Generic selectors
Exact matches only
Search in title
Search in content
Post Type Selectors

Data Processing Addendum

Because SmartTHING’s Service agreements incorporate our Data Processing Addendum (“DPA”), you do not need to sign a separate copy. This DPA (and the accompanying Standard Contractual Clauses) contain legal terms that apply to personal information that may be contained in Customer Content. We’ve updated the DPA as of July 2024.

If you need a standalone copy of this DPA for your records or other compliance purposes, you should contact our support team, who will be happy to arrange this: 

This document may be updated from time to time. The latest version is always available at or from our support team. Where the document is updated, customers will be notified by email, on our website, or via other appropriate means.



Company Name and Company Number:
THE SMARTTHING LIMITED (with company number: 07016770)
Address: Suite 4. 35c Windsor House, Harrogate, HG1 2PW


( The customer of THE SMARTTHING LIMITED )

Each of the parties above shall be referred to as a Party or, together, the Parties.


PurposeFor the purpose of the Supplier providing the Services to the Customer.
Scope and nature of the processing

The scope of the personal data includes but is not limited to:

  • Personal details
  • Personal details issued as an identifier by a public authority
  • Family, lifestyle and social circumstances
  • Education and training details
  • Employment details
  • Financial information

which shall be transferred and/or stored in digital format by the Supplier.

Categories of data subject

The categories of data subject that the personal data being processed includes but is not limited to:

  • Customer’s employees
  • Consultants
  • Contractors
  • Customers/Supporters/Donors/Students/Alumni
Categories of personal dataThe types of data that could be used to identify individuals and that are being processed, includes but it not limited to, name, address, email address, marketing preference, location information, IP addresses, donation or payment information (excluding card details)
Duration of ProcessingFor the duration that the Supplier provides the Services to the Customer, which is as long as the Supplier processes Customer Personal Data to fulfil the Purpose.
Data Protection Officer(s)The Supplier’s data protection officer can be contacted at


  1. The Supplier is providing services to the Customer where the Supplier is required to process Customer Personal Data to fulfil the Purpose (as defined in the Contract Details).
  2. This Agreement sets out the terms on which the Supplier will process the Customer Personal Data, in accordance with Data Protection Laws.



1.1 In this Agreement, unless the context otherwise requires, the following expressions have the following meanings:

Agreement: refers to this data processing addendum and includes the Contract Details and any Schedules attached to it. 

Customer Personal Data: the personal data processed by the Supplier on behalf of the Customer under this Agreement. This Personal Data is detailed as the ‘Scope and nature of processing’, the ‘Categories of personal data’ and the ‘Categories of data subjects’ in the Contract Details at the front of this Agreement. 

Contract Details: refers to the terms agreed between the Parties on the front pages of this Agreement titled “Contract Details”. 

Data Protection Laws: all applicable data protection and privacy legislation in force in the United Kingdom including
(i) the UK GDPR as defined in section 3(10) of the Data Protection Act 2018, and supplemented by section 205(4) (“UK GDPR“);
(ii) the Data Protection Act 2018;
(iii) the Privacy and Electronic Communications Regulations 2003 (SI 2003 No. 2426),

each as amended, updated or replaced from time to time.

Data controller, data processor, data subject, personal data, processing and appropriate technical and organisational measures shall have the meanings given to them in the UK GDPR.

Duration of Processing: the length of time the Supplier will process the Customer Personal Data as described in the Contract Details at the front of this Agreement. 

DP Regulator: a valid supervisory authority (as defined under the UK GDPR), which in the UK is the Information Commissioner. 

Personal Data Breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data.

Purpose: means the purpose for processing the Customer Personal Data, as detailed in the Contract Details. 

Services: the services that the supplier has agreed to supply to the Data controller as part of the contract.

Sub-Processor(s): any processor, including any agent, sub-contractor or other third party, engaged by the Supplier (or by any other Sub-Processor) for carrying out any processing activities in respect of the Customer Personal Data.

1.2 A person means an individual, a firm, a company, an unincorporated body or a government entity (whether or not having a separate legal identity from its members or owners) and any of its successors, permitted transferees or permitted assignees.

1.3 Clause, schedule and paragraph headings shall not affect the interpretation of this Agreement.

1.4 References to statutes, regulations or other legislation or enactments referenced herein shall be deemed to be references to that enactment as amended, supplemented, re-enacted or replaced from time to time.

1.5 The words include, including and similar words or expressions will not limit the meaning of the words that come before them.

1.6 Reference to writing or written includes e-mail but not any other form of electronic communication.


2.1 The Parties acknowledge that the Customer is the data controller of the Customer Personal Data that the Customer has given the Supplier access to and the Supplier is the data processor of the Customer Personal Data.

2.2 Both Parties will comply with all applicable requirements of Data Protection Laws in relation to personal data that is shared or processed under this Agreement. This Agreement does not relieve, remove or replace, a Party’s obligations or rights under applicable Data Protection Laws.


