DPA July 2025
Our Commitment to Data Protection
DATA PROCESSING AGREEMENT
(Updated May 2025)
THE PARTIES AGREE as follows:
1. DEFINITIONS
“Agreement” means the Framework Services Agreement.
“Controller’s Group” means the Controller and any corporate entities that directly or indirectly control, are controlled by, or are under common control with the Controller.
“Data” means all personal data (as defined below) provided by or on behalf of the Controller to the Processor or otherwise collected or obtained by the Processor on behalf of the Controller or otherwise in connection with the Agreement.
“Data Protection Legislation” means any and all data protection and privacy laws throughout the world to the extent they apply to the subject matter of this Agreement, which may include: (i) Regulation 2016/679 of the European Parliament and of the Council (the “GDPR”); (ii) the UK GDPR; (iii) the Data Protection Act 2018; (iv) the California Consumer Privacy Act of 2018 (the “CCPA”); and (v) any other similar data protection laws in any other applicable territory, each as amended, replaced, or superseded.
“DPA” means this Data Processing Agreement.
“Party” means a party to this DPA.
“SCCs” means the standard contractual clauses adopted by the European Commission on 4 June 2021.
The terms “data breach”, “data processor”, “data controller”, “personal data”, “data subject”, “processing” and “supervisory authority” shall be as defined in the Data Protection Act 2018 and UK GDPR.
2. COMPLIANCE
2.1 Each Party shall comply with its respective obligations under the Data Protection Legislation.
2.2 The Controller warrants that it has a lawful basis under Data Protection Legislation for the processing of the Data, and that it has complied with all applicable transparency requirements.
2.3 The Parties agree and acknowledge that where the Processor acts as a data processor in respect of the Data, the following processing may be performed:
Subject-matter: the Data necessary to comply with the Processor’s obligations under the Agreement.
Duration: for the term of the Agreement.
Type of Data: as defined above.
Categories of Data Subjects: the subjects of the Data.
2.4 Where the Processor processes Data on behalf of any member of the Controller’s Group, it shall do so in full compliance with this DPA, and shall be fully liable for any breach by the Processor or any Sub-Processor.
2.5 Nothing in this DPA relieves either Party from its own responsibilities and liabilities under the Data Protection Legislation.
3. PROCESSOR OBLIGATIONS
3.1 The Processor shall:
3.1.1 Process the Data only on documented instructions from the Controller, including with regard to international transfers, unless required by applicable law and, where permitted, shall inform the Controller beforehand.
3.1.2 Ensure all authorised persons are under appropriate confidentiality obligations.
3.1.3 Comply with applicable obligations under the Data Protection Legislation.
3.1.4 Have general authorisation to appoint Sub-Processors, provided that:
the Controller is informed of changes in advance and given an opportunity to object;
any Sub-Processor is subject to equivalent data protection obligations under a written contract.
3.1.5 Remain fully liable for all acts and omissions of Sub-Processors.
3.1.6 Assist the Controller in fulfilling data subject rights requests (including access, rectification, erasure, restriction, objection, and portability), and notify the Controller without undue delay of any such request received.
3.1.7 Assist the Controller in ensuring compliance with Articles 32 to 36 UK GDPR, taking into account the nature of processing and information available.
3.1.8 Notify the Controller without undue delay upon becoming aware of a data breach and assist with related notifications to supervisory authorities or data subjects, if required.
3.1.9 On termination of the Agreement, and at the Controller’s choice, delete or return all Data, unless required to retain it under applicable law. Where retained, such Data shall be securely protected and used only as legally required.
3.1.10 Make available to the Controller all information necessary to demonstrate compliance and allow for audits (including inspections) by the Controller or an auditor mandated by the Controller. The Processor shall inform the Controller if any instruction it receives in connection with such audits, in its opinion, infringes Data Protection Legislation.
4. TRANSFERS OF PERSONAL DATA
4.1 The SCCs shall apply where:
the Controller is subject to the GDPR or UK GDPR;
Personal Data is transferred from the EU, EEA, Switzerland, or UK to a country not recognised as adequate;
no alternative legal mechanism for transfer is available.
4.2 For transfers subject to the UK GDPR, the UK International Data Transfer Addendum to the SCCs shall apply in addition to the SCCs.
4.3 The SCCs (and UK Addendum, if applicable) shall not apply to data that is not transferred outside the EEA or UK.
4.4 If the SCCs or UK Addendum are invalidated or replaced, the Parties shall cooperate in good faith to implement alternative mechanisms ensuring adequate protection.
5. COMMUNICATIONS
5.1 Communications under this DPA shall be in English and in writing, delivered:
by hand or recorded delivery; or
by email to the addresses provided in the Agreement.
6. GENERAL
6.1 If any term of this DPA is found to be invalid or unenforceable, it shall be severed, and the remainder shall remain in effect.
6.2 No variation of this DPA shall be effective unless agreed in writing and signed by both Parties.
6.3 Neither Party may assign or transfer its rights or obligations under this DPA without the prior written consent of the other Party.
7. COUNTERPARTS
7.1 This DPA may be executed in counterparts, each of which constitutes an original and all of which together form one agreement.
8. ARBITRATION
8.1 Any dispute arising from or related to this DPA, including non-contractual matters, shall be resolved by arbitration under the Rules of Arbitration of the International Chamber of Commerce by one arbitrator appointed in accordance with those Rules.
9. GOVERNING LAW
9.1 This DPA and any related non-contractual obligations shall be governed by and construed in accordance with the laws of England and Wales.
Cophi protects your data with industry-leading standards.
We’re committed to transparency and continuous improvement when it comes to information security.
Your insights are safe with us.
Cophi is designed with data privacy and organisational trust at its core — from encryption to responsible data access.
Fully GDPR Compliant
All data is securely stored and processed within the EEA, with encryption both in transit and at rest.
Access Control & SSO
Enterprise-level access via Single Sign-On and user-level control ensures your teams stay secure.
Ongoing Monitoring
We continuously test, assess, and evolve our platform’s security posture through audits and external penetration testing.