Online Terms of business

Data Processing Agreement

V1.1

APPROVAL AND VERSION CONTROL

Document Author: Denver Hodgson | Approved By: Malcolm Jones
Previous Version: 1.0 | Date Active: 14.04.2026
New Version: 1.1 | Date Active: 17.04.2026
Date: 17.04.2026 | Next Review Date: 31.12.2026

DATA PROCESSING AGREEMENT

BETWEEN:

  1. The entity submitting a request for services via the Gigacycle platform or agreeing to these terms online, whose details are provided at the point of order, including company name, registered address and contact details (hereinafter referred to as the “CONTROLLER”); and
  2. [GIGACYCLE LTD] incorporated in England and Wales with registered office at Unit D2 Gilchrist Road, Irlam, Manchester, M44 5AY (hereinafter referred to as the “[PROCESSOR]”).

Acceptance of Terms

By ticking the acceptance box and submitting a request for services, the CONTROLLER:

  • Confirms it is authorised to enter into this agreement
  • Agrees to be bound by this Data Processing Contract
  • Confirms that the details provided during the booking/order process form part of this agreement

WHEREAS:

  1. [CONTROLLER] wishes to appoint [PROCESSOR] to undertake the Services (as defined in Schedule 4) on its behalf.
  2. To perform the Services on [CONTROLLER]’s behalf, [PROCESSOR] will require to process certain Categories of Data (as defined in Schedule 5) on behalf of [CONTROLLER].
  3. The Parties now wish to enter into this Contract (as defined below) to regulate the processing of these Categories of Data by [PROCESSOR] on behalf of [CONTROLLER].

IT IS HEREBY AGREED:

1. Definitions and Interpretation

1.1 The words and expressions below will have the meanings set out next to them:

Term Definition
“Applicable Laws” means any other law or regulation that may apply to the processing of Personal Data;
“Appointed Agent” means any auditor or third party, formally appointed by the Data Controller to perform a range of tasks associated with the validation of the performance of the Data Processor.
“Confidential Information” means all confidential information imparted by [CONTROLLER] to [PROCESSOR] during the term of this Contract or coming into existence because of [PROCESSOR]’s obligations hereunder which is either marked as confidential or which ought reasonably be regarded as confidential;
“Contract” means this Data Processing Contract;
“Controller Data” means all data processed by the Data Processor on behalf of the Data Controller under the terms of this data processing contract.
“Data Controller” means “controller” as defined in Article 4 (7) of the GDPR;
“Data Processor” means “processor” as defined in Article 4 (8) of the GDPR;
“Data Subject” means “data subject” as defined in Article 4 (1) of the GDPR;
“GDPR” means the UK General Data Protection Regulation Directive 2016/679;
“Personal Data” means “personal data” as defined by Article 4 (1) of the GDPR and which is processed by [PROCESSOR] on behalf of [CONTROLLER], as set out in Schedule 4 hereto;
“Party” or “Parties” means a party or the parties to this Contract;
“Services” means the provision of [DESCRIPTION OF DATA PROCESSING SERVICES] to [CONTROLLER] deemed to be the subject matter as per Article 28 GDPR;
“Data Subject Rights Request” means a request under Chapter 3 of GDPR which relates to the processing of Personal Data by [PROCESSOR] on behalf of [CONTROLLER]; and
“Third Party” means a party which is not [CONTROLLER], [PROCESSOR] or the Data Subject to whom the Personal Data relates.

1.2 In this Contract unless otherwise expressly stated:

  1. references to Clauses are to clauses of this Contract;
  2. reference to the Schedules are to the schedules to this Contract which form part of this Contract and are incorporated herein;
  3. references to the singular include references to the plural and vice versa;
  4. headings are inserted for convenience only and shall not affect the construction or interpretation of this Contract;
  5. any phrase introduced by the terms “including”, “include”, “in particular” or any similar expression are illustrative and do not limit the sense of the words preceding those terms and such terms shall be deemed to be followed by the words “without limitation”;
  6. references to a statute, or any section of any statute, include any statutory amendment, modification or re-enactment and instruments and regulations under it in force from time to time;
  7. references to regulatory rules include any amendments or revisions to such rules from time to time; and
  8. references to regulatory authorities refer to any successor regulatory authorities.

2. Subject and scope of the commissioned processing of Personal Data

  1. [PROCESSOR] processes the Controller Data exclusively on behalf of and on the instruction of [CONTROLLER] in accordance with Article 28 (1) GDPR (Commissioned Data Processing). [CONTROLLER] remains the controller for the purposes of data protection law.
  2. Schedule 5 to this Contract contains an exhaustive list of which types of Controller Data the Processor may process, the nature and purpose of processing, the permitted duration of processing, and to which categories of data subjects the Controller Data relate as per Article 28 (3).
  3. The processing of Controller Data will take place exclusively in the territory of a Member State of the European Union or of a contracting party to the Agreement on the European Economic Area (EEA). Data processing in other countries may only take place where the [CONTROLLER] has provided their prior written consent and, where applicable, additionally the requirements of Articles 44 to 47 GDPR are fulfilled, or there is an exception in accordance with Article 49 GDPR.
    OR
    The processing of Controller Data will take place exclusively within the territory of the United Kingdom. Data processing in other countries may only take place where the [CONTROLLER] has provided their prior written consent and, where applicable, additionally the requirements of Articles 44 to 47 GDPR are fulfilled, or there is an exception in accordance with Article 49 GDPR. (UK)

3. Standards of Performance

  1. [PROCESSOR] hereby undertakes to [CONTROLLER] that it will undertake the Services on behalf of [CONTROLLER] in accordance with this Contract using all reasonable skill and care.
  2. [PROCESSOR] hereby provides sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing meets the requirements of Article 28 (1) of GDPR. These guarantees are listed in Schedule 6.
  3. [CONTROLLER] and [PROCESSOR] hereby acknowledge that in relation to the Personal Data and for the purposes of the Applicable Laws, [CONTROLLER] is the Data Controller and [PROCESSOR] is the Data Processor.

4. The Term

  1. This Contract shall continue in full force unless or until terminated in pursuance of Clause 19.

5. Obligations of [CONTROLLER]

  1. [CONTROLLER] shall provide such information as [PROCESSOR] may reasonably require for [PROCESSOR] to provide the Services outlined in Schedule 4.
  2. [CONTROLLER] shall instruct [PROCESSOR] generally in written or text form which includes email communication. If required, [CONTROLLER] may also issue instructions orally or via telephone. Instructions issued orally or via telephone require, however, immediate confirmation by [CONTROLLER] in written or text form.
  3. [CONTROLLER] shall have legal title on all goods being collected and therefore can instruct [PROCESSOR] to process equipment in accordance with the service agreed in the schedule laid out in this contract.

6. Obligations of [PROCESSOR]

  1. [PROCESSOR] undertakes to [CONTROLLER] that it shall process the Personal Data only on [CONTROLLER]’s instructions as given from time to time, and in accordance with the terms of this Contract and all Applicable Laws.
  2. Any instructions issued by [CONTROLLER] to [PROCESSOR] shall be done so in accordance with 5.2 and shall be documented by [PROCESSOR] to be evidenced to [CONTROLLER] on request.
  3. If [PROCESSOR] is of the reasonable opinion that an instruction by [CONTROLLER] breaches this Agreement, an earlier instruction, or applicable data protection laws, [PROCESSOR] must inform [CONTROLLER] in writing of this immediately.
  4. [PROCESSOR] shall ensure that only such of its employees who may be required by [PROCESSOR] to assist it in meeting its obligations under this Contract shall have access to the Personal Data. [PROCESSOR] shall ensure that all employees used by it to provide the Services (i) have undergone training in the laws of data protection and in the care and handling of the Personal Data in accordance with such laws, and (ii) have undergone vetting to an appropriate level.
  5. In particular, [PROCESSOR] undertakes to [CONTROLLER] that it will not disclose the Personal Data or any part thereof to any Third Party unless and only to the extent instructed to do so in writing by [CONTROLLER].
  6. [PROCESSOR] undertakes to [CONTROLLER] that it will not export the Personal Data or any part thereof outside the European Economic Area in any circumstances other than at the specific written request of [CONTROLLER]. If [PROCESSOR] intends to transfer Controller Data to a third country or an international organisation without having been instructed to this end by [CONTROLLER], [PROCESSOR] will inform [CONTROLLER] without undue delay and as soon as possible about the purpose, legal ground and affected Controller Data, to such an extent and insofar as such notification is not legally prohibited on the grounds of a substantial public interest.
  7. For the mutual benefit of both Parties, and to ensure compliance with this Contract and the Applicable Laws, [CONTROLLER] and [PROCESSOR] will liaise regularly, and [PROCESSOR] will allow its data processing facilities, procedures and documentation to be reviewed by [CONTROLLER] or its auditors.
  8. If at any time [PROCESSOR] is unable to meet any of its obligations under this Contract, it undertakes to inform [CONTROLLER] immediately by notice in writing.
  9. [PROCESSOR] is not permitted to make any copies or duplicates of the Controller Data without prior written approval by [CONTROLLER]. This excludes copies which are necessary for the orderly performance of this agreement as well as copies which are necessary for compliance with statutory retention obligations.
  10. Should [CONTROLLER] be required to provide information to a public authority or a person relating to the processing of Controller Data, or to otherwise cooperate with a public authority, [PROCESSOR] shall support [CONTROLLER] at the first request with the provision of such information or the fulfilment of other obligations to cooperate. This applies to immediate provision of all information and documents relating to technical and organisational measures taken in line with Article 32 GDPR relating to the technical procedure for the processing of Controller Data, the sites at which Controller Data are processed, and relating to the employees involved in processing the Controller Data.
  11. [PROCESSOR] will support [CONTROLLER] in any activity, relevant to services being carried out by [PROCESSOR], which [CONTROLLER] or appointed agents must undertake to comply with GDPR such as Data Privacy Impact Assessment and Register of Processing Activities.
  12. [PROCESSOR] must have a Data Protection Officer throughout the term of this contract and inform [CONTROLLER] of the contact details of this appointment. Should the [PROCESSOR] make any changes to the Data Protection Officer this information must be passed onto [CONTROLLER] without undue delay. Should [PROCESSOR] believe they do not have to appoint a Data Protection Officer this information should be passed onto [CONTROLLER] prior to the enactment of this contract.

