Data Processing Agreement
This Data Processing Agreement forms part of the Agreement between Northern Tech Hub Ltd (“Supplier”, “we”, “us”) and the Client (“you”). Capitalised terms that are not defined here have the meaning given to them in the Terms and Conditions.
It sets out the terms on which we process Client Personal Data on your behalf when providing the Services. You are the controller of that data; we are the processor, acting on your instructions.
The parties
| Supplier (processor) | Northern Tech Hub Ltd, Ground Floor, Radley House, Richardshaw Road, Leeds, LS28 6LE. Company number 16428857. Contact: notices@northerntechhub.com |
| Client (controller) | As named in the applicable Order Form. |
Processing details are set out in Schedule 1. Approved sub-processors are set out in Schedule 2.
Background
This Data Processing Agreement is supplemental to the Terms and Conditions and the applicable Order Form. We provide the Services to you and may need to process Client Personal Data to do so. This document sets out the terms on which we will process that data in line with Data Protection Laws.
1. Definitions and interpretation
1.1 In this Data Processing Agreement, unless the context requires otherwise:
- Client Personal Data: the personal data within the Client Data (as defined in the Terms and Conditions) that we process on your behalf under this Data Processing Agreement, as described in Schedule 1 and any applicable Order Form.
- Data Protection Laws: has the meaning given in the Terms and Conditions and, for the purposes of this Data Processing Agreement, also includes the EU GDPR (Regulation (EU) 2016/679) where it applies to any processing or transfer, in each case as amended, updated or replaced, together with any binding guidance or codes of practice issued by a DP Regulator.
- DP Regulator: a competent supervisory authority under Data Protection Laws (in the UK, the Information Commissioner’s Office).
- Personal Data Breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Client Personal Data.
- Standard Contractual Clauses: the ICO’s International Data Transfer Agreement (IDTA), the ICO’s International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, and/or the European Commission’s Standard Contractual Clauses for transfers of personal data to third countries under Regulation (EU) 2016/679, or such alternative clauses as may be approved from time to time.
- Sub-Processor: any processor we engage (or that is engaged by another Sub-Processor) to process Client Personal Data on your behalf.
1.2 The terms “controller”, “processor”, “data subject”, “personal data”, “processing” and “appropriate technical and organisational measures” have the meanings given in Data Protection Laws.
1.3 Headings do not affect interpretation. References to legislation include amendments and replacements. “Including” is not limiting.
1.4 If there is any conflict or ambiguity:
- (a) between the body of this Data Processing Agreement and a Schedule, the body prevails;
- (b) between this Data Processing Agreement and the rest of the Agreement, the order of precedence in clause 17 of the Terms and Conditions applies; and
- (c) between this Data Processing Agreement and any executed Standard Contractual Clauses, the Standard Contractual Clauses prevail.
2. Roles and relationship
2.1 You are the controller of Client Personal Data and we are the processor.
2.2 Each of us must comply with our own obligations under Data Protection Laws. This Data Processing Agreement does not relieve either of us of those obligations.
2.3 You warrant that:
- our expected use of Client Personal Data for the purposes in Schedule 1, and as you instruct us from time to time, will comply with Data Protection Laws;
- you remain responsible for providing any required notices to data subjects and obtaining any required consents; and
- you have all necessary authority to transfer Client Personal Data to us for the duration and purposes of this Data Processing Agreement.
3. Our processing obligations
3.1 Your instructions. We will process Client Personal Data only on your documented instructions (your use of the Services being your instruction to process), unless we are required to do otherwise by law. Where the law requires it, we will tell you before processing unless the law prevents us.
3.2 Unlawful instructions. We will tell you if, in our reasonable opinion, an instruction infringes Data Protection Laws.
3.3 Acting on your instructions. We will promptly comply with any reasonable written instruction from you to amend, transfer, delete or otherwise process Client Personal Data, or to stop, mitigate or remedy any unauthorised processing.
3.4 Security. We will implement appropriate technical and organisational measures to protect Client Personal Data against unauthorised or unlawful processing and against accidental loss, destruction or damage. Where appropriate, these include:
- pseudonymisation and encryption;
- ensuring the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- the ability to restore availability and access to Client Personal Data in a timely manner after an incident; and
- a process for regularly testing and evaluating the effectiveness of those measures.
