
Data Processing Agreement

Standard DPA for consulting engagements involving client data

Version: 1.0 — March 2026


DATA PROCESSING AGREEMENT

This Data Processing Agreement ("DPA") forms part of the Lab Agreement between Design Me a Solution Lab ("Processor") and the Client ("Controller") and governs the processing of personal data during the consulting engagement.

1. DEFINITIONS

  • "Personal Data" — any information relating to an identified or identifiable natural person, as defined by UK GDPR Article 4(1).
  • "Processing" — any operation performed on personal data, including collection, recording, organisation, structuring, storage, adaptation, retrieval, consultation, use, disclosure, alignment, combination, restriction, erasure, or destruction.
  • "Sub-processor" — any third party engaged by the Processor to process personal data on behalf of the Controller.
  • "Data Subjects" — the individuals whose personal data is processed under this agreement.
  • "Supervisory Authority" — the Information Commissioner's Office (ICO) in the UK, or the relevant authority in the Controller's jurisdiction.

2. SCOPE & PURPOSE OF PROCESSING

The Processor shall process personal data only to the extent necessary to deliver the consulting services described in the Build Spec, including:

  • Analysing the Controller's business data to design AI-powered solutions.
  • Configuring and testing AI workflows that may involve the Controller's customer or operational data.
  • Building, training, or fine-tuning AI models using data provided by the Controller.
  • Generating documentation, reports, and deliverables that reference the Controller's data.

3. CATEGORIES OF DATA & DATA SUBJECTS

The specific categories of personal data and data subjects will be defined in the Build Spec. Common categories include:

  • Data Subjects: The Controller's customers, employees, suppliers, or end users.
  • Data Categories: Names, email addresses, transaction records, usage data, CRM records, and other business operational data as specified.
  • Special Categories: The Processor will not process special category data (health, biometric, racial/ethnic, political, religious, genetic, sexual orientation, or trade union data) unless explicitly agreed in writing and subject to additional safeguards.

4. PROCESSOR OBLIGATIONS

The Processor shall:

  • Process personal data only on the Controller's documented instructions, unless required by law.
  • Ensure that persons authorised to process personal data are bound by confidentiality obligations.
  • Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk (see Section 6).
  • Not engage another processor (sub-processor) without prior written authorisation from the Controller.
  • Assist the Controller in responding to data subject requests (access, rectification, erasure, portability, objection, restriction).
  • Assist the Controller in ensuring compliance with GDPR Articles 32–36 (security, breach notification, impact assessments, prior consultation).
  • Delete or return all personal data to the Controller at the end of the engagement, and delete existing copies unless retention is required by law.
  • Make available all information necessary to demonstrate compliance and allow audits.

5. CONTROLLER OBLIGATIONS

The Controller shall:

  • Ensure there is a lawful basis for processing the personal data shared with the Processor.
  • Provide data processing instructions in writing via the Build Spec or email.
  • Ensure data subjects have been informed about the processing and their rights.
  • Carry out a Data Protection Impact Assessment (DPIA) where required before sharing data.
  • Not provide more personal data than is necessary for the agreed purpose.

6. SECURITY MEASURES

The Processor implements and maintains the following technical and organisational measures:

  • Encryption: All data in transit is encrypted using TLS 1.2+ and data at rest uses AES-256 encryption where supported by the hosting platform.
  • Access Control: Role-based access limited to the Processor (sole trader). No employees or contractors access client data without the Controller's written consent.
  • Platform Security: AI platform environments used for building are enterprise-grade with SOC 2 Type II compliance, data isolation, and audit logging.
  • Device Security: Development devices use full-disk encryption, strong authentication, and automatic locking.
  • Data Minimisation: Only the minimum data necessary for the agreed purpose is processed. Sample/test data is used wherever possible.
  • Secure Deletion: On engagement completion, all client data is permanently deleted from development environments, cloud storage, and local devices within 30 days.

7. SUB-PROCESSORS

The Processor currently uses the following sub-processors:

Sub-processor      Purpose                                                     Location
Abacus.AI          Enterprise AI platform for building and hosting solutions   United States
Hosting Provider   Website and database hosting                                United States / EU

The Controller is deemed to have given general written authorisation for the sub-processors listed above. The Processor will notify the Controller of any intended changes to sub-processors, giving the Controller the opportunity to object.

8. INTERNATIONAL TRANSFERS

Where personal data is transferred outside the UK or EEA, the Processor ensures:

  • Transfers are made to countries with an adequacy decision, or
  • Standard Contractual Clauses (SCCs) approved by the ICO/EU Commission are in place, or
  • Other appropriate safeguards under UK GDPR Article 46 apply.

The Processor will inform the Controller of the specific transfer mechanism used for each sub-processor upon request.

9. DATA BREACH NOTIFICATION

In the event of a personal data breach:

  • The Processor will notify the Controller without undue delay and in any event within 24 hours of becoming aware of the breach.
  • The notification will include: nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed to address the breach.
  • The Processor will cooperate fully with the Controller and the Supervisory Authority in investigating and remediating the breach.

10. DATA PROTECTION IMPACT ASSESSMENTS

The Processor will provide reasonable assistance to the Controller in conducting Data Protection Impact Assessments (DPIAs) where required, particularly for:

  • AI systems that process personal data at scale.
  • Automated decision-making with legal or significant effects.
  • Processing of sensitive or high-risk data categories.

11. AUDIT RIGHTS

The Controller has the right to audit the Processor's compliance with this DPA. Audits shall:

  • Be conducted with reasonable prior notice (minimum 14 days).
  • Be limited to once per calendar year unless a breach has occurred.
  • Be conducted during normal business hours.
  • Not unreasonably disrupt the Processor's operations.

12. DURATION & TERMINATION

This DPA shall remain in effect for the duration of the consulting engagement plus 30 days. Upon termination:

  • The Processor will return all personal data to the Controller in a commonly used electronic format, or
  • Securely delete all personal data and certify deletion in writing.

The Controller may specify their preference. If no instruction is given, the Processor will securely delete all data within 30 days of engagement completion.

13. LIABILITY

Each party shall be liable for damage caused by processing that infringes the applicable data protection legislation. The Processor shall be liable only for damage caused by processing that does not comply with the Controller's lawful instructions or this DPA.

14. GOVERNING LAW

This DPA is governed by the laws of England and Wales. Disputes shall be subject to the exclusive jurisdiction of the courts of England and Wales, without prejudice to any rights of the Controller to lodge complaints with a Supervisory Authority.

15. CONTACT

For DPA-related queries or to execute this agreement:

Email: [email protected]
Subject Line: "Data Processing Agreement"

Note: This DPA template is provided for transparency and reference. When you engage our services, a signed copy specific to your project scope will be prepared and countersigned. If you require modifications to align with your organisation's data protection policies, we are happy to accommodate reasonable requests.