Please Read Our Data Processing Agreement

Last updated: 30 April 2026

1. Introduction

This Data Processing Agreement explains how personal data is handled where Conor Bradley Digital Agency processes personal data on behalf of a client.

This agreement forms part of our Terms of Service and applies where we provide services that involve processing personal data for a client, including website hosting, website maintenance, website support, website migrations, SEO, PPC, analytics support, email support, security support or related technical services.

This agreement is intended to meet the requirements for a written contract between a controller and processor under UK data protection law.

2. Parties

In this agreement:

Client, you or your means the person, business, organisation or other entity that purchases or uses our services.

Conor Bradley Digital Agency, we, us or our means Conor Bradley Digital Agency, operated by Conor Bradley in the United Kingdom.

Where this agreement applies, the client is usually the controller and Conor Bradley Digital Agency is usually the processor.

In some situations, we may act as an independent controller for our own business purposes, such as account management, billing, legal compliance, fraud prevention, service administration and direct communications. These activities are covered by our Privacy Policy.

3. Definitions

In this agreement:

Controller, processor, personal data, processing, data subject, personal data breach and special category data have the meanings given to them under UK data protection law.

Data protection laws means the UK GDPR, the Data Protection Act 2018, the Privacy and Electronic Communications Regulations, and any other UK data protection laws that apply.

Services means the services we provide to you under our Terms of Service, quote, proposal, support agreement, service agreement or other written agreement.

Sub processor means another processor we use to help provide the services.

4. Scope of this agreement

This agreement applies where we process personal data on your behalf as part of providing the services.

This may include processing personal data contained in:

• Website files
• Website databases
• Website forms
• Customer accounts
• Order records
• Email accounts
• CRM systems
• Booking systems
• Analytics platforms
• Advertising platforms
• Server logs
• Security logs
• Website backups
• Support tickets
• DNS, hosting or domain systems
• Other systems we access or support for you

This agreement does not apply where we process personal data as an independent controller for our own business purposes. Those activities are covered by our Privacy Policy.

5. Description of processing

The processing covered by this agreement is described below.

Subject matter of processing

The provision of website, hosting, marketing, analytics, technical support and related digital services.

Duration of processing

For the duration of the services and for any further period required for backups, support history, legal obligations, security, dispute handling or agreed retention periods.

Nature and purpose of processing

We may process personal data to:

• Provide website hosting
• Provide website maintenance
• Provide website support
• Provide website migrations
• Provide WordPress support
• Provide email hosting or email support
• Provide SEO services
• Provide PPC and advertising support
• Provide analytics and tracking support
• Provide security monitoring or malware support
• Manage backups
• Troubleshoot technical issues
• Respond to support requests
• Maintain service security and reliability
• Prevent abuse, spam or unauthorised access
• Comply with legal or regulatory obligations
• Provide any other agreed service

Types of personal data

The personal data processed may include:

• Names
• Business names
• Email addresses
• Phone numbers
• Postal addresses
• IP addresses
• Website user account details
• Customer account details
• Order information
• Enquiry details
• Contact form submissions
• Support ticket content
• Website analytics data
• Advertising and conversion data
• Booking information
• CRM data
• Email mailbox data where support is requested
• Server logs
• Security logs
• Device and browser information
• Login or access records
• Other personal data contained in systems, websites, databases, backups or files you provide or ask us to access

Categories of data subjects

The personal data may relate to:

• Your clients
• Your customers
• Your website visitors
• Your employees
• Your contractors
• Your suppliers
• Your leads or prospects
• Your patients, students, members or users where applicable
• People who submit forms through your website
• People who communicate with your business
• People whose data is contained in systems you ask us to access or support

Special category data

We do not intentionally request special category data unless it is necessary for the agreed services.

However, special category data may appear in client websites, forms, emails, databases, uploaded files, support requests, booking systems, medical or health related websites, legal websites, recruitment websites or other client systems.

You are responsible for ensuring you have a lawful basis and any required condition for processing special category data.

You should not provide us with special category data unless it is necessary for the services and lawful for you to do so.

