
Data Processing Agreement

Last updated: 24 April 2026  |  Version 1.0

This Data Processing Agreement ("DPA") forms part of the Terms of Service between IronFell DPS Ltd and the Customer. It sets out the terms on which IronFell processes personal data on behalf of the Customer in its capacity as a data processor.

1. Definitions

In this DPA, the following terms have the meanings set out below. Terms not otherwise defined here have the meanings given to them in UK GDPR.

  • "Controller" means the Customer, being the natural or legal person who determines the purposes and means of processing of Personal Data.
  • "Processor" means IronFell DPS Ltd, who processes Personal Data on behalf of the Controller.
  • "Personal Data" has the meaning given in UK GDPR Article 4(1).
  • "Processing" has the meaning given in UK GDPR Article 4(2).
  • "Data Subject" means an identified or identifiable natural person to whom Personal Data relates.
  • "Sub-processor" means any processor engaged by IronFell to process Personal Data on behalf of the Controller.
  • "UK GDPR" means the UK General Data Protection Regulation as retained in UK law by the European Union (Withdrawal) Act 2018.
  • "Applicable Data Protection Law" means UK GDPR, the DPA 2018, PECR, and any successor legislation.

2. Subject Matter and Details of Processing

  • Subject matter: The provision of managed data protection, backup, and recovery services as described in the applicable Order.
  • Duration: For the term of the agreement between the parties plus any retention period required by applicable law or as agreed in writing.
  • Nature and purpose: Storage, replication, encryption, transfer, retrieval, and deletion of Customer Data for the purposes of providing backup and disaster recovery services.
  • Type of Personal Data: May include: names, contact details, employment information, financial data, or other Personal Data contained in workloads submitted by the Customer for backup. The exact categories are determined by the Customer.
  • Categories of Data Subjects: Employees, contractors, clients, or other individuals whose Personal Data is contained in Customer workloads. The exact categories are determined by the Customer.

3. Processor Obligations

IronFell, as Processor, shall:

  • Process Personal Data only on documented instructions from the Controller (including as set out in the Terms of Service and this DPA), unless required to do otherwise by applicable law, in which case IronFell shall (where permitted by law) inform the Controller prior to processing;
  • Ensure that persons authorised to process Personal Data are under appropriate obligations of confidentiality;
  • Implement and maintain appropriate technical and organisational security measures as required by Article 32 UK GDPR (see clause 5 below);
  • Not engage Sub-processors without prior specific or general written authorisation from the Controller (clause 6 sets out our general authorisation mechanism);
  • Taking into account the nature of processing, assist the Controller through appropriate technical and organisational measures in fulfilling its obligations to respond to Data Subject rights requests;
  • Assist the Controller in ensuring compliance with its obligations under Articles 32–36 UK GDPR (security, breach notification, DPIAs, prior consultation) taking into account the nature of processing and information available to IronFell;
  • At the choice of the Controller, delete or return all Personal Data after the end of the provision of services, and delete existing copies unless applicable law requires retention;
  • Make available to the Controller all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits and inspections conducted by the Controller or a mandated auditor.

4. Controller Obligations

The Controller represents and warrants that:

  • it has a lawful basis for processing the Personal Data and is entitled to instruct IronFell to process it;
  • it has provided all necessary notices to and obtained all necessary consents from Data Subjects to the extent required by Applicable Data Protection Law;
  • it is responsible for the accuracy, quality, and legality of Personal Data submitted to IronFell for processing.

5. Security Measures

IronFell shall implement and maintain technical and organisational measures appropriate to the risk to the security of Personal Data, including as appropriate:

  • Pseudonymisation and encryption of Personal Data (AES-256 at rest; TLS 1.2+ in transit);
  • Ongoing confidentiality, integrity, availability, and resilience of processing systems and services;
  • Ability to restore availability and access to Personal Data in a timely manner in the event of a physical or technical incident (as supported by our backup and DR capabilities);
  • Regular testing, assessing, and evaluating the effectiveness of technical and organisational measures;
  • Role-based access control limiting access to Personal Data to authorised personnel only;
  • Security awareness training for all staff with access to Personal Data.

