GDPR

This Data Processing Agreement (“DPA”) is entered into between:
technologE Ltd (14695531), of 3000 Aviator Way, Manchester Business Park, Manchester M22 5TG (“Processor”); and The customer identified in the relevant Order Form (“Controller”).
 

Together the “Parties”.
1. Purpose and Scope
1.1 This DPA forms part of the Agreement between the Parties and applies where the Processor processes Personal Data on behalf of the Controller in connection with the provision of the Services. 1.2 The Parties acknowledge that the Controller is the data controller and the Processor is the data processor for the purposes of the UK GDPR and the Data Protection Act 2018.
 

2. Duration
2.1 This DPA shall commence on the Master Terms Effective Date. It shall apply to each Service from its respective Service Effective Date (as set out in the relevant Order Form) and shall continue until all processing of Personal Data by the Processor on behalf of the Controller has ceased.
 

3. Subject Matter, Nature and Purpose of Processing
3.1 The Processor shall process Personal Data solely for the purpose of delivering the Services under the Agreement, including customer support, billing, account management, connectivity, cloud, SaaS, IT support, consultancy, and related services.
 

4. Categories of Data Subjects
The Personal Data may relate to the following categories of data subjects: (a) the Controller’s employees, workers, agents, and contractors; (b) the Controller’s customers, suppliers, and business contacts (where relevant to the Services); (c) authorised end-users of the Services.
 

5. Types of Personal Data
The Personal Data may include:
Names, job titles and contact details (phone, email, address);
Authentication credentials (usernames, IDs);
Usage, call, connectivity and billing records;
Device and technical identifiers (IP address, IMEI, SIM number, etc.);
Any other personal data uploaded or provided by the Controller in using the Services.

​

6. Processor Obligations
The Processor shall: (a) process Personal Data only on documented instructions from the Controller; (b) ensure persons authorised to process Personal Data are subject to confidentiality obligations; (c) implement appropriate technical and organisational measures to protect Personal Data against unauthorised or unlawful processing, accidental loss, destruction or damage; (d) notify the Controller without undue delay and, in any event, within forty-eight (48) hours after becoming aware of a Personal Data Breach; (e) assist the Controller, at the Controller’s cost, in responding to data subject requests. Where requests are manifestly unfounded, excessive or repetitive, the Processor may charge a reasonable fee for assistance or decline to act, provided it notifies the Controller with reasons; (f) assist the Controller in carrying out data protection impact assessments and consultations with regulators where relevant; (g) make available all information necessary to demonstrate compliance and allow for audits in accordance with clause 10; (h) not process Personal Data for its own purposes or for any third party.
 

7. Sub-Processing
7.1 The Controller authorises the Processor to appoint sub-processors to deliver the Services. 7.2 The Processor shall ensure any sub-processor is bound by written terms imposing data protection obligations equivalent to those set out in this DPA. 7.3 The current list of authorised sub-processors is set out in Appendix 2. 7.4 The Processor shall notify the Controller of any intended addition or replacement of sub-processors by posting the updated list on its website or by written notice. The Controller may object on reasonable grounds within thirty (30) days of notification.
 

8. International Transfers
8.1 The Processor shall not transfer Personal Data outside the UK (or permit it to be accessed from outside the UK) unless: (a) the transfer is to a country deemed adequate by the UK Government; or (b) appropriate safeguards are implemented (such as the UK International Data Transfer Agreement, the UK Addendum to the EU Standard Contractual Clauses, or other lawful mechanism). 8.2 The Controller acknowledges that certain sub-processors (including Microsoft Azure and Microsoft 365) may host or replicate data in data centres located outside the UK, subject to such safeguards.
 

9. Return and Deletion
9.1 On termination or expiry of the Agreement, the Processor shall, at the Controller’s option, return or securely delete all Personal Data (unless Applicable Law requires retention).

​

10. Audit Rights
10.1 The Controller may, on giving reasonable notice, audit the Processor’s compliance with this DPA once in any twelve (12) month period (save where a breach is suspected). 10.2 The Controller shall bear the costs of any audit, except where such audit identifies a material breach of this DPA by the Processor, in which case the Processor shall bear its own costs. 10.3 The Processor shall cooperate with such audits and provide relevant information, subject to reasonable confidentiality and security restrictions.
 

11. Liability
11.1 Each Party’s liability under this DPA shall be subject to the limitations and exclusions of liability set out in the Agreement, except that nothing limits liability that cannot lawfully be excluded under Applicable Law.
 

12. Governing Law
12.1 This DPA is governed by the laws of England and Wales, and the Parties submit to the exclusive jurisdiction of the courts of England and Wales.

​

Appendix 1 – Details of Processing
Subject matter: Provision of Services under the Agreement.
Duration: Term of the Agreement plus any retention required by law.
Nature and purpose: Provision of mobile, connectivity, SaaS, IT support, cloud, consultancy and related services.
Categories of data subjects: Employees, contractors, end-users, customers, suppliers, business contacts.
Types of personal data: Contact details, identifiers, billing/usage data, technical data, communications data.

​

Appendix 2 – Authorised Sub-Processors
The following sub-processors are authorised as at the Effective Date:
EE Limited / BT Group plc – mobile network and connectivity.
Microsoft Ireland Operations Ltd – Microsoft 365, Teams, Azure and SaaS.
Datto Holding Corp – backup and disaster recovery services.
 

Appendix 3 – Security Measures
The Processor shall implement appropriate technical and organisational measures, taking into account industry standards and best practice, including:
Access controls, authentication and least privilege;
Encryption of data at rest and in transit;
Network monitoring, firewalls and intrusion prevention;
Regular vulnerability scanning and patch management;
Business continuity and disaster recovery plans;
Staff training in data protection and security;
Progress towards certification under ISO/IEC 27001 and related frameworks.