Adoptech Data Processing Agreement
Last updated: 1 May 2026
This Data Processing Agreement (“DPA”) forms part of the agreement between you (“Client”) and Adoptech Ltd, registered at 71-75 Shelton Street, London, WC2H 9JQ (“Adoptech”, “we” or “us”). It applies whenever Adoptech processes personal data on your behalf in connection with the services we provide to you.
By accepting our End User Licence Agreement or Master Services Agreement (as applicable), you also agree to the terms of this DPA. If you are entering into this DPA on behalf of a company or other legal entity, you confirm that you have authority to bind that entity.
1. What the words in this DPA mean
The following terms are used throughout this DPA:
| Data Protection Legislation | The UK GDPR, the Data Protection Act 2018, the Privacy and Electronic Communications Regulations 2003, and any related UK law or regulation (including any statutory modification or re-enactment of them). |
| Data Controller | Has the meaning given in the Data Protection Legislation — broadly, the party that decides why and how personal data is processed. |
| Data Processor | Has the meaning given in the Data Protection Legislation — broadly, a party that processes personal data on behalf of a Data Controller. |
| Data Subject | Has the meaning given in the Data Protection Legislation — the individual whose personal data is being processed. |
| Personal Data | Has the meaning given in the Data Protection Legislation — any information relating to an identified or identifiable living individual. |
| Personal Data Breach | A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data. |
| Process / Processing | Has the meaning given in the Data Protection Legislation — any operation performed on Personal Data, including collection, storage, use, disclosure or deletion. |
| Services | The services Adoptech provides to you under the End User Licence Agreement or Master Services Agreement, as applicable. |
| User Data | Any information, materials or data: (a) uploaded, stored or created in or using the Adoptech platform by you, your users, or by us on your instructions; and/or (b) provided to us by or on behalf of you or your users. |
| Subprocessor | Any third party appointed by Adoptech to process Personal Data on your behalf in connection with the Services. |
| UK GDPR | The retained EU law version of the General Data Protection Regulation (EU) 2016/679, as it forms part of the law of England and Wales by virtue of the European Union (Withdrawal) Act 2018. |
2. Our roles
Where User Data that you submit to us constitutes Personal Data, the parties agree that:
- you (and/or your users) are the Data Controller – you decide what Personal Data is collected and why; and
- Adoptech is the Data Processor – we process that Personal Data on your behalf, only as instructed by you.
This DPA sets out the subject matter, duration, nature and purpose of our processing, the types of Personal Data involved, and the rights and obligations of both parties, as required by Article 28 UK GDPR.
3. What we process and why
3.1 Subject matter and duration
We process Personal Data for as long as you use the Services. When your agreement with us ends, we will retain Personal Data only as set out in section 7 (Data return and deletion) below.
3.2 Nature and purpose
We process Personal Data only as necessary to provide the Services to you. This may include:
- collecting, recording and organising data;
- storing and retrieving data;
- altering, combining or erasing data; and
- disclosing data to permitted third parties as set out in this DPA.
3.3 Types of Personal Data
The Personal Data we process is determined and controlled by you. It may include, but is not limited to:
- names and personal contact details;
- professional contact details;
- IP addresses and cookie data;
- login credentials; and
- traffic data including web logs.
3.4 Categories of Data Subjects
The Data Subjects whose Personal Data we process may include, but are not limited to:
- your customers;
- your employees;
- your business partners; and
- your suppliers.
4. What we will do
In acting as your Data Processor, we will:
4.1 Only act on your instructions
We will only process Personal Data on your documented written instructions, which include this DPA and our agreement with you. If we are required by applicable law to process Personal Data in a way that goes beyond your instructions, we will tell you before doing so (unless the law prevents us from telling you).
4.2 Keep Personal Data secure
We will put in place appropriate technical and organisational measures to protect Personal Data against unauthorised or unlawful processing and against accidental loss, destruction, damage or disclosure. In deciding what measures are appropriate, we will take into account:
- the nature and sensitivity of the Personal Data;
- the likely harm if a breach occurred;
- the state of available technology; and
- the cost of implementing the measures.
4.3 Keep Personal Data confidential
We will make sure that everyone at Adoptech who accesses or processes Personal Data is under a contractual duty of confidentiality.
4.4 International transfers
We will not transfer Personal Data outside the UK without first ensuring that appropriate safeguards are in place in accordance with the Data Protection Legislation, for example, by using standard contractual clauses approved by the UK Information Commissioner’s Office, or by transferring to a country that benefits from an adequacy decision or adequacy regulation under UK law. We maintain an up-to-date list of the countries to which we transfer data in our Subprocessor list (see section 5.3).
4.5 Help you respond to Data Subject requests
We will assist you (at your cost) in responding to requests from Data Subjects exercising their rights under the Data Protection Legislation, for example, requests for access, rectification, erasure or portability.
