Data Processing Agreement
PeopleAMP's standard Data Processing Agreement. It is incorporated by reference into every Statement of Work under which we process personal data on a client's behalf, and is compliant with Article 28 of the UK GDPR and the EU GDPR.
- Effective: 20 April 2026
- Last updated: 20 April 2026
Summary
When PeopleAMP delivers services — building software, AI agents, RAG systems, or automations — we often process personal data on behalf of our clients. Under UK GDPR and EU GDPR, that makes the client the data controller and PeopleAMP the data processor. Article 28 of both regulations requires a written contract governing that relationship.
This page is that contract. It is incorporated by reference into every Statement of Work under which we process personal data, and supersedes any conflicting terms unless explicitly overridden in a signed amendment. Clients may also execute it as a standalone document on request — email legal@peopleamp.io.
- We process personal data only on your documented instructions.
- We use a small, named set of sub-processors and keep the list current at Annex III.
- We implement appropriate technical and organisational security measures (Annex II).
- We notify you without undue delay on becoming aware of a personal-data breach.
- We return or delete your data at the end of the engagement.
Scope & incorporation
This Data Processing Agreement (the “DPA”) applies to any Processing of Personal Data carried out by PeopleAMP Tech Ltd, a private limited company registered in England and Wales, company number 14934358 (“Processor” or “PeopleAMP”) on behalf of a client (“Controller” or “Client”) in the course of performing services under a Statement of Work (the “Engagement”).
The DPA is incorporated by reference into each Engagement. In the event of conflict, the order of precedence is: (a) any signed amendment explicitly varying this DPA; (b) the relevant Statement of Work; (c) this DPA; (d) our Terms of Service.
Definitions
Capitalised terms used in this DPA have the meanings given in the UK GDPR and the EU GDPR. In particular, “Personal Data”, “Processing”, “Data Subject”, “Controller”, “Processor”, “Sub-processor” and “Personal Data Breach” have the meanings given in Articles 4 and 33 of the GDPR. “Applicable Data Protection Law” means the UK GDPR, the EU GDPR, the UK Data Protection Act 2018, and any other data-protection or privacy law applicable to the Processing.
Subject matter & duration
The subject matter, duration, nature and purpose of the Processing, together with the categories of Personal Data and Data Subjects, are set out in Annex I. Processing continues for the duration of the Engagement and, where applicable, during any post-termination period agreed in writing for transition or migration assistance.
Controller instructions
PeopleAMP will Process Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to a third country, unless required to do otherwise by Applicable Data Protection Law. If PeopleAMP is required to Process Personal Data for a legal reason that would otherwise breach the Controller's instructions, PeopleAMP will inform the Controller of that legal requirement before Processing, unless prohibited by law.
The Controller's instructions are set out in the Engagement, this DPA and any subsequent written instructions (including instructions delivered by email to privacy@peopleamp.io). PeopleAMP will promptly inform the Controller if, in its opinion, an instruction infringes Applicable Data Protection Law.
Processor obligations
PeopleAMP will:
- ensure that persons authorised to Process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
- provide reasonable training to personnel involved in Processing Personal Data under an Engagement;
- take all measures required under Article 32 of the GDPR (see Section 07 and Annex II);
- respect the conditions in Article 28(2) and (4) of the GDPR for engaging Sub-processors (see Section 08);
- assist the Controller, insofar as possible, in fulfilling its obligations to respond to Data Subject requests (Section 10);
- assist the Controller in ensuring compliance with Articles 32–36 of the GDPR, taking into account the nature of Processing and the information available to PeopleAMP (Sections 11 and 12);
- at the choice of the Controller, delete or return all Personal Data at the end of the Engagement (Section 13);
- make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR, and allow for and contribute to audits (Section 14).
Security measures
PeopleAMP has implemented and will maintain appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as described in Annex II. Measures include encryption in transit, encryption at rest where supported by the underlying platform, the principle of least privilege, multi-factor authentication on business-critical systems, logging of access to sensitive systems, regular review of sub-processor security postures, and a documented incident-response procedure.
The Controller remains responsible for configuring any systems under its direct control (including its own identity provider, its own cloud accounts and any credentials it shares with PeopleAMP) to an appropriate security standard.
