Data Processing Agreement

This Data Processing Agreement (“DPA”) forms part of the Terms and Conditions available at actionlinks.io/terms (the “Terms”), between Action Links Ltd (“Processor”) and the client organisation (“Controller”), and applies where the Processor processes Personal Data on behalf of the Controller in the course of providing the Action Links service (“Service”). By using the Service and accepting the Terms and Conditions, the Controller is deemed to have accepted the DPA.

Definitions

  • Data Protection Laws: All applicable laws relating to the processing of Personal Data and privacy, including the UK General Data Protection Regulation (“UK GDPR”), the EU GDPR (where applicable), and the Data Protection Act 2018.

  • Personal Data, Data Subject, Processing, Controller, and Processor: As defined in applicable Data Protection Laws.

  • Subprocessor: Any third party engaged by the Processor to process Personal Data on its behalf.

Subject Matter and Duration

  • The Processor will process Personal Data solely for the purpose of providing the Service as described in the Terms and Conditions.

  • This DPA remains in effect for the duration of the Terms and Conditions and applies for as long as the Processor retains any Personal Data on behalf of the Controller.

Nature and Purpose of Processing

  • The Processor provides a software platform through which the Controller may configure and display Links and execute backend operations via third-party integrations.

  • Personal Data may be processed solely to fulfil these operations, including retrieving or transmitting information from or to integrated systems.

  • The Processor does not store customer Personal Data processed during these operations, except where required to store integration tokens or access credentials.

  • Personal Data remains the confidential information of the Controller.

Type of Personal Data and Categories of Data Subjects

  • Types of Personal Data: Typically includes names, email addresses, identifiers, and other fields drawn from the Controller’s integrated systems.

  • Data Subjects: Individuals whose data is stored in the Controller’s integrated systems.

Processor Obligations

The Processor shall:

  • Process Personal Data only when instructed to do so by the Controller (including as set out in this DPA and the Terms and Conditions), unless required to do so by law.

  • Ensure that persons authorised to process the Personal Data have committed themselves to confidentiality.

  • Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.

  • Assist the Controller in responding to Data Subject requests under Data Protection Laws.

  • Assist the Controller with security, breach notifications, and data protection impact assessments where reasonably required.

  • At the Controller’s choice, delete or return all Personal Data at the end of the provision of the Services, unless required by law to retain it.

  • Make available information necessary to demonstrate compliance and allow for audits, subject to reasonable notice and confidentiality.

Subprocessing

  • The Processor uses Subprocessors to provide aspects of the Service (e.g. infrastructure, authentication, monitoring).

  • A list of current Subprocessors is available on request.

  • The Processor shall enter into a written agreement with each Subprocessor containing obligations equivalent to those in this DPA.

  • The Processor shall inform the Controller of any intended changes to Subprocessors and allow the Controller to object on reasonable grounds related to data protection.

International Transfers

  • The Processor stores and processes Personal Data in the United Kingdom and the European Economic Area (EEA).

  • Any transfers outside these territories will be subject to appropriate safeguards under Data Protection Laws, such as the UK International Data Transfer Agreement or the EU Standard Contractual Clauses, as applicable.

Security

  • The Processor applies encryption (e.g. AES-256) to all stored integration tokens and separates encryption keys from stored data.

  • The Processor implements access controls, auditing, and regular security reviews to ensure system integrity.

Breach Notification

  • The Processor shall notify the Controller without undue delay upon becoming aware of a Personal Data Breach affecting Personal Data processed under this DPA.

  • Such notification shall include, where possible, a description of the nature of the breach, likely consequences, and measures taken or proposed to address it.

Deletion of Data

  • Upon termination of the Controller’s account, Personal Data will be retained for a grace period of thirty (30) days unless earlier deletion is requested.

  • After that period, all Personal Data held by the Processor (excluding credentials or logs required for legal or operational purposes) will be deleted from live systems.

Miscellaneous

  • This DPA is governed by and construed in accordance with the laws of England and Wales.