4.6 Help you meet your compliance obligations
We will assist you (at your cost) in carrying out data protection impact assessments, breach notifications, and consultations with the Information Commissioner or other supervisory authorities, where these relate to Personal Data we process on your behalf.
4.7 Notify you of a Personal Data Breach
If we become aware of a Personal Data Breach affecting your data, we will notify you without undue delay of becoming aware. Our notification will include, to the extent we know it at the time:
- a description of the nature of the breach;
- the categories and approximate number of Data Subjects affected;
- the categories and approximate number of Personal Data records affected;
- the likely consequences of the breach; and
- the measures we have taken or propose to take to address it.
4.8 Keep records and allow audits
We will maintain complete and accurate records to demonstrate our compliance with this DPA. We will allow you (or your appointed auditor) to audit our data processing activities on reasonable prior written notice of not less than 30 days, subject to:
- audits being limited to once per calendar year (unless a Personal Data Breach has occurred);
- the auditor signing a confidentiality undertaking before accessing any of our systems or records; and
- the reasonable costs of supporting an audit being met by you.
We will also promptly tell you if, in our opinion, any instruction you give us would breach the Data Protection Legislation.
4.9 Make information available to demonstrate compliance
We will make available to you all information reasonably necessary to demonstrate our compliance with the obligations set out in this DPA and in Article 28 of the UK GDPR. This obligation is in addition to, and separate from, the audit right set out in clause 4.8.
5. Subprocessors
5.1 Your general authorisation
By accepting this DPA, you give us general written authorisation (as required by Article 28(2) UK GDPR) to appoint Subprocessors to help us deliver the Services.
5.2 Our obligations when appointing Subprocessors
When we appoint a Subprocessor, we will:
- put in place a written contract with the Subprocessor that imposes data protection obligations equivalent to those in this DPA;
- carry out appropriate due diligence before appointment; and
- remain fully liable to you for the Subprocessor’s compliance with its data protection obligations.
5.3 Our Subprocessor list
We maintain a current list of our Subprocessors at https://adoptech.co.uk/subprocessors/. We will update this list and notify you before making any changes to our Subprocessors that could affect the protection of your Personal Data, giving you at least 10 days’ notice. If you have not raised an objection in writing within that period, you will be taken to have approved the change.
6. Your responsibilities
In your role as Data Controller, you agree that you will:
- only give us lawful instructions in respect of the processing of Personal Data;
- obtain and maintain all necessary permissions, consents and authorisations needed for us to process Personal Data in accordance with your instructions and this DPA;
- ensure that the Personal Data you submit to us is accurate and lawfully obtained;
- notify us promptly in writing when the agreement between us ends, with instructions regarding the return or deletion of Personal Data (see section 7 below); and
- comply with the Data Protection Legislation in your own use of the Services, including giving all required notices to, and obtaining all required consents from, Data Subjects. You will indemnify and hold us harmless against any costs, losses or regulatory fines we suffer as a result of your failure to do so.
7. Data return and deletion
When our agreement ends (for any reason), or at your earlier written request:
- we will make all User Data available to you for export or migration for a period of 90 days from the effective date of termination;
- at your written direction, we will either return Personal Data to you or securely delete it, unless we are required by applicable law to retain it; and
- after the 90-day period has elapsed, we are entitled to permanently and securely delete all remaining User Data.
We will confirm in writing once deletion has been completed, if you ask us to.
8. Liability
Each party’s liability under this DPA is subject to the limitations and exclusions set out in the End User Licence Agreement or Master Services Agreement (as applicable) between us, except that nothing in this DPA limits or excludes either party’s liability for:
- breach of the Data Protection Legislation;
- death or personal injury caused by negligence;
- fraud or fraudulent misrepresentation; or
- any other liability that cannot be excluded or limited by English law.
9. General
9.1 Changes to this DPA
We may update this DPA from time to time to reflect changes in the law, our services, or our processing activities. We will post the updated version at this URL and update the ‘Last updated’ date at the top. Where changes are material, we will give you at least 30 days’ notice by email before the changes take effect. Your continued use of the Services after that date will constitute acceptance of the updated DPA.
9.2 Conflict
If there is any conflict between this DPA and our End User Licence Agreement or Master Services Agreement, this DPA takes precedence in respect of data protection matters.
9.3 Entire agreement on data processing
This DPA, together with our privacy policy at https://adoptech.co.uk/privacy-policy/, sets out the entire agreement between us in relation to the processing of Personal Data under the Services.
9.4 Governing law
This DPA is governed by the laws of England and Wales. Both parties agree to the exclusive jurisdiction of the courts of England and Wales for any disputes arising from it.
9.5 Severance
If any part of this DPA is found to be unenforceable, the remaining parts will continue in full force and effect.
9.6 Third party rights
No one other than the parties to this DPA has any right to enforce any of its terms.
Questions about this DPA? Contact us at [email protected] or write to us at 71-75 Shelton Street, London, WC2H 9JQ.