6. Sub-processing

The Controller grants IronFell general written authorisation to engage Sub-processors. IronFell shall maintain a current list of Sub-processors and make it available to the Controller on request. IronFell shall notify the Controller of any intended addition or replacement of Sub-processors with at least 14 days' advance notice, giving the Controller an opportunity to object.

IronFell shall impose equivalent data protection obligations on all Sub-processors by contract, including in particular appropriate technical and organisational security measures. IronFell remains fully liable to the Controller for the acts and omissions of Sub-processors.

Our current primary Sub-processors include:

  • Amazon Web Services EMEA SARL — cloud infrastructure and storage (EU/UK regions)
  • Stripe, Inc. — payment processing
  • Vercel, Inc. — web hosting and delivery

7. International Transfers

IronFell shall not transfer Personal Data outside the United Kingdom or European Economic Area unless:

  • the transfer is to a country deemed adequate by the relevant authority;
  • appropriate safeguards are in place pursuant to UK GDPR Article 46, including a UK International Data Transfer Agreement (UK IDTA) or EU Standard Contractual Clauses (SCCs) with a UK Addendum; or
  • a specific derogation under UK GDPR Article 49 applies.

Where IronFell relies on SCCs or a UK IDTA with a Sub-processor, it shall make the relevant transfer mechanism available to the Controller on request.

8. Personal Data Breach Notification

IronFell shall notify the Controller without undue delay and in any event within 72 hours of becoming aware of a Personal Data Breach affecting Customer Data. The notification shall include, to the extent known at the time:

  • a description of the nature of the breach including categories and approximate number of Data Subjects and Personal Data records affected;
  • the name and contact details of the Data Protection point of contact;
  • the likely consequences of the breach;
  • measures taken or proposed to address the breach.

The Controller is responsible for making any required notifications to the ICO and affected Data Subjects under UK GDPR Articles 33 and 34.

9. Data Subject Rights

Where IronFell receives a request directly from a Data Subject exercising their rights under UK GDPR (access, rectification, erasure, restriction, portability, or objection), IronFell shall promptly refer the request to the Controller and shall not respond to the Data Subject directly unless authorised to do so. IronFell shall provide reasonable assistance to enable the Controller to fulfil such requests within the statutory timeframes.

10. Data Protection Impact Assessments

IronFell shall provide reasonable assistance to the Controller in relation to any Data Protection Impact Assessment (DPIA) required under UK GDPR Article 35, and in relation to any consultation with the ICO under Article 36, where such assessment or consultation relates to processing carried out by IronFell.

11. Audit Rights

IronFell shall, no more than once per calendar year and on reasonable notice (minimum 30 days) unless there are grounds to suspect non-compliance, permit the Controller or its authorised representative to conduct an audit of IronFell's data processing activities to verify compliance with this DPA. The parties shall agree the scope, timing, and duration of any audit. The Controller shall bear the costs of any audit unless the audit reveals material non-compliance, in which case IronFell shall bear reasonable audit costs.

IronFell may satisfy audit requirements by providing up-to-date third-party audit reports, certifications, or other evidence of compliance where these adequately address the Controller's concerns.

12. Term and Termination

This DPA remains in effect for as long as IronFell processes Personal Data on behalf of the Controller. Upon expiry or termination of the underlying agreement, IronFell shall, at the Controller's election, securely delete or return all Personal Data within 30 days, and certify deletion in writing. Obligations under this DPA that by their nature should survive termination shall do so, including clauses relating to confidentiality and data deletion.

13. Governing Law

This DPA is governed by the laws of England and Wales. Any disputes arising out of or in connection with this DPA shall be subject to the exclusive jurisdiction of the courts of England and Wales.

14. Contact

For queries regarding this DPA or to exercise your rights as a Controller, please contact us:

IronFell DPS Ltd — Data Protection Contact

Email: [email protected]

Registered in England and Wales