Data Processing Addendum (DPA)
This DPA forms part of any order, proposal, master services agreement, or online terms between you (“Controller”) and QueryQuill (“Processor”) governing our provision of services that involve processing Personal Data on your behalf.
Last updated: August 2025 · Read alongside our Privacy Policy and Cookie Policy.
1. Parties and status
- Controller: The customer identified in the relevant order or statement of work.
- Processor: QueryQuill, acting on documented instructions from Controller.
- Where QueryQuill processes on behalf of another processor appointed by Controller, QueryQuill acts as Sub-processor.
2. Definitions
Capitalised terms have the meanings in the UK GDPR and Data Protection Act 2018. “Personal Data”, “Processing”, “Data Subject”, “Controller”, “Processor”, and “Personal Data Breach” carry the meanings in the legislation.
3. Scope and instructions
- Processor will process Personal Data only: (a) to deliver the services; (b) on Controller’s documented instructions as set out in this DPA and the agreement; and (c) as required by law (Processor will inform Controller unless prohibited).
- Controller is responsible for the lawfulness of the instructions and for providing any required notices and obtaining any required consents.
4. Duration
This DPA applies for the term of the agreement and until deletion or return of Personal Data in accordance with section 12.
5. Categories of data and subjects
As further described in Annex I, typical data subjects include Controller’s prospects, customers, and staff. Typical data includes contact details, content inputs, site interaction data, and support communications. Special category data is neither required nor expected; if Controller provides it, it must be expressly identified and agreed in writing beforehand.
6. Processor obligations
- Process Personal Data only as instructed.
- Ensure personnel are bound by confidentiality.
- Implement appropriate technical and organisational measures (see Annex II).
- Maintain records of processing as required by law.
7. Security
Processor will implement and maintain security measures appropriate to the risk, including the controls in Annex II, and will regularly review their effectiveness.
8. Sub-processors
- Controller authorises Processor to engage Sub-processors reasonably necessary to provide the services. Processor will impose data protection terms on Sub-processors no less protective than this DPA.
- Processor will provide notice of material changes to Sub-processors upon request and will work with Controller in good faith to address reasonable objections. If a reasonable objection cannot be resolved, Controller may suspend the affected service.
9. International transfers
- Where Personal Data is transferred outside the UK (or EEA, if applicable) to a country without an adequacy decision, Processor will ensure a valid transfer mechanism, such as UK IDTA or the UK Addendum to the EU SCCs.
- On request, Processor will identify the applicable transfer mechanism for relevant Sub-processors.
10. Assistance
- Processor will assist Controller, insofar as possible, with Data Subject requests, security, breach notifications, DPIAs, and consultations with supervisory authorities, taking into account the nature of processing and information available to Processor.
11. Personal Data Breach
- Processor will notify Controller without undue delay after becoming aware of a Personal Data Breach relating to Controller’s Personal Data and will provide information reasonably available to assist Controller in meeting its obligations.
12. Return and deletion
- Upon termination or at Controller’s written request, Processor will delete or return Personal Data (at Controller’s choice) and delete existing copies, unless retention is required by law or permitted for evidence, audit, or dispute purposes. Personal Data held in backups is not deleted immediately but is overwritten in the ordinary backup rotation cycle and remains subject to this DPA until then.
13. Audits
- On reasonable notice, Processor will make available information necessary to demonstrate compliance with this DPA and, where required, allow for audits by Controller or an independent auditor mandated by Controller, subject to confidentiality, scheduling, and time/materials charges for Processor’s support. Third-party certifications and reports may satisfy this obligation.
14. Confidentiality
All Personal Data and audit information are confidential. Each party will protect the other’s confidential information with at least the same care it uses to protect its own.
15. Liability
Each party’s liability is governed by the agreement. Nothing limits liability that cannot be limited by law, including for unlawful processing caused by a party’s breach of this DPA.
16. Order of precedence
If there is a conflict between this DPA and the agreement, this DPA controls to the extent of the conflict in relation to data protection.
17. Governing law and jurisdiction
This DPA is governed by English law. Disputes are subject to the courts identified in the agreement (failing which, the courts of England and Wales).
18. Contact
Data protection queries: [email protected]
Annex I – Details of Processing
A. Subject matter and purpose
Provision of content strategy, research, production, optimisation, analytics advisory, and related services, including handling leads and client contacts, coordinating projects, and supporting performance reporting.
B. Nature of processing
Collection, recording, organisation, structuring, storage, retrieval, consultation, use, transmission, and deletion as necessary to provide the services.
C. Duration
For the term of the agreement and until deletion/return per section 12.
D. Data subjects
- Controller’s staff and contractors involved in the services.
- Controller’s prospects and customers (business contacts).
- Website visitors where analytics or lead forms are enabled by Controller.
E. Categories of Personal Data
- Identity and contact data (name, job title, email, phone).
- Business account and project data (organisation, role, preferences).
- Content inputs and feedback relevant to deliverables.
- Technical/usage data (IP address, device, pages, timestamps) where analytics is enabled by Controller.
Special categories: Neither required nor intended. Controller will not provide special category data without prior written agreement and agreed safeguards.
F. Processing locations
UK and/or EEA where feasible. Limited transfers outside the UK/EEA may occur subject to section 9.
Annex II – Technical & Organisational Measures
- Access control: role-based access, least privilege, MFA on production systems and cloud services.
- Data in transit & at rest: TLS for data in transit; encryption at rest where supported by the hosting/service platform.
- Segregation: logical separation of client data; dedicated environments and project workspaces.
- Backups & recovery: scheduled backups for systems storing Personal Data; tested restoration procedures.
- Endpoint security: disk encryption, automatic lock, malware protection, and patching on company devices.
- Change management: version control for deliverables; documented release processes for templates/scripts.
- Supplier due diligence: vetting of Sub-processors for security posture and data protection commitments.
- Logging & monitoring: activity logs for administrative access; alerting on anomalous events where supported.
- Incident response: defined procedures for detection, assessment, containment, notification, and remediation.
- Training & confidentiality: regular staff training; NDAs and contractual confidentiality obligations.
Annex III – Sub-processors
We engage third-party providers to support hosting, communications, analytics, project management, and file storage. We impose contractual terms equivalent to this DPA. To request our current Sub-processor list (including processing purposes, locations, and transfer mechanisms), contact [email protected]. We will notify you in advance of material changes and will work with you in good faith to address reasonable objections.
Need a signed copy?
We can countersign your DPA or issue ours for e-signature.