3.5 Our people. We will ensure that everyone we authorise to process Client Personal Data:
- is bound by appropriate confidentiality obligations (contractual or statutory);
- is informed of the confidential nature of the data;
- receives appropriate data protection training; and
- is aware of their duties under Data Protection Laws and this Data Processing Agreement.
3.6 Data subject requests. To the extent the law allows, we will:
- notify you promptly, and in any event within five (5) Business Days, of any request or communication received directly from a data subject or a DP Regulator relating to Client Personal Data; and
- not respond to such requests except on your documented instructions or as required by law.
3.7 Government and law enforcement requests. To the extent the law allows, we will promptly notify you of any legally binding request from a government authority or law enforcement agency for access to Client Personal Data, and will not disclose it unless legally compelled to do so.
3.8 Assistance. Taking into account the nature of the processing and the information available to us, we will provide reasonable assistance to support your compliance with Data Protection Laws in relation to: (a) security and breach notification; (b) data protection impact assessments and prior consultations with DP Regulators where your use of the Services is likely to result in a high risk to data subjects; and (c) data subject rights requests. Where assistance materially exceeds the scope of the Services, we may charge at our reasonable standard rates, unless the assistance is needed because of our breach.
3.9 Records. We will maintain records of the processing we carry out on your behalf as required by Article 30(2) of the UK GDPR, including our contact details and (where applicable) those of our data protection officer, the categories of processing carried out for you, details of any third-country transfers and safeguards, and a general description of our technical and organisational security measures.
3.10 AI Tools. Consistent with clause 9.3 of the Terms and Conditions, we will not use Client Personal Data to train, or input Client Personal Data into, any AI Tools.
3.11 Cost-prohibitive instructions. Where a change to your instructions would cause us material additional cost to comply, we will: (a) promptly tell you, with full details; (b) pause the affected processing (other than secure storage) until we receive revised instructions; and (c) where the change affects pricing or the commercial relationship, agree any changes with you in writing.
4. Personal data breaches
4.1 We will notify you without undue delay of becoming aware of a Personal Data Breach affecting Client Personal Data.
4.2 The notification will include, to the extent available at the time (and supplemented as more information emerges):
- the nature of the breach, including the categories of Client Personal Data affected and the approximate number of data subjects and records concerned;
- the likely consequences of the breach;
- the measures taken or proposed to address it, including any to mitigate its adverse effects; and
- any further information you reasonably require to meet your obligations under Data Protection Laws.
4.3 Immediately after a Personal Data Breach, we will co-ordinate with you to investigate, and will reasonably co-operate with how you handle it — including preserving evidence and providing the information you need to comply with your notification obligations to DP Regulators and affected data subjects.
4.4 Subject to any obligation we have under applicable law, you have the sole right to decide: (a) whether to notify any data subjects, DP Regulators, law enforcement agencies or others, and the contents and method of any notice; and (b) whether to offer any remedy to affected data subjects, and its nature and extent.
5. Sub-processors
5.1 General authorisation. You give general authorisation for us to appoint Sub-Processors to process Client Personal Data for the purpose of delivering the Services.
5.2 Flow-down terms. We will engage Sub-Processors under written terms that impose data protection obligations no less onerous than those in this Data Processing Agreement and as required by Data Protection Laws.
5.3 Responsibility. We remain fully responsible for the acts and omissions of our Sub-Processors as if they were our own.
5.4 Changes and objections. We will tell you by email of any intended addition or replacement of a Sub-Processor, giving you a reasonable opportunity to object. You may object on reasonable grounds relating to data protection or security within fifteen (15) days of notice. We will work in good faith to resolve any objection. If we cannot resolve it within a further fifteen (15) days:
- (a) where your objection is based on a demonstrable actual or likely breach of Data Protection Laws, we will not appoint the proposed Sub-Processor for Client Personal Data; or
- (b) where it cannot be so demonstrated and we reasonably determine the Sub-Processor is necessary for continued provision of the Services, you may terminate the affected Order Form on thirty (30) days’ written notice, and we will refund any prepaid Fees for the unexpired portion of the Subscription Term on a pro-rata basis.
5.5 Approved Sub-Processors. Our current Sub-Processors are set out in Schedule 2 and may be updated in accordance with clause 5.4. We will keep an up-to-date list, which we may publish on our website or trust centre.
