Version: 1.0
Last Updated: 03 July 2026
This Data Processing Agreement ("DPA") is entered into by and between FaultFixers Technologies Limited, a company incorporated in England and Wales ("Processor"), and the customer entity agreeing to these terms ("Controller").
This DPA is governed by and supplements the Services Agreement between the parties and applies whenever FaultFixers processes Personal Data on behalf of the Controller.
In the event of any conflict between this DPA and the Services Agreement regarding the Processing of Personal Data, this DPA shall prevail to the extent of that conflict.
1. Definitions
"Applicable Data Protection Laws" means the UK General Data Protection Regulation ("UK GDPR"), the Data Protection Act 2018, the EU General Data Protection Regulation 2016/679 ("EU GDPR") where applicable, and any other applicable data protection or privacy legislation.
"Controller","Processor", "Data Subject", "Personal Data", "Personal Data Breach", "Processing", "Special Category Data" and "Sub-processor" shall have the meanings given to them under Applicable Data Protection Laws.
Capitalised terms not otherwise defined in this DPA have the meaning given within the Services Agreement.
2. Scope and Roles
This DPA applies whenever FaultFixers Processes Personal Data as Processor on behalf of the Controller in connection with the Services provided under the Services Agreement.
The Controller acts as the Controller of Personal Data.
FaultFixers acts solely as the Processor of Personal Data.
Nothing within this DPA transfers ownership of Customer Data. All Customer Data, including all Personal Data Processed under this DPA, shall remain the property of the Controller.
The details of the Processing carried out under this DPA are set out in Schedule 1 (Details of Processing).
3. Compliance with Applicable Data Protection Laws
Processor shall:
• comply with Applicable Data Protection Laws;
• Process Personal Data only as permitted under this DPA and the Services Agreement;
• maintain appropriate technical and organisational measures designed to protect Personal Data;
• comply with its obligations as a Processor under Article 28 UK GDPR.
Processor maintains supporting information regarding its privacy, security and compliance arrangements within the FaultFixers Trust Centre.
Where Processor publishes security documentation, technical and organisational measures, Sub-processor information or other privacy documentation within the FaultFixers Trust Centre, such documentation forms part of this DPA as amended from time to time, provided any changes do not materially reduce the level of protection afforded to Personal Data.
4. Processor Obligations
Processor agrees to:
• Process Personal Data only on documented instructions from the Controller;
• ensure that all persons authorised to Process Personal Data are subject to appropriate contractual confidentiality obligations;
• ensure that personnel receive appropriate privacy and information security awareness training;
• implement and maintain appropriate technical and organisational measures to protect Personal Data;
• maintain records of Processing activities where required by Article 30 UK GDPR;
• provide reasonable assistance to enable the Controller to respond to requests from Data Subjects exercising their rights under Applicable Data Protection Laws;
• provide reasonable assistance to enable the Controller to comply with its obligations relating to security, Personal Data Breaches, Data Protection Impact Assessments and prior consultation with supervisory authorities where required by Applicable Data Protection Laws.
The Services Agreement, together with the Controller's use of the Services, constitute the Controller's documented instructions for the purposes of this DPA. If Processor believes that any instruction received from the Controller infringes Applicable Data Protection Laws, Processor shall inform the Controller without undue delay unless prohibited from doing so by law.
5. Security and Risk Management
Processor shall implement and maintain appropriate technical and organisational measures to ensure a level of security appropriate to the risks presented by the Processing of Personal Data.
These measures are described in Schedule 2 (Technical and Organisational Measures) and include measures designed to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or unauthorised access.
Processor maintains recognised information security controls, including Cyber Essentials Plus Certification, and may satisfy reasonable compliance requests through the provision of current security certifications, audit reports or equivalent independent assurance where appropriate.
Processor may update or replace its technical and organisational measures from time to time provided such changes do not materially reduce the overall level of protection afforded to Personal Data.
6. Sub-processing
Processor has the Controller's general authorisation to engage Sub-processors in connection with the provision of the Services.
Processor shall ensure that each Sub-processor is subject to written contractual obligations providing a level of protection for Personal Data that is substantially equivalent to those contained within this DPA.
Processor remains fully responsible for the performance of its Sub-processors and for ensuring their compliance with applicable data protection obligations.
Processor shall provide atleast
14 days' prior notice before adding or replacing a Sub-processor by updating the Sub-processor list available within the FaultFixers Trust Centre.
The Controller may object to the appointment of a new Sub-processor only on reasonable and objective grounds relating to data protection. The parties shall work together in good faith to resolve the objection. Where no reasonable resolution can be reached, either party may terminate only the affected Service component upon written notice.
The current list of authorised Sub-processors is available at:
https://www.faultfixers.com/faultfixers-trust-center 7. Data Retention and Disposal
Processor shall retain Personal Data only for the periods specified within the Services Agreement or as otherwise instructed by the Controller, unless a longer retention period is required by applicable law.
Upon expiry or termination of the Services Agreement, Processor shall, at the Controller's written instruction, securely return or delete Personal Data in accordance with the Services Agreement, unless applicable law requires continued retention.
