass.com

© 2025 DAP Compass. All rights reserved.