1. Purpose
This Data Processing Agreement ("DPA") governs the processing of personal data by Veritscale when providing services to clients. It sets out the rights and obligations of both parties with respect to the processing of personal data in compliance with the UK General Data Protection Regulation (UK GDPR), the EU General Data Protection Regulation (GDPR), and other applicable data protection legislation.
This DPA forms part of the service agreement between Veritscale and the client and shall apply to all processing activities carried out by Veritscale on behalf of the client.
2. Definitions
- Controller: The client determining the purposes and means of processing personal data.
- Processor: Veritscale, processing personal data on behalf of the Controller.
- Data Subject: An identified or identifiable natural person whose personal data is processed.
- Personal Data: Any information relating to a Data Subject as defined under applicable data protection law.
- Processing: Any operation performed on personal data, including collection, recording, organisation, storage, adaptation, retrieval, consultation, use, disclosure, erasure, or destruction.
- Data Breach: A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data.
3. Scope of Processing
Veritscale shall process personal data solely for the purpose of delivering contracted services to the client. The nature, scope, and duration of processing shall be as specified in the applicable service agreement.
Categories of personal data that may be processed include:
- Employee records (names, contact details, employment information)
- Financial records (invoices, payroll data, transaction details)
- Accounting information (ledger entries, tax records, financial statements)
- Customer records (client contact information, correspondence)
- Business contact information (supplier and partner details)
The categories of Data Subjects may include the client's employees, customers, suppliers, contractors, and business contacts.
4. Processor Obligations
Veritscale, as Processor, shall:
- Process personal data only on documented instructions from the Controller, unless required to do so by applicable law
- Ensure that all personnel authorised to process personal data are subject to appropriate confidentiality obligations
- Implement appropriate technical and organisational security measures to protect personal data against unauthorised or unlawful processing, accidental loss, destruction, or damage
- Assist the Controller in fulfilling its obligations under GDPR and UK GDPR, including responding to Data Subject requests, conducting data protection impact assessments, and consulting with supervisory authorities where required
- Notify the Controller of any personal data breach without undue delay after becoming aware of the breach
- At the Controller's choice, delete or return all personal data upon termination of the service agreement, unless retention is required by applicable law
- Make available to the Controller all information necessary to demonstrate compliance with GDPR obligations and allow for audits and inspections
5. Controller Obligations
The Controller shall:
- Ensure that the processing of personal data is lawful and that appropriate legal bases exist for all processing activities
- Provide clear, documented instructions to Veritscale regarding the processing of personal data
- Ensure that Data Subjects have been informed of the processing in accordance with applicable data protection law
- Notify Veritscale promptly of any changes to processing instructions or of any circumstances that may affect the processing
6. Security Measures
Veritscale maintains robust technical and organisational safeguards to protect personal data, including:
- Role-based access controls and least-privilege access principles
- Strong password policies and multi-factor authentication where appropriate
- Secure cloud infrastructure with industry-standard encryption
- Employee confidentiality agreements and data protection training
- Continuous security monitoring and incident response procedures
- Regular data backup and disaster recovery procedures
- Physical security controls for office premises
- Periodic security assessments and vulnerability testing
Veritscale shall regularly review and update its security measures to ensure ongoing effectiveness in light of evolving threats and technological developments.
7. Sub-processors
Veritscale may engage trusted sub-processors to assist in the delivery of services. Current categories of sub-processors include:
- Cloud hosting providers — secure data storage and computing infrastructure
- Email service providers — business communication platforms
- CRM systems — client relationship management
- IT support providers — technical maintenance and support
- Collaboration tools — project management and workflow platforms
All sub-processors are required to maintain equivalent data protection obligations through written agreements. Veritscale shall remain liable for the acts and omissions of its sub-processors.
The Controller shall be notified of any intended changes to sub-processors, and shall have the right to object to such changes on reasonable grounds.
8. International Data Transfers
Where personal data is transferred internationally — including transfers outside the United Kingdom or European Economic Area — Veritscale shall implement appropriate safeguards consistent with GDPR and UK GDPR requirements. These safeguards may include:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- UK International Data Transfer Agreement (IDTA) or UK Addendum
- Binding Corporate Rules where applicable
- Adequacy decisions by relevant authorities
- Supplementary measures as recommended by supervisory authorities
Veritscale shall conduct transfer impact assessments where required to evaluate the level of protection afforded to personal data in the receiving country.
9. Data Breach Notification
In the event of a personal data breach affecting client information, Veritscale shall:
- Notify the affected Controller without undue delay, and in any event within 48 hours after becoming aware of the breach
- Provide the Controller with sufficient information to enable the Controller to fulfil its obligations to notify the relevant supervisory authority and affected Data Subjects where required
- Cooperate with the Controller in investigating and mitigating the breach
- Document the breach, including its effects and the remedial actions taken
10. Data Subject Rights
Veritscale shall assist the Controller in responding to requests from Data Subjects exercising their rights under applicable data protection law, including rights of access, rectification, erasure, restriction, portability, and objection.
Where Veritscale receives a request directly from a Data Subject, it shall promptly redirect the request to the Controller unless otherwise instructed.
11. Data Deletion and Return
Upon termination of the service agreement, Veritscale shall, at the Controller's written election:
- Return all personal data to the Controller in a commonly used, machine-readable format
- Securely delete all personal data and confirm deletion in writing
Veritscale may retain personal data only where required by applicable law and shall inform the Controller of any such retention requirements. Retained data shall continue to be protected in accordance with this DPA.
12. Audit Rights
Veritscale shall make available to the Controller all information necessary to demonstrate compliance with the obligations set out in this DPA. The Controller (or its authorised auditor) may conduct audits and inspections upon reasonable notice, during business hours, and subject to appropriate confidentiality obligations.
13. Duration and Termination
This DPA shall remain in effect for the duration of the service agreement between Veritscale and the Controller. Upon termination or expiry of the service agreement, the provisions of this DPA relating to confidentiality, data deletion, and ongoing obligations shall continue to apply.
14. Governing Law
This DPA shall be governed by and interpreted in accordance with the laws applicable to the underlying service agreement. Where no governing law is specified, this DPA shall be governed by the laws of England and Wales.
15. Contact
For questions regarding this Data Processing Agreement or data protection matters: