Data Processing Agreement (DPA)

The sensible stuff about data, explained clearly.

1. Parties and Definitions

Primary Image Ltd is incorporated and registered in England and Wales with company number 07246478 and registered office at 282 Leigh Road, Leigh-on-Sea, Essex, SS9 1BW (the “Processor”).

The customer receiving website hosting, support, maintenance and related services (the “Controller”).

“UK GDPR” means Regulation (EU) 2016/679 as retained in UK law by virtue of section 3 of the European Union (Withdrawal) Act 2018.

2. Roles of the Parties

The Controller determines the purposes and means of the processing of Personal Data.

The Processor shall process Personal Data only as necessary to provide the services in accordance with the documented instructions of the Controller, unless required to do so by applicable UK law.

This Agreement forms part of the contractual relationship between the parties where the Processor processes Personal Data on behalf of the Controller.

3. Scope of Processing

Subject matter of processing

Website hosting, support, maintenance, development work, backups, security monitoring, and related technical services.

Duration of processing

For the duration of the services provided, and a reasonable backup retention period.

Categories of Personal Data
  • Website user data (e.g. contact form submissions, e-commerce or event registrations)
  • Website administrator and staff account details

Categories of Data Subjects
  • Website visitors
  • Controller’s staff and authorised users

4. Confidentiality

The Processor shall ensure that persons authorised to process Personal Data are subject to appropriate confidentiality obligations.

The Processor shall not disclose Personal Data to any third party except as permitted under this Agreement or as required by law.

Nothing in this Agreement prevents either party from complying with a legal obligation imposed by a regulator or court, provided reasonable notice is given where permitted.

5. Security Measures

The Processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including but not limited to:

  • Website-level firewalls and security hardening measures
  • Data-centre-level web application firewalls (WAF)
  • Regular review and application of security-related software updates
  • Automatic installation of critical security patches where applicable
  • Use of trusted and official software sources only
  • Secure server-level operating systems maintained by data-centre technicians
  • Role-based access controls and audit logging
  • Secure password practices using encrypted password management tools
  • Isolated hosting environments using container-based systems
  • Multiple daily off-site backups and additional offline backups
  • Ongoing monitoring of website activity and system health
  • Anti-virus protection on internal systems
  • SSL encryption for websites to protect data in transit

6. Sub-processors (General Authorisation)

6.1 Use of Sub-processors

The Controller provides general authorisation for the Processor to engage sub-processors for the purposes of delivering its services.

The Processor shall remain liable, to the extent permitted by applicable law, for the acts and omissions of any sub-processor engaged in accordance with this Agreement.

6.2 Current Sub-processors

To provide hosting and website services, the Processor relies on a limited number of trusted third-party service providers (“sub-processors”). These sub-processors may process Personal Data strictly for the purposes of delivering the services.

Current sub-processors include:

All sub-processors are selected carefully and are contractually required to comply with GDPR and applicable data-protection laws.

This list may be updated from time to time.

6.3 Customer-Appointed Third Parties

The Controller may independently grant access to their website to third-party services of their choosing (for example analytics, tracking, CRM, or marketing platforms).

Such third parties are engaged directly by the Controller and do not act as sub-processors of the Processor. Any processing by those providers is governed by the Controller’s own agreements with them.

7. Assistance With Data Subject Rights

Taking into account the nature of the processing, the Processor shall provide reasonable assistance to the Controller in responding to requests from data subjects, including requests for access, rectification, erasure, restriction, or objection, insofar as this is possible using the information available to the Processor.

8. Personal Data Breaches

The Processor shall notify the Controller without undue delay after becoming aware of a Personal Data Breach affecting the Controller’s data.

The Processor shall provide information reasonably required to assist the Controller in meeting its obligations, including:

  • The nature of the breach
  • Categories and approximate number of data subjects affected
  • Likely consequences of the breach
  • Measures taken or proposed to address the breach

The Processor shall cooperate with the Controller in investigating and mitigating the breach.

9. Data Retention and Deletion

Personal Data shall be retained for as long as it exists within the live website and associated backups.

Backups are retained for a period of up to three years.

Upon written request from the authorised account holder, following termination of services, the Processor shall delete Personal Data, unless retention is required by applicable law.

Where required, the Processor shall provide written confirmation that data has been deleted.

10. Compliance and Information Rights

The Processor shall make available to the Controller information reasonably necessary to demonstrate compliance with this Agreement and UK GDPR obligations.

11. Governing Law

This Agreement is governed by the laws of England and Wales, and the parties submit to the exclusive jurisdiction of the courts of England and Wales.

Last updated 6th February 2026.