Data Processing Agreement

This Data Processing Agreement ("DPA") forms part of the agreement between you ("Customer", "Controller") and AVASOFT INNOVATION LTD. (registered in England and Wales, No. 16368580) ("we", "us", "Processor") for use of Stratford IQ. It sets out the terms under which we process personal data on your behalf.

1. Definitions

  • "Personal Data" means any information relating to an identified or identifiable natural person.
  • "Processing" means any operation performed on Personal Data, including collection, storage, use, disclosure, or deletion.
  • "Controller" means the entity that determines the purposes and means of Processing.
  • "Processor" means the entity that Processes Personal Data on behalf of the Controller.
  • "Sub-processor" means any third party engaged by the Processor to Process Personal Data.
  • "Data Subject" means an identified or identifiable natural person whose Personal Data is Processed.
  • "UK GDPR" means the General Data Protection Regulation as it forms part of UK law, together with the UK Data Protection Act 2018.

2. Roles of the parties

2.1 Our compiled intelligence data

AVASOFT INNOVATION LTD. (registered in England and Wales, No. 16368580) is the independent data controller for the business intelligence data we compile from public sources (Companies House, public registers, lawful web crawls). This includes information about UK companies and associated individuals such as directors, officers, and persons with significant control. We determine the purposes and means of this Processing in accordance with our Privacy Policy.

2.2 Customer-uploaded data

Where you upload or provide Personal Data for Processing by the Service (such as contact lists for data cleansing or enrichment), you are the Controller and we act as your Processor. We will Process such data only in accordance with your documented instructions and this DPA.

3. Subject matter & scope of processing

Categories of Personal Data

  • Names, job titles, and professional biographies.
  • Professional contact details (email, phone, social profiles).
  • Role information, notes, and classifications you provide.
  • Any other Personal Data contained in files you upload.

Categories of Data Subjects

  • Directors, officers, and PSCs of UK companies.
  • Business contacts and prospects you provide.
  • Third parties involved in compliance workflows.

4. Nature & purpose of processing

Processing includes storage, validation, cleansing, enrichment, analysis, scoring, and export of Personal Data for the purpose of providing business intelligence, compliance support, and lead generation functionality through Stratford IQ. Processing continues for the term of your subscription plus any post-termination retention period required for legal, accounting, or audit purposes (normally up to twelve months).

5. Processor obligations

As Processor, we will:

  • Process Personal Data only on your documented instructions, unless required by UK or EU law (in which case we will notify you where lawful).
  • Ensure that personnel authorised to Process Personal Data are bound by confidentiality obligations.
  • Implement appropriate technical and organisational security measures as described in Section 8.
  • Assist you in responding to Data Subject requests (access, rectification, erasure, portability, objection) within statutory timeframes.
  • Assist you with data protection impact assessments and prior consultations with supervisory authorities where our Processing is relevant.
  • Notify you without undue delay after becoming aware of a Personal Data breach affecting data we Process on your behalf.
  • Delete or return Personal Data at the end of Processing, subject to any legal retention requirements.
  • Make available information necessary to demonstrate compliance with this DPA and allow for audits as described in Section 10.

6. Controller obligations

As Controller, you will:

  • Ensure you have a lawful basis for any Personal Data you provide to us for Processing.
  • Provide clear, documented instructions regarding the Processing of Personal Data.
  • Comply with all applicable data protection laws in your use of the Service and any outputs.
  • Ensure any direct marketing activities using data from the Service comply with PECR and applicable regulations.
  • Notify us promptly of any Data Subject requests or complaints that require our assistance.

7. Sub-processors

You authorise us to engage the Sub-processors listed below. Each Sub-processor is bound by a written agreement requiring equivalent data protection safeguards. We remain fully liable for Sub-processor performance.

Sub-processor | Service | Location | Safeguard
Postmark | Transactional email delivery | EU / USA | SCCs with UK Addendum

Payment processing is provided by Paddle, which acts as an independent data controller for billing data under its own privacy policy and is not a Sub-processor under this DPA.

We will notify you of any intended changes to Sub-processors with reasonable notice. You may object on legitimate grounds, in which case we will work with you to find an alternative solution or you may terminate the affected services.

8. Security measures

We implement appropriate technical and organisational measures to protect Personal Data, including:

  • Encryption in transit (TLS 1.2+) and encryption at rest for stored data.
  • Role-based access control, multi-factor authentication, and least-privilege access policies.
  • Continuous monitoring.
  • Documented disaster recovery and incident response procedures.

9. International transfers

Where Personal Data is transferred outside the UK or EEA, we rely on adequacy regulations or approved safeguards such as the UK Addendum to the EU Standard Contractual Clauses. Transfer mechanisms for each Sub-processor are identified in Section 7. Details of hosting regions are available upon request.

10. Audit & compliance

We will provide documentation, certifications, and compliance reports reasonably necessary to demonstrate compliance with Article 28 of UK GDPR. You may conduct audits with reasonable advance notice (not less than 30 days), during normal business hours, and subject to appropriate confidentiality undertakings. Audits shall not unreasonably disrupt our operations. We will cooperate with supervisory authority enquiries and data protection impact assessments where our Processing is relevant.

11. Data Subject requests

If we receive a request from a Data Subject regarding Personal Data we Process on your behalf, we will promptly notify you and provide reasonable assistance to enable you to respond. We will not respond directly to Data Subjects except to direct them to you, unless legally required or you instruct us otherwise.

12. Data breach notification

We will notify you without undue delay (and in any event within 72 hours where feasible) after becoming aware of a Personal Data breach affecting data we Process on your behalf. Notification will include the nature of the breach, categories and approximate numbers of Data Subjects and records affected, likely consequences, and measures taken or proposed to address the breach.

13. Termination & data return

Upon termination of the agreement, we will delete or return all Personal Data you have uploaded for Processing within 30 days. You may request a copy of your data in a commonly used format before deletion. Billing and transaction records may be retained for up to twelve months as required for legal, accounting, or audit purposes, after which they will be securely deleted.

14. Liability

Liability under this DPA is subject to the limitations set out in our Terms and Conditions. Nothing in this DPA excludes or limits liability for breaches of data protection law to the extent such exclusion or limitation is prohibited by applicable law.

15. Governing law

This DPA is governed by the laws of England and Wales. Disputes are subject to the exclusive jurisdiction of the courts of England and Wales.

Contact

Questions about this DPA can be sent to support@stratfordiq.com.

Last updated: 1st January 2026