7. Assignment & Subcontracting

  1. [PROCESSOR] shall not be entitled to assign this Contract nor all or any of its rights or obligations hereunder, without the prior written consent of [CONTROLLER].
  2. The [CONTROLLER] hereby consents to the use by the [PROCESSOR] of the services of the subcontractors set out in Schedule 3 of this Agreement for the purposes set out therein.
  3. [PROCESSOR] shall not be entitled to sub-contract performance of its obligations hereunder without [CONTROLLER]’s prior written consent and [PROCESSOR] shall, at all times, be responsible as between itself and [CONTROLLER] for the observance by its assignees of the obligations contained in this Contract as if such sub-contractors were [PROCESSOR].
  4. In the event that [PROCESSOR] requires [CONTROLLER]’s prior written consent in pursuance of Clause 7, [CONTROLLER] shall be entitled, at its discretion, to withhold such consent and prior to issuing such consent [CONTROLLER] may require the party that [PROCESSOR] proposes to sub-contract the performance (or any part thereof) of its obligations hereunder, to enter into a direct contractual relationship with [CONTROLLER] in respect of the processing of any Personal Data by such party.
  5. For the assessment of such approval, [PROCESSOR] must provide [CONTROLLER] with a copy of the intended commissioned data processing agreement between [PROCESSOR] and the further commissioned data processor. [PROCESSOR] must obligate the further commissioned data processor in that written agreement in exactly the same manner as the former is obligated on the basis of this Agreement and include the requirements set out in Clause 14.
  6. [PROCESSOR] is obligated to only select – and, should [CONTROLLER] approve, to make use of – those further commissioned data processors which offer sufficient guarantees that the appropriate technical and organisational measures will be implemented in such a manner that the processing of Controller Data takes place in accordance with the requirements of the GDPR. [PROCESSOR] must satisfy itself prior to the commencement of the processing of compliance with the technical and organisational measures by the further commissioned data processor and will confirm by means of a request for approval by [CONTROLLER]. Upon request, [PROCESSOR] will provide evidence to [CONTROLLER] to this end.
  7. There is no right or claim to the granting of approval. The statutory liability of [PROCESSOR] in their capacity as commissioned data processor remains unaffected by any approval granted.
  8. [CONTROLLER] must also be granted audit and examination rights in relation to subcontractors in accordance with Clause 6 of this Contract. [CONTROLLER] may request from [PROCESSOR] information about the essential terms and conditions of the subcontract and the implementation of the subcontractor’s obligations relating to data protection, if necessary, also by inspection of the relevant contractual documentation.

8. Security of processing (As per Article 32 GDPR)

  1. [PROCESSOR] warrants that it undertakes appropriate technical and organisational measures to ensure a suitable level of protection for the Controller Data corresponding to the risk. This must be in consideration of the state of the art, implementation costs and the type, scope, circumstances, and aims of the processing as well as the varying likelihood of occurrence and severity of the risk to the rights and freedoms of data subjects. These measures include, inter alia, the following:
    1. the pseudonymisation and encryption of Controller Data;
    2. the ability to permanently ensure the confidentiality, integrity and availability of the systems, services and Controller Data in connection with the processing;
    3. the ability to rapidly recover the availability of the Controller Data and access to them, should a physical or technical disruption occur;
    4. a process for the regular review, assessment, evaluation and evidence of the effectiveness of the technical and organisational measures for the purposes of ensuring the security of the processing.
  2. [PROCESSOR] guarantees that it has, prior to the commencement of the processing of the Controller Data, provided evidence to [CONTROLLER] that it has taken the appropriate technical and organisational measures to protect the data which is being processed. This evidence could be the accreditation of its Data Processing Service by an industry recognised accreditation scheme (Article 28 (5) GDPR). [PROCESSOR] guarantees that it will maintain these during the term of the Agreement.
  3. [PROCESSOR] guarantees that it adheres to an approved code of conduct [Article 28 (5)] prior to the commencement of the contract.
  4. [PROCESSOR] guarantees that as technology and threats evolve, by means of continual assessment, the technical and organisational measures in place are assessed for appropriateness. Because of this assessment [PROCESSOR] is permitted to implement alternative, adequate measures, if they do not fall below the security level of the measures agreed at the start of this Agreement. Any alternative measures are subject to the prior clauses of this contract and evidenced to [CONTROLLER] as per 8.1 and 8.2.

9. Transfer of Personal Data

  1. Before transferring any Personal Data to [CONTROLLER], [PROCESSOR] will establish with [CONTROLLER] the appropriate method of transfer or transmission and will securely transfer or transmit the Personal Data to [CONTROLLER] in line with [CONTROLLER]’s requirements.