Where applicable law requires continued retention, Processor shall continue to protect such Personal Data in accordance with this DPA and shall Process it only to the extent required by law.
8. International Transfers
Where Personal Data is transferred outside the United Kingdom or the European Economic Area, Processor shall ensure that such transfers are carried out in accordance with Applicable Data Protection Laws.
Where required, Processor shall implement appropriate safeguards under Chapter V UK GDPR, including the UK International Data Transfer Agreement, the UK International Data Transfer Addendum to the EU Standard Contractual Clauses, or other lawful transfer mechanisms recognised under Applicable Data Protection Laws.
Processor shall ensure that Personal Data transferred internationally receives a level of protection that is essentially equivalent to that required under Applicable Data Protection Laws.
9. Data Subject Requests
Taking into account the nature of the Processing, Processor shall provide reasonable assistance to enable the Controller to respond to requests made by Data Subjects exercising their rights under Applicable Data Protection Laws.
The Controller remains responsible for:
• verifying the identity of requesters;
• determining the lawful basis for responding to any request;
• determining whether any exemption applies; and
• providing the substantive response to the Data Subject.
Where Processor receives a request directly from a Data Subject relating to Personal Data Processed on behalf of the Controller, Processor shall promptly notify the Controller and shall not respond directly unless legally required to do so.
Where this DPA requires Processor assistance or response, such assistance shall be provided within a reasonable time frame, taking into account the nature of the request, the available information, available resources and contractual obligations.
10. Personal Data Breaches
Processor shall notify the Controller without undue delay after becoming aware of a confirmed Personal Data Breach affecting Personal Data Processed under this DPA.
The initial notification maybe preliminary and supplemented as further information becomes available.
Where reasonably available, the notification shall include:
• the nature of the Personal Data Breach;
• the categories and approximate number of affected Data Subjects;
• the categories and approximate volume of Personal Data affected;
• the likely consequences of the Personal Data Breach;
• the measures taken or proposed to address the Personal Data Breach; and
• the name and contact details of the Processor's contact for further information.
Processor shall provide reasonable assistance to enable the Controller to comply with its obligations under Articles 33 and 34 UK GDPR.
11. Audit Rights
Controller may request reasonable documentation to verify Processor's compliance with this DPA.
Such requests shall be limited to once in any twelve (12) month period, unless:
• required by Applicable Data Protection Laws;
• reasonably required following a confirmed Personal Data Breach affecting Controller Personal Data; or
• otherwise agreed in writing by the parties.
Processor shall maintain records of its Processing activities and make relevant information available upon written request to the extent reasonably necessary to demonstrate compliance with Article 28 and Article 30 UK GDPR.
Processor may satisfy reasonable audit or compliance requests through the provision of existing security certifications, independent audit reports, security documentation or other evidence of compliance maintained in the ordinary course of business.
Physical or on-site audits may only be conducted where reasonably necessary, during normal business hours, upon not less than thirty (30) days' prior written notice, subject to appropriate confidentiality obligations and provided such audits do not unreasonably interfere with Processor's business operations or compromise the security or confidentiality of other customers.
Processor shall not be required to create bespoke documentation, reports or evidence solely to satisfy an audit request.
Unless otherwise required by law, the Controller shall bear its own costs associated with any audit and shall reimburse Processor for any reasonable costs incurred in facilitating such audit.
12. Termination and Return of Personal Data
Upon expiry or termination of the Services Agreement, Processor shall, at the Controller's written instruction, return or securely delete Personal Data in accordance with the Services Agreement, unless Applicable Data Protection Laws require continued retention.
Where no instruction is received from the Controller, Processor may securely delete Personal Data following expiry of any applicable retention period specified within the Services Agreement.
Where Personal Data is retained to comply with legal obligations, Processor shall continue to protect such Personal Data in accordance with this DPA and shall Process it only for the purposes required by applicable law.
13. Limitation of Liability
The liability of each party arising under or in connection with this DPA shall be subject to the limitations and exclusions of liability contained within the Services Agreement. Nothing within this DPA excludes or limits liability where such exclusion or limitation is prohibited by Applicable Data Protection Laws or any other applicable law.
14. Miscellaneous
Processor shall cooperate with the Information Commissioner's Office or any other competent supervisory authority where required by Applicable Data Protection Laws in relation to the Processing of Personal Data under this DPA.
Except where legally required, Processor shall not respond directly to any supervisory authority, Data Subject or third party in relation to Personal Data Processed on behalf of the Controller without first notifying the Controller.
Nothing within this DPA requires Processor to provide configuration, integration, consultancy or customisation services except where expressly agreed within the Services Agreement.
This DPA shall be governed by and construed in accordance with the laws of England and Wales.
The courts of England and Wales shall have exclusive jurisdiction to settle any dispute arising out of or in connection with this DPA.
This DPA may be executed electronically and in any number of counterparts, each of which shall constitute an original, but all of which together shall constitute one agreement.
Execution
Signed for and on behalf of FaultFixers Technologies Limited

Name: Thomas O’Neill
Title: Director
Date: 29 June 2026