virtco®Celebrating 30 years
← Back to Legal

Data Processing Agreement

D. Grant Crawley Limited T/A virtco®

DATA PROCESSING AGREEMENT (DPA)

1. Parties

This Data Processing Agreement (“DPA”) forms part of the agreement between:

  • The Customer (the Data Controller); and
  • D. Grant Crawley Limited T/A virtco®, registered in England and Wales (Company No. 2705666), with registered office at 26 Darent Road, Haydock, St Helens, Merseyside, WA11 0HH (the Data Processor).

2. Purpose and Scope

  • The Processor provides software development, hosting, and related services to the Customer.
  • In providing these services, the Processor may process personal data on behalf of the Customer.
  • This DPA sets out the rights and obligations of both parties regarding that processing.

3. Duration

This DPA will remain in force for as long as the Processor provides services that involve the processing of personal data on behalf of the Customer.

4. Roles and Responsibilities

  • The Customer (Controller) decides the purpose and means of processing personal data.
  • The Processor (virtco®) processes personal data only on documented instructions from the Customer, unless required to do so by law.

5. Categories of Data and Data Subjects

Depending on the services used, the Processor may process:

  • Personal data: names, contact details, login credentials, billing details, usage data.
  • Data subjects: Customer’s employees, contractors, clients, or end-users.
  • Special category data: only if agreed in writing and subject to additional safeguards.

6. Processor Obligations

The Processor shall:

  1. Process personal data only on the documented instructions of the Customer.
  2. Ensure that persons authorised to process personal data are subject to confidentiality obligations.
  3. Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.
  4. Assist the Customer, where reasonable, in fulfilling their obligations regarding data subject rights (access, rectification, erasure, portability, restriction, objection).
  5. Notify the Customer without undue delay after becoming aware of a personal data breach.
  6. Provide reasonable information necessary to demonstrate compliance and allow audits by the Customer or an agreed third-party auditor (on reasonable notice, and subject to confidentiality).
  7. Delete or return all personal data to the Customer upon termination of services, unless required by law to retain it.

7. Sub-processors

  • The Processor may engage sub-processors (e.g. data centre operators, cloud service providers, payment processors).
  • A current list of sub-processors is available on request.
  • The Processor will impose the same data protection obligations on any sub-processor.
  • The Customer may object to the use of a new sub-processor on reasonable grounds relating to data protection.

8. International Transfers

  • Personal data will normally be stored and processed in the UK or EEA.
  • If data is transferred outside the UK/EEA, the Processor will ensure appropriate safeguards are in place (e.g. adequacy regulations, UK Addendum to EU Standard Contractual Clauses).

9. Customer Obligations

The Customer shall:

  1. Ensure it has a lawful basis for collecting and supplying personal data to the Processor.
  2. Provide clear instructions for processing.
  3. Ensure that any data subjects are informed of the processing through an appropriate privacy notice.

10. Liability

Each party’s liability under this DPA is subject to the liability provisions in the main agreement between the parties (e.g. the Terms of Service).

11. Governing Law and Jurisdiction

This DPA shall be governed by and construed in accordance with the laws of England and Wales. The parties agree to submit to the exclusive jurisdiction of the English courts.

Signed for and on behalf of:

The Customer (Controller)
Signature: ________________________
Name: ___________________________
Date: ____________________________

D. Grant Crawley Limited T/A virtco® (Processor)
Signature: ________________________
Name: ___________________________
Date: ____________________________

ANNEX: DATA PROCESSING DETAILS

This Annex forms part of the Data Processing Agreement (DPA) between D. Grant Crawley Limited T/A virtco® and the Customer.

1. Subject Matter of Processing

The Processor provides:

  • Software development services
  • Hosting services
  • Support services
  • Other: ___________________________

2. Duration of Processing

Processing will continue for the duration of the main agreement between the parties, unless otherwise specified.

3. Nature and Purpose of Processing

Personal data will be processed for the following purposes:

  • To provide, maintain and support the Customer’s software, hosting, or related services.
  • To manage billing, account access, and communications.
  • To monitor and improve service performance and security.

4. Types of Personal Data

The following types of personal data may be processed:

  • Identification data (name, job title, role)
  • Contact details (email, phone number, address)
  • Account data (username, login credentials, access logs)
  • Billing and payment data (excluding credit card numbers, which are handled by third-party processors)
  • Technical data (IP addresses, device details, usage statistics)

Special Category Data:

  • None expected
  • If applicable, specify: ___________________________

5. Categories of Data Subjects

  • Customer’s employees and contractors
  • Customer’s clients or end-users (if applicable)
  • Other authorised users as defined by the Customer

6. Retention Periods

  • Personal data will be retained for as long as necessary to provide the services and comply with legal obligations.
  • Upon termination of the services, data will be deleted or returned within 90 days, unless otherwise required by law.

7. Security Measures

The Processor applies appropriate technical and organisational measures, including (but not limited to):

  • Encryption of data in transit and at rest where appropriate
  • Firewalls and intrusion detection
  • Regular security patching and updates
  • Access controls and authentication measures
  • Regular backups and disaster recovery planning

8. Sub-processors

Current sub-processors may include:

  • Data centre and hosting providers (UK/EU based)
  • Cloud infrastructure providers (e.g. AWS, Azure, or similar)
  • Payment processors (e.g. Stripe, PayPal)
  • Domain registrars (e.g. Nominet, ICANN registrars)

An up-to-date list of sub-processors is available on request.

9. International Transfers

  • Data will normally be processed in the UK or EEA.
  • If transferred outside the UK/EEA, appropriate safeguards will be used (adequacy regulations or UK Addendum to EU Standard Contractual Clauses).

Signed for and on behalf of:

The Customer (Controller)
Signature: ________________________
Name: ___________________________
Date: ____________________________

D. Grant Crawley Limited T/A virtco® (Processor)
Signature: ________________________
Name: ___________________________
Date: ____________________________