Data Processing Agreement (DPA)

Last updated: 25 October 2025

1. Purpose

This Data Processing Agreement ("DPA") forms part of the contract between the Client ("Controller") and Nought Digital Ltd ("Processor") and governs the processing of personal data in accordance with the UK GDPR and the Data Protection Act 2018.

2. Scope of Processing

Nought Digital processes personal data solely for the purpose of delivering the agreed services — such as AI system development, hosting, or technical support — and only under the documented instructions of the Controller.

3. Data Types

4. Security Measures

We implement appropriate technical and organisational measures to protect personal data, including encryption in transit, access control, monitoring, and regular review of hosting providers’ compliance certifications.

5. Sub-Processors

Nought Digital may engage third-party sub-processors (such as Supabase, Mailgun, or Vercel) strictly for technical functionality. All sub-processors are vetted for GDPR compliance and bound by equivalent data protection obligations.

6. International Transfers

Where personal data is transferred outside the UK, we ensure adequate safeguards via approved Standard Contractual Clauses or equivalent protection mechanisms.

7. Data Breach Notification

In the event of a personal data breach, Nought Digital will notify the Controller without undue delay and provide sufficient information to support regulatory or client reporting duties.

8. Data Subject Requests

Nought Digital will assist the Controller, where possible, in responding to data subject requests for access, correction, or deletion.

9. Termination & Data Return

Upon termination of services, Nought Digital will delete or return all client data within 30 days unless legal obligations require retention.

10. Governing Law

This DPA is governed by the laws of England and Wales.