UK GDPR Article 28 requirement: This Data Processing Agreement (“DPA”) governs all processing of personal data by Techfident Limited (“Processor”) on behalf of its clients (“Controller”). It forms part of the service agreement between the parties and is required by law where the Company processes personal data in the course of providing managed IT services, helpdesk support, Microsoft 365 management, or infrastructure services.
1. Definitions
In this DPA, terms defined in the UK GDPR and Data Protection Act 2018 have the same meanings. In addition:
- “Controller” means the client who determines the purposes and means of processing personal data.
- “Processor” means Techfident Limited, which processes personal data on behalf of the Controller.
- “Processing” has the meaning given in UK GDPR Art. 4(2).
- “Personal Data Breach” has the meaning given in UK GDPR Art. 4(12).
- “Sub-processor” means any third party engaged by the Processor to carry out processing activities on the Controller’s behalf.
2. Subject Matter & Nature of Processing
The Processor shall process personal data on behalf of the Controller solely in connection with the provision of IT services as detailed in the applicable service agreement, statement of work, or managed services contract. The nature of processing may include:
- Storage and backup of data on managed servers or cloud infrastructure
- Access to systems and data for the purposes of technical support and helpdesk services
- Configuration and management of Microsoft 365 tenants, including access to user accounts and email
- Network monitoring and security management
- Installation and maintenance of software on customer devices
3. Types of Personal Data & Data Subjects
The personal data processed may include:
- Identity data: names, usernames, employee IDs
- Contact data: email addresses, telephone numbers
- Device data: IP addresses, hardware identifiers, usage logs
- Authentication data: account credentials (encrypted)
- Communications data: email content accessed only where necessary for support
Data subjects may include the Controller’s employees, contractors, clients and other third parties whose data is stored on Controller systems.
4. Processor Obligations
The Processor shall:
- Process personal data only on documented instructions from the Controller, unless required to do so by applicable law (in which case the Processor shall notify the Controller before processing unless prohibited by law)
- Ensure that all persons authorised to process the personal data are subject to appropriate confidentiality obligations
- Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including as appropriate: pseudonymisation and encryption; ensuring ongoing confidentiality, integrity, availability and resilience; ability to restore availability following an incident; regular testing and evaluation of security measures
- Assist the Controller in responding to requests from data subjects exercising their rights under UK GDPR, to the extent reasonably practicable given the nature of the processing
- Notify the Controller without undue delay (and in any event within 48 hours) upon becoming aware of a Personal Data Breach affecting Controller data
- Assist the Controller in ensuring compliance with UK GDPR Articles 32–36 (security, breach notification, DPIA, prior consultation) taking into account the nature of processing and information available to the Processor
- At the Controller’s election, delete or return all personal data to the Controller upon termination of services, and delete existing copies unless applicable law requires retention
- Make available to the Controller all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits and inspections conducted by the Controller or its designated auditor, subject to reasonable notice and appropriate confidentiality terms
5. Sub-processors
The Controller grants general authorisation to the Processor to engage sub-processors. Current approved sub-processors include:
| Sub-processor | Purpose | Location |
|---|---|---|
| Microsoft Corporation | Microsoft 365, Azure cloud services | UK/EEA (UK Data Boundary) |
| Cloudflare, Inc. | Website security, CDN and DNS | UK/EEA |
| Selected managed service tools | Remote monitoring and management | UK |
The Processor shall notify the Controller of any intended changes to sub-processors at least 14 days in advance. Where the Controller objects on reasonable data protection grounds, the parties shall seek to resolve the issue in good faith. The Processor shall impose data protection obligations on sub-processors equivalent to those in this DPA.
6. International Transfers
The Processor shall not transfer personal data outside the UK without the Controller’s prior written consent, and then only subject to appropriate safeguards as permitted under UK GDPR Chapter V (UK Adequacy Regulations, International Data Transfer Agreement, or Addendum to SCCs).
7. Term
This DPA remains in force for the duration of the service agreement and continues to apply to any personal data retained by the Processor following termination until that data is returned, deleted or anonymised in accordance with Clause 4.
8. Governing Law
This DPA is governed by the laws of England and Wales. The parties submit to the exclusive jurisdiction of the English courts.
9. Contact
For all data protection queries relating to this DPA: hello@techfident.co.uk · Techfident Limited, Studio 10 New Mead Barn, Wickham Hall, Hadham Road, Bishops Stortford, Hertfordshire CM23 1JG