3.1 Each Party shall maintain records which indicate how that Party processes personal data under its responsibility. These records will contain at least the minimum information required by the Data Protection Laws and each Party shall make that information available to any DP Regulator on request.

3.2 To the extent that the Supplier processes Customer Personal Data on behalf of the Customer, the Supplier shall:

3.2.1 process that Customer Personal Data only on the documented instructions of the Customer, which shall include processing the Customer Personal Data to the extent necessary for the Purpose, unless the Supplier is otherwise required by applicable laws. 

3.2.2 implement appropriate technical and organisational measures to protect against unauthorised or unlawful processing of Customer Personal Data and against accidental loss or destruction of, or damage to, Customer Personal Data, including as appropriate:

  1. a) the pseudonymisation and encryption of Customer Personal Data;
    b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
    c) the ability to restore the availability and access to Customer Personal Data in a timely manner in the event of a physical or technical incident; and
    d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing;

3.2.3 maintain the confidentiality of the Customer Personal Data, not disclose the Customer Personal Data to any third party other than as authorised to do so under this Agreement and ensure that any personnel engaged and authorised by the Supplier to process Customer Personal Data have committed themselves to obligations of confidentiality;

3.2.4 assist the Customer in responding to any request from a data subject and in ensuring the Customer’s compliance with its obligations under applicable Data Protection Laws. This process shall be provided (at the Customer’s cost) and shall include:

  1. a) recording and referring all requests and communications received from data subjects or any DP Regulator to the Customer which relate to any Customer Personal Data promptly (and in any event within five days of receipt); and
    b) not responding to any such requests without the Customer’s express written approval and strictly in accordance with the Customer’s instructions unless and to the extent required by applicable law.

3.2.5 promptly (and in any event within 24 hours):

  1. a) notify the Customer if it (or any of the Sub-Processors or the Supplier personnel) becomes aware of any actual occurrence of any Personal Data Breach in respect of any Customer Personal Data; and
    b) provide all information as the Customer reasonably requires to report the circumstances to a DP Regulator and to notify affected data subjects under Data Protection Laws.

3.3 Where the Supplier is relying on applicable laws as the basis for processing Customer Processor Data under clause 3.2.1 above, the Supplier shall use reasonable efforts to notify the Customer of this before performing the processing required by the applicable laws unless those applicable laws prohibit the Supplier from so notifying the Customer.


4.1 The Customer hereby provides its prior, general authorisation for the Supplier to appoint Sub-Processors to process the Customer Personal Data, provided that the Supplier:

4.1.1 shall ensure any Sub-Processors will comply with applicable Data Protection Laws, and will comply with terms that are materially similar to those imposed on the Supplier in this clause 4;

4.1.2 shall remain responsible for the acts and omissions of any such Sub-Processor as if they were the acts and omissions of the Supplier; and

4.1.3 shall inform the Customer of any intended changes concerning the addition or replacement of the Sub-Processors; giving the Customer the opportunity to object to such changes. Where the Customer objects to the changes and cannot demonstrate, in the Supplier’s reasonable opinion, that the objection is due to an actual or likely breach of applicable Data Protection Law, the Customer shall indemnify the Supplier for any losses, damages, costs (including legal fees) and expenses suffered by the Supplier in accommodating the objection.

4.1.4 The Supplier will maintain a list of its current subprocessors, including their functions and locations, on their website at

4.1.5 where the Customer elects to use a sub-processor to provide a service, examples of which could include:

  • address cleaning
  • providing email marketing
  • providing event management services
  • storing contact detail
  • storing donation information

the Customer will:

  • conduct a data protection review of the sub-processor’s service and agree a contract with the sub-processor
  • instruct the Supplier to use that sub-processor to provide the Services
  • In doing so, the Customer agrees that the use of that sub-processor is outside the terms of this agreement and is covered by the Customers own direct relationship with that sub-processor


5.1 The Supplier may transfer Customer Personal Data outside of the United Kingdom and European Economic Area as required to process the Customer Personal Data for the Purpose under this Agreement, provided that the Supplier shall ensure that all such transfers are made in accordance with applicable Data Protection Laws. For these purposes, the Customer shall promptly comply with any reasonable request of the Supplier, including any request to enter into standard data protection clauses to safeguard international transfers, as adopted by the UK Information Commissioner.


6.1 Neither Party excludes nor limits any liability for:

6.1.1 personal injury (including sickness and death) to the extent that such injury results from the negligence or wilful default of a Party or its employees; or

6.1.2 fraud or fraudulent misrepresentation; or

6.1.3 any other liability to the extent it cannot be excluded or limited by law.

6.2 Subject to the provisions of this clause 6 and the last paragraph of the clause titled “indemnity” below, the Supplier’s total aggregate liability arising under or in connection with this Agreement, or applicable Data Protection Laws, shall be limited to the value of the annual contract.


7.1 The Supplier shall maintain complete, accurate and up to date written records of all categories of processing activities carried out on behalf of the Customer.