6. International transfers
6.1 We will transfer Client Personal Data outside the UK and/or EEA only where necessary to provide the Services and only in line with Data Protection Laws. You acknowledge that our approved Sub-Processors may process Client Personal Data in the locations set out in Schedule 2, which may be outside the UK and/or EEA.
6.2 Where international transfers happen, we will ensure appropriate safeguards are in place under Data Protection Laws, which may include (as applicable): the UK International Data Transfer Agreement and/or UK Addendum to the EU SCCs; the EU Standard Contractual Clauses; and/or an adequacy decision or regulation, together with supplementary measures where required.
6.3 Transfer impact assessments. Where Data Protection Laws or regulatory guidance require it, we will carry out a transfer impact assessment to evaluate whether the recipient country provides adequate protection, and will implement supplementary measures where the assessment identifies a risk that the safeguards in clause 6.2 may not be effective.
6.4 You will reasonably co-operate with any transfer documentation needed to enable lawful transfers, including executing relevant standard clauses where necessary.
6.5 If a transfer requires Standard Contractual Clauses, we will both complete the relevant details, execute the applicable clauses promptly, and take any other steps needed to legitimise the transfer.
7. Liability
7.1 Neither of us excludes or limits liability for: (a) death or personal injury caused by negligence; (b) fraud or fraudulent misrepresentation; or (c) any liability that cannot lawfully be excluded or limited.
7.2 Subject to clause 7.1, each party’s aggregate liability under or in connection with this Data Processing Agreement is subject to, and counts towards (and is not in addition to), the liability cap in clause 12.4 of the Terms and Conditions.
8. Audit
8.1 We will keep appropriate records of the processing we carry out on your behalf, as required by Data Protection Laws and clause 3.9.
8.2 On written request, we will make available the information reasonably necessary to demonstrate our compliance with this Data Processing Agreement.
8.3 Audit right. You (or an independent auditor you appoint, subject to reasonable confidentiality obligations) may audit our compliance no more than once a year, on at least thirty (30) days’ written notice, during normal business hours, and in a way that minimises disruption and does not compromise security or other clients’ confidentiality.
8.4 Breach exception. Where there is an actual or reasonably suspected Personal Data Breach affecting Client Personal Data, you may request one additional audit limited to matters relevant to that breach.
8.5 Method and costs. We may satisfy an audit request by providing reasonable evidence — such as security certifications (for example Cyber Essentials, ISO 27001), independent audit reports (for example SOC 2), completed security questionnaires, and/or documented policies — before any on-site inspection is required. You bear your own audit costs. We may charge reasonable costs for supporting audits beyond the standard evidence package, except where the audit is required because of our breach.
9. Termination and data return
9.1 This Data Processing Agreement runs for the duration of the processing described in Schedule 1 and terminates automatically when the Agreement terminates or expires.
9.2 On termination or expiry of the Services, and at your written direction given no later than ten (10) days after termination, we will return or delete (so far as technically possible) Client Personal Data and any copies within thirty (30) days of receiving that direction. If we receive no direction within the ten (10) day period, we will delete Client Personal Data within sixty (60) days of termination, unless:
- (a) we agree a different period with you in an Order Form; or
- (b) we are required by law to retain certain data, in which case we will protect it, restrict access to only what the legal obligation requires, and tell you what we have retained and why.
9.3 Client Personal Data is treated as deleted when we can no longer use it for any processing purpose and it is not reasonably retrievable from live systems. Routine backups kept solely for disaster recovery will be overwritten in line with our standard backup retention schedules.
9.4 Any provision that by its nature should survive termination in order to protect Client Personal Data remains in force.
10. Indemnity
10.1 We will indemnify you for direct losses, claims, damages, liabilities, fines (to the extent permitted by law), penalties, costs and expenses (including reasonable legal fees) arising out of or in connection with our breach of this Data Processing Agreement, subject to clause 7.
10.2 You will indemnify us for direct losses, claims, damages, liabilities, fines (to the extent permitted by law), penalties, costs and expenses (including reasonable legal fees) arising out of or in connection with: (a) your breach of this Data Processing Agreement or Data Protection Laws, including any failure to obtain required consents or provide required notices; (b) any processing instruction you give that infringes Data Protection Laws; or (c) any claim by a data subject arising from your breach of your controller obligations, subject to clause 7.
