Data Processing Agreement

Effective Date: 31 March 2025

Last Updated: 31 March 2025

This Data Processing Agreement ("DPA") forms part of the Terms of Service and any other agreement ("Agreement") between the Client ("Controller") and Steelzz Development ("Processor") regarding the processing of personal data.

This DPA ensures that both parties comply with applicable data protection laws, including the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

1. Definitions

  • "Controller" means the party that determines the purposes and means of processing personal data.
  • "Processor" means Steelzz Development, which processes personal data on behalf of the Controller.
  • "Data Subject" means an identifiable natural person whose personal data is being processed.
  • "Personal Data" means any information relating to an identified or identifiable Data Subject.
  • "Processing" means any operation performed on personal data, whether automated or manual.

2. Subject Matter of Processing

Steelzz Development may process personal data strictly for the purpose of delivering web development and associated services to the Client as outlined in the main service agreement.

3. Duration of Processing

Processing shall continue for the duration of the Agreement unless otherwise instructed in writing by the Controller.

4. Nature and Purpose of Processing

The nature of processing may include:

  • Collection
  • Storage
  • Access
  • Transmission
  • Deletion

The purpose of processing includes:

  • Website and application functionality
  • Contact form handling
  • CRM integrations
  • Email notifications
  • Analytical insights
  • Project documentation

5. Categories of Data Subjects

  • Website visitors
  • End users
  • Clients and customers of the Controller
  • Leads and form submitters

6. Types of Personal Data

  • Names
  • Email addresses
  • Phone numbers
  • IP addresses
  • Browser and device data
  • Business details and preferences

Steelzz will not knowingly process any sensitive personal data (e.g., health data, political beliefs, biometric data) unless specifically agreed in writing.

7. Obligations of the Processor

Steelzz Development agrees to:

  • Process personal data only on documented instructions from the Controller
  • Ensure staff are subject to confidentiality agreements
  • Implement appropriate technical and organisational security measures
  • Assist the Controller in meeting data subject rights requests
  • Notify the Controller without undue delay in the event of a data breach
  • Maintain a record of all data processing activities

8. Obligations of the Controller

The Controller agrees to:

  • Ensure a lawful basis exists for all data processing
  • Provide accurate, lawful instructions
  • Ensure that all required data subject notices are issued
  • Maintain proper records of processing activities where required by law

9. Subprocessors

Steelzz may engage approved third-party subprocessors (e.g., hosting platforms, email services, analytics providers) to fulfil specific functions. A current list of subprocessors can be provided upon request.

Steelzz will ensure all subprocessors:

  • Are subject to equivalent data protection obligations
  • Are GDPR-compliant
  • Enter into binding contracts ensuring data security

10. International Data Transfers

If any personal data is transferred outside the UK or EEA, Steelzz will ensure such transfers:

  • Are made to countries with adequate protection standards, or
  • Are subject to standard contractual clauses (SCCs) or appropriate safeguards

11. Security Measures

Steelzz employs appropriate security measures including but not limited to:

  • SSL encryption
  • Access restrictions
  • Encrypted backups
  • Two-factor authentication
  • Secure data disposal protocols

12. Breach Notification

In the event of a personal data breach, Steelzz shall:

  • Notify the Controller without undue delay (within 48 hours of discovery)
  • Provide sufficient information to support compliance and mitigation
  • Cooperate fully with any investigation or reporting obligations

13. Data Subject Rights

Steelzz shall assist the Controller in fulfilling obligations related to data subject rights under UK GDPR, including:

  • Access
  • Rectification
  • Erasure
  • Portability
  • Objection
  • Restriction of processing

14. Return or Deletion of Data

Upon termination of services, Steelzz shall:

  • At the Controller's request, delete or return all personal data processed on behalf of the Controller
  • Delete existing copies unless required by law to retain them

15. Audits and Inspections

The Controller has the right to audit Steelzz's data protection practices:

  • Audits must be requested in writing
  • Steelzz will provide relevant information to demonstrate compliance
  • Audits must not disrupt ongoing operations and may be subject to reasonable confidentiality terms

16. Governing Law

This DPA is governed by the laws of England and Wales. Any disputes shall be resolved in the courts of Sheffield, United Kingdom.

17. Contact

For any questions or concerns regarding this DPA, please contact:

Steelzz Development

📧 contact@steelzz.com

📍 Sheffield, United Kingdom

By continuing to use Steelzz Development's services, the Controller acknowledges and agrees to the terms of this Data Processing Agreement.