Data Processing Addendum

Last updated: 2025-11-19

1. Parties

This Data Processing Agreement (“DPA”) is between:

• The Company (“Processor”)
• The Customer (“Controller”)

This DPA forms part of the Terms of Service.

2. Purpose

The Processor will process personal data on behalf of the Controller for:

• Website hosting
• Bookings and scheduling
• Staff and client management
• File storage

3. Data Categories

Controller may store:

• Names
• Email addresses
• Phone numbers
• Addresses
• Uploaded images/files

No special category data is intended to be processed.

4. Processing Location

Primary processing:

• eu-west-1 (Ireland)
• eu-west-2 (London)

Supporting processing:

• us-east-1 (Virginia) (AWS services)
• CloudFront global edge network

5. Subprocessors

Processor may use subprocessors listed in the Subprocessor Disclosure.

6. International Transfers

Where data is transferred outside the UK/EU, Processor relies on:

• Standard Contractual Clauses (SCCs)
• UK GDPR Addendum

7. Security Measures

Processor implements:

• Encryption
• Access controls
• Network isolation
• Monitoring and logging
• Backup and recovery

Details in our Security & Data Protection page.

8. Controller Obligations

Controller must:

• Obtain consent for personal data collected
• Comply with applicable laws
• Ensure lawful basis for processing
• Respond to data subjects’ rights

9. Processor Obligations

Processor will:

• Only process data on documented instructions
• Ensure confidentiality
• Notify Controller of breaches
• Assist with Data Subject Rights
• Assist with DPIAs
• Delete or return data on termination

10. Data Breach

Processor will notify Controller without undue delay of breaches involving personal data.

11. Termination

Upon termination:

• Data is deleted within 90 days
• Backups expire automatically within their lifecycle

Contact

privacy@kimshiltd.com