Data Processing Addendum (DPA)
Last updated: 30/06/2025
This Data Processing Addendum (“DPA”) forms part of the service agreement (“Agreement”) between JFDI Consulting Ltd, a company registered in the UK with its principal place of business at 167-169 Great Portland Street, 5th Floor, London, England, W1W 5PF (“Processor”) and the Client (“Controller”).
This DPA is entered into in compliance with applicable Data Protection Laws, including the UK General Data Protection Regulation (UK GDPR) and the EU GDPR where applicable.
- Definitions
- Controller: The natural or legal person who determines the purposes and means of processing Personal Data.
- Processor: The party that processes Personal Data on behalf of the Controller.
- Data Protection Laws: All laws and regulations applicable to the processing of Personal Data, including the UK GDPR and EU GDPR.
- Personal Data: Any information relating to an identified or identifiable individual.
- Sub-Processor: Any third party engaged by the Processor to process Personal Data on behalf of the Controller.
- Subject Matter and Duration
This DPA governs the Processor’s processing of Personal Data on behalf of the Controller as necessary to provide the services outlined in the Agreement. The DPA shall remain in effect for the duration of the Agreement.
- Nature and Purpose of Processing
JFDI Consulting Ltd may process Personal Data to deliver services including but not limited to:
- Digital transformation and systems integration
- Automation and workflow design
- Development and configuration of software platforms
- Hosting and support services
Processing is performed only as necessary to fulfil service obligations or as instructed by the Controller.
- Categories of Data Subjects and Data Types
| Data Subjects | Personal Data Categories |
| Client staff, users | Names, emails, job titles, login data |
| End-users or clients | Metadata, usage logs, form submissions |
| System users | IP addresses, technical identifiers |
No special category data (e.g. health, biometric) is intended to be processed unless specifically agreed.
- Processor Obligations
JFDI Consulting Ltd agrees to:
- Process Personal Data only on written instructions from the Controller
- Ensure staff are bound by confidentiality
- Implement appropriate technical and organisational measures to protect Personal Data
- Assist the Controller in meeting obligations related to data subjects’ rights, breach notifications, and data protection impact assessments
- Delete or return Personal Data at the end of the engagement upon request
- Sub-Processors
The Controller authorises the use of the following sub-processors, subject to appropriate data protection safeguards:
| Sub-Processor | Purpose | Location |
| Google LLC | Cloud storage, analytics, reCAPTCHA | EEA/US (SCCs) |
| Live Chat Tool (e.g., Tawk.to or equivalent) | Customer support | EEA/US (SCCs) |
| Hosting Provider (e.g., SiteGround, WP Engine) | Site hosting | UK/EU |
Controller will be notified of any intended additions or replacements at least 10 business days in advance.
- Data Subject Rights
Processor shall promptly notify the Controller if it receives a request from a data subject and will not respond directly unless authorised. The Processor shall assist the Controller in responding to such requests.
- International Transfers
If any processing takes place outside the UK or EEA, JFDI Consulting ensures that:
- The transfer is covered by Standard Contractual Clauses (SCCs) or
- Another adequate safeguard under Data Protection Law is in place
- Security Measures
Processor will maintain appropriate safeguards including, but not limited to:
- Encryption of data in transit (HTTPS, TLS)
- Access controls and authentication
- Regular software updates and WordPress security practices
- Backups and disaster recovery protocols
- Audit Rights
Upon reasonable notice, the Controller may audit JFDI Consulting Ltd’s data processing operations to verify compliance. Processor agrees to cooperate with such audits and provide relevant documentation.
- Breach Notification
Processor will notify the Controller without undue delay upon becoming aware of a Personal Data breach. The notice will include:
- Nature and scope of the breach
- Affected data types and data subjects
- Measures taken or proposed to address the breach
- Termination
Upon termination of services, JFDI Consulting Ltd shall:
- Return all Personal Data to the Controller; or
- Delete all Personal Data unless retention is required by law
- Governing Law
This DPA is governed by and construed in accordance with the laws of England and Wales.
- Contact
JFDI Consulting Ltd
Email: [email protected]
Website: https://jfdi.info
Signed by the parties as an addendum to the main Service Agreement.