Data processing agreement.
We include a DPA with every engagement contract. This page summarises the standard terms; the full DPA template is available on request to your DPO/legal team via dpa@digitalmarketingagencyfor.com.
Overview
The DPA defines our processor obligations under GDPR Art. 28, UK GDPR, and equivalent regimes. It covers scope, purpose limitation, sub-processor handling, security, breach notification, and audit rights.
SCCs + UK Addendum
For EU → non-EU transfers and UK → non-UK transfers, we use Standard Contractual Clauses (Module 2) + UK Addendum. Pre-signed copies are integrated into the DPA. Transfer Impact Assessments are on file.
Sub-processors
Sub-processor list at /legal/sub-processors/. We notify 30 days in advance of any change. Controller objection rights preserved per Art. 28(2).
Security measures
Encryption at rest + in transit (TLS 1.2+). Role-based access. SSO + 2FA on all employee accounts. Annual security review. Penetration test results available under NDA.
Breach notification
72-hour notification to affected controllers per GDPR Art. 33. Incident-response runbook shared with controllers on request.
Audit rights
Reasonable audit rights (annual or upon material breach), at controller cost. Pre-existing audit reports (SOC 2 Type II of upstream vendors) accepted in lieu where appropriate.