LEGAL TEMPLATE

Data Processing Agreement

UK GDPR Article 28 compliant · Version 1.0 · Cognition Systems Architecture

How to use this template: Fields highlighted in green must be completed before sending to the client. Use Print / Save PDF to generate a clean document for signing. Retain a countersigned copy for each engagement.

PARTIES TO THIS AGREEMENT

DATA CONTROLLER ("the Client")

Company name: [Client company name]
Registered number: [Company number]
Registered address: [Address]
Data protection contact: [Name / email]

DATA PROCESSOR ("Cognition Systems Architecture")

Trading name: Cognition Systems Architecture
Engagement reference: [SOW / project reference]
Agreement date: [Date]

Background

The parties have entered into a Statement of Work or engagement agreement ("the Principal Agreement") under which Cognition Systems Architecture ("the Processor") provides financial systems architecture and related services to the Client ("the Controller"). In the course of performing those services, the Processor will process personal data on behalf of the Controller. This Data Processing Agreement ("DPA") sets out the terms on which such processing will take place, as required by Article 28 of the UK General Data Protection Regulation ("UK GDPR") and the Data Protection Act 2018 ("DPA 2018").

This DPA forms part of the Principal Agreement and is subject to its terms except where this DPA expressly overrides them in respect of data protection matters.

1. Definitions

In this DPA, the following terms have the meanings given in UK GDPR unless the context requires otherwise: "personal data", "special categories of personal data", "processing", "data subject", "controller", "processor", "sub-processor", "personal data breach", "supervisory authority". "ICO" means the UK Information Commissioner's Office. All other capitalised terms have the meanings given in the Principal Agreement.

2. Scope, nature and purpose of processing

The Processor shall process personal data on behalf of the Controller solely for the purposes set out in Schedule 1 to this DPA, and only to the extent necessary to perform the services under the Principal Agreement.

The Processor shall not process personal data for any purpose other than as documented in Schedule 1 or as subsequently instructed in writing by the Controller, save where processing is required by applicable UK law, in which case the Processor shall notify the Controller of that legal requirement before processing (unless prohibited by law).

3. Processor obligations

3.1 Instructions

The Processor shall process personal data only on documented instructions from the Controller. The Principal Agreement and this DPA constitute the Controller's initial documented instructions. Where the Processor considers that an instruction infringes UK GDPR or other applicable data protection law, it shall promptly notify the Controller.

3.2 Confidentiality

The Processor shall ensure that all personnel authorised to process personal data under this DPA are subject to a binding confidentiality obligation (whether by contract or statutory duty) and are informed of the confidential nature of the personal data. The Processor shall ensure that access to personal data is limited to those personnel who need access to perform the services.

3.3 Security

The Processor shall implement and maintain appropriate technical and organisational security measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access, having regard to: (a) the state of the art; (b) the costs of implementation; (c) the nature, scope, context and purposes of processing; and (d) the risk to the rights and freedoms of data subjects. The measures in place are set out in Schedule 3 to this DPA.

3.4 Sub-processors

The Processor shall not engage any sub-processor to carry out processing activities on the Controller's behalf without the Controller's prior specific or general written consent. Where the Controller provides general written consent, the Processor shall notify the Controller of any intended changes to its sub-processor arrangements (additions or replacements) with reasonable advance notice, giving the Controller the opportunity to object. The Controller's consent to sub-processors engaged at the date of this DPA is recorded in Schedule 2.

Where the Processor engages a sub-processor, it shall impose on that sub-processor data protection obligations equivalent to those in this DPA by way of a written contract. The Processor shall remain fully liable to the Controller for the performance of sub-processors' obligations.

3.5 Data subject rights

Taking into account the nature of the processing, the Processor shall assist the Controller by appropriate technical and organisational measures, insofar as reasonably possible, to fulfil the Controller's obligations to respond to data subject requests under UK GDPR (including rights of access, rectification, erasure, restriction, portability, objection, and rights related to automated decision-making). The Processor shall promptly forward to the Controller any data subject request it receives that relates to data processed under this DPA.

3.6 Compliance assistance

The Processor shall, at the Controller's request and cost, assist the Controller in ensuring compliance with its obligations under Articles 32–36 UK GDPR, including in relation to: security of processing; notification and communication of personal data breaches; data protection impact assessments; and prior consultation with the ICO.

3.7 Personal data breach notification

The Processor shall notify the Controller without undue delay, and in any event within 36 hours of becoming aware, of any personal data breach affecting personal data processed under this DPA. Notification shall include, to the extent available at the time: (a) a description of the nature of the breach, including categories and approximate number of data subjects and records affected; (b) the contact details of the Processor's data protection contact; (c) the likely consequences of the breach; and (d) the measures taken or proposed to address the breach. The Processor shall document all personal data breaches and make that documentation available to the Controller on request.

3.8 Deletion or return of data

On termination of the Principal Agreement, or on the Controller's earlier written request, the Processor shall (at the Controller's election): (a) delete all personal data processed under this DPA and confirm deletion in writing; or (b) return all personal data to the Controller in a commonly used, machine-readable format and thereafter delete all copies. The Processor may retain personal data where required to do so by applicable UK law, but only for as long as required and subject to the same security obligations in this DPA.

3.9 Audit and records

The Processor shall: (a) make available to the Controller all information reasonably necessary to demonstrate compliance with the obligations in this DPA; and (b) permit and contribute to audits and inspections conducted by the Controller or a mandated auditor, subject to reasonable advance notice (not less than 30 days except in the event of a suspected breach) and agreement on scope and confidentiality. The Processor shall maintain records of all processing activities carried out on behalf of the Controller as required by Article 30(2) UK GDPR and make those records available to the ICO on request.