10. Data Subject Requests

  1. [CONTROLLER] shall be responsible for responding to all Data Subject Requests in accordance with Article 12 GDPR (“data subject rights”) which may be received from Data Subjects to which the Personal Data relates.
  2. [PROCESSOR] hereby agrees to assist [CONTROLLER] with all applicable Data Subject Requests which may be received from the Data Subjects to which the Personal Data relates as per Schedule 1.
  3. If [PROCESSOR] receives a Data Subject Request from a Data Subject relating to the Personal Data processed on behalf of the [CONTROLLER] it shall immediately and without undue delay, forward it to the person nominated by [CONTROLLER] under clause 20 of this Contract.
  4. Where [CONTROLLER] considers that it is necessary for copies of the Personal Data to be transferred to it to respond to a Data Subject Request, [CONTROLLER] will inform [PROCESSOR] that it requires copies to be transferred. Before transferring the copies, [PROCESSOR] will establish with [CONTROLLER] the appropriate method of transfer and will securely transfer the copies of the Personal Data to [CONTROLLER] in line with [CONTROLLER]’s requirements, to arrive no more than 10 working days from the date of [CONTROLLER]’s request to [PROCESSOR].

11. Complaints relating to processing of Personal Data under this Contract

  1. [CONTROLLER] shall be responsible for the handling of and responding to processing any complaints or expressions of dissatisfaction which may be received from the Data Subjects to which the Personal Data relates or others, in relation to the processing of the Personal Data under this Contract.
  2. [PROCESSOR] hereby agrees to assist [CONTROLLER] with any applicable complaints or expressions of dissatisfaction which may be received from the Data Subjects to which the Personal Data relates or others, in relation to the processing of the Personal Data under this Contract as per Schedule 1.
  3. If [PROCESSOR] receives any complaints or expressions of dissatisfaction, relating to the Personal Data processed on behalf of the [CONTROLLER] it shall immediately and without undue delay, forward it to the person nominated by [CONTROLLER] under clause 20 of this Contract.
  4. Where [CONTROLLER] considers that it is necessary for copies of the Personal Data to be transferred to it to allow it to respond to a complaint or expression of dissatisfaction, [CONTROLLER] will inform [PROCESSOR] that it requires copies to be transferred. Before transferring the copies, [PROCESSOR] will establish with [CONTROLLER] the appropriate method of transfer and will securely transfer the copies of the Personal Data to [CONTROLLER] in line with [CONTROLLER]’s requirements, to arrive no more than 5 working days from the date of [CONTROLLER]’s request to [PROCESSOR].

12. Breach Identification and Notification

  1. Under the context of this contract a Data Breach is defined as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”.
  2. [PROCESSOR] will ensure that there are sufficient checks being made on processing activities to ensure that data is being protected at all times as per clause 8.
  3. [PROCESSOR] will without undue delay inform [CONTROLLER] if the former becomes aware of an incident which under the definition of 12.1, constitutes a data breach. This communication will be made to the contact as designated in Clause 20 and be classed as “Initial Notification”.
  4. [CONTROLLER] will be responsible for informing the Local Supervisory Authority as denoted in Clause 20. This notification will be made no later than 72 hours from the “Initial Notification” as per Article 33 GDPR.
  5. [PROCESSOR] must inform [CONTROLLER] within 24 hours of Initial Notification the following details where possible: nature of personal breach including categories and approximate number of data subjects concerned, names and contact details of the Data Protection Office or other contact point, likely consequences of personal data breach and any measures taken or proposed to be taken to mitigate the adverse effects of the data breach. Where it is not possible to provide this information in full within 24 hours, a clearly articulated plan of activities and timelines for obtaining any missing information should be submitted to [CONTROLLER] within the 24-hour window.
  6. [PROCESSOR] will support the [CONTROLLER] or [CONTROLLER]’s appointed agent, in the investigation of any data breach incident unless such activities contravene legal or contractual obligations already in place. In such situations, a written explanation supporting the [PROCESSOR]’s position is required.

13. Retention and Disposal of Personal Data

  1. [PROCESSOR] undertakes to retain and dispose of the Personal Data in line with the Retention and Disposal Guidelines, as contained in Schedule 7 to this Contract.