6. Controller responsibilities

As controller, you are responsible for:

• Determining the purpose and lawful basis for processing personal data
• Providing appropriate privacy notices to data subjects
• Obtaining consent where required
• Managing cookie consent where required
• Ensuring personal data is accurate and lawful
• Ensuring your website, forms, CRM, emails and systems comply with applicable data protection laws
• Ensuring you have the right to share personal data with us
• Ensuring your instructions to us are lawful
• Responding to data subject requests where you are responsible for doing so
• Maintaining your own records of processing where required
• Carrying out data protection impact assessments where required
• Informing us of any special requirements, risks or sensitive data involved in the services

You confirm that all personal data provided to us or made available to us has been collected and shared lawfully.

7. Processor responsibilities

As processor, where we process personal data on your behalf, we will:

• Process personal data only on your documented instructions, unless required by law
• Keep personal data confidential
• Ensure people authorised to process the data are subject to confidentiality obligations
• Use appropriate technical and organisational security measures
• Assist you with data subject requests where reasonably possible
• Assist you with personal data breach obligations where reasonably possible
• Assist with data protection impact assessments where reasonably required
• Use sub processors only in line with this agreement
• Delete or return personal data at the end of the services, subject to backups, legal obligations, security, disputes and legitimate retention needs
• Make available information reasonably necessary to demonstrate compliance with processor obligations
• Notify you if, in our opinion, an instruction infringes data protection law
• Not sell personal data processed on your behalf

8. Documented instructions

You instruct us to process personal data as necessary to provide the services, comply with the Terms of Service, perform agreed support, maintain security, manage backups, troubleshoot issues and comply with applicable law.

Additional instructions may be given through:

• Quotes
• Proposals
• Support tickets
• Emails
• Project briefs
• Service agreements
• Client area requests
• Written approvals
• Other written communications

We are not required to follow instructions that are unlawful, unreasonable, technically unsafe, outside the agreed scope, or likely to compromise security, service reliability or third party rights.

Where your instructions require work outside the agreed services, additional technical work, data exports, data restoration, investigation, reporting or specialist support, we may charge a reasonable fee unless prohibited by law.

9. Confidentiality

We will ensure that people authorised to process personal data are subject to confidentiality obligations.

This may include employees, contractors, freelancers, technical providers, support providers or other authorised personnel involved in providing the services.

10. Authorised personnel

We will take reasonable steps to ensure that anyone authorised to process personal data on our behalf only does so where necessary to provide the services.

Authorised personnel may include employees, contractors, freelancers, technical support providers or other people who need access to provide, maintain, secure or support the services.

We will take reasonable steps to ensure authorised personnel understand their confidentiality and data protection responsibilities.

11. Security measures

We will use appropriate technical and organisational measures designed to protect personal data against unauthorised access, loss, misuse, alteration, disclosure or destruction.

These measures may include, where appropriate:

• Password protected systems
• Two factor authentication where available
• Access controls
• Secure hosting environments
• Firewalls and security tools
• Malware scanning or monitoring
• Encrypted connections where available
• Backups where included in the service
• Software updates where included in the service
• Restricting access to people who need it
• Logging and monitoring where appropriate
• Use of reputable suppliers and technical providers
• Removing or restricting access where it is no longer required

You acknowledge that no website, server, email system, software platform or online service can be guaranteed to be completely secure.

12. Client security responsibilities

You are responsible for:

• Using strong passwords
• Using two factor authentication where available
• Restricting access to authorised users
• Removing users who no longer need access
• Keeping your own devices secure
• Keeping your own systems and software secure where they are not managed by us
• Ensuring staff, contractors or users handle data appropriately
• Keeping independent backups where appropriate
• Informing us promptly of suspected security issues
• Ensuring your own website users, staff or suppliers follow appropriate security practices

We are not responsible for personal data breaches, data loss or unauthorised access caused by your own actions, your users, weak passwords, compromised devices, third party access, insecure plugins, external platforms or systems outside our control.

13. Sub processors

You give us general written authorisation to use sub processors where necessary to provide the services.

Sub processors may include providers of:

• Hosting infrastructure
• Server infrastructure
• Domain registration
• DNS services
• Email services
• Backup services
• Security tools
• Malware scanning
• Website software
• WordPress plugins and themes
• Payment processing
• Billing systems
• Support systems
• Analytics tools
• Advertising platforms
• Review widgets
• Cloud storage
• Project management tools
• Professional services
• Other technical or operational services needed to provide the services

We will take reasonable steps to ensure sub processors provide appropriate protection for personal data.