4. Controller obligations

The Controller warrants and represents that: (a) it has a valid lawful basis for all processing instructions given to the Processor under this DPA; (b) all personal data provided to the Processor has been collected lawfully and the data subjects have been given the information required under Articles 13–14 UK GDPR; and (c) it has authority to enter into this DPA on behalf of the Controller entity identified above.

5. International transfers

The Processor shall not transfer personal data outside the United Kingdom unless: (a) the destination country or territory benefits from a UK adequacy regulation; (b) appropriate safeguards are in place pursuant to Article 46 UK GDPR (such as UK International Data Transfer Agreements); or (c) the Controller has given explicit prior written consent and a derogation under Article 49 UK GDPR applies. Any approved international transfers and applicable safeguards are recorded in Schedule 2.

6. Liability and indemnity

Each party's liability under this DPA is subject to the limitations set out in the Principal Agreement save that: (a) liability for breach of the security obligations in clause 3.3 and for failure to notify personal data breaches under clause 3.7 shall not be limited below the greater of £50,000 or the fees paid in the preceding 12 months; and (b) nothing in this DPA limits either party's liability where such limitation is prohibited under applicable data protection law or where liability arises from fraud or wilful misconduct.

7. Term and termination

This DPA takes effect on the date of the Principal Agreement and continues until the Processor has completed deletion or return of personal data in accordance with clause 3.8. Obligations of confidentiality (clause 3.2) and audit rights (clause 3.9) shall survive termination for a period of six years.

8. Governing law

This DPA is governed by the laws of England and Wales. Any disputes shall be subject to the exclusive jurisdiction of the courts of England and Wales.

SCHEDULE 1 — DETAILS OF PROCESSING

Subject matter: [e.g. Processing of employee and transactional personal data in connection with the design and implementation of financial management systems for the Client]

Duration: [Start date] to [End date / until completion of SOW reference XX]

Nature of processing: [e.g. Collection, storage, analysis, structuring, and retrieval of financial transaction and payroll data for system design, testing, and migration purposes]

Purpose of processing: [e.g. To design, build, test and implement bespoke AI-driven financial systems as specified in SOW reference XX, including data migration from legacy systems]

Categories of personal data (select all that apply):
☐ Employee names and contact details
☐ Payroll and salary data
☐ Supplier/customer names
☐ Bank account details (business accounts)
☐ Expense records
☐ Other: ___________

Special categories of personal data: [☐ None   ☐ Yes — specify: ___________]
Note: if special category data is involved, additional safeguards and a separate lawful basis are required.

Categories of data subjects: [e.g. Employees, directors, contractors, suppliers, customers of the Client]

Retention period: [e.g. Data to be deleted / returned within 30 days of project completion. Any data retained for testing purposes to be pseudonymised and deleted within 14 days of go-live.]

SCHEDULE 2 — APPROVED SUB-PROCESSORS AND INTERNATIONAL TRANSFERS

Approved sub-processors

Sub-processor: Microsoft Azure / Microsoft 365
Location: UK / EEA data centres
Purpose: Cloud infrastructure, document storage, communication
Safeguard (if outside UK): UK adequacy (EEA) / Microsoft DPA

Sub-processor: [e.g. Notion / Slack]
Location: [Location]
Purpose: [Purpose]
Safeguard (if outside UK): [Safeguard / IDTA]

The Processor will notify the Controller no less than 14 days in advance of any changes to this list. The Controller may object to a new sub-processor within 7 days of notification by written notice; failure to object within that period constitutes consent.

International transfers

All primary processing takes place within the United Kingdom or the European Economic Area. Where any sub-processor listed above processes data outside the UK, the applicable transfer mechanism is noted in the Safeguard column above.

SCHEDULE 3 — TECHNICAL AND ORGANISATIONAL SECURITY MEASURES

The following measures are in place as at the date of this DPA. The Processor shall update these measures as technology and best practice evolve and shall notify the Controller of any material changes.

Access control: Role-based access control; multi-factor authentication on all systems holding Client data; principle of least privilege enforced; access reviews conducted on engagement commencement and at least quarterly

Encryption: All personal data encrypted at rest (AES-256 or equivalent) and in transit (TLS 1.2 minimum); encryption keys managed separately from data stores

Pseudonymisation: Personal data pseudonymised where technically feasible during development, testing, and QA phases; re-identification keys held separately

Availability and resilience: Cloud infrastructure with documented backup and recovery procedures; recovery time objective (RTO) and recovery point objective (RPO) agreed per engagement

Breach detection and response: Security monitoring and alerting; documented incident response procedure; personal data breach register maintained; Controller notified within 36 hours

Personnel: All personnel who access Client personal data subject to confidentiality obligations and data protection training; background screening for personnel with access to sensitive financial data

Physical security: No physical storage of Client personal data on removable media unless encrypted; clean desk policy; screen locks enforced

Vendor management: All sub-processors assessed for security compliance before engagement; DPAs in place with all sub-processors

SIGNATURES

SIGNED for and on behalf of the Controller

Signature: ____________________
Print name: [Full name]
Title: [Job title]
Date: [Date]

SIGNED for and on behalf of Cognition Systems Architecture

Signature: ____________________
Print name: ____________________
Title: ____________________
Date: ____________________