Data Processing Agreement
Version 2.2 · Last updated: 3 May 2026
This Data Processing Agreement ("DPA") forms part of the agreement between BuiltByGo Ltd (the "Processor", "we", "us", "our") and the client entity that signs the principal agreement (the "Controller", "you", "your") where we process personal data on your behalf in connection with our services.
This DPA reflects the requirements of the UK General Data Protection Regulation ("UK GDPR") and the Data Protection Act 2018 (the "DPA 2018"). It is intended to satisfy the Processor's obligations under Article 28 of the UK GDPR.
In the event of any inconsistency between this DPA and the principal agreement, this DPA prevails with respect to the processing of personal data. In all other respects, the principal agreement prevails.
This DPA is drafted in English. Where translated, the English version prevails in any dispute.
1. Definitions
1.1 Unless otherwise defined, capitalised terms have the meanings given in the UK GDPR and the DPA 2018. In this DPA:
"Data Protection Laws" means the UK GDPR, the DPA 2018, and any other applicable data protection or privacy legislation in the United Kingdom, together with the EU GDPR (Regulation (EU) 2016/679) where applicable to processing carried out under this DPA. Where the Controller is established in or directs services to other jurisdictions, "Data Protection Laws" includes the applicable data protection laws of those jurisdictions (including, where relevant, the Brazilian Lei Geral de Proteção de Dados (LGPD) and the Mexican Ley Federal de Protección de Datos Personales en Posesión de los Particulares (LFPDPPP)).
"ICO" means the United Kingdom's Information Commissioner's Office.
"International Transfer Mechanism" means the UK International Data Transfer Agreement (IDTA), the International Data Transfer Addendum to the EU Standard Contractual Clauses, the EU Standard Contractual Clauses, or any other safeguard recognised under Article 46 of the UK GDPR or Article 46 of the EU GDPR.
"Principal Agreement" means the contract between the Controller and the Processor for the provision of services, including any Master Services Agreement and Statements of Work executed under it.
"Security Measures" means the technical and organisational security measures set out in Schedule 1.
"Sub-processor" means any third party engaged by the Processor to process personal data on behalf of the Controller in connection with the services.
"Transfer Risk Assessment" or "TRA" means the risk assessment required by the ICO's guidance for international transfers (and, where applicable, the equivalent EU Transfer Impact Assessment ("TIA")).
2. Roles and scope
2.1 The parties acknowledge and agree that:
(a) the Controller is the data controller; and
(b) the Processor is a data processor for the purposes of the Data Protection Laws in respect of the processing activities described in this DPA.
2.2 The subject matter, nature, purpose, and duration of the processing, the types of personal data processed, and the categories of data subjects are set out in Schedule 2.
2.3 This DPA applies from the commencement date of the Principal Agreement and continues until termination or expiry of the Principal Agreement, after which the Processor shall delete or return all personal data in accordance with Section 10.
2.4 The Processor does not knowingly process personal data of children under 13 years of age (or the higher age of consent applicable in the relevant jurisdiction). The Controller warrants that it shall not provide personal data of such children for processing without prior written agreement and the implementation of additional safeguards.
3. Processor obligations
3.1 The Processor shall process personal data only on the documented instructions of the Controller, including with regard to transfers of personal data to a third country or an international organisation, unless required to do so by applicable law to which the Processor is subject. In such a case, the Processor shall inform the Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.
3.2 The Processor shall ensure that persons authorised to process personal data are subject to a binding duty of confidentiality (whether by contract, statute, or professional obligation).
3.3 The Processor shall implement and maintain the Security Measures set out in Schedule 1.
3.4 The Processor shall not engage any new Sub-processor without the Controller's prior authorisation, which may be specific or general as set out in Section 5.
3.5 The Processor shall, taking into account the nature of the processing, assist the Controller by appropriate technical and organisational measures, insofar as possible, to fulfil the Controller's obligation to respond to requests for exercising data subject rights under Chapter III of the UK GDPR (and equivalent provisions of other applicable Data Protection Laws).
3.6 The Processor shall assist the Controller in ensuring compliance with Articles 32 to 36 of the UK GDPR (security of processing, data protection impact assessments, and prior consultation with the supervisory authority), taking into account the nature of processing and the information available to the Processor.
3.7 At the Controller's election, the Processor shall delete or return all personal data processed on behalf of the Controller after the end of the provision of services, and shall delete existing copies unless retention is required by applicable law. The Processor may retain anonymised, aggregated data for analytical purposes, provided that such data is anonymised to the standard set out in the ICO's Anonymisation, Pseudonymisation and Privacy Enhancing Technologies guidance and cannot reasonably be used to re-identify any data subject.
