Data Processing Agreement

Last updated: June 2026 · Next review: June 2027 · Read time: 8 min · Version 1.0

This Data Processing Agreement (“DPA”) governs the processing of any personal data we (UK Web Marketing) handle on behalf of you (our client) under your subscription with us. It is the UK GDPR Article 28 instrument that sits between us where you are the controller and we are the processor. It applies automatically to every subscription — Foundation £45/mo, Growth Engine £195/mo, Bespoke — alongside our Terms & Conditions and Privacy Policy. The matching sub-processor disclosure is at /compliance.

1. Parties & roles

The Processor is TicketWave HQ Ltd, trading as UK Web Marketing — registered in England and Wales, company number 17143167, registered office Radley House, Richardshaw Road, Pudsey, LS28 6LE. Contact for DPA matters: hello@ukwebmarketing.com.

The Controller is you (the subscriber named on the Stripe account / Order). Where you are a clinic, practice, school, firm, or other regulated entity, you remain the data controller of any personal data we process on your behalf — the agency is not the controller.

2. Subject matter, duration, nature & purpose

Subject matter: personal data processed in the course of designing, building, hosting, and operating your website and associated services (CRM, newsletter, lead-magnet flows) under your subscription.

Duration: for as long as you have an active subscription, plus the retention windows in section 9 below.

Nature & purpose: hosting your website on EU-sovereign infrastructure (Vercel London), receiving form submissions (Resend EU), routing inbound mail (Cloudflare Email Routing), and (at Growth Engine and above) storing contact records in Capsule CRM (UK) and sending newsletters via Resend EU.

3. Categories of data subject

  • Visitors to your website (form submitters, lead-magnet requesters).
  • Your customers, patients, clients, parents, pupils, or other end-users whose personal data you input into systems we operate.
  • Your staff (where staff details appear on the site or in CRM records we host).

4. Categories of personal data

Standard small-business contact data: name, email address, phone number, organisation, the message text, and any vertical / sector self-identification provided. We do not solicit special-category data (UK GDPR Article 9 — health, religious belief, sexual orientation, etc.) and you agree not to route special-category data through our forms or CRM without telling us first so we can confirm appropriate safeguards.

For regulated-sector clients (clinics, solicitors, schools, accountants), additional categories may apply by virtue of the form fields you design — section 6 covers the security measures and section 8 governs international transfers.

5. Our obligations as processor

We will:

  • Process personal data only on your documented instructions (this DPA, the Terms, and any reasonable written instruction from you);
  • Ensure everyone authorised to process personal data is bound by confidentiality;
  • Implement the technical and organisational security measures set out in section 6;
  • Engage sub-processors only on the terms in section 7;
  • Help you respond to data subject rights requests (Articles 12–23) by providing tooling, exports, and deletion within a reasonable time;
  • Help you meet your obligations under Articles 32–36 (security, breach notification, DPIA support);
  • Notify you without undue delay (within 72 hours of awareness) of any personal data breach affecting your data;
  • On termination of the subscription, at your choice, delete or return all personal data we hold for you (subject to section 9);
  • Make available to you all information necessary to demonstrate compliance with Article 28 and allow for audits or inspections at reasonable cadence (typically annual self-assessment summary; on-site audit available with reasonable notice and cost-recovery for time).

6. Security measures

We maintain appropriate technical and organisational measures, including:

  • Encryption in transit — TLS 1.3 on every page (Vercel automatic HTTPS); HSTS preload; secure cookies where used.
  • Encryption at rest — provided by sub-processors (Vercel, Resend, Capsule, Stripe) under their respective security baselines.
  • Access control — least-privilege access; two-factor authentication required on every administrative account (GitHub, Vercel, Capsule, Resend, Stripe).
  • Network controls — Vercel-managed DDoS protection; Cloudflare for DNS and email routing; restrictive Content-Security-Policy headers on the site itself.
  • Application hardening — semantic HTML, no inline scripts beyond what's necessary, strict CSP, defence-in-depth against XSS.
  • Backup & recovery — Vercel maintains daily backups of static assets; source code lives in version control (GitHub); CRM records exported on cancellation per section 9.
  • Monitoring — Vercel Analytics + Speed Insights (first-party, cookieless); alerting on availability and error rates.
  • Staff training — every person with access to client systems is briefed on UK GDPR data-handling, phishing, and breach reporting.

