Data Processing Addendum (DPA)
This Data Processing Addendum ("DPA") forms part of the Master Service Agreement and applies where we process personal data on your behalf as a processor under the UK GDPR and the Data Protection Act 2018.
1. Parties
Trading name: Code‑Flux
Legal entity: Dominic Harding trading as ("t/a") Code‑Flux
Service address: 6th Floor - 37 Lombard Street - London - EC3V 9BQ
Email: info@code-flux.co.uk
Website: https://www.code-flux.co.uk
Client: The customer identified in the relevant SOW ("Controller") unless the parties otherwise agree in writing.
2. Definitions
- Data Protection Laws means the UK GDPR, the Data Protection Act 2018, and any replacement or supplemental laws.
- Personal Data, Processing, Controller, and Processor have the meanings given in the UK GDPR.
3. Processor Obligations
- We will process Personal Data only on documented instructions from you, including with regard to transfers to a third country, unless required by law.
- We will ensure that persons authorised to process Personal Data are under a duty of confidentiality.
- We will implement appropriate technical and organisational measures to protect Personal Data (see Annex 2).
- We will not engage another processor without meeting the sub‑processor requirements in section 6.
- We will assist you, taking into account the nature of processing, with appropriate measures to respond to data subject requests.
- We will assist you with compliance obligations relating to security, breach notification, impact assessments, and consultations where reasonably required.
- At your choice, we will delete or return Personal Data at the end of the services, unless we are legally required to retain it.
- We will make available information necessary to demonstrate compliance and allow for audits as described in section 9.
4. Controller Obligations
- You warrant that you have a lawful basis to provide Personal Data to us and that your instructions comply with Data Protection Laws.
- You are responsible for the accuracy, quality, and legality of Personal Data and the means by which you obtained it.
- You remain responsible for determining whether the services meet your compliance requirements (especially where you operate in regulated sectors).
5. Security Measures
We apply security measures appropriate to the risk, which may include:
- Access controls, strong authentication, and least‑privilege permissions
- Encrypted connections (HTTPS/TLS) wherever feasible
- Device and account security, patching, and anti‑malware practices
- Secure hosting configurations and monitoring where available
- Separation of client workspaces/accounts where practical
- Regular backups where included in the SOW (or where supported by third‑party providers)
Exact measures vary by service and are further described in Annex 2.
6. Sub‑processors
- You provide a general authorisation for us to appoint sub‑processors to deliver the services.
- We will impose data protection obligations on sub‑processors that are no less protective than this DPA.
- Where we add or replace a sub‑processor, we will provide reasonable notice where practicable. If you have reasonable grounds to object, you must notify us promptly and we will work in good faith to resolve the objection.
Our services may use third‑party infrastructure such as hosting, analytics, email delivery, payment processing, and productivity tools. Specific sub‑processors (where applicable) are listed in Annex 3 and/or the SOW.
7. International Transfers
Where Personal Data is transferred outside the UK, we will ensure appropriate safeguards are in place, such as adequacy regulations or the UK International Data Transfer Agreement (IDTA), or other lawful transfer mechanisms.
8. Personal Data Breaches
- We will notify you without undue delay after becoming aware of a Personal Data Breach affecting Personal Data processed under this DPA.
- We will provide information reasonably required for you to meet your breach reporting obligations, taking into account the information available to us.
9. Audits
- You may audit our compliance with this DPA no more than once per 12 months (unless required due to a confirmed breach), on reasonable notice, during business hours, and subject to confidentiality.
- Where a third‑party platform hosts the data, audit rights may be limited to information made available by that platform (e.g., SOC reports or compliance statements).
- You must bear your own audit costs and reimburse our reasonable time costs at our standard rates where an audit requires material assistance.
10. Liability
Liability under this DPA is subject to the limitation of liability provisions in the MSA and any applicable SOW, except where prohibited by law.
11. Term
This DPA remains in effect for as long as we process Personal Data on your behalf under the services.
Annex 1 — Details of Processing
- Subject matter: Provision of digital services (e.g., websites, SEO, systems/automation, analytics configuration, support).
- Duration: For the term of the relevant SOW and any retention period described in the SOW or required by law.
- Nature & purpose: To perform contracted services, provide support, and maintain/secure deliverables.
- Types of Personal Data: Names, contact details, communications, website/analytics identifiers, customer review content, and other data you upload or provide for the services.
- Categories of data subjects: Your staff, customers, website visitors, prospects, and other individuals whose data you provide.
Annex 2 — Technical & Organisational Measures
- Role‑based access controls and credential management
- Secure file handling and controlled sharing
- HTTPS/TLS and security headers where appropriate
- Incident handling processes and breach notification workflow
- Supplier due diligence where practical (reviewing security/compliance statements)
Annex 3 — Sub‑processors
Where applicable to the services you purchase, we may use third‑party providers for hosting, analytics, email delivery, payments, or AI tooling. Your SOW will specify any named sub‑processors required for your engagement. You may request our current list by contacting info@code-flux.co.uk.
Last updated: 11 January 2026.
