Last reviewed 15 May 2026
Data processing agreement
Written correspondence: Tamazia Ltd, C1, Barking Wharf Square, London, IG11 7ZQ.
This page sets out the standard terms on which Tamazia processes personal data on behalf of clients in its capacity as a processor under UK GDPR Article 28 and EU GDPR Article 28. The terms are countersigned and form part of every paid engagement.
1. Definitions
Terms not defined here carry the meaning given in UK GDPR or EU GDPR as the case may be. The "Data Protection Laws" means the UK GDPR, the Data Protection Act 2018, the EU General Data Protection Regulation, the Privacy and Electronic Communications Regulations 2003, and any subordinate or amending legislation.
2. Subject matter and duration
The subject matter is the processing carried out by the processor on the documented instructions of the controller in connection with the services described in the underlying statement of work or engagement letter. The duration is the term of that underlying contract plus any retention period mandated by law.
3. Nature and purpose of processing
The processing is the organisation, retrieval, consultation, use, disclosure by transmission, alignment, restriction, erasure, and destruction of personal data carried out for the delivery of marketing, search engine optimisation, content production, briefing dissemination, scheduling, and reporting services to the controller. No processing is carried out for any purpose other than the documented instructions of the controller and the obligations imposed by law.
4. Categories of data subject and personal data
Categories of data subject are the controller's customers, prospects, suppliers, employees, contractors, and website visitors. Categories of personal data are identification data, contact data, employment data, technical data, transaction data, marketing preferences, and any further categories listed in Schedule 1 of the underlying contract. No special categories of personal data within the meaning of Article 9 UK GDPR are processed unless explicitly agreed in writing in advance.
5. Obligations of the processor
- To process personal data only on the documented instructions of the controller, including with regard to transfers of personal data to a third country, unless required by law to do so.
- To ensure that persons authorised to process the personal data have committed themselves to confidentiality.
- To take all measures required pursuant to Article 32 UK GDPR, including the encryption of personal data in transit and at rest, the pseudonymisation of personal data where appropriate, the maintenance of confidentiality, integrity, availability, and resilience of processing systems, the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident, and a process for regularly testing, assessing, and evaluating the effectiveness of the technical and organisational measures.
- To assist the controller, by appropriate technical and organisational measures, in the fulfilment of its obligation to respond to requests for the exercise of the data subject's rights.
- To assist the controller in ensuring compliance with Articles 32 to 36 UK GDPR taking into account the nature of processing and the information available to the processor.
- At the choice of the controller, to delete or return all personal data to the controller after the end of the provision of services relating to processing, and to delete existing copies unless retention is required by law.
- To make available to the controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 UK GDPR and to allow for and contribute to audits, including inspections, conducted by the controller or another auditor mandated by the controller.
- To notify the controller without undue delay and in any event within twenty-four hours of becoming aware of a personal data breach.
6. Sub-processors
The controller grants a general written authorisation for the processor to engage sub-processors. The processor maintains a current list of sub-processors at tamazia.co.uk/legal/sub-processors. The processor will inform the controller of any intended changes to that list with no less than thirty days' notice, giving the controller the opportunity to object to such changes. Where the controller objects on reasonable grounds, the parties will negotiate in good faith. Where the processor engages a sub-processor it imposes the same data protection obligations as set out in this agreement.
7. International transfers
Where personal data is transferred from the United Kingdom or the European Economic Area to a third country that is not the subject of an adequacy decision, the parties have entered into the United Kingdom International Data Transfer Addendum and the EU Standard Contractual Clauses (Module 2 controller-to-processor or Module 3 processor-to-processor as applicable) which form part of this agreement. Supplementary technical and organisational measures are documented in Schedule 2.
8. Liability and indemnity
The liability of each party arising out of or in connection with this agreement is governed by the underlying contract. Nothing in this agreement excludes or limits any liability that cannot be excluded or limited by law, including liability for death or personal injury caused by negligence, fraud, or fraudulent misrepresentation.
9. Schedule 1 · categories of personal data
The categories of personal data processed under this agreement are listed at /legal/data-protection/ under the section "Categories of personal data processed". Where the underlying contract specifies further categories, those categories are added to this schedule by reference and form part of this agreement.
10. Schedule 2 · technical and organisational measures
The processor implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including:
- Encryption of personal data in transit (TLS 1.2 minimum) and at rest (Cloudflare Workers KV at-rest encryption).
- HMAC-SHA256 verification on all inbound webhooks (Cal.com booking lifecycle).
- Bot mitigation (Cloudflare Turnstile, honeypot fields, time-trap windows of 2 seconds minimum and 30 minutes maximum).
- Email validator chain (ZeroBounce, Hunter, NeverBounce) with optional reject mode for invalid or disposable addresses.
- Per-IP rate limiting at Cloudflare WAF for form receivers (5 requests per minute) and admin endpoint (30 requests per minute).
- Truncation of source IP addresses (final octet redacted) before persistence.
- Cloudflare Access policy on /admin/* paths (zero-trust enrolment).
- Two-step HMAC-signed token verification for data subject rights endpoints (/api/dsar, /api/erase, /api/portability) with a 7-day token TTL.
- Audit logging of every data subject erasure request, retained for seven years to evidence compliance with Article 17.
- Automated 24-month TTL on all KV form submission records.
- Cloudflare Web Application Firewall managed rulesets at default sensitivity, plus 5 custom rules covering scraper user-agents, geographic enforcement on /admin/*, method enforcement on receivers, and List-Unsubscribe POST allowlist.
- HTTP Strict-Transport-Security with max-age 63,072,000 seconds (2 years), includeSubDomains, and the preload directive submitted to the Chromium HSTS preload list.
- A Content Security Policy that constrains script-src, style-src, img-src, connect-src, frame-src, and object-src; reports to /api/csp-report.
- Network Error Logging at 5 per cent sample rate; reports to /api/nel-report.
- Quarterly key rotation for ADMIN_SECRET, CAL_WEBHOOK_SECRET, and Resend API key.
- Annual rotation for DKIM signing keys.
- Cloudflare Pages deployment via wrangler with patch-dist 90-gate post-build verification, including JSON-LD validity, image dimension presence (CLS-safe), CSP enforcement, and presence of all compliance pages.
11. Execution
This agreement is executed by countersignature in writing or by electronic signature through a recognised provider (DocuSign, Adobe Sign, or HelloSign), or by click-through acceptance via a unique signing link issued by Tamazia to the controller's authorised representative. The agreement enters into force on the later of the date of signature by the last party to sign or the start date of the underlying contract.
12. Governing law and jurisdiction
This agreement and any dispute or claim arising out of or in connection with it or its subject matter is governed by and construed in accordance with the law of England and Wales for engagements with United Kingdom and European Economic Area clients, and the law of India for engagements with Indian clients. The parties irrevocably agree that the courts of England and Wales (or, as the case may be, of the relevant Indian state) have exclusive jurisdiction to settle any such dispute or claim.