Data Processing Agreement

Last updated: [Date]

This Data Processing Agreement ("DPA") forms part of the Terms of Service between Little Bits Software Limited ("Processor", "we", "us") and the Customer ("Controller", "you") who subscribes to DMS.

This DPA sets out how we process personal data on your behalf when you use DMS. It applies wherever we act as your data processor under UK data protection law.


1. Definitions

Terms used in this DPA have the same meaning as in the UK GDPR and the Data Protection Act 2018:

  • Personal data — any information relating to an identified or identifiable individual.
  • Processing — anything done with personal data, including collecting, storing, using, and deleting it.
  • Data subject — the individual whose personal data is being processed.
  • Controller — you (the Customer), who determines the purposes and means of processing.
  • Processor — us (Little Bits Software Limited), who processes personal data on your behalf.
  • Sub-processor — a third party we engage to process personal data on your behalf.

2. Scope and roles

When you use DMS, you may upload or collect personal data about your Users and other individuals. In this context:

  • You are the Controller. You decide what personal data is collected through DMS, why it's collected, and how it's used.
  • We are the Processor. We process that data on your behalf, strictly according to your instructions, to provide the Services.

This DPA does not apply to personal data where we are the controller (such as your account details and billing information) — that's covered by our Privacy Notice.


3. Your obligations

As the Controller, you're responsible for:

  • Making sure you have a lawful basis for processing personal data through DMS.
  • Providing appropriate privacy notices to your Users and data subjects.
  • Ensuring the personal data you upload to DMS is accurate and up to date.
  • Not uploading special category data (such as health data, biometric data, or data revealing racial or ethnic origin) unless you've agreed specific arrangements with us in writing.
  • Responding to data subject requests, with our reasonable assistance where needed.

4. Our obligations

As the Processor, we will:

  • Only process personal data on your documented instructions. If we're ever required to process data for another reason (e.g., by law), we'll tell you beforehand unless prohibited from doing so.
  • Make sure anyone with access to personal data is bound by confidentiality obligations.
  • Implement appropriate technical and organisational security measures (see Section 6).
  • Only engage sub-processors with your prior knowledge and subject to equivalent data protection obligations (see Section 7).
  • Assist you in responding to data subject requests and fulfilling your obligations under UK GDPR.
  • Delete or return all personal data at the end of the contract, at your choice (see Section 10).
  • Make available information necessary to demonstrate our compliance with this DPA.

5. Details of processing

  • Subject matter: Provision of the DMS platform.
  • Duration: For the term of your subscription, plus any retention period set out below.
  • Nature and purpose: Hosting, storing, backing up, and making available personal data you upload to DMS.
  • Types of personal data: Names, contact details, job titles, organisational roles, activity data, feedback responses, and any other personal data you choose to upload.
  • Categories of data subjects: Your Users, employees, contractors, and other individuals whose data you upload to DMS.

6. Security measures

We implement appropriate technical and organisational measures to protect personal data, including:

  • Encryption — data is encrypted in transit (TLS 1.2+) and at rest.
  • Access controls — role-based access, multi-factor authentication for administrative access, and the principle of least privilege.
  • Infrastructure security — hosted on ISO 27001-certified cloud providers (AWS, GCP) with network-level protections via Cloudflare.
  • Backups — regular automated backups stored in geographically separate locations.
  • Monitoring — logging and monitoring of access to personal data.
  • Incident response — documented procedures for identifying, containing, and resolving security incidents.

We regularly review and update these measures to reflect current risks and best practices.


7. Sub-processors

We use the following sub-processors to provide DMS:

Sub-processor                  Purpose                             Location
Amazon Web Services (AWS)      Cloud hosting and storage           Germany (EU)
Google Cloud Platform (GCP)    Cloud hosting and infrastructure    Germany (EU)
Cloudflare                     Network security and performance    Germany (EU)

Changes to sub-processors

We'll give you at least 14 days' notice before adding or replacing a sub-processor. This notice will be provided by email or through the platform.

If you have a reasonable objection to a new sub-processor, let us know within that notice period. We'll work with you to find a solution. If we can't resolve your concern, you may terminate your subscription without penalty.

All sub-processors are bound by written agreements that impose data protection obligations equivalent to those in this DPA.


8. International transfers

Our sub-processors currently store data in Germany (within the EEA). The UK has recognised the EEA as providing adequate protection for personal data under UK adequacy regulations.

If any transfer of personal data outside the UK or EEA becomes necessary, we will:

  • Inform you before the transfer takes place.
  • Ensure appropriate safeguards are in place (such as UK International Data Transfer Agreements or Standard Contractual Clauses).
  • Only proceed if the transfer complies with UK data protection law.

9. Data breaches

If we become aware of a personal data breach affecting data we process on your behalf, we will:

  1. Notify you without undue delay and in any event within 72 hours of becoming aware of the breach.
  2. Provide you with sufficient detail to enable you to meet your own notification obligations to the ICO and affected individuals.
  3. Co-operate with you and take reasonable steps to contain and remediate the breach.

Our notification will include (to the extent known):

  • The nature of the breach and the categories of data affected.
  • The approximate number of data subjects and records involved.
  • The likely consequences of the breach.
  • The measures taken or proposed to address the breach.

10. Data return and deletion

When your subscription ends:

  • You'll have 30 days to export your data from DMS.
  • After that period, we'll delete all personal data from our active systems within 30 days.
  • Backup copies will be purged in line with our standard backup rotation cycle (typically within 90 days).

If you'd prefer us to return your data in a structured, commonly used format before deletion, let us know and we'll arrange that.


11. Audits

You have the right to verify our compliance with this DPA. We'll support this by:

  • Responding to reasonable written audit questionnaires.
  • Making relevant compliance documentation available on request.
  • Allowing on-site audits with reasonable advance notice (at least 30 days), during business hours, and subject to confidentiality obligations. Costs of on-site audits are borne by you.

Where possible, we'll address audit requests through documentation and questionnaires before an on-site visit becomes necessary.


12. Liability

Liability under this DPA is subject to the limitations set out in our Terms of Service.


13. Duration and termination

This DPA takes effect when you start using DMS and remains in force for as long as we process personal data on your behalf. It survives termination of your subscription to the extent necessary for us to complete data return or deletion.


Contact

For any questions about this DPA, or to exercise your rights, contact us at:

Email: [email protected]