Data Processing Agreement
Version: 1.0 — April 2026
This DPA forms part of the service agreement between Terra Connect Ltd and the Client and complies with UK GDPR Article 28.
1. Definitions
In this Data Processing Agreement (“DPA”):
- “Controller” means the Client, who determines the purposes and means of processing personal data
- “Processor” means Terra Connect Ltd, who processes personal data on behalf of the Controller
- “Personal Data” has the meaning given in the UK GDPR
- “Processing” has the meaning given in the UK GDPR
- “Data Subject” means any identified or identifiable natural person whose personal data is processed
- “Sub-processor” means any third party engaged by the Processor to carry out processing activities on behalf of the Controller
- “UK GDPR” means the General Data Protection Regulation as retained in UK law under the Data Protection Act 2018
2. Scope & Nature of Processing
Terra Connect Ltd will process personal data on behalf of the Client solely:
- As necessary to provide the services described in the service agreement or statement of work
- In accordance with the Controller’s documented instructions
- In compliance with this DPA and applicable data protection law
The subject matter, nature, purpose, and duration of processing, as well as the types of personal data and categories of data subjects, are set out in Schedule 1 below.
3. Processor Obligations
Terra Connect Ltd, acting as Processor, shall:
- Process personal data only on documented instructions from the Controller, unless required to do so by UK law
- Ensure that persons authorised to process personal data have committed to confidentiality or are under an appropriate statutory obligation of confidentiality
- Implement appropriate technical and organisational security measures as required by UK GDPR Article 32
- Not engage sub-processors without the Controller’s prior written authorisation (general or specific)
- Assist the Controller in responding to data subject requests within the timeframes required by UK GDPR (generally one calendar month)
- Assist the Controller in meeting its obligations under UK GDPR Articles 32–36 (security, breach notification, DPIAs)
- Delete or return all personal data to the Controller at the end of the service provision, at the Controller’s election
- Make available all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits
4. Controller Instructions
The Controller shall ensure that its instructions to the Processor are lawful and comply with applicable data protection legislation. Where the Processor considers that an instruction infringes UK GDPR or other applicable data protection law, it shall immediately inform the Controller. The Processor shall not be required to follow instructions that are unlawful.
5. Security Measures
Taking into account the state of the art, costs, and the nature, scope, context, and purposes of processing, the Processor implements the following technical and organisational measures:
- Encryption: Data encrypted in transit (TLS 1.2+) and at rest where applicable
- Access control: Role-based access controls; only authorised personnel can access client data
- Pseudonymisation: Applied where appropriate to reduce risk
- Confidentiality: All staff and contractors are bound by confidentiality agreements
- Availability & resilience: Regular backups and disaster recovery procedures
- Testing: Regular security assessments and vulnerability testing
- Incident response: Documented breach response procedure with ICO notification within 72 hours
6. Sub-processors
The Controller grants general written authorisation for the Processor to engage sub-processors. A current list of sub-processors is available at terraconnect.co.uk/subprocessor-list.
The Processor shall:
- Impose data protection obligations equivalent to those in this DPA on any sub-processor by way of a written contract
- Notify the Controller of any intended changes to sub-processors (additions or replacements) with at least 14 days’ notice
- Remain fully liable to the Controller for the performance of the sub-processor’s obligations
7. Data Subject Rights
The Processor shall promptly notify the Controller if it receives a request from a data subject exercising their rights under UK GDPR (access, rectification, erasure, restriction, portability, objection). The Processor shall not respond directly to such requests unless instructed to do so by the Controller, and shall provide all reasonable assistance to enable the Controller to respond within the required timeframe.
8. Data Breach Notification
The Processor shall notify the Controller of any personal data breach without undue delay and, where feasible, within 24 hours of becoming aware of the breach. The notification shall include:
- A description of the nature of the breach
- The categories and approximate number of data subjects concerned
- The categories and approximate number of personal data records concerned
- Likely consequences of the breach
- Measures taken or proposed to address the breach
9. International Transfers
The Processor shall not transfer personal data outside the UK without ensuring an adequate level of protection is in place, including Standard Contractual Clauses (UK IDTA), adequacy regulations, or other appropriate safeguards under UK GDPR Chapter V.
10. Data Return & Deletion
Upon termination or expiry of the service agreement, the Processor shall, at the Controller’s election:
- Return all personal data to the Controller in a commonly used, machine-readable format; or
- Securely delete or destroy all personal data and certify in writing that this has been done
The Processor may retain personal data to the extent required by UK law, and shall protect such retained data from further processing except as required by law.
11. Audit Rights
The Controller has the right to audit the Processor’s compliance with this DPA upon reasonable notice (minimum 14 days). Audits shall be conducted at the Controller’s expense, no more than once per year, during normal business hours, and with minimum disruption to the Processor’s business. The Processor may satisfy audit obligations by providing relevant third-party audit reports (e.g. ISO 27001 certification).
12. Governing Law
This DPA is governed by the laws of England and Wales and shall be construed in accordance with them.
Schedule 1 — Processing Details
| Item | Details |
| --- | --- |
| Subject Matter | Delivery of web development, mobile application development, AI automation, and related digital services |
| Nature of Processing | Collection, storage, retrieval, consultation, use, disclosure, erasure, and destruction of personal data as necessary to deliver the agreed services |
| Purpose | Building, testing, and deploying digital products and services on behalf of the Controller |
| Duration | For the term of the service agreement plus any applicable legal retention period |
| Types of Personal Data | As specified in the service agreement; typically may include contact details, usage data, and other data provided by the Controller |
| Categories of Data Subjects | The Controller’s customers, employees, or end-users as specified in the service agreement |
Request This DPA
To receive a signed copy of this Data Processing Agreement for your records, or to discuss its terms, please contact us:
Data Protection Contact: privacy@terraconnect.co.uk
Company: Terra Connect Ltd (Company No. 12492304)
Address: 57 Tonbridge Drive, Basildon, SS15 6ND, United Kingdom