14. Evidence and inspections

  1. [PROCESSOR] shall provide [CONTROLLER] with all necessary information to prove compliance with [CONTROLLER]’s obligations under this Agreement upon request. Upon request of [CONTROLLER], [PROCESSOR] shall provide [CONTROLLER] immediately with all relevant certificates and audit reports.
  2. [CONTROLLER] is entitled to receive information from the Data Protection Officer of [PROCESSOR] relating to all aspects regarding the processing of Controller Data, including the technical and organisational measures taken in accordance with Clause 8.
  3. [CONTROLLER] or appointed agent is entitled, with reasonable notice, to enter the business premises of [PROCESSOR] during normal business hours (Mondays to Fridays from 09:00 until 18:00) and inspect the technical and organisational measures as well as the processes of [PROCESSOR], to satisfy themselves of the compliance with the provisions of this Agreement as well as the relevant statutory data protection provisions by [PROCESSOR].
  4. [PROCESSOR] guarantees [CONTROLLER], or appointed agent, the access rights, information rights, and inspection rights necessary for this purpose. [PROCESSOR] will guarantee access to the data processing facilities, files, and other documents to allow for monitoring and auditing of the relevant data processing facilities, files and other documentation relating to the processing of the Controller Data. [PROCESSOR] will provide [CONTROLLER], or an agent appointed by the same, with all information necessary for the inspection.
  5. [CONTROLLER] and [PROCESSOR] are subject to public audits by the competent data protection authorities. Upon request of [CONTROLLER], [PROCESSOR] will provide the requested information to the supervisory authorities and will also grant the latter the opportunity to audit; this includes inspections of [PROCESSOR] by the supervisory authorities and persons appointed by them. [PROCESSOR] guarantees to the competent authorities in this context the necessary access rights, information rights, and inspection rights.
  6. [PROCESSOR] shall hold relevant industry accreditations to evidence capabilities in their field. These are to be maintained throughout the duration of this contract and are listed in Schedule 8.

15. Indemnity

  1. [PROCESSOR] hereby agrees to indemnify [CONTROLLER] up to a maximum of £5million per incident against all losses, costs, expenses, damages, liabilities, demands, claims, fines, penalties, actions or proceedings which [CONTROLLER] may incur arising out of any failure by [PROCESSOR] or its employees to comply with any of its obligations under this Contract.

16. Ownership

  1. All right, title and interest in the Confidential Information shall vest solely with [CONTROLLER] or its licensees.

17. Confidentiality

  1. [PROCESSOR] shall procure that all Confidential Information disclosed to it by [CONTROLLER] under this Contract or which at any time during the term of the Contract come into [PROCESSOR]’s knowledge, possession or control, shall be kept secret and confidential and shall not be used for any purposes other than those required or permitted by this Contract and shall not be disclosed to any third party except insofar as this may be required for the proper operation of this Contract and then only under appropriate confidentiality provisions approved in writing by [CONTROLLER].
  2. [PROCESSOR] will ensure, pursuant to Article 29 GDPR, that all persons under their authority process the Controller Data exclusively in accordance with this Agreement, as well as the instructions of [CONTROLLER].
  3. The obligations of confidence contained in this Clause 17 shall not prevent [PROCESSOR] from disclosing information to the extent required by law or for any regulatory purposes, provided that prior written notice is given to [CONTROLLER] of such disclosure.
  4. The obligations of confidence contained in this Clause 7 shall not apply to any information which:
    1. is or becomes generally available to the public through no act or default of [PROCESSOR] or its directors, employees or agents; or
    2. [PROCESSOR] can demonstrate from its written records, prior to its receipt from [CONTROLLER] was in its possession and at its free lawful disposal; or
    3. [PROCESSOR] can demonstrate from its written records, is after its receipt from [CONTROLLER], generated by employees of [PROCESSOR] independently of, and without knowledge of, the Confidential Information; or
    4. [PROCESSOR] can demonstrate from its written records, is subsequently disclosed to it without any obligation of confidence by a third party who has not derived it directly or indirectly from [CONTROLLER].
  5. The obligations of confidence contained in this Clause 17 shall survive the termination of this Contract for whatever reason for a period of: (i) three (3) years following the final disclosure of the Confidential Information by [CONTROLLER] to [PROCESSOR]; or (ii) if longer, but only to the extent reasonably required, for as long as the ongoing confidentiality of the Confidential Information, or any part thereof, remains of value to [CONTROLLER] and or its interests.

18. Termination

  1. This Contract may be terminated by [CONTROLLER] giving not less than 3 months written notice to [PROCESSOR].
  2. This Contract may be terminated by the [PROCESSOR] giving not less than 3 months written notice to [CONTROLLER].

19. Consequences of Termination

  1. On termination of this Contract for whatever reason, [PROCESSOR] shall cease to process the Personal Data and Confidential Information and shall arrange for the prompt and safe return of all of the Personal Data and Confidential Information, processed under the terms of this Contract to Controller, together with all copies of the Personal Data in its possession or control or that of its agents or contractors, within such time and by such secure means as [CONTROLLER] shall provide for in writing at the time of termination of the Contract.
  2. On termination of this Contract, should [CONTROLLER] require the deletion of Controller Data still held by [PROCESSOR] then [PROCESSOR] should provide written evidence to support the deletion activity.
  3. Termination of this Contract shall not affect any rights or obligations of either Party which have accrued prior to the date of termination and all provisions which are expressed to, or do by implication, survive the termination of this Contract shall remain in full force and effect.

