# DPA
This Data Processing Agreement forms part of any engagement between Goliath Web Services LTD ("Processor," "we") and the Client ("Controller," "you") under which we process personal data on your behalf.
This DPA applies when your project involves processing personal data of your end users, customers, or third parties; when you are subject to UK GDPR, EU GDPR, or equivalent data protection law; and when your engagement requires us to handle personal data beyond what's already covered in our Privacy Policy.
## Definitions
Terms used in this DPA have the meaning given to them in UK GDPR and the UK Data Protection Act 2018. Key terms:
- Personal data: any information relating to an identified or identifiable natural person
- Processing: any operation performed on personal data (collection, storage, modification, transmission, deletion)
- Controller: the entity that determines the purposes and means of processing (you)
- Processor: the entity that processes data on behalf of the Controller (us)
- Sub-processor: a third party engaged by us to process data on the Controller's behalf
## Scope of processing
We process personal data only:
- For the purposes documented in the SOW for your engagement
- In accordance with your written instructions
- For the duration of the engagement, plus a wind-down period not exceeding 30 days
We do not process personal data for our own purposes, do not sell or share it with third parties (except documented sub-processors), and do not use it for product improvement, AI training, or analytics beyond what's necessary to deliver the engagement.
## Types of data and data subjects
The specific types of personal data processed depend on your engagement. Typical categories include:
- Names, email addresses, contact details of your end users
- Authentication credentials (when implementing auth)
- Submission data (when implementing forms)
- Behavioural data (when implementing analytics, at your direction)
Categories of data subjects:
- Your customers, leads, or users
- Your employees or contractors (when relevant to the project)
- Other individuals identified in the SOW
We do not process special category data (health, religion, biometric, etc.) unless explicitly specified in the SOW with appropriate additional safeguards.
## Our obligations
We commit to:
- Process personal data only on your documented instructions
- Ensure that any personnel authorised to process the data are bound by confidentiality
- Implement appropriate technical and organisational measures to ensure security (see below)
- Engage sub-processors only with your prior written consent (general consent for our current sub-processor list, specific consent for any addition)
- Assist you in fulfilling your obligations to respond to data subject requests
- Notify you without undue delay (and in any case within 48 hours) of any personal data breach affecting your data
- Delete or return personal data at the end of the engagement, at your choice
- Make available all information necessary to demonstrate compliance with this DPA
## Security measures
We implement the following measures to protect personal data:
- TLS 1.3 encryption in transit
- AES-256 encryption at rest (Supabase, R2, Fastmail)
- Principle of least privilege for access (1Password Business with role-based access)
- Multi-factor authentication on all service provider accounts
- Regular automated backups (daily, retained 30 days)
- Documented incident response procedure
- Secrets never committed to version control
- Annual security review
These measures are subject to ongoing review and may be enhanced as the threat landscape evolves.
## Sub-processors
Current sub-processors used in delivering engagements:
| Sub-processor | Service | Location |
|---|---|---|
| Cloudflare, Inc. | Hosting, DNS, CDN | Global (EU edge) |
| Supabase, Inc. | Database hosting | EU (Frankfurt) |
| Sanity, Inc. | Content management | EU (Amsterdam) |
| Vercel, Inc. | Application hosting (when applicable) | Global |
| Stripe Payments UK, Ltd | Payment processing | UK |
| Resend, Inc. | Transactional email | US |
| Clerk, Inc. | Authentication (when applicable) | US, EU regional |
We will notify you of any intended addition or replacement of sub-processors. You may object to a proposed sub-processor within 14 days, in which case we will either not engage that sub-processor or work with you to find an alternative arrangement.
## International transfers
For sub-processors located outside the UK and EEA (currently: Cloudflare, Stripe global infrastructure, Resend, Clerk), we rely on:
- The UK-US Data Bridge framework (for US-based sub-processors)
- Standard Contractual Clauses (where applicable)
- Sub-processor certifications (SOC 2, ISO 27001, GDPR compliance attestations)
A copy of the applicable Standard Contractual Clauses is available on request.
## Data subject rights
We will assist you in responding to data subject requests (access, correction, deletion, portability) within a reasonable time and at no additional charge for engagements of standard scope.
If responding to a data subject request requires substantial work beyond the scope of normal operations (e.g., bulk export of a large dataset), we will provide a quotation before proceeding.
## Audits and inspections
You have the right to audit our compliance with this DPA, on reasonable notice (minimum 14 days) and not more frequently than once per year, except where a personal data breach has occurred.
Audits are conducted at your expense unless they reveal material non-compliance, in which case the cost is borne by us.
## Termination
This DPA terminates with the underlying engagement. Upon termination, we will, at your written request:
- Return all personal data to you in a structured, commonly-used format, OR
- Delete all personal data (and certify deletion in writing)
We will retain personal data only as required by law, in which case we will continue to protect it under the terms of this DPA.
## Liability
Liability under this DPA is governed by the liability provisions of the underlying engagement Terms of Engagement.
## Contact
Data protection queries: hello@goliathus.co.uk. Personal data breaches or urgent matters: same email with subject line including "URGENT — DATA."
See also: Privacy Policy · Terms of Engagement