Data processing agreement


The agreement

This Data Processing Agreement and its annexes (DPA) is incorporated into and forms part of the Agreement between NQC Limited (NQC) and the counterparty agreeing to these terms (Customer) and applies to the extent that NQC processes Personal Data on behalf of the Customer in the course of its performance of its obligations under the Agreement. By signing the Order Form, the Customer accepts the terms in this DPA. 



1. Definitions

1.1 Capitalised terms used but not defined in this DPA have the meaning set out in the Agreement.

1.2 Addendum: the International Data Transfer Addendum to the European Commission’s SCCs for international data transfers, a completed copy of which comprises ANNEX C, or such alternative transfer agreements as may be approved by the ICO or European Commission from time to time.

1.3 Business Purposes: the services to be provided by NQC to the Customer as described in the Agreement.

1.4 Controller, Processor, Data Subject, Personal Data and Processing: have the meanings given to them in the Data Protection Legislation.

1.5 Customer Personal Data: has the meaning given to it in clause 2.1.1

1.6 Data Protection Legislation:

1.6.1  To the extent the UK GDPR applies, the law of the United Kingdom or of a part of the United Kingdom which relates to the protection of personal data.

1.6.2  To the extent the General Data Protection Regulation ((EU) 2016/679) applies, the law of the European Union or any member state of the European Union to which the Customer or NQC is subject, which relates to the protection of personal data.

1.6.3 To the extent the California Privacy Rights Act 2020 or any other US federal or state laws apply, the laws of the US, to which the Customer or NQC is subject, which relate to the protection of personal data.

1.7  EEA: the European Economic Area.

1.8  ICO: the Information Commissioner (see Article 4(A3), UK GDPR and section 114, DPA 2018).

1.9  IDTA: the UK ICO’s International Data Transfer Agreement or such alternative transfer agreements as may be approved by the ICO from time to time.

1.10  Personal Data Breach: means any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, any Customer Personal Data.

1.11  Standard Contractual Clauses (SCCs): the European Commission's Standard Contractual Clauses for the transfer of Personal Data from the European Union to processors established in third countries (controller-to-processor transfers), as set out in the Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, or such alternative clauses as may be approved by the European Commission from time to time.

1.12  Term: has the meaning given to it in clause 2.3.

1.13  UK GDPR: has the meaning given to it in section 3(10) (as supplemented by section 205(4)) of the Data Protection Act 2018.

1.14  In the case of conflict or ambiguity between any provision contained in the body of this DPA and any provision contained in the Annexes, the provision in the relevant Annex will prevail.


2. Application of this DPA

2.1  This DPA will only apply to the extent all of the following conditions are met: 

2.1.1  NQC processes Personal Data that is made available by the Customer in connection with the Agreement (whether directly by the Customer or indirectly by a third party retained by and operating for the benefit of the Customer) (Customer Personal Data); and

2.1.2  Data Protection Legislation applies to the processing of such Customer Personal Data. 

2.2  This DPA will only apply in relation to the services that the parties agreed to in the Order Form. 

2.3  The DPA remains in effect from the date of the Agreement until, and automatically expires when, NQC deletes all Customer Personal Data (Term). 


3. Personal data types and processing purposes

3.1  The Customer and NQC agree and acknowledge that for the purpose of the Data Protection Legislation:

3.1.1  the Customer is the controller and NQC is the processor with respect to Customer Personal Data.

3.1.2  the Customer retains control of the Customer Personal Data and remains responsible for its compliance obligations under the applicable Data Protection Legislation, including but not limited to providing any required notices and obtaining any required consents, and for the written processing instructions it gives to NQC.

3.1.3  ANNEX A describes the subject matter, duration, nature and purpose of the processing and the Customer Personal Data categories and Data Subject types in respect of which NQC may process the Customer Personal Data to fulfil the Business Purposes.

3.1.4  (and shall ensure all Authorised 


4. NQC's obligations

4.1  NQC will only process the Customer Personal Data to the extent, and in such a manner, as is necessary for the Business Purposes in accordance with the Customer's written instructions. NQC will not process the Customer Personal Data for any other purpose or in a way that does not comply with this DPA or the Data Protection Legislation. NQC will promptly notify the Customer if, in its opinion, the Customer's instructions do not comply with the Data Protection Legislation.

4.2  NQC will maintain the confidentiality of the Customer Personal Data in accordance with the terms of the Agreement.

4.3  NQC will reasonably assist the Customer with meeting the Customer's compliance obligations under the Data Protection Legislation with respect to Customer Personal Data, taking into account the nature of NQC's processing and the information available to NQC, including in relation to Data Subject rights, data protection impact assessments and reporting to and consulting with the ICO or other relevant regulator under the Data Protection Legislation.

4.4  NQC will promptly notify the Customer of any changes to the Data Protection Legislation that may reasonably be interpreted as adversely affecting NQC's performance of this DPA or the Agreement. 

4.5  NQC will ensure that all of its employees:

4.5.1  are informed of the confidential nature of the Customer Personal Data and are bound by confidentiality obligations and use restrictions in respect of the Customer Personal Data; and

4.5.2  are aware of NQC's duties and their personal duties and obligations under the Data Protection Legislation and this DPA in relation to Customer Personal Data.

4.6  NQC will implement appropriate technical and organisational measures against unauthorised or unlawful processing, access, copying, modification, reproduction, display or distribution of Customer Personal Data, and against accidental or unlawful loss, destruction, alteration, disclosure or damage of Customer Personal Data, as set out in ANNEX B. NQC will implement such measures to ensure a level of security appropriate to the risk involved in relation to such Customer Personal Data, including as appropriate:

4.6.1  the pseudonymisation and encryption of Customer Personal Data;

4.6.2  the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;

4.6.3  the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and

4.6.4  a process for regularly testing, assessing and evaluating the effectiveness of the security measures.


5. Personal data breach

5.1  NQC will, without undue delay and in any event within seventy-two (72) hours notify the Customer if it becomes aware of:

5.1.1  the loss, unintended destruction or damage, corruption, or unusability of part or all of the Customer Personal Data. NQC will restore such Customer Personal Data at its own expense as soon as possible.

5.1.2  any accidental, unauthorised or unlawful processing of the Customer Personal Data; or

5.1.3  any Personal Data Breach.

5.2  Without undue delay following any accidental, unauthorised or unlawful Customer Personal Data processing or Personal Data Breach, the parties will co-ordinate with each other to investigate the matter. Further, NQC will reasonably cooperate with the Customer, in the Customer's handling of the matter.

5.3  NQC agrees that the Customer has the sole right to determine:

5.3.1  whether to provide notice of the accidental, unauthorised or unlawful processing and/or the Personal Data Breach to any Data Subjects, the ICO, other in-scope regulators, law enforcement agencies or others, as required by law or regulation or in the Customer's discretion, including the contents and delivery method of the notice; and

5.3.2  whether to offer any type of remedy to affected Data Subjects, including the nature and extent of such remedy.


6. Data transfers outside the UK or EEA

6.1  The Customer agrees that NQC may access and process Customer Personal Data on a global basis as necessary to provide the services in accordance with the Agreement. Wherever Customer Personal Data is transferred outside its country of origin, each party will ensure such transfers are made in compliance with the requirements of Data Protection Legislation.

6.2  To the extent that NQC Processes Personal Data outside the EEA, UK or an Approved Jurisdiction, then the parties shall be deemed to enter into the Standard Contractual Clauses, subject to any amendments contained in the Addendum, in which event the Customer shall be deemed as the Data Exporter and NQC shall be deemed as the Data Importer (as these terms are defined therein).

6.3  NQC may transfer Customer Personal Data relating to Data Subjects in the EEA or UK to a location outside the EEA or UK (Transfer) only subject to the following: 

6.3.1  the Transfer is necessary for the purpose of NQC carrying out its obligations under the Agreement, or is required under applicable laws; and 

6.3.2  the Transfer is made: (i) to a member state of the EEA, or to another jurisdiction which is, at the time of the Transfer, recognised by the European Commission (or, for UK data, the UK Secretary of State) as providing adequate legal protection for personal data; (ii) subject to appropriate safeguards (for example, through the use of the Standard Contractual Clauses, the IDTA or other applicable frameworks); or (iii) in accordance with any of the exceptions listed in the Data Protection Legislation (in which event, the Customer will inform NQC which exception applies to each Transfer and will assume complete and sole liability for ensuring that the exception applies).


7. Subprocessors

7.1  NQC may only authorise a new third party (Subprocessor) to process Customer Personal Data if:

7.1.1  the Customer is provided with an opportunity to object to the appointment of each Subprocessor within seven (7) days after NQC provides notice of the proposed appointment; and

7.1.2  NQC enters into a written contract with the Subprocessor that contains terms substantially the same as those set out in this DPA, in particular, in relation to requiring appropriate technical and organisational data security measures and meets the requirements of Data Protection Legislation.

7.2  Those Subprocessors approved as at the commencement of this DPA are as set out in ANNEX A. 

7.3  If the Customer notifies NQC of a legitimate objection to the appointment of a new Subprocessor, the parties agree to discuss the concerns with a view to achieving a commercially reasonable resolution. If no such resolution can be reached, NQC may appoint the Subprocessor and the Customer will have the right to terminate the Agreement on written notice to be provided within fourteen (14) days of the date of receiving confirmation that NQC intends to continue with the new appointment. 

7.4  NQC will be responsible for any acts, errors or omissions by its Subprocessors, which may cause NQC to breach any of its obligations under this DPA.


8. Complaints, data subject requests, and third-party rights

8.1  NQC will provide such information to the Customer as the Customer may reasonably require, to enable the Customer to comply with:

8.1.1  the rights of Data Subjects under the Data Protection Legislation, including subject access rights, the rights to rectify, port and erase personal data, object to the processing and automated processing of personal data, and restrict the processing of personal data; and 

8.1.2  information or assessment notices served on the Customer by the ICO or other relevant regulator under the Data Protection Legislation.

8.2  NQC will notify the Customer promptly in writing if it receives any complaint, notice or communication that relates directly or indirectly to the processing of Customer Personal Data or to either party's compliance with the Data Protection Legislation.

8.3  NQC will notify the Customer promptly if it receives a request from a Data Subject for access to their Customer Personal Data or to exercise any of their other rights under the Data Protection Legislation.

8.4  NQC will give the Customer its reasonable co-operation and assistance in responding to any complaint, notice, communication or Data Subject request. 


9. Termination

9.1  If a change in any Data Protection Legislation prevents either party from fulfilling all or part of its obligations under the Agreement, the parties may agree to suspend the processing of Customer Personal Data until that processing complies with the new requirements. If the parties are unable to bring the Customer Personal Data processing into compliance with the Data Protection Legislation within thirty (30) days, either party may terminate the Agreement with immediate effect on written notice to the other party.


10. Data return and destruction

10.1  On termination of the Agreement for any reason or expiry of its term, NQC will securely delete or destroy, or, if directed in writing by the Customer, return and not retain, all Customer Personal Data in its possession or control.

10.2  If any law, regulation, or government or regulatory body requires NQC to retain any documents or materials or Customer Personal Data that NQC would otherwise be required to destroy, NQC may retain them for as long as, and only to the extent, so required, and will otherwise continue to handle them in accordance with the terms of this DPA.


11. Records

11.1  NQC will keep appropriate records of its processing activities as required by Data Protection Legislation. To the extent Data Protection Legislation requires NQC to collect and maintain records of certain information relating to the Customer, the Customer will supply such information to NQC and keep it accurate and up-to-date. NQC may make any such information available to competent regulators, including the ICO if required by Data Protection Legislation.


12. Audit

12.1  At least once a year, NQC will conduct audits of its Personal Data processing practices and the information technology and information security controls for facilities and systems used in complying with its obligations under this DPA, including, but not limited to, obtaining a network-level vulnerability assessment performed by a recognised third-party audit firm based on recognised industry best practices.

12.2  On the Customer's written request, NQC will make the relevant audit reports available to the Customer for review. The Customer will treat such audit reports as NQC's confidential information under the Agreement.


ANNEX A: Personal data processing purposes and details

Subject matter of processing: performance of the core services pursuant to the Agreement.

Duration of Processing: the Term of this DPA.

Nature of Processing: Collection, recording, organisation or structuring, storage, retrieval and disclosure (with permission).

Personal Data Categories: Business contact information. The parties do not envisage the transfer of sensitive Personal Data. 

Data Subject Types: Platform users.

Frequency of Transfer: Continuous.

Approved Subprocessors: Google Cloud EMEA Limited, 70 Sir John Rogerson’s Quay, D02 R296, Dublin 2, Ireland


ANNEX B: Security measures

1.  Access Control: The company applies strict measures to ensure that access to systems and data is restricted only to authorised personnel. Access rights are granted on the principle of least privilege, meaning individuals are provided with only those permissions required for their role.

All personnel are authenticated prior to accessing systems using unique credentials, and multi-factor authentication (MFA) is required for administrative and privileged accounts. Access to sensitive systems and environments is further restricted through role-based access control (RBAC), ensuring segregation of duties and reducing the potential for unauthorised access.

Access rights are reviewed on a regular basis and revoked promptly when a user no longer requires them, for example, upon a role change or termination of employment. Audit logs of access activity are maintained and monitored to detect any anomalies or unauthorised attempts.
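The access-control wording above describes four checkable controls: least-privilege role assignment, MFA on privileged accounts, periodic review with prompt revocation for leavers, and monitoring of access logs for anomalies. The following is an added example of what a practitioner's periodic check for those controls looks like; it is not NQC's code and is not part of this DPA. It reconciles a constructed IAM export against a constructed HR roster and scans constructed access-log lines. The role names treated as privileged, the log line format, the dormancy window and the failed-login threshold are all assumptions made for the example.

```python
# Added example (not NQC's code): access-review reconciliation and access-log scan
# for the controls described in Annex B, section 1. All data below is constructed.
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass
from datetime import date, datetime

# Assumption: role names that count as privileged in the hypothetical platform.
PRIVILEGED_ROLES = frozenset({"admin", "owner", "db_admin"})


@dataclass(frozen=True)
class Account:
    """One row of an IAM export: who holds which roles, and whether MFA is on."""
    username: str
    roles: frozenset[str]
    mfa_enrolled: bool
    last_login: date | None


@dataclass(frozen=True)
class Employee:
    """One row of the HR roster; inactive means left or role ended."""
    username: str
    active: bool
    leave_date: date | None = None


def review_access(accounts, employees, as_of: date, dormant_days: int = 90):
    """Return sorted (username, finding) pairs for a periodic access review."""
    roster = {e.username: e for e in employees}
    findings = []
    for acct in accounts:
        emp = roster.get(acct.username)
        if emp is None:
            findings.append((acct.username, "orphan account: no HR record"))
        elif not emp.active:
            findings.append((acct.username, f"leaver: access still live after {emp.leave_date}"))
        privileged = acct.roles & PRIVILEGED_ROLES
        if privileged and not acct.mfa_enrolled:
            findings.append((acct.username, "privileged role without MFA: " + ", ".join(sorted(privileged))))
        if acct.last_login is None or (as_of - acct.last_login).days > dormant_days:
            findings.append((acct.username, f"dormant: no login in {dormant_days} days"))
    return sorted(findings)


def parse_log_line(line: str) -> dict:
    """Parse a constructed 'timestamp key=value ...' access-log line."""
    ts, *fields = line.split()
    rec = {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00"))}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def scan_access_log(lines, employees, fail_threshold: int = 5):
    """Flag successful logins by inactive users and bursts of failed logins."""
    inactive = {e.username for e in employees if not e.active}
    failures = Counter()
    alerts = []
    for rec in map(parse_log_line, lines):
        user = rec["user"]
        if rec["result"] == "OK" and user in inactive:
            alerts.append((user, f"successful login by inactive user from {rec['src']}"))
        if rec["result"] == "FAIL":
            failures[user] += 1
            if failures[user] == fail_threshold:  # alert once, on reaching the threshold
                alerts.append((user, f"{fail_threshold} failed logins, possible credential attack"))
    return alerts


# Constructed sample data for the review.
AS_OF = date(2024, 6, 1)
EMPLOYEES = [
    Employee("alice", True),
    Employee("bob", False, date(2024, 3, 15)),  # left, account never revoked
    Employee("carol", True),
]
ACCOUNTS = [
    Account("alice", frozenset({"admin"}), True, date(2024, 5, 30)),
    Account("bob", frozenset({"user"}), False, date(2024, 3, 14)),
    Account("carol", frozenset({"db_admin"}), False, date(2024, 5, 29)),  # privileged, no MFA
    Account("svc-legacy", frozenset({"user"}), False, None),  # nobody owns this one
]
SAMPLE_LOG = [
    "2024-06-01T09:00:01Z user=alice result=OK src=10.0.0.5",
    "2024-06-01T09:05:10Z user=bob result=OK src=203.0.113.9",
    "2024-06-01T09:06:00Z user=carol result=FAIL src=198.51.100.7",
    "2024-06-01T09:06:02Z user=carol result=FAIL src=198.51.100.7",
    "2024-06-01T09:06:04Z user=carol result=FAIL src=198.51.100.7",
    "2024-06-01T09:06:06Z user=carol result=FAIL src=198.51.100.7",
    "2024-06-01T09:06:08Z user=carol result=FAIL src=198.51.100.7",
    "2024-06-01T09:07:00Z user=carol result=OK src=10.0.0.12",
]

if __name__ == "__main__":
    for item in review_access(ACCOUNTS, EMPLOYEES, AS_OF) + scan_access_log(SAMPLE_LOG, EMPLOYEES):
        print(*item, sep=": ")
```

Both functions return findings rather than printing them so they can be fed into a ticketing or alerting system; the review is only as reliable as the HR roster it is reconciled against, which is why orphan accounts with no roster entry are reported rather than silently skipped.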

2.  System and Data Security: Customer services and platforms are hosted from within the Google Cloud Platform (GCP), which provides robust physical, environmental, and logical security controls. Data centres are purpose-built with extensive protective measures, including perimeter fencing, biometric access, 24/7 staffed security, and CCTV monitoring.

Within GCP, systems are deployed with a defence-in-depth approach, utilising hardened virtual machines, secure configurations, and automated patch management. Application-level controls enforce strict RBAC policies, ensuring users only interact with data objects for which they have been explicitly granted permission.

The company enforces inactivity timeouts, session management controls, and ensures that all users of the platform must be authenticated before any access is permitted. These measures collectively ensure that only authenticated and authorised users can interact with data and system resources. 

3.  Network and Transmission Security: The company employs multiple layers of network security to protect against external and internal threats. Firewalls, intrusion detection and prevention systems (IDPS), and network segmentation are used to prevent unauthorised access and to isolate sensitive workloads.

All data transmitted over the network is encrypted using secure cryptographic protocols. The company mandates HTTPS with TLS 1.2 or higher for all inbound and outbound connections. Legacy HTTP requests are automatically redirected to secure endpoints.

A Web Application Firewall (WAF), aligned to the OWASP Core Rule Set, provides real-time monitoring, filtering, and blocking of malicious traffic, ensuring ongoing protection against evolving web-based threats.

4.  Data Encryption: To safeguard confidentiality, integrity, and compliance, encryption is applied to data both in transit and at rest. Data in transit is encrypted using TLS. Data at rest is encrypted using AES-256 or stronger.

GCP’s native Key Management Service (KMS) ensures that encryption keys are managed securely, with strict access controls, auditing, and lifecycle management. Transparent Data Encryption (TDE) is enabled on databases, ensuring that data files and backups are encrypted automatically.

This layered approach ensures that data remains protected even in the event of unauthorised access to the underlying infrastructure.

5.  Backups and Business Continuity: The company maintains a documented backup and disaster recovery strategy to safeguard against accidental loss or corruption of data. Automated backups are performed regularly, with data stored securely in geographically distributed GCP regions.

Backups are encrypted both in transit and at rest, and restoration procedures are tested periodically to verify data integrity and recovery capability. This ensures that in the event of system failure or other disruption, services can be restored promptly with minimal impact.

The company also maintains a business continuity plan (BCP), which includes disaster recovery. The BCP is reviewed and tested regularly to ensure preparedness for a range of adverse scenarios. 

6.   Vulnerability Management and Monitoring: The company conducts continuous monitoring of systems and networks to identify and address vulnerabilities. Automated vulnerability scanning tools are employed, complemented by a structured patch management process to remediate identified issues in a timely manner.

Independent penetration testing is performed on a regular basis by qualified third parties, with remediation activities tracked through to completion. Security event logs are collected centrally and monitored for anomalies, enabling proactive detection and response to potential threats.

This approach ensures that vulnerabilities are addressed before they can be exploited and that risks are managed proactively.

7.  Change Management:  The company operates a formal change management process governing all changes to systems, applications, and infrastructure. All proposed changes are reviewed for security, stability, and potential impact prior to implementation.

Changes must be formally approved, documented, and tested in controlled environments before being deployed to production. This structured approach reduces the risk of errors, outages, or security gaps, while ensuring auditability and accountability for all changes made.

8.  Incident Response: An incident response plan is maintained to ensure that data breaches and other security incidents are managed effectively. The plan defines clear roles, responsibilities, and escalation paths, and is subject to regular review and testing.

In the event of a security incident, the company will investigate promptly, contain and remediate the issue, and take steps to prevent recurrence. All incidents are logged, with post-incident reviews conducted to identify lessons learned.

Where required, notifications to clients and regulators will be made in accordance with applicable data protection laws and within mandated timescales.

9.  Risk Management: The company conducts periodic risk assessments to identify emerging threats and vulnerabilities, ensuring that security measures remain appropriate and effective. Risk assessments are formally documented and reviewed, with results feeding into security strategy and investment decisions.

This proactive approach ensures ongoing alignment with industry best practice and regulatory expectations. 

10.  Training and Awareness: All employees and contractors undergo regular training on information security, data protection principles, and their responsibilities when handling personal data. Training is refreshed periodically and tailored to reflect role-specific requirements and emerging risks.

Awareness campaigns and targeted communications are also used to reinforce good security practices and to maintain a culture of accountability and vigilance across the organisation.

11.  Physical Security: The company’s office is protected by layered physical security measures, including secure entry systems, access controls, and CCTV monitoring. Visitors are required to sign in, be accompanied at all times, and adhere to visitor management procedures.

Cloud infrastructure is hosted within GCP data centres, which employ extensive physical protections including biometric access, perimeter controls, and continuous security monitoring by trained personnel.


ANNEX C: Addendum

VERSION B1.0, in force 21 March 2022

This Addendum has been issued by the Information Commissioner for Parties making Restricted Transfers. The Information Commissioner considers that it provides Appropriate Safeguards for Restricted Transfers when it is entered into as a legally binding contract.

Part 1: Tables

Table 1: Parties