20. Notices

  1. Any notice under or in connection with this Contract shall be in writing (but not by fax, e-mail or similar means) and shall be delivered personally, or sent by courier or by recorded or registered mail to the following addresses:
    Notices to [PROCESSOR]: GIGACYCLE LTD
    Address: Unit D2 Gilchrist Road, Irlam, Manchester, M44 5AY
    Marked for the attention of: Denver Hodgson – Data Protection Officer
    Notices to [CONTROLLER]: As outlined in section (1)
    Address: As outlined in section (1)
    Marked for the attention of: Chief Executive

    A notice shall become effective on the date it is delivered to the address of the recipient Party shown above. A Party may notify the other of a change to its notice details.

  2. Local Supervisory Authority for the purposes of this contract is agreed to be the UK Information Commissioner’s Office.

21. Severability

  1. Should any provision of this Contract be held to be illegal, invalid or unenforceable in any respect by any judicial or other competent authority under the law of any jurisdiction:
  2. If by substituting a shorter time period or more restricted application of the provision, it would be valid and enforceable, such shorter time period or more restricted application shall be substituted.
  3. If Clause 18.1 is not applicable:
    1. such provision shall, so far as it is illegal, invalid or unenforceable in any jurisdiction, be given no effect by the Parties and shall be deemed not to be included in this Contract in that jurisdiction;
    2. the other provisions of this Contract shall be binding on the Parties in that jurisdiction as if such provision were not included herein;
    3. the legality, validity and enforceability of the provision in any other jurisdiction shall not be affected or impaired; and
    4. the Parties shall negotiate in good faith to agree an alternative provision in terms which as closely as possible achieve the intention of the Parties in the original provision, do not substantially impair the Parties’ original interests and do not render such provisions invalid or unenforceable.

22. Variation

  1. No variation or amendment to this Contract shall bind either Party unless made in writing and signed by duly authorised officers of both Parties.

23. Waiver and Remedies

  1. A failure to exercise or any delay in exercising any right or remedy provided by this Contract or by law does not constitute a waiver of that right or remedy or a waiver of any other rights or remedies.

24. Entire Contract

  1. This Contract constitutes the entire Contract and understanding of the Parties relating to its subject matter and supersedes all prior proposals, Contracts and understandings between the Parties or their advisors relating to such subject matter.
  2. Each of the Parties hereby acknowledges and agrees that in entering into this Contract, it does not rely on any statement, representation, warranty, undertaking, Contract or understanding of any nature whatsoever made by any person other than as expressly included in this Contract as a warranty (a “Prior Representation”) and to the extent that it is so included that Party’s only remedy shall be a contractual one for breach of warranty under the terms of this Contract for damages. To the extent that, notwithstanding the foregoing a Prior Representation has been made and relied upon by either Party, the relevant party unconditionally and irrevocably waives any claims, rights or remedies it may have in relation thereto.
  3. Nothing in this Clause 4 or in this Contract shall operate to limit or exclude any liability of either Party, or the remedies available to either Party for fraud, including fraudulent acts and/or fraudulent misrepresentations.

25. Further Assurance

  1. The Parties shall execute all further documents as may be reasonably necessary or desirable to give full effect to the terms of this Contract and to protect the rights of the Parties under it.

26. Governing Law

  1. This Contract shall be governed in all respects by the laws of England and Wales, and each Party hereby irrevocably submits for all purposes in connection with this Contract to the exclusive jurisdiction of the Courts of England and Wales.

IN WITNESS whereof this Contract consisting of this and the preceding 12 pages and the attached Schedules part is executed as follows:

Signed for and on behalf of the said [CONTROLLER]

Signature …………………………………………………

Print Name …………………………………………………

Job Title …………………………………………………

Signed for and on behalf of the said [PROCESSOR]

Signature …………………………………………………

Print Name …………………………………………………

Job Title …………………………………………………

Schedule 1 Data Subject Rights Request Process

In addition to Clause 10 of this contract, the PROCESSOR agrees to follow the following process when required to do so by the CONTROLLER.

  1. Receipt of Request
    • Any Data Subject Rights Request (DSAR) received directly by the PROCESSOR must be identified immediately.
    • Requests include (but are not limited to): access, rectification, erasure, restriction, portability, objection.
  2. Immediate Notification
    • The PROCESSOR must notify the CONTROLLER without undue delay and within 24 hours of receipt.
    • The request must be forwarded in full, including:
      • Identity of requester (if known)
      • Nature of request
      • Any supporting documentation
  3. No Direct Response
    • The PROCESSOR shall not respond directly to the Data Subject unless explicitly authorised in writing by the CONTROLLER.
  4. Verification Support
    • Assist the CONTROLLER in verifying identity where required.
  5. Data Identification & Retrieval
    • Identify and securely retrieve all relevant Personal Data held on behalf of the CONTROLLER.
    • Provide data in a structured, commonly used, secure format.
  6. Timescales
    • Provide requested data to the CONTROLLER within 5–10 working days or sooner if required.
  7. Record Keeping
    • Maintain a log of: Date received, Data reported to Controller and Actions taken

Schedule 2 Breach Notification Process

In addition to Clause 12.0 of this contract, the PROCESSOR agrees to follow the following process when required to do so by the CONTROLLER.

