Data Processing Addendum (DPA)

Data Processing Addendum (DPA)

Your privacy matters to us. JFDI is committed to protecting your personal data and being transparent about how we collect, use, and safeguard it.

Data Processing Addendum (DPA)

Last updated: 30/06/2025

This Data Processing Addendum (“DPA”) forms part of the service agreement (“Agreement”) between JFDI Consulting Ltd, a company registered in the UK with its principal place of business at 167-169 Great Portland Street, 5th Floor, London, England, W1W 5PF (“Processor”) and the Client (“Controller”).

This DPA is entered into in compliance with applicable Data Protection Laws, including the UK General Data Protection Regulation (UK GDPR) and the EU GDPR where applicable.

1. Definitions

  • Controller: The natural or legal person who determines the purposes and means of processing Personal Data.
  • Processor: The party that processes Personal Data on behalf of the Controller.
  • Data Protection Laws: All laws and regulations applicable to the processing of Personal Data, including the UK GDPR and EU GDPR.
  • Personal Data: Any information relating to an identified or identifiable individual.
  • Sub-Processor: Any third party engaged by the Processor to process Personal Data on behalf of the Controller.

2. Subject Matter and Duration

This DPA governs the Processor’s processing of Personal Data on behalf of the Controller as necessary to provide the services outlined in the Agreement. The DPA shall remain in effect for the duration of the Agreement.

3. Nature and Purpose of Processing

JFDI Consulting Ltd may process Personal Data to deliver services including but not limited to:

  • Digital transformation and systems integration
  • Automation and workflow design
  • Development and configuration of software platforms
  • Hosting and support services

Processing is performed only as necessary to fulfil service obligations or as instructed by the Controller.

4. Categories of Data Subjects and Data Types

Client staff, users — Names, emails, job titles, login data

End-users or clients — Metadata, usage logs, form submissions

System users — IP addresses, technical identifiers

No special category data (e.g. health, biometric) is intended to be processed unless specifically agreed.

5. Processor Obligations

JFDI Consulting Ltd agrees to:

  • Process Personal Data only on written instructions from the Controller
  • Ensure staff are bound by confidentiality
  • Implement appropriate technical and organisational measures to protect Personal Data
  • Assist the Controller in meeting obligations related to data subjects’ rights, breach notifications, and data protection impact assessments
  • Delete or return Personal Data at the end of the engagement upon request

6. Sub-Processors

The Controller authorises the use of the following sub-processors, subject to appropriate data protection safeguards:

Google LLC — Cloud storage, analytics, reCAPTCHA. Location: EEA/US (SCCs)

Live Chat Tool (e.g., Tawk.to or equivalent) — Customer support. Location: EEA/US (SCCs)

Hosting Provider (e.g., SiteGround, WP Engine) — Site hosting. Location: UK/EU

Controller will be notified of any intended additions or replacements at least 10 business days in advance.

7. Data Subject Rights

Processor shall promptly notify the Controller if it receives a request from a data subject and will not respond directly unless authorised. The Processor shall assist the Controller in responding to such requests.

8. International Transfers

If any processing takes place outside the UK or EEA, JFDI Consulting ensures that:

  • The transfer is covered by Standard Contractual Clauses (SCCs) or
  • Another adequate safeguard under Data Protection Law is in place

9. Security Measures

Processor will maintain appropriate safeguards including, but not limited to:

  • Encryption of data in transit (HTTPS, TLS)
  • Access controls and authentication
  • Regular software updates and WordPress security practices
  • Backups and disaster recovery protocols

10. Audit Rights

Upon reasonable notice, the Controller may audit JFDI Consulting Ltd’s data processing operations to verify compliance. Processor agrees to cooperate with such audits and provide relevant documentation.

11. Breach Notification

Processor will notify the Controller without undue delay upon becoming aware of a Personal Data breach. The notice will include:

  • Nature and scope of the breach
  • Affected data types and data subjects
  • Measures taken or proposed to address the breach

12. Termination

Upon termination of services, JFDI Consulting Ltd shall:

  • Return all Personal Data to the Controller; or
  • Delete all Personal Data unless retention is required by law

13. Governing Law

This DPA is governed by and construed in accordance with the laws of England and Wales.

14. Contact

JFDI Consulting Ltd Email: [email protected] Website: https://jfdi.info

Signed by the parties as an addendum to the main Service Agreement.