7. Sub-processors

You authorise us to engage the sub-processors listed on the EU-sovereign compliance posture page. Headline:

  • Vercel Inc. — website hosting, served from London (lhr1). DPA in place; ISO 27001 certified.
  • Cloudflare, Inc. — DNS and Cloudflare Email Routing (inbound). DPA in place.
  • Resend, Inc. — outbound email delivery (EU region). DPA in place.
  • Stripe Payments Europe Ltd. (Ireland) — subscription billing. DPA in place.
  • Capsule CRM (Zestia Ltd.) — CRM (Manchester, UK), engaged at Growth Engine and above. DPA in place.

We will give you at least 30 days' notice of any new sub-processor (by email to the address on file). You may object on reasonable data-protection grounds within that window; if we can't accommodate your objection, you may terminate the subscription with a pro-rata refund of any prepaid Fees for the period after termination.

8. International transfers

Our default architecture keeps personal data on UK or EU infrastructure. Where any sub-processor processes data outside the UK / EEA (for example, Stripe routes some data through US infrastructure for fraud prevention, and Cloudflare operates a global network), transfers are protected by an appropriate safeguard — the UK International Data Transfer Agreement / Addendum to the EU SCCs, UK adequacy regulations, or equivalent. The sub-processor disclosure documents this per vendor.

9. Retention & deletion

For the duration of your subscription, we process personal data as needed to deliver the service. On termination:

  • Within 14 days of cancellation, we export all CRM records, newsletter subscribers, and form submissions to a format of your choice (CSV is default) and deliver them to the email address on file. You can also choose to keep the Capsule and Resend EU accounts (we transfer ownership to you).
  • Within 60 days we delete personal data from our active systems, unless you've asked us to keep it longer for a specific reason.
  • We may retain a minimum set of metadata (invoice records, audit logs, billing reconciliation) for up to 6 years to meet UK tax and accounting obligations. This is held by us as a controller, not as your processor.

10. Data subject rights

Where a data subject contacts us directly with a rights request (access, rectification, erasure, portability, objection), we will promptly forward it to you — you, as controller, are responsible for the response under Articles 12–23. We will provide reasonable technical assistance to you in fulfilling the request.

11. Breach notification

If we become aware of a personal data breach affecting your data, we will notify you without undue delay and in any event within 72 hours of awareness, providing — to the extent known — the nature of the breach, the categories and approximate number of data subjects and records affected, the likely consequences, and the measures taken or proposed.

12. Audits

We will make available to you all information necessary to demonstrate compliance with this DPA. On reasonable written notice (at least 30 days), and not more than once per year except in response to a regulator's request or a breach affecting your data, you may audit our compliance via a written questionnaire we will complete within 30 days. On-site audits are available at cost-recovery for our time.

13. Liability & precedence

Each party's liability under this DPA is subject to the liability limits in the Terms & Conditions. In the event of any conflict between this DPA and the Terms, this DPA takes precedence on data-processing matters only.

14. Governing law

This DPA is governed by the law of England and Wales, and the courts of England and Wales have exclusive jurisdiction.

15. How to sign or amend

By starting or maintaining a subscription with UK Web Marketing, you accept this DPA. If your organisation requires a signed paper copy (some clinics, schools, and law firms do), email hello@ukwebmarketing.com and we will sign and return a PDF executed copy within 5 working days. We can also accept your own DPA template by negotiation — typical for larger institutions with their own procurement framework.

16. Related documents

Sub-processors (canonical list — referenced from §7) · Privacy Policy · Cookie Policy · Vulnerability Disclosure · EU-sovereign compliance posture · All legal documents

17. Changelog

  • v1.0 — June 2026 — initial publication. Sub-processor list now mirrored at /sub-processors as the canonical reference.