Overview
This DPA forms part of your service agreement with Mecha Site Ltd and is required where Mecha Site processes personal data on your behalf. By accepting our service terms during onboarding you authorise Mecha Site to process data on your behalf solely for the purposes described below.
Where Mecha Site is the controller of data about your account (name, email, login activity), our Privacy Policy governs that processing instead. This DPA covers only the controller-to-processor flow for your end-user data.
1. Parties
Data Controller: You, the customer organisation that owns and operates the website(s) under management (“Controller”).
Data Processor: Mecha Site Ltd, a company registered in England & Wales, providing website maintenance, management, and related technical services (“Processor”).
2. Definitions
Capitalised terms not defined here have the meanings given in the UK GDPR. “Personal Data”, “Processing”, “Data Subject”, “Sub-processor”, and “Personal Data Breach” have the meanings in UK GDPR Art. 4 and 28.
3. Subject matter, duration, nature, and categories
- Subject matter: processing required to deliver the Mecha Site managed-website service to Controller.
- Duration: for the term of the service agreement, plus the post-termination periods set out in Section 12.
- Nature and purpose: hosting, monitoring, maintenance, content delivery, contact-form processing, and related technical operations on the website(s) Controller engages us to manage.
- Categories of personal data: contact-form submissions, account/CMS user identifiers, IP addresses, browser metadata, and any personal data Controller publishes on the website(s).
- Categories of data subjects: Controller’s website visitors, customers, prospects, and end users; Controller staff with CMS access.
4. Processor obligations
Mecha Site undertakes to:
- Process Controller’s personal data only on documented instructions from Controller, including with regard to international transfers, unless required to do so by UK or applicable EU law.
- Ensure all personnel with access to Controller’s personal data are bound by written confidentiality obligations.
- Implement appropriate technical and organisational security measures (Section 6).
- Engage Sub-processors only as set out in Section 7.
- Assist Controller in fulfilling its obligations to data subjects (Section 10).
- Notify Controller without undue delay of any Personal Data Breach affecting Controller’s data, no later than 24 hours after detection (Section 9).
- At the end of the service relationship, return or delete all personal data per Controller’s election (Section 12).
- Make available all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits (Section 11).
5. Controller obligations
Controller warrants that:
- It has a lawful basis under UK GDPR Art. 6 (and where applicable Art. 9) for the personal data it instructs Mecha Site to process.
- It has obtained any necessary consents from its data subjects for the processing activities described above.
- It has the authority to grant Mecha Site access to its website, hosting environment, and integrated services.
- It will respond to data-subject requests directed to Mecha Site by confirming whether to action or refuse the request (Mecha Site cannot independently determine the validity of a request against Controller’s lawful basis).
6. Security measures
Mecha Site implements the technical and organisational measures described at /legal/security, which is incorporated by reference into this DPA. Material changes will be reflected in updates to that page.
Without limitation, those measures include encryption of all stored credentials at rest, TLS 1.3 in transit, role-based access control with audit logs, mandatory MFA for staff with production access, and per-category retention enforcement with monitoring.
7. Sub-processors
Controller grants Mecha Site general written authorisation to engage Sub-processors to assist in delivering the service, subject to:
- The current list of Sub-processors at /legal/sub-processors, which Controller acknowledges as accepted on entering this DPA.
- 30 days’ prior written notice of the intended addition or replacement of any Sub-processor that processes Controller’s personal data, via the notification mechanisms described on the Sub-processors page.
- Controller’s right to object on reasonable data-protection grounds during the notice period; Mecha Site will work in good faith to find an alternative or, failing that, allow Controller to terminate the relevant service without penalty.
- Mecha Site imposing data-protection obligations on each Sub-processor that are no less onerous than those in this DPA.
- Mecha Site remaining fully liable to Controller for the performance of any Sub-processor.
8. International transfers
Where Mecha Site or a Sub-processor transfers Controller’s personal data outside the United Kingdom, Mecha Site will rely on one of: a UK adequacy decision, the UK Extension to the EU-US Data Privacy Framework (where the recipient is so certified), the UK IDTA, or the UK Addendum to the EU SCCs.
For each cross-border transfer, Mecha Site maintains a Transfer Risk Assessment evaluating destination-country protection against the “not materially lower” standard under DUAA 2025. Assessments are reviewed annually and on any material change.
9. Personal data breach notification
Mecha Site will notify Controller without undue delay (and in any event within 24 hours of becoming aware) of any Personal Data Breach affecting Controller’s personal data. The notification will include all information reasonably required for Controller to fulfil its own obligations under UK GDPR Articles 33 and 34, including:
- The nature of the breach and approximate scope.
- Likely consequences for affected data subjects.
- Measures taken or proposed to mitigate.
- Contact point for additional information.
Mecha Site’s public commitments on detection and timing are at /legal/breach-notification.
10. Assistance with data-subject rights
Mecha Site will, taking into account the nature of the processing, provide reasonable assistance to Controller in fulfilling Controller’s obligation to respond to requests from data subjects exercising their UK GDPR rights, including by:
- Providing data exports in machine-readable form within 14 days of Controller’s request.
- Executing erasure within 14 days of Controller’s confirmed instruction (subject to legal-obligation retention exceptions).
- Restricting processing during dispute investigation on Controller’s instruction.
- Providing data-protection impact assessment input on request.
11. Audits
Mecha Site will make available all information necessary to demonstrate compliance with this DPA. Controller may audit Mecha Site’s compliance once per twelve-month period (and additionally following a Personal Data Breach affecting Controller’s data).
Audits may be satisfied by:
- A current SOC 2 Type II report (anticipated Q2 2027) plus supplementary written responses to specific Controller questions.
- A documentation review and Q&A session conducted remotely.
- On-site audit at Mecha Site’s premises with reasonable advance notice and Controller bearing reasonable costs of audit.
12. Return or deletion at end of service
On termination of the service relationship, at Controller’s election (made in writing within 30 days of termination), Mecha Site will:
- Return all Controller personal data in machine-readable form, OR
- Delete all Controller personal data,
subject to retention required by law (e.g., HMRC invoice records, 7 years) and the audit-log retention set out in our retention schedule. Any such retained data is pseudonymised and segregated from active processing systems.
13. Liability
Each party’s liability under this DPA is subject to the exclusions and limitations set out in the master service agreement between the parties.
14. Governing law
This DPA is governed by the laws of England and Wales. The parties submit to the exclusive jurisdiction of the courts of England and Wales for any dispute arising out of or in connection with this DPA.
15. Execution
This DPA is incorporated into the master service agreement on Controller’s acceptance of our terms during onboarding. Controllers requiring a separately-executed paper DPA can request one by emailing legal@mechasite.com; we will provide a counterpart DOCX or PDF for signature.