Data Processing Agreement (DPA)

Last updated: 08 September 2025

Introduction

This Data Processing Agreement ("DPA") forms part of the Terms of Service (the "Agreement") between addbuttr ltd (Company No. 16280270, registered in England and Wales, with its registered office at 71–75 Shelton Street, Covent Garden, London, UK, WC2H 9JQ) ("addbuttr", "we", "us") and the legal entity that has entered into the Agreement ("Client", "you"). By using the Services, you agree that this DPA governs addbuttr's processing of Personal Data on your behalf. Capitalised terms not defined here have the meanings set out in the Agreement or applicable Data Protection Laws.

1. Scope

This DPA applies to addbuttr's processing of Client Personal Data as Processor on behalf of Client (acting as Controller) in the course of providing the Services. The Agreement serves as written instructions for all Processing, unless Client provides additional documented instructions.

2. Definitions

Client Personal Data: any Personal Data uploaded to or generated in the Services by or for Client, which addbuttr processes on Client's behalf. Data Protection Laws: UK GDPR, the Data Protection Act 2018, and any other applicable data protection legislation. Standard Contractual Clauses (SCCs): the EU SCCs (Commission Decision 2021/914) and/or the UK International Data Transfer Agreement or Addendum, as applicable. Other terms (Controller, Processor, Personal Data, Processing, Sub-processor, etc.) have the meanings given in Data Protection Laws.

3. addbuttr's Responsibilities as Processor

Instructions: We process Client Personal Data only on documented instructions, including as necessary to deliver and improve the Services, unless required by law.
Confidentiality: We ensure that anyone authorised to process Client Personal Data is bound by confidentiality obligations.
Security: We implement and maintain appropriate technical and organisational security measures (see Appendix 2).
Breach Notification: We will notify you without undue delay after becoming aware of a Personal Data Breach affecting Client Personal Data, and provide information to support your obligations under Data Protection Laws.
Assistance: We will assist you in fulfilling your obligations to respond to Data Subject requests and to comply with Articles 32–36 UK/EU GDPR (security, DPIA, breach notification, consultation).
Return/Deletion: Upon termination of the Agreement, we will delete or return Client Personal Data at your choice (unless required by law to retain).
Audit: We will make available information to demonstrate compliance with this DPA (such as security certifications or summaries) and allow reasonable audits in line with the Agreement.

4. Client Responsibilities

Client is responsible for:
Ensuring all lawful bases, notices, and consents are in place before instructing addbuttr to process Personal Data.
Not instructing addbuttr to process Personal Data in a manner that breaches Data Protection Laws.
The accuracy, quality, and legality of Client Personal Data.

5. Sub-processors

Authorised Sub-processors: Client authorises addbuttr to use the Sub-processors listed in Appendix 1.
Conditions: We will impose equivalent data-protection obligations on Sub-processors and remain liable for their performance.
Changes: We will notify you of intended changes at least 15 days in advance, giving you the right to object on reasonable data-protection grounds.

6. International Transfers

Some of addbuttr's Sub-processors are located outside the UK and the European Economic Area (EEA), as listed in Appendix 1. Whenever Client Personal Data is transferred to a country that does not have an adequacy decision under applicable Data Protection Laws:
The parties agree that the Standard Contractual Clauses (SCCs) approved by the European Commission and/or the UK International Data Transfer Agreement (IDTA) or Addendum will automatically apply and are incorporated by reference into this DPA.
addbuttr will ensure that any Sub-processor located outside the UK/EEA is bound by equivalent contractual obligations that provide adequate protection for Client Personal Data.
The technical and organisational measures described in Appendix 2 apply equally to all international transfers.
Execution of the Agreement and this DPA constitutes execution of the SCCs and/or UK IDTA/Addendum between Client (as data exporter) and addbuttr (as data importer).

7. Details of Processing

Subject Matter: Provision of the addbuttr SaaS platform.
Duration: Term of the Agreement plus any required retention period.
Nature & Purpose: Collection, storage, analysis, and reporting of survey and cultural data to deliver the Services.
Categories of Data Subjects: Employees and Candidates of Client; other individuals whose data Client chooses to upload.
Categories of Personal Data: Contact data (name, email), survey responses, motivator/feedback data, usage data (IP, device information), and any other data Client uploads.
Special Category Data: addbuttr does not intentionally process special-category data unless Client configures surveys to capture it. Client is responsible for ensuring any such collection complies with Data Protection Laws.

8. Limitation of Liability

Each party's liability under this DPA is subject to the limitations set out in the Agreement, except that no limitation applies to breaches of Data Protection Laws resulting in administrative fines attributable to that party.

9. Conflicts

If this DPA conflicts with the Agreement, this DPA prevails with respect to processing of Client Personal Data.

10. Contact

Questions about this DPA? Email: info@addbuttr.com

Appendix 1 – Current Sub-processors

Amazon Web Services EMEA SARL (AWS) - Cloud hosting & storage (EU - Ireland).
Cloudflare, Inc. - Content delivery network & edge security (Global - primary data centres EU/US).
Postmark - Transactional email delivery (US).
OpenAI, LLC - AI-powered analysis & insights (US).
Stripe, Inc. - Payment Processing (US).

Appendix 2 – Technical and Organisational Security Measures

Access Controls: Role-based access; MFA for privileged accounts; least-privilege enforced.
Encryption: TLS 1.2+ in transit; AES-256 at rest.
Network Security: Firewalling, intrusion detection, DDoS protection (via Cloudflare).
Backups & Continuity: Encrypted backups.
Vulnerability Management: Regular automated scans; prompt patching.
Vendor Management: Due diligence and monitoring of all Sub-processors.