7.2 Such records shall include all information necessary to demonstrate its compliance with this Agreement and the information referred to in Articles 30(1) and 30(2) of the UK GDPR.

7.3 The Supplier shall make copies of such records referred to in this clause 7 available to the Customer promptly on written request by the Customer.

7.4 The Supplier shall (and shall ensure all Sub-Processors shall) promptly on written request by the Customer make available to the Customer (at no cost the Customer) such information as is required to demonstrate the Supplier’s with their obligations under this Agreement and the Data Protection Laws, and allow for, permit and contribute to audits, including inspections, by the Customer (or another auditor instructed by the Customer) for this purpose annually (if requested) and in the event of an actual or suspected Personal Data Breach.

7.5 Except in the event of an actual or suspected Personal Data Breach, the Customer shall provide no less than 30 days’ notice to the Supplier of any audit under this clause 7 and shall use reasonable endeavours to cause minimal disruption to the Supplier’s business during any such audit.


8.1 This Agreement shall remain in full effect for the Duration of Processing following which it shall automatically terminate.

8.2 Where the Supplier no longer requires the Customer Personal Data for the Purpose, it shall, at the written direction of the Customer, delete (so far as technically possible) or return Customer Personal Data and any copies to the Customer within 30 days of termination of this Agreement, unless the Supplier is required by any applicable law to continue to process that Customer Personal Data.

8.3 For the purposes of this clause 8, Customer Personal Data shall be considered deleted where it can longer be used further by the Supplier.


9.1 The Supplier shall indemnify and keep indemnified the Customer against:

9.1.1 all losses, claims, damages, liabilities, fines, interest, penalties, costs, charges, sanctions, expenses, compensation paid to data subjects, demands and legal and other professional costs (calculated on a full indemnity basis and in each case whether or not arising from any investigation by, or imposed by, a supervisory authority) arising out of or in connection with any breach by the Supplier of its obligations under this Agreement; and

9.1.2 all amounts paid or payable by the Customer to a third party which would not have been paid or payable if the Supplier’s breach of this Agreement had not occurred.

9.2 For the avoidance of doubt, the limit of liability at clause 6.2 shall not apply to the indemnity in this clause 9.


10.1 Costs

Each Party is responsible for its legal and other costs in relation to the preparation and performance of this Agreement.

10.2 Survival of terms

The Parties intend the following terms to survive termination: clauses 1, 6, 7, 8, 9 and 10 and all clauses required for their interpretation.

10.3 Relationship of the Parties

The Parties are independent businesses and not partners, principal and agent, or employer and employee, or in any other relationship of trust to each other.

10.4 Third party rights

For the purposes of the Contracts (Rights of Third Parties) Act 1999, this Agreement is not intended to and does not give any person who is not a party to it any right to enforce any of its provisions. However, this does not affect any rights or remedy of such a person that exists or is available apart from that Act.

10.5 Assignment and other dealings

No Party may assign, subcontract or encumber any right or obligation under this Agreement, in whole or in part, without the other Party’s prior written consent or except as expressly permitted in this Agreement.

10.6 Entire Agreement

This Agreement, and any document referred to in it, contains the whole Agreement between the Parties relating to its subject matter and supersedes any prior Agreements, representations or understandings between them unless expressly referred to in this Agreement. Each Party acknowledges that it has not relied on, and will have no remedy in respect of, any representation (whether innocent or negligent) made but not covered in this Agreement. Nothing in this clause limits or excludes any liability for fraud or fraudulent misrepresentation.

10.7 Variation

No amendment or variation of this Agreement will be valid unless agreed in writing by an authorised signatory of each Party.

10.8 Severability

If any clause in this Agreement (or part of a clause) is or becomes illegal, invalid or unenforceable under applicable law, but would be legal, valid and enforceable if the clause or some part of it was deleted or modified (or the duration of the relevant clause reduced), the relevant clause (or part of it) will apply with such deletion or modification as may be required to make it legal, valid and enforceable, and the Parties will promptly and in good faith seek to negotiate a replacement provision consistent with the original intent of this Agreement as soon as possible.

10.9 Waiver

No delay, act or omission by either Party in exercising any right or remedy will be deemed a waiver of that, or any other, right or remedy.

10.10 Notices

Notices under this Agreement must be in writing and sent to the other Party’s address, as set out above in the Contract Details. Letters sent in the United Kingdom will be deemed delivered 3 business days (excluding English Bank Holidays), after sending. Emails will be deemed delivered the same day (or the next business day, if sent on a non-business day or after 5pm on any business day at the recipient’s location).

10.11 Governing law and jurisdiction

This Agreement is governed by the law of England and Wales. All disputes under this Agreement will be subject to the exclusive jurisdiction of the courts of England and Wales.


Get your free copy today


Get your free copy today

Select your platform:


Get your free copy today


Start your 30-day free trial today


Start your 30-day free trial today