About this addendum
This Data Processing Addendum (DPA) sets out the standard terms under which Unhectic Limited processes personal data on behalf of a client. It is intended to satisfy the controller-to-processor obligations of UK GDPR Article 28 as a baseline. Where the client requires a signed bilateral DPA referencing the underlying engagement — for example, where a client’s procurement process requires a counter-signature — please contact us at [email protected]; we can normally turn that around within one working day.
1. Definitions
The following terms have the meanings given to them in the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018: “Controller”, “Processor”, “Personal Data”, “Processing”, “Data Subject”, “Sub-processor”, and “Supervisory Authority”. Reference: UK General Data Protection Regulation 2018, as retained and amended in UK law.
2. Roles
In the context of any engagement to which this DPA applies, the client is the Controller of the Personal Data being processed and Unhectic Limited is the Processor acting on the Controller’s behalf. Where the client is itself acting as a processor for a downstream controller, Unhectic acts as a sub-processor on equivalent terms.
3. Scope and purpose
Unhectic processes Personal Data only on the documented instructions of the client, set out in the engagement contract or in writing thereafter, and only to the extent necessary to deliver the agreed services. We do not process Personal Data for any independent purpose of our own. If we believe an instruction infringes UK GDPR or other applicable data-protection law, we will tell the client.
4. Confidentiality
Unhectic ensures that personnel with access to Personal Data are bound by appropriate contractual or statutory confidentiality obligations that survive the end of their engagement with us. Access to Personal Data is granted on a least-privilege basis to the personnel who need it for the work.
5. Security of processing
Unhectic implements technical and organisational measures appropriate to the risk of the processing, in line with UK GDPR Article 32 and our Information Security Statement, which sets out the underlying control set in plain terms. Where a specific engagement requires controls beyond our standard set, those are agreed in the statement of work for that engagement.
6. Sub-processors
Unhectic may engage Sub-processors to provide the services. The current list of Sub-processors is published at /legal/sub-processors/. Sub-processors are engaged on terms that flow down the substantive obligations of this DPA. Where the engagement requires advance notice of Sub-processor changes, that notice is provided in line with the Master Services Agreement, and the client may object to a proposed change in accordance with the contract.
7. Data subject rights
Where a Data Subject contacts Unhectic directly to exercise their UK GDPR rights of access, rectification, erasure, restriction, portability, or objection, we forward the request to the client (as Controller) without undue delay and assist the client in responding within the statutory deadlines. We do not respond to the Data Subject directly except to acknowledge receipt and to indicate that the request has been forwarded.
8. Personal data breach
In the event of a Personal Data breach affecting client data, Unhectic will notify the client without undue delay and in any case within 72 hours of becoming aware of the breach. The notification will include, to the extent then known, the nature of the breach, the categories and approximate number of Data Subjects affected, the categories and approximate number of records affected, the likely consequences, and the steps Unhectic has taken or proposes to take. We will provide the client with the information it needs to meet its own UK GDPR Articles 33 and 34 notification obligations.
9. International transfers
Where Personal Data is transferred outside the United Kingdom as part of providing the services — notably to our Mumbai operations or to client-chosen Sub-processors — Unhectic uses an appropriate transfer mechanism. The default mechanism is the UK International Data Transfer Agreement (IDTA) or, where appropriate, the UK Addendum to the EU Standard Contractual Clauses. Where the destination country has been the subject of UK adequacy regulations, the transfer relies on those adequacy regulations.
10. Audit
Unhectic provides clients with the information necessary to demonstrate compliance with UK GDPR Article 28, including, on reasonable request and under appropriate confidentiality terms, copies of relevant policies, evidence of control operation, and a summary of any third-party assessments we have undergone. Where the client reasonably requires an on-site audit beyond that, the audit is arranged at the client’s cost and at a time that does not unduly disrupt our operations, and is not used to the prejudice of other clients’ data.
11. Termination and return of data
On termination of the engagement, Unhectic returns or deletes all Personal Data, at the client’s election, save where retention is required by law (for example, statutory record-keeping obligations for tax, audit, or anti-money-laundering purposes). Where data is deleted, we delete it from active systems within thirty days of termination and from backups within the regular backup-rotation cycle.
12. Liability
Liability for breach of this DPA is governed by the limitation provisions of the underlying engagement contract, save for liability that cannot be limited at law (notably, statutory liability under UK GDPR Article 82 to a Data Subject). Nothing in this DPA is intended to exclude or limit such liability.
13. Governing law
This DPA is governed by the laws of England and Wales. Disputes are subject to the jurisdiction provisions of the underlying engagement contract.
14. Bilateral signature
Where the client requires a signed bilateral DPA naming both parties and the underlying engagement, please contact [email protected]. We can sign within one working day of receiving the client’s draft, and we are happy to use the client’s preferred template provided its substance is consistent with this addendum.