0%
Explore Stannnell Limited
info@stannnell.co.uk
Follow
Facebook Follow
Instagram

DATA PROCESSING AGREEMENT (DPA)

HomeDATA PROCESSING AGREEMENT (DPA)

Between Stannnell Ltd and Client
Last updated: 06/12/2025

This Data Processing Agreement (“DPA”) forms part of any contract or service agreement (“Main Agreement”) between:

1. Parties

Data Processor:

Stannnell Ltd
Registered Address: 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ, United Kingdom
Company Number: {{numero}}
Email: privacy@stannnell.co.uk

Data Controller:

The client purchasing services from Stannnell Ltd (“Client”).
Details as specified in the Main Agreement.

2. Definitions

This DPA uses definitions from:

  • UK GDPR
  • Data Protection Act 2018
  • EU GDPR (if applicable)

Key terms:

  • Personal Data: Any information relating to an identified or identifiable natural person.
  • Processing: Any operation performed on personal data.
  • Controller: The entity that determines the purposes of processing.
  • Processor: The entity that processes data on behalf of the Controller.
  • Subprocessor: Third party engaged by the Processor to process data.

3. Subject Matter of the Processing

Stannnell Ltd processes personal data solely for the purpose of delivering services specified in the Main Agreement, which may include:

  • Digital marketing services
  • Cyber security and IT protection
  • Corporate event management
  • Brand strategy and creative direction
  • Analytics, reporting and optimisation
  • Customer communication

No personal data will be processed for purposes outside the agreed scope.

4. Duration

Processing begins when the Client engages Stannnell Ltd and continues until termination of the Main Agreement.

Upon termination, data will be deleted or returned as per Section 11.

5. Types of Personal Data Processed

Depending on the services, this may include:

  • Name and surname
  • Email address
  • Phone number
  • Company details
  • IP address and device information
  • User behaviour and analytics data
  • Event attendee information
  • Marketing preferences
  • Any data provided by the Client

Special Category Data is not intentionally processed unless explicitly agreed.

6. Obligations of Stannnell Ltd (Processor)

Stannnell Ltd agrees to:

✔ Process personal data only on documented instructions from the Client

✔ Ensure all personnel are under confidentiality obligations

✔ Implement appropriate technical and organisational security measures

(including ISO 27001–aligned frameworks, Cyber Essentials certification, encryption, MFA, access control)

✔ Assist the Client in fulfilling its obligations under GDPR

including:

  • Data Subject Access Requests
  • Data breach notifications
  • Impact assessments

✔ Maintain records of processing activities

✔ Notify the Client of any data breach without undue delay

✔ Not engage subprocessors without prior authorisation

7. Subprocessors

Stannnell Ltd may use third-party subprocessors such as:

  • Cloud hosting providers
  • CRM systems
  • Analytics platforms
  • Cyber security monitoring tools
  • Email and marketing platforms

A full list can be provided upon request.

Stannnell ensures subprocessors comply with the same obligations as in this DPA.

8. International Data Transfers

If personal data is transferred outside the UK/EEA, Stannnell Ltd will ensure:

  • Adequacy decisions apply
  • Standard Contractual Clauses (SCCs) are in place
  • Appropriate security measures (encryption, pseudonymisation) are applied

9. Data Subject Rights

Stannnell Ltd will assist the Client in responding to requests from data subjects, including:

  • Right of access
  • Right to rectification
  • Right to erasure
  • Right to restrict processing
  • Right to data portability
  • Right to object

Requests should be forwarded to privacy@stannnell.co.uk.

10. Security Measures

Stannnell Ltd maintains strong technical and organisational controls, including:

  • Encryption in transit and at rest
  • Multi-factor authentication (MFA)
  • Access control based on roles
  • Regular vulnerability scanning
  • Network segmentation
  • Cyber Essentials certification
  • ISO 27001–aligned processes
  • Secure backups
  • Incident response procedures

A detailed security policy is available on request.

11. Data Deletion or Return

Upon termination of services:

  • All personal data will be deleted, unless retention is required by law
  • Alternatively, data may be returned to the Client in a structured format

Backups will be deleted according to industry best practices.

12. Audits

The Client may request audits or security documentation.
Stannnell Ltd will provide reasonable access to compliance information, subject to confidentiality agreements.

13. Liability

Both parties remain liable under the Main Agreement.
Stannnell Ltd is not responsible for damages caused by the Client’s instructions or misuse of data.

14. Governing Law

This DPA is governed by the laws of England and Wales.
Any disputes shall be resolved in UK courts.

15. Acceptance

By using Stannnell Ltd’s services, the Client agrees to this Data Processing Agreement.