10.3 Each party’s liability under this clause 10 is subject to the cap in clause 7.2.
11. General
11.1 Costs. Each party bears its own legal and other costs of preparing and performing this Data Processing Agreement.
11.2 Survival. Clauses 1, 6, 7, 8, 9, 10 and 11, and any clauses needed to interpret them, survive termination.
11.3 Relationship. We are independent contractors. Nothing here creates a partnership, agency or employment relationship.
11.4 Third-party rights. No third party has rights under the Contracts (Rights of Third Parties) Act 1999 to enforce this Data Processing Agreement.
11.5 Assignment. Neither party may assign or transfer this Data Processing Agreement without the other’s prior written consent, except that we may assign it to a successor in connection with a merger, acquisition or sale of all or substantially all of our assets.
11.6 Entire agreement. This Data Processing Agreement, together with the rest of the Agreement, contains the whole agreement on its subject matter and supersedes any prior understandings. Nothing in this clause limits liability for fraud.
11.7 Variation. No variation is valid unless in writing and signed by authorised signatories of both parties, except that we may update Schedule 2 (Sub-Processors) in accordance with clause 5.4.
11.8 Severability. If any provision is invalid or unenforceable, it will be modified to the minimum extent necessary to make it enforceable, and the rest continues in effect.
11.9 Waiver. A failure or delay in exercising a right is not a waiver of that or any other right.
11.10 Notices. Notices must be in writing and sent to the address or email in the Order Form or as set out here. UK letters are deemed delivered three (3) Business Days after posting. Emails are deemed delivered the same day, or the next Business Day if sent after 5 pm or on a non-business day at the recipient’s location.
11.11 Counterparts. This Data Processing Agreement may be signed in counterparts and by electronic signature.
11.12 Governing law and jurisdiction. This Data Processing Agreement is governed by the laws of England and Wales, and the courts of England and Wales have exclusive jurisdiction.
Acceptance. By signing the Order Form, the parties agree to this Data Processing Agreement with effect from the Effective Date of the Order Form.
Schedule 1 — Processing details
| Purpose of processing | For us to provide the Services to you under the applicable Order Form. |
| Scope and nature of processing | We may process Client Personal Data to the extent necessary to deliver the Services — including accessing, collecting, recording, organising, structuring, storing, retrieving, using, disclosing (only as permitted), aligning or combining, restricting, erasing and destroying it — primarily in digital form within the systems used to deliver the Services. |
| Categories of data subject | Your employees, consultants and contractors and, where applicable, your customers, end users, suppliers and other individuals whose personal data is submitted to the Services by or on your behalf. |
| Categories of personal data | As determined by you and the Services, and may include: names and business contact details (e.g. email address, telephone number, job title); user identifiers (e.g. usernames, IDs); IP addresses and device or technical identifiers; system audit logs, access logs and security or event logs; and any additional categories specified in the Order Form. |
| Special categories of personal data | Not applicable. The Services are not intended to process special category or criminal offence data. If such data is required for a specific use case, it must be documented in the Order Form and subject to additional safeguards agreed in writing. |
| Duration of processing | The Subscription Term, plus any return or deletion period under clause 9. |
| Data protection contact | notices@northerntechhub.com (for the attention of “Data Protection”). |
Schedule 2 — Approved sub-processors
The following Sub-Processors are authorised to process Client Personal Data in connection with the Services. We may update this list in accordance with clause 5.4, and may also maintain an up-to-date version on our website or trust centre.
| Sub-Processor | Purpose | Processing location(s) |
| Microsoft Azure (Microsoft Corporation) | Cloud hosting and platform infrastructure | UK South &
Switzerland North (EU) |
| OneReach.ai | AI orchestration and agentic workflow services | EU |
| Featurebase | Product feedback and feature-request management | EU |
| Stripe | Payment processing | US |
| Xero | Accounting and invoicing | EU |
| Atlassian | Issue tracking, project management and support | EU |
Northern Tech Hub Ltd
Registered address: Ground Floor, Radley House, Richardshaw Road, Leeds, LS28 6LE
Company Number: 16428857
Contact: notices@northerntechhub.com