Sub-processors
The Controller grants PeopleAMP a general authorisation to engage Sub-processors, subject to the following conditions:
- the Sub-processors listed in Annex III are authorised from the effective date of the Engagement;
- PeopleAMP will inform the Controller of any intended addition or replacement of a Sub-processor at least thirty (30) days in advance by updating Annex III (or by email to a nominated Controller contact) and giving the Controller the opportunity to object on reasonable data-protection grounds;
- if the Controller reasonably objects and the parties cannot agree on a resolution within a further thirty (30) days, the Controller may terminate the affected Engagement without penalty, provided any fees for work already performed are paid;
- PeopleAMP will impose on each Sub-processor data-protection obligations no less protective than those set out in this DPA by way of a written contract; and
- PeopleAMP remains fully liable to the Controller for the performance of each Sub-processor's obligations under Applicable Data Protection Law.
International transfers
Where Processing under an Engagement involves a transfer of Personal Data outside the United Kingdom or the European Economic Area, PeopleAMP will ensure that such transfer is subject to appropriate safeguards, including:
- the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses;
- the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914);
- certification under the EU–US Data Privacy Framework, the UK Extension to that Framework, or the Swiss–US Data Privacy Framework, where the recipient is certified; or
- any other mechanism recognised under Applicable Data Protection Law as providing an adequate level of protection.
Upon request, PeopleAMP will provide the Controller with a copy of the relevant transfer mechanism, redacted as necessary to protect commercial confidentiality and the rights of third parties.
Data subject rights
PeopleAMP will, taking into account the nature of the Processing and insofar as possible, assist the Controller by appropriate technical and organisational measures to fulfil the Controller's obligation to respond to requests by Data Subjects to exercise their rights under Chapter III of the GDPR (including rights of access, rectification, erasure, restriction, portability and objection).
Where PeopleAMP receives a request from a Data Subject directly, it will refer the Data Subject to the Controller without further action, and will promptly inform the Controller of the request.
Personal data breaches
PeopleAMP will notify the Controller without undue delay, and in any event within seventy-two (72) hours, after becoming aware of a Personal Data Breach affecting the Controller's Personal Data. The notification will include, to the extent known at the time:
- the nature of the breach, including categories and approximate number of Data Subjects and records concerned;
- the name and contact details of a point of contact at PeopleAMP;
- the likely consequences of the breach; and
- the measures taken or proposed to address the breach, including, where appropriate, measures to mitigate its possible adverse effects.
Where it is not possible to provide the information at the same time, the information may be provided in phases without further undue delay. PeopleAMP will cooperate with the Controller and provide reasonable assistance in relation to the Controller's obligations under Articles 33 and 34 of the GDPR.
DPIAs & prior consultation
PeopleAMP will provide the Controller with reasonable assistance with any data protection impact assessments the Controller is required to carry out under Article 35 of the GDPR, and with any prior consultations with supervisory authorities under Article 36, in each case solely in relation to Processing carried out by PeopleAMP under an Engagement and taking into account the information available to PeopleAMP.
End of processing
At the Controller's choice, notified in writing within thirty (30) days of the end of the Engagement, PeopleAMP will return all Personal Data to the Controller, or delete it from its own systems and those of its Sub-processors, and delete existing copies unless Applicable Data Protection Law requires storage of the Personal Data. In the absence of an instruction, PeopleAMP will delete the Personal Data.
Deletion applies to production systems; residual copies may remain in routine back-ups for the period required by our back-up retention schedule (see Annex II). Those back-ups will continue to be protected to the standards in Annex II and will be deleted in the normal course of back-up rotation.
Audits
PeopleAMP will make available to the Controller, on reasonable written request and no more than once in any twelve-month period (other than where Applicable Data Protection Law requires otherwise, following a Personal Data Breach or as required by a supervisory authority), information reasonably necessary to demonstrate compliance with this DPA. Such information may include completed industry-standard security questionnaires, summaries of penetration-test reports, copies of relevant certifications (where held), and written responses to reasonable follow-up questions.
Where the Controller reasonably considers that such information is insufficient, the parties will agree in good faith on the scope and timing of an on-site audit, to be conducted by the Controller or a mutually acceptable independent auditor bound by confidentiality, at the Controller's cost and on no less than thirty (30) days' prior written notice, during normal business hours and subject to reasonable restrictions to protect confidentiality and the security of other clients' data.
Liability & indemnity
Each party's liability arising out of or related to this DPA is subject to the exclusions, exceptions and caps on liability set out in the Terms of Service and the relevant Statement of Work, including the caps on total aggregate liability.