  1. Identification
    • All staff must report suspected or actual breaches immediately.
    • Includes loss, unauthorised access, corruption, or disclosure of data.
  2. Initial Containment
    • Take immediate steps to:
      • Isolate affected systems
      • Prevent further data loss
      • Secure physical assets if applicable
  3. Internal Escalation
    • Escalate to Data Protection Officer (DPO) immediately.
  4. Notification to CONTROLLER
    • Notify within 24 hours of awareness.
    • Provide:
      • Nature of breach
      • Categories and approximate number of data subjects
      • Type of data affected
      • Likely consequences
      • Immediate mitigation steps
  5. Investigation
    • Conduct root cause analysis.
    • Document findings and timeline.
  6. Ongoing Updates
    • Provide updates every 24–48 hours until resolved.
  7. Mitigation
    • Implement corrective actions:
      • Technical fixes
      • Process improvements
      • Staff retraining (if required)
  8. Support to CONTROLLER
    • Assist with:
      • ICO reporting (within 72 hours)
      • Data subject notifications
      • Evidence provision
  9. Post-Incident Review
    • Produce formal incident report including lessons learned.

Schedule 3 Sub-processors approved by the Controller.

For the purposes of this contract:

The PROCESSOR confirms that no sub-processors are currently used in the delivery of services under this Agreement.

Should this change:

  • Written approval from the CONTROLLER is required in advance
  • Full due diligence and contractual flow-down obligations will apply

Schedule 4 Data Processing Services

CONTROLLER agreed for the PROCESSOR to perform the following services to achieve the objective of this contract.

  1. Scope of Services
    The PROCESSOR shall provide IT Asset Disposal (ITAD) services including:
    • Collection and transportation of IT equipment from CONTROLLER premises
    • Secure logistics and handling of assets
    • Receipt, tracking, and auditing of all equipment
    • Data sanitisation and/or physical destruction of data-bearing media
    • Refurbishment and remarketing of suitable equipment
    • Recycling of non-reusable assets in accordance with environmental legislation
  2. Logistics & Collection Services
    • The PROCESSOR is authorised to provide logistical services, including:
      • On-site collections from CONTROLLER premises
      • Use of own secure transport and approved personnel
      • Transfer of assets to PROCESSOR’s secure facility (Gigacycle Ltd)
    • The CONTROLLER grants permission for:
      • Multi-point collections, where required for operational efficiency
    • All collections will be documented via:
      • Collection notes / transfer documentation
      • Asset tracking records
  3. Transfer of Custody and Liability
    • Custody and liability for IT assets transfer from the CONTROLLER to the PROCESSOR at the point where:
      • Assets are physically collected and signed for by an authorised representative of the PROCESSOR; or
      • Assets are delivered to and formally accepted at the PROCESSOR’s facility
    • From this point, the PROCESSOR assumes responsibility for:
      • Secure handling
      • Storage
      • Processing
      • Data destruction
    • A documented chain of custody will be maintained at all times.
  4. Asset Auditing & Tracking
    The PROCESSOR shall provide a full audit trail including:
    • Unique asset identification (where possible)
    • Logging of:
      • Asset type
      • Serial numbers / identifiers
      • Quantity and condition
    • Tracking throughout the lifecycle:
      • Collection → Receipt → Processing → Final disposition
    • The CONTROLLER will be provided with:
      • Asset reports
      • Data destruction certification
      • Final disposition reporting (reuse, recycle, destroy)
  5. Data Sanitisation & Destruction (Data Capability Statement)
    The PROCESSOR shall apply approved data sanitisation methods appropriate to each media type, including:
    1. Magnetic Media (HDDs, Servers, Laptops, Desktops)
      • Software-based data erasure using certified tools (e.g. Aiken, Blancco or equivalent)
      • Erasure aligned to recognised standards such as:
        • NCSC guidance
        • HMG Infosec Standard No.5 (where applicable)
        • ADISA Approved Methods
      • Verification reporting produced for each device
    2. Solid State Media (SSDs, Flash Storage)
      • Software erasure where supported and verified
      • Physical destruction where erasure is not possible or fails verification
    3. Removable Media (USBs, Tapes, Optical Media)
      • Physical shredding of USB and optical media.
      • Degaussing and shredding for tapes and storage tape media.
    4. Failed or Non-Functional Media
      • Physical destruction via shredding
  6. Verification & Certification
    • All data sanitisation activities are:
      • Verified to ensure complete data removal
      • Logged and auditable
    • The CONTROLLER will receive:
      • Certificates of Data Destruction / Erasure
      • Full audit reports linked to processed assets
  7. Compliance & Standards
    All services are delivered in accordance with:
    • UK GDPR requirements
    • ADISA ITAD standards and best practice
    • Environmental regulations (WEEE Directive)
    • Industry-recognised data sanitisation standards
  8. Security Controls
    Throughout service delivery, the PROCESSOR shall ensure:
    • Secure facilities with access controls, CCTV, and alarm systems
    • Vetted and trained personnel
    • Secure transport and handling procedures
    • Protection against unauthorised access, loss, or damage
  9. Final Disposition
    Assets will be:
    • Remarketed where data has been securely removed and reuse is appropriate
    • Recycled in accordance with environmental regulations
  10. Sanitisation Requirements by Media Type
    Storage Type Re-Use Destroy
    Dial 1 Dial 2 Dial 3 All
    Magnetic Hard Disk Drives Shredding (20mm, 6mm) Aiken Workbench V2, Blancco Drive Eraser v7.18.0 Aiken Workbench V2, Blancco Drive Eraser v7.18.0 Aiken Workbench V2, Blancco Drive Eraser v7.18.0
    Solid State Shredding (6mm) Aiken Workbench V2, Blancco Drive Eraser v7.18.0 Aiken Workbench V2, Blancco Drive Eraser v7.18.0 Aiken Workbench V2, Blancco Drive Eraser v7.18.0
    Hybrid Drives N/A N/A N/A Shredding (6mm)
    Magnetic Tape N/A N/A Not permitted Degaussing & Shredding (6mm)
    Optical N/A Shredding (6mm)
    Paper N/A Shredding
  11. Sanitisation Requirements by Product Type
    | Product Type | Re-Use | Destroy |
    |---|---|---|
    | Laptops with embedded storage. | Aiken Workbench V2 | Shredding (6mm) |
    | Network Devices such as routers, switches. | NovaFox Hydra, Manual erasure of Config Files, Memory Flash, Factory Reset function. | Physically Destroy |
    | Smart Phone and Tablets. | Aiken Workbench V2 | Shredding (6mm) |
    | Internet of Things (IOT) (including Smart Watches and games consoles) | Approved factory reset/other approved methods | Shredding (20mm, 6mm) |
    | Printers, Copiers and Multi-function devices | Aiken Workbench V2 | Shredding (20mm, 6mm) |
    | Removable flash such as SD Card and USB or rigid magnetic disks | N/A | Shredding (6mm) |

