GafferlyGafferly
← Back to home

Data Processing Agreement

Last updated: 8 June 2026

This Data Processing Agreement (“DPA”) is provided as a template and is pending final legal review. It forms part of the Terms of Service where Gafferly processes personal data on your behalf. If you need a countersigned copy, email privacy@gafferly.com.

1. Parties and roles

This DPA is between you (the “Customer”, the controller) and SEO Engico Ltd, company number 16387749, which operates Gafferly (“Gafferly”, “we”, the processor). It applies where we process personal data relating to your own customers, staff and contacts (“Customer Personal Data”) on your behalf in providing the Service. For your account and billing data we act as an independent controller, as described in our Privacy Policy.

2. Processing on your instructions

We will process Customer Personal Data only on your documented instructions, which are: (a) to provide and support the Service as set out in the Terms; and (b) as described in Annex A. We will tell you if, in our opinion, an instruction infringes UK data protection law, and we will not process the data for our own purposes.

3. Confidentiality

We ensure that people authorised to process Customer Personal Data are bound by confidentiality and are trained to handle it appropriately.

4. Security

We implement appropriate technical and organisational measures to protect Customer Personal Data, taking account of the state of the art and the risks of processing. These are summarised in Annex B and include encryption in transit, access controls, strict tenant isolation between customers, and hashing of credentials.

5. Sub-processors

You give general authorisation for us to engage the sub-processors listed at gafferly.com/sub-processors. We impose data protection obligations on each sub-processor equivalent to those in this DPA, and we remain responsible for their performance. We will give reasonable prior notice of any new sub-processor (by updating that page) so you can object on reasonable data-protection grounds.

6. Assisting you

Taking account of the nature of the processing, we will assist you with appropriate technical and organisational measures to: (a) respond to requests from data subjects exercising their rights (access, rectification, erasure, restriction, portability and objection); and (b) meet your obligations on security, breach notification, data protection impact assessments and prior consultation. Self-service tools in the Service (including data export) help you meet these obligations directly.

7. Personal data breaches

We will notify you without undue delay after becoming aware of a personal data breach affecting Customer Personal Data, and provide reasonable information to help you meet your own notification duties to the ICO and affected individuals.

8. Return or deletion

On termination of the Service, and at your choice, we will delete or return Customer Personal Data and delete existing copies, unless UK law requires us to keep it (for example, retention of certain financial records). Our standard retention periods are described in our Privacy Policy.

9. Audits and information

We will make available information reasonably necessary to demonstrate compliance with Article 28 and allow for and contribute to audits, including inspections, conducted by you or an auditor you mandate, subject to reasonable notice, confidentiality and frequency limits.

10. International transfers

We will not transfer Customer Personal Data outside the UK except in line with our Privacy Policy and using a lawful transfer mechanism (UK adequacy regulations, or the UK International Data Transfer Agreement / the UK Addendum to the EU Standard Contractual Clauses), together with a transfer risk assessment.

11. Liability and precedence

Each party’s liability under this DPA is subject to the limitations and exclusions in the Terms. If there is a conflict between this DPA and the Terms on the processing of Customer Personal Data, this DPA prevails.

Annex A – Details of processing

  • Subject matter: provision of the Gafferly field service management service.
  • Duration: for as long as you use the Service, plus any retention period required by law.
  • Nature and purpose: storing and processing your customer, job, quote, invoice and communications records so you can run your business.
  • Types of personal data: names, postal addresses, email addresses, phone numbers, property and job details, photographs taken on site, signatures, and payment-related information.
  • Categories of data subjects: your customers and their contacts, and your own staff and engineers.

Annex B – Security measures

  • Encryption of data in transit (HTTPS/TLS).
  • Application-level encryption of stored third-party provider credentials.
  • Strict tenant isolation so each firm can only access its own data.
  • Hashed passwords and role-based access controls.
  • Security headers, signed payment and messaging webhooks, and access logging of changes.
  • Use of reputable hosting and infrastructure sub-processors (see sub-processors).