3.8 The Processor shall make available to the Controller all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits and inspections conducted by the Controller or an independent auditor mandated by the Controller, subject to Section 11.
4. Controller obligations
4.1 The Controller warrants that it has a lawful basis for the processing of personal data under the Data Protection Laws and that the processing instructions it provides to the Processor comply with those laws.
4.2 The Controller shall ensure that its disclosure of personal data to the Processor is lawful, accurate, and limited to what is necessary for the purposes of the services.
4.3 Where the Controller becomes aware of a personal data breach affecting personal data processed by the Processor on the Controller's behalf — including breaches originating in the Controller's own systems that may affect data shared with or held by the Processor — the Controller shall notify the Processor without undue delay so that the Processor can take appropriate action to assess and limit the impact.
5. Sub-processors
5.1 General authorisation. The Controller provides general written authorisation for the Processor to engage the Sub-processors listed in Schedule 3. The current register is also published at builtbygo.com/subprocessors; the canonical contractual list is the version set out in Schedule 3 at the time of execution, as updated in accordance with Section 5.2.
5.2 Changes to Sub-processors. The Processor shall notify the Controller of any intended changes concerning the addition or replacement of Sub-processors at least 30 days in advance, providing sufficient information to enable the Controller to assess the change. Where the Controller objects on reasonable grounds within 14 days of notification, the parties shall discuss alternative arrangements in good faith. Where no reasonable alternative is available, the Controller may terminate the affected services on written notice without liability.
5.3 Equivalent obligations. Where the Processor engages a Sub-processor for carrying out specific processing activities on behalf of the Controller, the Processor shall impose on that Sub-processor, by way of a written contract, data protection obligations equivalent to those imposed on the Processor under this DPA, in particular providing sufficient guarantees to implement appropriate technical and organisational measures.
5.4 Liability for Sub-processors. Where a Sub-processor fails to fulfil its data protection obligations, the Processor remains fully liable to the Controller for the performance of that Sub-processor's obligations.
6. International transfers
6.1 Where the Processor transfers personal data out of the United Kingdom, or where personal data subject to the EU GDPR is transferred to a country outside the European Economic Area, the Processor shall ensure that an appropriate International Transfer Mechanism is in place, including:
- the UK International Data Transfer Agreement (IDTA) or the International Data Transfer Addendum to the EU Standard Contractual Clauses for transfers from the UK;
- the EU Standard Contractual Clauses (controller-to-processor or processor-to-processor as applicable) for transfers from the EEA;
- a Transfer Risk Assessment (TRA) — or, where the EU GDPR applies, a Transfer Impact Assessment (TIA) — documenting the assessment of the legal framework and enforceability of data subject rights in the destination country; and
- supplementary measures (technical, contractual, or organisational) where the TRA or TIA identifies gaps in protection.
6.2 The current processing locations and applicable transfer mechanisms for each Sub-processor are set out in Schedule 3.
6.3 By executing the Principal Agreement and this DPA, the parties agree that the relevant International Transfer Mechanism is incorporated into this DPA by reference, with the parties' details and the description of the transfer drawn from this DPA and its Schedules.
7. Personal data breach notification
7.1 In the event of a personal data breach involving personal data processed by the Processor on behalf of the Controller, the Processor shall:
- notify the Controller without undue delay and in any event within 72 hours of becoming aware of the breach;
- provide the following information to the extent known or reasonably ascertainable at the time of notification: (i) the nature of the breach (including, where possible, the categories and approximate number of data subjects and personal data records concerned); (ii) the likely consequences of the breach; (iii) the measures taken or proposed to address the breach and mitigate its possible adverse effects; (iv) the name and contact details of the Processor's contact point from whom further information can be obtained;
- cooperate fully with the Controller and any applicable supervisory authority during the investigation and remediation; and
- provide updates to the Controller as further information becomes available.
7.2 The Processor shall document all personal data breaches, including the facts surrounding the breach, its effects, and the remedial action taken, and shall make that documentation available to the Controller on request.
7.3 The Processor's notification obligations under this Section 7 do not apply to incidents that are unlikely to result in a risk to the rights and freedoms of natural persons. The Processor shall make that determination in good faith, document it, and make the documentation available for the Controller's review on request.
8. Data subject rights
8.1 The Processor shall, to the extent technically feasible and taking into account the nature of the processing, assist the Controller in responding to data subject requests under Chapter III of the UK GDPR (and equivalent provisions of other applicable Data Protection Laws), including requests for access, rectification, erasure, restriction, data portability, and objection.
