Our Data Processing Agreement (DPA)
Intellistart Limited (Trading as Intellistart)
This Data Processing Agreement (“Agreement”) forms part of the contractual relationship between:
Intellistart Limited (trading as Intellistart) (“Processor”)
and
the Client (“Controller”)
Together referred to as the “Parties”.
This DPA applies where Intellistart processes personal data on behalf of the Client in the provision of digital marketing, design, hosting and related services.
1. Purpose and Scope
This DPA governs the processing of personal data by Intellistart when providing digital services to the Controller, including but not limited to:
- Website design and development,
- Branding, design, and creative services,
- Search engine optimisation (SEO) and copywriting,
- Pay-per-click (PPC) advertising management and optimisation,
- Conversion tracking and analytics configuration,
- CRM access and onboarding (including systems such as HubSpot or equivalent),
- Email marketing assistance (where applicable and instructed by the Client),
- Website hosting and domain registration services,
- Technical setup and integration of third-party marketing platforms.
The Processor shall process personal data solely on documented instructions from the Controller.
2. Duration
This DPA applies from the commencement of services and continues for the duration of the underlying service agreement between the Parties.
Upon termination, the provisions relating to confidentiality, deletion, and retention shall continue to apply where relevant.
3. Roles of the Parties
For the purposes of UK GDPR:
- The Client is the Data Controller,
- Intellistart is the Data Processor.
The Processor shall not determine the purposes or means of processing personal data.
4. Nature of Processing
Processing activities may include:
- Viewing, accessing and using personal data within Client systems (including CRM platforms such as HubSpot),
- Configuring and managing advertising campaigns (e.g. Google Ads),
- Implementing tracking technologies (e.g. conversion tracking, cookies, tags),
- Processing pseudonymised identifiers for advertising optimisation (e.g. click IDs. conversion data),
- Assisting with email marketing setup and segmentation based on Client instructions,
- Technical configuration and administration of websites, hosting and domain systems, and integrations.
- Copywriting and content optimisation where personal data may be indirectly processed.
The Processor does not use personal data for its own independent purposes.
5. Categories of Data Subjects
Personal data may relate to:
- Customers and prospective customers of the Client,
- Website visitors and users,
- Marketing leads and CRM contacts,
- Employees or representatives of the Client (where applicable).
6. Categories of Personal Data
Depending on the services provided, this may include:
- Names,
- Email addresses,
- Telephone numbers,
- IP addresses and online identifiers,
- CRM interaction and enquiry data,
- Marketing and behavioural data,
- Advertising identifiers (including pseudonymised identifiers such as GCLIDs and cookies).
No special category data is intentionally processed unless explicitly agreed in writing.
7. Controller Instructions
The Processor shall process personal data only:
- on documented instructions from the Controller; and
- as necessary for the provision of the agreed services.
If an instruction appears to violate applicable data protection law, the Processor shall notify the Controller without undue delay.
8. Confidentiality
The Processor ensures that all personnel authorised to process personal data are bound by appropriate confidentiality obligations.
9. Security of Processing
The Processor implements appropriate technical and organisational measures to protect personal data, including:
- Controlled access to systems and accounts,
- Use of secure cloud-based platforms,
- Password management and authentication controls,
- Restricted access on a need-to-know basis,
- Staff awareness of data protection obligations.
These measures are designed to ensure ongoing confidentiality, integrity, availability and resilience of processing systems.
10. Sub-processors
The Controller provides general authorisation for the Processor to engage third-party service providers necessary for service delivery, including:
- Hosting providers,
- CRM and marketing platforms (e.g. HubSpot or equivalent),
- Advertising platforms (e.g. Google Ads, Meta, Tik Tok),
- Analytics providers (e.g. Google Analytics),
- Website hosting and domain providers,
- Cloud infrastructure providers (e.g. Microsoft, AWS, or equivalent),
- Technical contractors supporting service delivery.
The Processor shall ensure that any sub-processors are subject to appropriate data protection obligations.
The Processor remains responsible for its sub-processors’ compliance with UK GDPR obligations relevant to the processing.
11. International transfers
Where personal data is transferred outside the UK, the Processor shall ensure appropriate safeguards are in place in accordance with UK GDPR, including adequacy regulations or appropriate transfer mechanisms such as the UK IDTA or International Data Transfer Addendum to EU SCCs.
12. Assistance with Data Subject Rights
Considering the nature of processing, the Processor shall assist the Controller, where reasonably possible, in fulfilling obligations relating to:
- Access requests,
- Rectification or erasure requests,
- Restriction or objection requests,
- Data portability requests.
Any requests received directly by the Processor will be forwarded to the Controller without undue delay.
13. Personal Data Breach
The Processor shall notify the Controller without undue delay upon becoming aware of a personal data breach affecting personal data processed under this DPA.
The Processor shall provide reasonable assistance to the Controller in relation to investigation, mitigation, and regulatory notification obligations.
14. Return and Deletion of Data
Upon termination of services, the Processor shall, at the choice of the Controller:
- delete personal data processed under this DPA; or
- return such data to the Controller
unless retention is required by applicable law.
15. Audit and Compliance
The Processor shall make available information reasonably necessary to demonstrate compliance with this DPA and UK GDPR obligations.
Any audit or inspection shall be:
- reasonable in scope,
- subject to confidentiality obligations,
- conducted with reasonable notice.
16. Liability
Each Party shall be liable for its own breaches of applicable data protection law. Nothing in this DPA limits liability that cannot be excluded under UK law.
17. Governing Law
This DPA is governed by the laws of England and Wales and subject to the exclusive jurisdiction of the courts of England and Wales.
18. Acceptance
By continuing to engage Intellistart’s services, the Controller is deemed to accept the terms of this Data Processing Agreement.