Where required, we will ensure sub processors are subject to written terms that provide appropriate data protection obligations.

Where we appoint a sub processor, we will remain responsible for the sub processor’s performance of its data protection obligations to the extent required by applicable data protection law.

14. Changes to sub processors

We may add, replace or change sub processors where needed to provide, maintain, improve, secure or support the services.

Where a change is likely to materially affect the processing of personal data, we will try to provide reasonable notice where practical.

If you object to a sub processor change, you must notify us in writing and explain the reason for the objection.

If we cannot reasonably resolve the objection, either party may need to end the affected service.

15. International transfers

Some services, platforms or sub processors may process personal data outside the United Kingdom.

Where personal data is transferred outside the UK, we will rely on appropriate safeguards where required, such as adequacy regulations, standard contractual clauses, international data transfer agreements or other lawful transfer mechanisms recognised under UK data protection law.

You acknowledge that some third party platforms, such as analytics, advertising, email, software, cloud or support services, may involve international processing depending on how those services operate.

16. Data subject requests

If we receive a request from a data subject relating to personal data we process on your behalf, we will normally refer the request to you where we can identify you as the controller.

You are responsible for responding to data subject requests where you are the controller.

We will provide reasonable assistance where possible and where required by law.

Additional work required to support complex, excessive or time consuming requests may be chargeable unless otherwise agreed.

17. Personal data breaches

If we become aware of a personal data breach affecting personal data we process on your behalf, we will notify you without undue delay after becoming aware of it.

Our notification may include, where available:

• The nature of the breach
• The data or systems affected
• Likely consequences
• Measures taken or proposed
• Information reasonably available at the time

You are responsible for deciding whether the breach must be reported to the ICO or affected individuals, unless we are legally required to report it ourselves.

We will provide reasonable assistance where possible.

You must notify us promptly if you become aware of a security incident or suspected personal data breach involving services we provide.

18. Deletion or return of data

At the end of the services, we will delete or return personal data processed on your behalf where reasonably possible and where required by law.

You acknowledge that:

• Some data may remain in backups until overwritten or deleted through normal backup cycles
• Some records may be retained for legal, accounting, security, billing, dispute or compliance reasons
• Some data may be retained in support tickets, logs or audit records where reasonably necessary
• Some deletion may not be possible where data is controlled by third party platforms or suppliers
• Data may be permanently deleted following cancellation, suspension or termination in line with our Terms of Service

You are responsible for downloading, exporting or backing up any data you require before services end.

19. Assistance with compliance

Where reasonably possible, and taking into account the nature of the processing and information available to us, we will assist you with:

• Data subject rights requests
• Security obligations
• Personal data breach obligations
• Data protection impact assessments
• Consultation with supervisory authorities where required

Assistance may be chargeable where it requires significant time, technical work, investigation, reporting, exporting, restoration or specialist support.

20. Audits and information

We will make available information reasonably necessary to demonstrate compliance with our processor obligations under this agreement.

Where required by law, we will allow for and contribute to reasonable audits or inspections.

Audits must:

• Be requested in writing
• Be limited to what is necessary
• Be carried out during normal business hours
• Not compromise security, confidentiality, other clients, systems or supplier obligations
• Not unreasonably disrupt our business
• Be subject to reasonable confidentiality requirements

We may provide documentation, summaries, security information, supplier information or written responses instead of direct system access where this is sufficient and appropriate.

You are responsible for your own audit costs. We may charge reasonable fees for time spent supporting audits, unless prohibited by law.

21. Records

We may keep records relating to processing activities where required or useful for compliance, security, billing, support, legal obligations or dispute handling.

You are responsible for maintaining your own records of processing where required by law.

22. Data location and hosting

Unless agreed otherwise, hosting and processing locations may depend on the service, hosting provider, platform, supplier or technical setup used.

We may move data between servers, data centres, hosting environments or suppliers where reasonably necessary for security, performance, maintenance, support, migration, disaster recovery, supplier changes or service continuity.

Where this involves international transfers of personal data, the international transfers section of this agreement applies.