Schedule 5 Type of Data being processed.

Purposes and scope of the processing, type of data, and categories of data subjects

| Category | Details |
|---|---|
| Type of Controller Data | Personal Data, Special Category etc |
| Type of processing and scope | Data Sanitisation Services on all data bearing media and devices |
| Categories of data subjects | Employees, Customers etc |
| Length of processing | As part of this data processing agreement the processor will sanitise the data within 20 working days |

Schedule 6 Sufficient Guarantees regarding the Processing Activities

The PROCESSOR (Gigacycle Ltd) demonstrates compliance and capability through:

  1. Certifications & Standards
    • ISO 27001 – Information Security Management – UKAS Accredited
    • ISO 9001 – Quality Management System – UKAS Accredited
    • ISO 14001 – Environmental Management – UKAS Accredited
    • Environment Agency – Registered Waste Carrier/Broker/Producer
  2. Technical & Operational Controls
    • Certified data erasure software (ADISA Approved)
    • Degaussing and physical destruction capability
    • Full asset tracking & audit trail
    • Chain of custody procedures
    • Secure transport (tracked vehicles, vetted staff)
  3. Personnel Controls
    • Staff vetting (background checks)
    • Mandatory data protection training
    • Confidentiality agreements
  4. Auditing & Validation
    • Internal audits (regular)
    • External audits (ADISA / clients)
    • Downstream vendor audits (where applicable)
  5. Compliance
    • UK GDPR compliance framework
    • ICO registration: ZA184689
    • Documented policies:
      • Information Security Policy
      • Data Protection Policy
      • Incident Response Plan

Schedule 7 Data Disposal and Retention Policy

As part of this contract and the service Gigacycle provides, we will not retain any data. (This refers to Gigacycle’s own business data, not customer device data.)

  1. Retention Periods
    • Customer records: 6 years (legal requirement)
    • Financial records: 6 years
    • Audit logs & processing records: 3–6 years
    • CCTV footage: 30–90 days (unless required for investigation)
  2. Storage Controls
    • Secure digital systems with access controls
    • Encrypted storage where appropriate
    • Physical records stored in secure facilities
  3. Disposal Methods
    • Digital data:
      • Secure deletion / overwriting
    • Physical documents:
      • Cross-cut shredding or approved contractor
  4. Review Process
    • Annual review of retention schedules
    • Data minimisation principles applied

Schedule 8 Required Credentials

The PROCESSOR agrees to maintain the following for the duration of this contract:

  1. Insurance
    • Public Liability Insurance (minimum £5 million)
    • Employers’ Liability Insurance (minimum £5 million)
    • Professional Indemnity Insurance (minimum £2 million)
  2. Accreditations & Compliance
    • ADISA Certification (or equivalent)
    • ICO Registration: ZA184689
    • ISO Certifications (where applicable)
    • Waste Carrier Licence (Environment Agency)
    • Hazardous Waste Handling Compliance
  3. Operational Credentials
    • Secure facility controls (access, CCTV, alarms)
    • Approved data destruction processes
    • Auditable chain of custody