8.2 If a data subject makes a request directly to the Processor relating to personal data processed on behalf of the Controller, the Processor shall forward the request to the Controller within 5 working days and shall not respond to the data subject without the Controller's prior authorisation.
8.3 Cost of assistance. Routine assistance with data subject rights requests is included at no additional cost, up to 4 hours of Processor time per calendar quarter per Controller. Where assistance reasonably requires more than 4 hours of Processor time in a calendar quarter, the Processor may charge at its standard then-current rates with prior written notice to the Controller and an estimate of the time required. No charge applies where the request arises from a breach of this DPA by the Processor.
9. Security measures
9.1 The Processor shall implement and maintain the Security Measures described in Schedule 1. The Processor may update the Security Measures from time to time provided that such updates do not materially reduce the overall security of the processing.
9.2 The Processor shall ensure that its personnel have received appropriate data protection training and are subject to contractual confidentiality obligations.
9.3 The Processor's information security framework alignment, certifications, and roadmap are set out in Schedule 1.
10. Data retention and deletion
10.1 Upon termination or expiry of the Principal Agreement, the Processor shall, at the Controller's election:
(a) return all personal data processed on behalf of the Controller in a structured, commonly used, and machine-readable format; or
(b) delete all personal data processed on behalf of the Controller and certify deletion in writing, within 90 days of termination, unless retention is required by applicable law.
10.2 The Processor may retain anonymised, aggregated data derived from the personal data for analytical and business purposes, provided that such data is anonymised in accordance with Section 3.7 and cannot reasonably be used to re-identify any data subject.
10.3 Where retention is required by applicable law, the Processor shall continue to protect the personal data in accordance with this DPA for the duration of the retention period and shall delete or return the data at the end of that period.
11. Audit rights
11.1 Subject to Sections 11.2 and 11.3, the Controller may audit the Processor's compliance with this DPA by:
- reviewing the Processor's then-current SOC 2, ISO 27001, Cyber Essentials Plus, or equivalent certification reports (if held);
- requesting the Processor to complete a security questionnaire in a standard format mutually agreed by the parties (such as CAIQ, SIG, or the Controller's standard form), with reasonable response timelines; or
- appointing an independent third-party auditor (subject to the Processor's reasonable approval, not to be unreasonably withheld) to conduct an on-site or remote audit, on no more than an annual basis (save where a material data breach or material breach of this DPA has occurred) and on at least 30 days' written notice.
11.2 The Controller shall: (a) provide at least 30 days' written notice of any audit (save in the case of a material breach, where shorter notice may be reasonable); (b) ensure that the audit is conducted during normal business hours; (c) take all reasonable measures to minimise disruption to the Processor's operations; and (d) ensure that any third-party auditor is bound by confidentiality obligations equivalent to those in the Principal Agreement.
11.3 Costs. The Controller bears its own costs and the Processor's reasonable costs in connection with audits under Section 11.1(c). The Processor bears its own costs in respect of Sections 11.1(a) and 11.1(b). If an audit identifies a material non-compliance by the Processor, the Processor bears its own costs and shall remedy the non-compliance within a reasonable timeframe at its own cost.
11.4 All audit findings are Confidential Information of the Processor and subject to the confidentiality provisions of the Principal Agreement.
12. Liability
12.1 Each party's liability under or in connection with this DPA is subject to and forms part of the limitation of liability provisions in the Principal Agreement. This DPA does not impose additional liability on either party beyond that set out in the Principal Agreement, and any cap, carve-out, or excluded loss in the Principal Agreement applies equally to liability arising under this DPA.
12.2 Nothing in this DPA limits or excludes either party's liability for: (a) death or personal injury caused by negligence; (b) fraud or fraudulent misrepresentation; or (c) any matter for which it would be unlawful to limit or exclude liability under applicable law.
13. Force Majeure
13.1 Performance of obligations under this DPA is suspended during a Force Majeure Event as defined in the Principal Agreement, save that the Processor's core data protection obligations (including confidentiality, breach notification, and the prohibition on unauthorised processing) continue to apply to the extent reasonably possible.
14. Governing law and jurisdiction
14.1 This DPA is governed by the laws of England and Wales.
14.2 Any disputes arising out of or in connection with this DPA are subject to the exclusive jurisdiction of the courts of England and Wales, except that either party may seek injunctive or other equitable relief in any court of competent jurisdiction. Where the Principal Agreement provides for multi-tiered dispute resolution, that procedure also applies to disputes under this DPA.