Nothing in this DPA limits either party's liability to Data Subjects, supervisory authorities, or any third party to the extent that such liability cannot be limited under Applicable Data Protection Law.
Governing law
This DPA is governed by the laws of England and Wales. The parties submit to the exclusive jurisdiction of the courts of England and Wales in respect of any dispute arising out of or in connection with this DPA, subject to the escalation process set out in the Terms of Service.
Annex I — Description of the Processing
Parties
Controller: the Client, as identified in the relevant Statement of Work.
Processor: PeopleAMP Tech Ltd, a private limited company registered in England and Wales, company number 14934358, B32 3SB, United Kingdom.
Nature and purpose of the Processing
Design, development, deployment, operation, support and decommissioning of custom software, SaaS products, mobile applications, AI agents, voice agents, retrieval-augmented generation pipelines, n8n workflows and related automations commissioned by the Controller, together with any associated advisory, training and strategy services.
Categories of Data Subject
- the Controller's personnel, contractors and advisers;
- the Controller's customers, end-users, prospects and website visitors, to the extent their data is present in the systems under scope;
- any other Data Subjects whose Personal Data is present in data supplied by the Controller for the purposes of the Engagement.
Categories of Personal Data
- identification and contact data (name, email, phone, address);
- employment and professional data (job title, company, role);
- account, authentication and authorisation data;
- transaction and usage data within the systems under scope;
- communications content voluntarily shared with the systems (messages, prompts, transcripts);
- any other categories of Personal Data explicitly agreed in the relevant Statement of Work.
Special categories of Personal Data (Article 9 GDPR) are Processed only where expressly agreed in a Statement of Work and with appropriate additional safeguards.
Duration
For the duration of the Engagement and any post-termination transition period agreed in writing, followed by return or deletion as described in Section 13.
Annex II — Technical & organisational measures
Access control
- Single Sign-On with multi-factor authentication on every business-critical account.
- Principle of least privilege: access to systems and data is granted on a need-to-know basis and reviewed periodically.
- Privileged access is time-bound where feasible and logged for audit.
Encryption
- TLS 1.2+ for all data in transit.
- At-rest encryption for data held in managed services that support it (database, object storage, backup).
- Secrets and credentials are held in managed secret stores, never in source control.
Network and application security
- Hardened cloud baselines, security groups and restrictive network policies on deployed infrastructure.
- Dependency-vulnerability scanning and static analysis on code we produce.
- Change management via pull-request review before production deployment.
Endpoint and personnel security
- Full-disk encryption on personnel endpoints.
- Endpoint management with remote-wipe capability on loss or theft.
- Confidentiality commitments with all personnel and sub-contractors.
- Onboarding includes information-security and data-protection training.
Logging and monitoring
- Application and infrastructure logging with retention aligned to risk.
- Alerting on anomalous access patterns on systems holding Personal Data.
Backups, continuity and resilience
- Automated, encrypted backups for production data we host.
- Documented restoration procedures; periodic restore tests on representative systems.
- Incident-response runbooks reviewed at least annually.
Sub-processor management
Named Sub-processors are listed at Annex III. Each is bound by contract to data-protection obligations no less protective than those set out in this DPA.
Breach management
Documented incident-response procedure covering detection, containment, eradication, recovery, communication and lessons learned. Personal Data Breaches are notified to the Controller in accordance with Section 11.
Annex III — Authorised Sub-processors
The following Sub-processors are authorised to Process Personal Data on behalf of the Controller. This list is updated as our supply chain changes and the updated version supersedes prior versions.
| Sub-processor | Service | Location |
|---|---|---|
| Vercel Inc. | Website hosting, edge delivery | United States (DPF certified) |
| Resend | Transactional email delivery | United States / EU (SCCs) |
| Microsoft Corporation | Email, calendar and Bookings | United States / EU (SCCs, DPF certified) |
| GitHub, Inc. | Source control, CI/CD | United States (SCCs, DPF certified) |
| Engagement-specific providers | Hyperscale cloud (AWS / GCP / Azure), AI model providers (Anthropic / OpenAI / Google), analytics and observability providers as specified in the relevant Statement of Work | Region specified in the Statement of Work, with appropriate transfer safeguards |
Changes to this list are notified in accordance with Section 08.