Data Processing Agreement

Last updated: June 2026 · Version 1.0

Please note: This agreement has been prepared in good faith and is pending formal legal review before launch.

This Data Processing Agreement (“DPA”) forms part of the Terms & Conditions between SectorBoard (the “Processor”, “we”, “us”) and the customer organisation that has accepted the Terms (the “Controller”, “you”). It governs our processing of personal data contained in your Customer Data on your behalf, and is designed to meet Article 28 of the UK GDPR. It takes effect when you accept the Terms or first use the Service, whichever is earlier.

Where a signed or named copy of this DPA is generated, the Controller is populated automatically from the Company Name captured during sign-up, or, where no company name was provided, from the signing user’s First and Last name. This published web version uses the generic term “Controller”.

1. Roles & scope

You are the controller and we are the processor of the personal data within your Customer Data. We process that personal data only to provide the Service and only on your documented instructions (including as set out in the Terms, this DPA and your configuration of the Service). If we are required by law to process otherwise, we will inform you unless legally prohibited. For the avoidance of doubt, we are an independent controller of your account, organisation and billing data, which is governed by the Privacy Policy, not this DPA.

2. Details of processing (UK GDPR Art 28(3))

  • Subject matter: provision of the SectorBoard read-only KPI analytics Service.
  • Duration: for the term of the Subscription, plus the retention periods in the Privacy Policy.
  • Nature & purpose: reading data from your Connected Applications; computing, storing and displaying KPIs; generating optional AI narratives.
  • Types of personal data: as determined by you via the connectors you enable — may include identifiers and contact, transactional or employment data of your customers and staff contained in the data we read.
  • Categories of data subjects: as determined by you — typically your customers, staff and contacts.
  • Special category data: not intended; you must not configure connectors so as to send special category data unless separately agreed.

3. Our obligations

We will:

  1. process personal data only on your documented instructions;
  2. ensure persons authorised to process are bound by confidentiality;
  3. implement appropriate technical and organisational security measures (section 5);
  4. respect the conditions in sections 6–7 for engaging sub-processors;
  5. assist you, taking into account the nature of processing, to respond to data-subject requests;
  6. assist you with your obligations on security, breach notification, data protection impact assessments and prior consultation (Art 32–36);
  7. at your choice, delete or return personal data at the end of the provision of services, and delete existing copies unless law requires storage; and
  8. make available information necessary to demonstrate compliance and allow for and contribute to audits (section 8).

4. Your obligations

You confirm that you have a lawful basis and any necessary notices/consents to provide the personal data to us and to instruct the processing, and that your instructions will not put us in breach of data-protection law.

5. Security

We maintain appropriate technical and organisational measures, including: encryption of credentials at rest (AES-256-GCM) and data in transit (TLS 1.2+); row-level isolation between Organisations; access controls and least-privilege administration; an activity/audit log; and secret-scanning in our deployment pipeline. A current description is on our Security & Trust page.

6. Sub-processors

You provide general authorisation for us to engage the sub-processors listed in our Sub-processor List. We impose data-protection obligations on each sub-processor equivalent to those in this DPA and remain liable for their performance. We will give reasonable prior notice of any new or replacement sub-processor (via the sub-processor page and/or email), and you may object on reasonable data-protection grounds; if we cannot resolve your objection, you may terminate the affected part of the Service.

7. International transfers

Where we or our sub-processors transfer personal data outside the UK/EEA, we ensure an appropriate safeguard is in place — an adequacy decision, or the UK International Data Transfer Agreement / Addendum to the EU SCCs — as described in the Sub-processor List and Privacy Policy.

8. Audits

We will make available information reasonably necessary to demonstrate compliance with Art 28 and, on reasonable prior notice and no more than once per year (or following a personal-data breach), allow you (or an independent auditor you appoint, bound by confidentiality) to verify compliance, subject to reasonable security and confidentiality controls and not unreasonably disrupting our operations. We may satisfy audit requests by providing relevant third-party certifications or reports where available.

9. Personal data breach

We will notify you without undue delay after becoming aware of a personal-data breach affecting your Customer Data, and provide information reasonably available to help you meet your own notification obligations.

10. Data-subject requests

If we receive a request from a data subject relating to your Customer Data, we will, where legally permitted, refer them to you and assist you in responding, taking into account the nature of the processing.

11. Return & deletion

On termination, we will delete or (at your choice) return your Customer Data in accordance with the retention periods in the Privacy Policy, unless retention is required by law.

12. Liability & precedence

The liability provisions of the Terms apply to this DPA. If there is a conflict between this DPA and the Terms on the processing of personal data, this DPA prevails.

Data-protection contact

[email protected]