Data Processing Agreement (DPA)

DATA PROCESSING AGREEMENT (DPA)

Between:

Client (“Data Controller”)

and

Core Digital Solutions (“Data Processor”), trading as a sole trader in the United Kingdom.

Effective Date: Upon acceptance of services

Last Updated: March 2025

1. Definitions

“Data Protection Laws”

Means UK GDPR, the Data Protection Act 2018, PECR, and all applicable privacy legislation.

“Client Data”

Means any personal data you provide to Core Digital Solutions for processing.

“Sub-Processor”

A third-party service provider engaged by the Processor to process Client Data.

“Services”

Includes CRM configuration, lead management, call tracking, missed-call text back, messaging, automation setup, appointment scheduling, performance reporting and any digital operations support provided by Core Digital Solutions.

2. Roles & Responsibilities

2.1 Client as Data Controller

The Client determines the purposes and means of processing personal data.

2.2 Core Digital Solutions as Data Processor

Core Digital Solutions processes Client Data solely:

On the Client’s documented instructions

For the purposes of delivering agreed services

In accordance with this DPA and applicable laws

Core Digital Solutions does not sell, trade, or use Client Data for its own purposes.

3. Description of Processing

3.1 Nature & Purpose

Processing includes:

Collecting and storing leads

Centralising conversations (SMS, WhatsApp, Facebook, Instagram, email)

Tracking calls and missed calls

Running automation workflows

Managing appointments

Sending reminders, notifications, and follow-ups

Providing weekly performance summaries

Dashboard visibility and support services

3.2 Categories of Personal Data

Core Digital Solutions processes the following data on your behalf:

✔ Names

✔ Email addresses

✔ Phone numbers

✔ Messaging and conversation history

✔ Calls and call metadata (recordings where enabled)

✔ Appointment and booking data

✔ Website form submissions

✔ Social inbox messages

✔ Customer notes

✔ Customer activity history

✔ Files (e.g., images/PDFs submitted via forms)

3.3 Data Subjects

Your leads

Your customers

Prospects submitting forms

Website visitors who use chat/contact tools

Any person whose data you enter into the CRM

4. Processor Obligations

Core Digital Solutions agrees to:

4.1 Process Only on Documented Instruction

No client data is processed except as required to provide the agreed services.

4.2 Confidentiality

All personnel handling data are subject to confidentiality obligations.

4.3 Security Measures

Core Digital Solutions maintains appropriate organisational and technical safeguards including:

Secure login credentials & multi-factor authentication

Role-based access controls

Device security controls

Encrypted communication channels

Regular system monitoring and access auditing

4.4 Assistance to Controller

Core Digital Solutions will support the Client in:

Responding to data subject requests

Handling access, rectification, deletion, or objection requests

Conducting impact assessments

Meeting any regulatory obligations

4.5 Data Breach Notification

In the event of a suspected or confirmed breach, Core Digital Solutions will:

Notify the Client without undue delay

Provide details of the nature, scope, and impact

Assist in mitigation and required notifications

5. Client (Controller) Responsibilities

The Client is responsible for:

Ensuring lawful collection of personal data

Maintaining an appropriate privacy policy

Providing accurate instructions to Core Digital Solutions

Managing communication preferences and consent

Ensuring data entered into the system complies with all laws

Core Digital Solutions is not responsible for illegal or non-compliant data supplied by the Client.

6. Sub-Processors

Core Digital Solutions uses reputable and GDPR-compliant sub-processors essential to delivering services.

6.1 Sub-Processor Controls

Core Digital Solutions ensures all sub-processors:

Meet appropriate security standards

Process data only within required scope

Offer GDPR-aligned contractual terms

6.2 Changes to Sub-Processors

The Client will be notified before adding or replacing sub-processors.

7. International Data Transfers

Where data is transferred outside the UK/EU, Core Digital Solutions ensures:

Valid UK GDPR transfer mechanisms

Use of SCCs (Standard Contractual Clauses) where applicable

Sub-processor compliance with data protection requirements

GHL, Twilio, and Airtable all utilise SCCs and industry-standard protections.

8. Retention & Deletion

Core Digital Solutions will:

Retain Client Data only for as long as required for service delivery

Delete or return all Client Data upon written request or contract termination

Remove data from active systems after 30 days unless Client instructs otherwise

Backups held by sub-processors may persist for a limited technical retention period.

9. Audits & Compliance Requests

Upon reasonable request, Core Digital Solutions will:

Provide documentation demonstrating compliance

Cooperate with audits or inspections required by law

Support impact assessments (DPIA) if applicable

10. Liability

Core Digital Solutions is not liable for:

Client misuse, misconfiguration, or illegal data processing

Issues arising from third-party systems outside its control

Consequences of inaccurate or unlawfully supplied data

Processor liability is limited to the scope of processing performed directly by Core Digital Solutions.

11. Term & Termination

This DPA remains in effect as long as Core Digital Solutions processes Client Data.

Upon termination:

Data will be deleted or returned as instructed

Any continuing obligations under law will remain in effect

12. Governing Law

This DPA is governed by the laws of the United Kingdom.