Our DPA, in writing.
When we process personal data on behalf of a client — for example, the admin logins of your team using a CMS we’ve built — UK GDPR Article 28 requires a written agreement between us. This is it. It applies to any engagement WBD undertakes for you in which we act as your data processor.
1. Parties and scope
This Data Processing Agreement (“DPA”) is entered into between Where Beagles Dare Ltd trading as WBD (the “Processor”) and any client of WBD (the “Controller”) who has engaged WBD under a statement of work, engagement letter, or other commercial agreement (each, a Services Agreement) under which WBD processes Personal Data on the Controller’s behalf.
This DPA forms part of, and is incorporated by reference into, the Services Agreement. Where the Services Agreement and this DPA conflict on a data-protection matter, this DPA prevails.
This DPA is dormant for engagements in which WBD does not process any Personal Data on the Controller’s behalf (e.g. design or copywriting engagements with no live data touchpoint). It activates automatically the moment such processing begins.
2. Definitions
Capitalised terms not defined here have the meaning given in the UK GDPR (the United Kingdom General Data Protection Regulation, as retained and amended) and the Data Protection Act 2018 (together, Data Protection Law).
“Personal Data”, “Process”, “Processing”, “Controller”, “Processor”, “Sub-processor”, “Data Subject”, “Personal Data Breach”, and “Supervisory Authority” carry their Data Protection Law meanings.
3. Roles and instructions
The Controller is the data controller, and WBD is the processor, in relation to the Personal Data described in Schedule 1.
WBD will process Personal Data only on the documented instructions of the Controller, including the instructions set out in the Services Agreement and this DPA, unless required to do otherwise by UK or EU law. Where WBD believes an instruction infringes Data Protection Law, it will tell the Controller without delay.
4. Confidentiality and personnel
WBD will ensure that any person it authorises to process Personal Data is bound by confidentiality obligations (whether contractual or statutory) and has received appropriate data-protection training. Access is limited to those who need it to deliver the Services.
5. Security
WBD will implement appropriate technical and organisational measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access. The measures currently in place are described in Schedule 3 and are reviewed and updated as the Services and the threat landscape evolve.
6. Sub-processors
The Controller authorises WBD to engage the Sub-processors listed in Schedule 2 as at the date of this DPA. WBD may engage new Sub-processors and will give the Controller at least 30 days’ prior written notice (which may be by email or by an update to this page on wewbd.com flagged in the “updated” date), during which the Controller may object on reasonable data-protection grounds. If the parties cannot resolve the objection, the Controller may terminate the affected part of the Services Agreement.
WBD will impose on each Sub-processor data-protection obligations substantially the same as those set out in this DPA, and remains liable to the Controller for the acts and omissions of its Sub-processors as if they were its own.
7. Data subject rights
Taking into account the nature of the processing, WBD will assist the Controller by appropriate technical and organisational measures in fulfilling its obligation to respond to requests from Data Subjects exercising their rights under Data Protection Law (access, rectification, erasure, restriction, portability, objection). WBD will forward any such requests it receives directly to the Controller without undue delay rather than responding itself.
8. Personal data breaches
WBD will notify the Controller without undue delay, and in any event within 48 hours, after becoming aware of a Personal Data Breach affecting the Controller’s Personal Data. The notice will include the information the Controller needs to meet its own notification obligations to the Information Commissioner’s Office and affected Data Subjects.
9. Data protection impact assessments
WBD will provide the Controller with reasonable assistance in carrying out data protection impact assessments and any related prior consultations with the Supervisory Authority, where required by Data Protection Law and where the assistance relates to WBD’s processing under the Services Agreement.
10. International transfers
Some Sub-processors listed in Schedule 2 are based outside the UK and EEA. Where Personal Data is transferred to such a Sub-processor, the transfer relies on the UK International Data Transfer Addendum to the EU Standard Contractual Clauses, the EU Standard Contractual Clauses, an adequacy decision (including the UK Extension to the EU-US Data Privacy Framework where applicable), or another lawful transfer mechanism under Data Protection Law. WBD will provide copies of the safeguards in place on request.
11. Audits and information
WBD will make available to the Controller all information reasonably necessary to demonstrate compliance with this DPA and Article 28 of the UK GDPR. The Controller (or an independent auditor it mandates, bound by appropriate confidentiality obligations) may audit WBD’s processing of Personal Data once per twelve-month period on at least 30 days’ written notice, at a mutually agreed time, during normal business hours, and in a manner that does not unreasonably disrupt WBD’s operations. The Controller bears the reasonable costs of any audit it conducts.
12. Return or deletion of personal data
On termination or expiry of the Services Agreement, or earlier on the Controller’s written request, WBD will (at the Controller’s choice) return all Personal Data it processes on the Controller’s behalf, or delete it, and delete any existing copies, except to the extent UK or EU law requires WBD to retain specific data. Records that fall under WBD’s own statutory retention obligations (e.g. accepted quotes and invoices held under tax and company-law rules) are retained as set out in the WBD privacy notice.