15. Contact
All notifications and communications under this DPA shall be sent to:
BuiltByGo Ltd
Privacy contact: privacy@builtbygo.com (general queries: hello@builtbygo.com)
Company No. 11121829 · ICO Registration: ZA564668
The Mill House Court Farm, Church Lane, Norton, Worcester, WR5 2PS, United Kingdom
Schedule 1: Security Measures
1. Information security framework
The Processor's operational security controls are aligned with the ISO/IEC 27001 control families and the NIST Cybersecurity Framework. Cyber Essentials Plus accreditation is in active pursuit through 2026; ISO/IEC 27001 certification is on the 2026–2027 roadmap.
2. Organisational measures
| Measure | Detail |
|---|---|
| Information security policy | Written policy reviewed at least annually; covers access control, incident response, data protection, business continuity, and acceptable use |
| Staff training | Annual data protection and security awareness training for all personnel; additional role-specific training for engineering and support staff |
| Confidentiality | All personnel are bound by contractual confidentiality obligations covering both personal data and Controller Confidential Information |
| Insurance | Professional Indemnity (£2,000,000), Cyber Liability (£1,000,000), Public Liability (£2,000,000), and Employer's Liability (£10,000,000) insurance maintained throughout the term |
| Vendor due diligence | All Sub-processors assessed for data protection and security posture before engagement; ongoing monitoring of Sub-processor compliance |
| Penetration testing | Periodic third-party penetration testing of infrastructure and applications, with annual cadence targeted by Q4 2026 |
| Restore validation | Annual restore drills across the managed estate to validate backup integrity and rebuild procedures; per-engagement quarterly drills available on request as part of priority support |
| AI tooling governance | Internal policy prohibits production personal data being passed to AI APIs without prior anonymisation; AI-assisted internal tools are listed as conditional Sub-processors |
3. Technical measures
| Measure | Detail |
|---|---|
| Encryption in transit | TLS 1.3 for all personal data transmitted over public networks |
| Encryption at rest | AES-256 encryption for personal data at rest where the Processor controls the storage layer; provider-native equivalent encryption (AES-256 or stronger) where storage is managed by Sub-processors |
| Access control | Least-privilege principle; role-based access control for all systems handling personal data |
| Authentication | Two-factor authentication (2FA / MFA) required for all infrastructure and administrative access |
| Logging and monitoring | Access logs maintained and reviewed regularly; automated alerts on anomalous activity; centralised security monitoring |
| Vulnerability management | Regular patching schedule; automated dependency scanning for managed projects; security update management aligned to Cyber Essentials Plus baseline |
| Backup and recovery | Continuous content versioning (Sanity); daily automated database backups (Supabase Pro tier, 7-day retention); additional encrypted database snapshot exports to Cloudflare R2 (AES-256, 30-day rolling retention); Git mirroring with branch protection |
| Endpoint protection | Device encryption (FileVault on macOS), endpoint detection, and OS update management on all company-managed devices |
| Physical security | All infrastructure is hosted in ISO 27001-certified data centres operated by Sub-processors listed in Schedule 3 |
| Network security | Cloudflare WAF, DDoS protection, bot management, and edge security controls |
| Incident response | Documented incident response plan covering identification, containment, eradication, recovery, and post-incident review |
4. Recovery objectives
The Processor's Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO) for personal data are set out in the Master Services Agreement (Backup, Disaster Recovery, and Continuity clause) and incorporated by reference.
Schedule 2: Processing details
| Element | Description |
|---|---|
| Subject matter of processing | Provision of website development, application development, hosting, maintenance, support, and related services as described in the Principal Agreement |
| Duration of processing | The term of the Principal Agreement, plus up to 90 days post-termination for data return or deletion |
| Purpose of processing | Delivering the services described in the Principal Agreement, including system operation, maintenance, support, improvement, and security |
| Nature of processing | Collection, recording, storage, retrieval, organisation, structuring, adaptation, alteration, consultation, use, disclosure by transmission, dissemination, alignment, restriction, erasure, and destruction of personal data |
| Categories of data subjects | End users of Controller systems, customers of the Controller, employees and contractors of the Controller, and other individuals whose personal data is contained within the Controller's systems or applications operated or supported by the Processor |
| Types of personal data | Identity data (names, job titles); contact data (email addresses, phone numbers, postal addresses); account credentials (usernames, hashed passwords); transaction and order data; user-generated content (form submissions, comments, uploaded files); technical data (IP addresses, browser and device information, session data); communication records; and any other personal data the Controller submits or causes to be submitted to the services |
| Special category data | None knowingly processed by the Processor. The Controller warrants it shall not provide special category personal data (as defined in Article 9 of the UK GDPR) for processing unless expressly agreed in writing in advance and subject to additional safeguards |
| Children's data | Not knowingly processed (see Section 2.4) |
| Data residency | UK region by default. Alternative regions may be selected per engagement based on data subject geography and regulatory requirements; selection is documented in the relevant Statement of Work |
Schedule 3: Sub-processors
This Schedule sets out the Sub-processor register as at the date of this DPA. A published copy is also maintained at builtbygo.com/subprocessors; the version below is the contractual list as at execution.
