Data processing agreement

Parties

This agreement is between the client (the data controller) and Jack Main, sole trader, trading as Zyntho (the data processor). It is signed before any client data is processed.

Definitions

Terms such as personal data, processing, controller, processor, and data subject carry the meanings given in UK GDPR and the Data Protection Act 2018.

Processing purpose

Zyntho processes personal data only to build, operate, and maintain the automations contracted by the client, and only on documented instructions from the client.

Categories of data

The categories of data and data subjects are defined per engagement in the scoping document and listed in an appendix to this agreement.

Security measures

Zyntho applies appropriate technical and organisational measures including access control, encryption in transit and at rest, audit logging, and least-privilege provisioning.

Sub-processors

A current list of sub-processors is maintained and made available on request. Clients are notified of additions with the opportunity to object.

International transfers

Data residency is the UK by default. No transfers outside the UK occur without the client's explicit consent and an appropriate transfer mechanism.

Term

This agreement runs for the duration of the services and any agreed retention period thereafter.

Termination

On termination, Zyntho returns or deletes personal data at the client's choice, and confirms deletion in writing, save where retention is required by law.