13. Liability
The liability of each party under or in connection with this DPA is governed by, and subject to, the limitations and exclusions set out in the Services Agreement. Nothing in this DPA limits a Data Subject’s rights, or either party’s liability to a Data Subject or a Supervisory Authority under Data Protection Law.
14. Governing law
This DPA is governed by the laws of England and Wales. Any dispute about it will be settled in the exclusive jurisdiction of the courts of England and Wales.
Schedule 1 — Details of processing
Subject matter. The Personal Data the Controller makes accessible to WBD in the course of the Services Agreement, and which WBD processes on the Controller’s behalf.
Duration. For the term of the Services Agreement and the wind-down period set out in clause 12.
Nature and purpose. Designing, building, deploying, and maintaining digital products (most commonly e-commerce sites and adjacent applications), migrating content and configuration from prior systems, and providing ongoing support — in each case only to the extent those activities require Personal Data to be processed.
Categories of Personal Data.
- Identification and contact details of the Controller’s staff and stakeholders (names, work emails, job titles, phone numbers)
- Authentication credentials for staff using systems WBD builds or administers on the Controller’s behalf (usernames, hashed passwords or comparable secrets, session tokens)
- During migrations or cutovers only: customer records or subscriber records being transferred between systems (names, email addresses, order history, addresses where applicable), for the limited period of the migration
- Content the Controller chooses to publish on its own site that happens to contain Personal Data (e.g. a team page, a customer testimonial)
WBD does not request, and is not engaged to process, special categories of Personal Data (Article 9 UK GDPR) or criminal-offence data (Article 10) unless the Controller specifically instructs otherwise in writing.
Categories of Data Subjects.
- The Controller’s employees, contractors, and stakeholders
- The Controller’s customers, prospects, and subscribers (during migrations only)
- Individuals whose Personal Data the Controller chooses to publish on its site
Schedule 2 — Sub-processors
WBD currently uses the Sub-processors listed below in delivering its Services. The list reflects the position at the “updated” date at the foot of this page. WBD will give the Controller at least 30 days’ prior notice of any change.
| Sub-processor | Purpose | Location |
|---|---|---|
| Sanity | Content management, structured data and asset storage for sites WBD builds | United States (EU+US regions) |
| Vercel / Railway | Hosting and edge delivery of sites and applications | Global (EU regions where configured) |
| Cloudflare | DNS, edge caching, and bot mitigation | Global |
| Resend | Transactional email infrastructure for sites WBD builds | United States |
| Shopify | E-commerce platform for client stores built on Shopify (where applicable to a given engagement) | Canada (global edge) |
| GitHub | Source-code repository and deployment pipeline | United States |
Engagement-specific Sub-processors (e.g. a client’s chosen ESP, analytics provider or payment gateway, where the Controller directs WBD to integrate with one) are recorded in the Services Agreement for that engagement.
Schedule 3 — Technical and organisational measures
Access control. Production systems are accessible only to named WBD personnel, with individual accounts, multi-factor authentication, and role-based permissions. Access is reviewed periodically and removed promptly when no longer required.
Encryption. Personal Data is encrypted in transit (TLS 1.2 or higher) and at rest in the stores listed in Schedule 2. Secrets and API credentials are held in encrypted vaults, never in source code.
Network security. All production endpoints are exposed over HTTPS. Cloudflare provides edge mitigation against denial-of-service and automated abuse. Bot challenges are applied at public ingress points where Personal Data could be submitted.
Code and change management. All changes to production code go through version control (Git) and are reviewable. Deployments are scripted and reproducible. Production credentials are scoped narrowly and rotated when personnel changes occur.
Data minimisation. WBD collects only the Personal Data necessary to deliver the Services. Test and staging environments do not use live Personal Data unless the Controller specifically requires it and supplies anonymisation parameters.
Backups and resilience. Sites WBD builds rely on the durability guarantees of the providers in Schedule 2. Where the engagement includes managed hosting, backups are scheduled at a frequency appropriate to the Services Agreement and tested for restorability.
Incident response. WBD maintains a documented procedure for detecting, triaging, containing, and reporting Personal Data Breaches, including the 48-hour notification commitment in clause 8.
Personnel training. Anyone authorised to access Personal Data receives appropriate data-protection guidance and is bound by written confidentiality obligations.
Physical security. WBD has no physical data centres; all data resides with the cloud-infrastructure providers in Schedule 2, each of which maintains its own audited physical-security regime (typically ISO 27001 / SOC 2). Workstations used by WBD personnel are full-disk encrypted, password-protected, and centrally manageable.
Execution
This DPA may be incorporated into the Services Agreement by reference, or signed separately by the parties below. Where signed, the signatures may be electronic (typed name + date) under the Electronic Communications Act 2000.