Active Sub-processors
| Sub-processor | Service | Data processed | Region | Transfer mechanism |
|---|---|---|---|---|
| Cloudflare, Inc. | CDN, DNS, edge security, Pages hosting, R2 backups | Anonymous request data, encrypted backups | Global edge / EU + US data centres | UK IDTA / EU SCCs (DPA in place) |
| Railway Corp. | Container hosting (search, application services) | Search queries, API payloads, application logs | US (default); EU available | UK IDTA / EU SCCs |
| Supabase, Inc. | PostgreSQL database, authentication | User data, submission data, business data | UK / EU / Latam / US (per engagement) | UK IDTA / EU SCCs where applicable |
| Sanity.io | Headless content management | Content drafts, media assets, editor metadata | EU (Frankfurt) | Within EEA — no transfer mechanism required for EU data |
| Resend (Resend Inc.) | Transactional email | Sender name, email address, message body | EU region | Within EEA |
| PostHog Inc. | Product analytics | Page views, events, anonymised IP, device info | EU (Frankfurt) | Within EEA |
| Functional Software, Inc. (Sentry) | Error monitoring | Stack traces, browser/OS info, URL at error | EU region | Within EEA |
| Better Stack (Better Uptime) | Uptime monitoring | HTTP status, response times, SSL certificate metadata; no user data | EU | Within EEA |
| DeepL SE | Translation via DeepL API (when enabled per engagement) | Text strings (configured under DeepL API no-training data-handling commitment) | EU (Germany) | Within EEA |
Conditional Sub-processors (AI-assisted internal tooling)
The following AI tools are listed as conditional Sub-processors. They are governed by the Processor's internal AI usage policy, which prohibits production personal data being passed to these APIs without prior anonymisation.
| Sub-processor | Service | Data processed | Region | Transfer mechanism |
|---|---|---|---|---|
| Anthropic PBC (Claude) | AI-assisted internal tooling via MCP and equivalent integrations under Commercial Terms | Anonymised data only, per Processor policy | US | Anthropic DPA with Standard Contractual Clauses, available at anthropic.com/legal/data-processing-addendum |
| DeepSeek | AI-assisted internal tooling | Anonymised data only, per Processor policy | International | Subject to Processor anonymisation policy |
Excluded — not Sub-processors
The following are used by the Processor but do not process personal data on behalf of the Controller (and are therefore not Sub-processors under this DPA):
| Provider | Reason for exclusion |
|---|---|
| GitHub, Inc. | Source code repositories only; no production personal data stored under standard policy |
| Cloudflare Pages CI | Build pipeline only; no production personal data in build artefacts under standard policy |
Changes to Sub-processors
Any addition, replacement, or removal of Sub-processors is notified in accordance with Section 5.2.
Document history
| Version | Date | Changes |
|---|---|---|
| 1.0 | May 2026 | Initial Article 28-compliant DPA with Schedules 1–3 |
| 2.0 | May 2026 | Comprehensive revision: harmonised with Master Services Agreement; expanded Sub-processor register from 2 to 11 active + 2 conditional; aligned breach notification to 72 hours; clarified general authorisation for Sub-processors; added Transfer Risk Assessment terminology; added children's data and special category data exclusions; cost-capped DSAR assistance; liability cap deferred to Principal Agreement; added Force Majeure cross-reference; added privacy contact; added governing language clause; updated Security Measures table for accuracy and added insurance limits, AI tooling governance, and pen testing roadmap |
| 2.1 | 3 May 2026 | Schedule 3 sub-processor regional corrections: Sentry confirmed EU-region deployment (within EEA, no transfer mechanism required); Resend confirmed EU-region deployment; DeepL clarified as DeepL API tier with the API's no-training data-handling commitment (rather than DeepL Pro tier) |
| 2.2 | 3 May 2026 | Anthropic DPA referenced explicitly by URL (anthropic.com/legal/data-processing-addendum) in Schedule 3 conditional Sub-processors table; Commercial Terms basis clarified |