Data Processing Agreement

Effective Date: 01/03/2025

Last Updated: 01/03/2025

This Data Processing Agreement ("DPA") forms part of the Terms and Conditions ("Agreement") between Geeky Code Ltd ("Processor", "we", "us", or "our") and the customer ("Controller", "you", or "your") and governs the processing of personal data in connection with the services we provide.

This DPA is entered into in accordance with the UK General Data Protection Regulation (UK GDPR), the EU General Data Protection Regulation (EU GDPR), and the Data Protection Act 2018.

In plain English — who does what?

There are two parties in this agreement:

  • You (the "Controller") — you decide what personal data is collected and why. You are responsible for having a legal basis to collect that data (e.g. consent or a contract), making sure the data you give us is accurate, and telling your own users how their data is handled.
  • Geeky Code Ltd (the "Processor") — we handle personal data on your behalf to provide our services. We are responsible for keeping that data secure, only processing it as you instruct us, notifying you within 48 hours if there is a data breach, and deleting or returning your data when the contract ends.

We also use a small number of sub-processors (Hetzner, AWS, and Stripe) to host infrastructure and process payments. We make sure they meet the same data-protection standards we do.

This summary is provided for convenience only. The full legal terms below take precedence in all cases.

1. Definitions

1.1 Personal Data – Any information relating to an identified or identifiable natural person, as defined under the UK GDPR and EU GDPR.

1.2 Processing – Any operation performed on personal data, including collection, storage, use, disclosure, and deletion.

1.3 Controller – The customer who determines the purposes and means of processing personal data.

1.4 Processor – Geeky Code Ltd, which processes personal data on behalf of the Controller.

1.5 Sub-processor – A third party engaged by the Processor to process personal data on behalf of the Controller.

2. Scope & Purpose of Processing

2.1 Purpose – We process personal data solely for the purpose of providing and maintaining our SaaS services as described in the Agreement.

2.2 Types of Personal Data – The personal data processed may include, but is not limited to:

  • Names and contact details (email addresses, phone numbers).
  • Account credentials and authentication data.
  • Usage data and service interaction logs.
  • Any other personal data submitted by the Controller through the services.

2.3 Data Subjects – The data subjects may include the Controller's employees, customers, end users, and any other individuals whose data is submitted to our services.

2.4 Duration – Processing shall continue for the duration of the Agreement and for any retention period specified herein or required by law.

3. Obligations of the Processor

3.1 Lawful Processing – We shall process personal data only on documented instructions from the Controller, unless required to do so by applicable law.

3.2 Confidentiality – We shall ensure that all personnel authorised to process personal data are bound by appropriate confidentiality obligations.

3.3 Security Measures – We shall implement appropriate technical and organisational measures to protect personal data, including but not limited to:

  • Encryption of data in transit and at rest.
  • Access controls and authentication mechanisms.
  • Regular security assessments and monitoring.
  • Incident detection and response procedures.

3.4 Data Protection Impact Assessments – We shall provide reasonable assistance to the Controller in conducting data protection impact assessments where required.

3.5 Records of Processing – We shall maintain records of all processing activities carried out on behalf of the Controller, as required by Article 30 of the UK GDPR.

4. Obligations of the Controller

4.1 Lawful Basis – The Controller shall ensure that there is a valid lawful basis for the processing of personal data and that all necessary consents have been obtained.

4.2 Instructions – The Controller shall provide clear and documented instructions regarding the processing of personal data.

4.3 Data Accuracy – The Controller is responsible for ensuring the accuracy and quality of personal data provided to us.

5. Sub-processors

5.1 Authorisation – The Controller provides general authorisation for the Processor to engage sub-processors. We shall inform the Controller of any intended changes to sub-processors, giving the Controller the opportunity to object.

5.2 Current Sub-processors – The following sub-processors are currently engaged:

Sub-processor              Purpose                          Location
Hetzner Online GmbH        Infrastructure and data hosting  Germany (EU)
Amazon Web Services (AWS)  Cloud infrastructure services    EU/UK regions
Stripe                     Payment processing               United States (with EU/UK safeguards)

5.3 Sub-processor Obligations – We shall ensure that all sub-processors are bound by data protection obligations no less protective than those set out in this DPA.

6. Data Storage & International Transfers

6.1 Data Location – Customer data is primarily stored in Hetzner data centres in Germany and/or AWS infrastructure within EU/UK regions.

6.2 International Transfers – Where personal data is transferred outside the UK or EEA, we shall ensure appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) or an adequacy decision.

6.3 Data Residency – We shall not transfer personal data to a jurisdiction outside the UK or EEA without ensuring compliance with applicable data protection laws.

7. Data Subject Rights

7.1 Assistance – We shall assist the Controller in responding to requests from data subjects exercising their rights under the UK GDPR, including:

  • Right of access.
  • Right to rectification.
  • Right to erasure ("right to be forgotten").
  • Right to restriction of processing.
  • Right to data portability.
  • Right to object.

7.2 Response Time – We shall respond to data subject requests forwarded by the Controller without undue delay and within the timeframes required by law.

8. Data Breach Notification

8.1 Notification – In the event of a personal data breach, we shall notify the Controller without undue delay and no later than 48 hours after becoming aware of the breach.

8.2 Breach Details – The notification shall include:

  • The nature of the breach, including the categories and approximate number of data subjects affected.
  • The likely consequences of the breach.
  • The measures taken or proposed to address the breach.
  • Contact details for further information.

8.3 Cooperation – We shall cooperate with the Controller and take reasonable steps to assist in the investigation and mitigation of any data breach.

9. Audits & Compliance

9.1 Audit Rights – The Controller may request reasonable evidence of our compliance with this DPA. We shall make available all information necessary to demonstrate compliance.

9.2 On-site Audits – The Controller may conduct or commission audits, subject to reasonable notice and confidentiality obligations. Such audits shall be limited to once per year unless a data breach has occurred.

10. Data Retention & Deletion

10.1 Retention – We shall retain personal data only for as long as necessary to fulfil the purposes of the Agreement, unless a longer retention period is required by law.

10.2 Deletion on Termination – Upon termination of the Agreement, we shall, at the Controller's choice, delete or return all personal data within 90 days, unless retention is required by applicable law.

10.3 Certification – Upon request, we shall provide written confirmation that personal data has been deleted in accordance with this DPA.

11. Liability

11.1 Liability – Each party's liability under this DPA shall be subject to the limitations and exclusions of liability set out in the Agreement.

11.2 Indemnification – Each party shall indemnify the other against any costs, claims, or damages arising from a breach of this DPA, to the extent caused by the indemnifying party's negligence or non-compliance.

12. Governing Law

12.1 This DPA shall be governed by the laws of England and Wales.

12.2 Any disputes arising under this DPA shall be resolved in accordance with the dispute resolution provisions of the Agreement.

13. Contact

For any questions or requests relating to this DPA, please contact us at:

hello@geekyco.de

Company information:

Geeky Code Ltd
Company Number: 12200751