23. Data backups

Where backups are included in a service, they are provided subject to the Terms of Service and the specific service purchased.

Backups may contain personal data.

Backups may be retained for limited periods and overwritten or deleted according to backup schedules.

Backups are not guaranteed unless specifically agreed in writing.

You should maintain your own independent backups where appropriate.

24. Support tickets and communications

Support tickets, emails, messages and other communications may contain personal data.

We may retain support records to provide service history, evidence instructions, troubleshoot issues, maintain security, manage disputes, comply with legal obligations and improve services.

You should avoid including unnecessary personal data or sensitive data in support requests.

25. Special category data and high risk data

You must tell us in writing if the services involve special category data, criminal offence data, children’s data, large scale sensitive data or other high risk personal data.

You are responsible for ensuring that any such data is processed lawfully and that appropriate safeguards are in place.

We may refuse to process high risk data or require additional terms, safeguards or fees where appropriate.

26. Email and mailbox access

Where you ask us to support email hosting, mailboxes or email delivery, we may process personal data contained in email account details, routing information, DNS records, mail logs, support information or mailbox content where access is required.

You should not provide mailbox access unless it is necessary for support.

Where possible, you should provide temporary access, test accounts or limited access rather than full mailbox access.

27. Analytics, advertising and tracking data

Where we provide SEO, PPC, analytics, conversion tracking or reporting services, we may process personal data or pseudonymous data contained in analytics, advertising, tracking, call tracking, form tracking or reporting systems.

You are responsible for ensuring that your website privacy notices, cookie notices and consent mechanisms cover the tracking technologies used.

We are not responsible for unlawful tracking caused by missing consent, incorrect cookie settings, third party scripts added by others or client instructions that do not comply with data protection law.

28. Client websites and forms

Where we host, maintain or support your website, you are responsible for ensuring that your own website has suitable privacy notices, cookie notices, consent mechanisms and lawful bases for collecting personal data.

This includes personal data collected through:

• Contact forms
• Quote forms
• Booking forms
• Order forms
• Newsletter forms
• Live chat
• Analytics tools
• Advertising tracking
• Customer accounts
• Payment forms
• Embedded third party services

We are not responsible for the legal compliance of your website privacy wording, cookie consent, forms, tracking or marketing unless we have been specifically engaged to advise on or implement those items.

29. Domain names and registration data

Where we provide domain registration, renewal, transfer or management services, personal data may be processed by registrars, registries, registry operators, domain authorities, WHOIS/RDAP systems, escrow providers and other domain related providers.

Some domain registration processing may be carried out by third parties as independent controllers rather than processors.

Domain registration processing is also covered by our Privacy Policy and Terms of Service.

30. Overseas clients

We may provide services to clients based outside the United Kingdom.

Where you are based outside the UK, you are responsible for ensuring that your use of our services and any personal data provided to us complies with the data protection, privacy, marketing, tax and business laws that apply in your own country or location.

We do not provide legal, tax or regulatory advice for overseas jurisdictions.

31. Liability

Each party remains responsible for complying with its own obligations under applicable data protection law.

Nothing in this agreement limits or excludes liability where it would be unlawful to do so.

Our liability under this agreement is subject to the limitation of liability provisions in our Terms of Service, unless applicable law requires otherwise.

32. Conflict

If there is a conflict between this Data Processing Agreement and our Terms of Service, this Data Processing Agreement will apply only to the extent of the conflict in relation to the processing of personal data where we act as processor.

For all other matters, the Terms of Service continue to apply.

33. Changes to this agreement

We may update this Data Processing Agreement from time to time to reflect changes in law, guidance, services, suppliers, technology or business operations.

The latest version will be published on our website with the updated date.

If changes materially affect active services, we will try to provide reasonable notice where practical.

34. Governing law

This Data Processing Agreement is governed by the laws of England and Wales.

35. Schedule 1: Processing details

Subject matter

The provision of website, hosting, domain, email, marketing, analytics, advertising, maintenance, migration, support and related digital services.

Duration

For the duration of the services and for any further period required for backups, legal obligations, billing, support history, security, dispute handling or agreed retention periods.

Nature and purpose

The processing of personal data to provide, maintain, secure, support, troubleshoot, migrate, back up, monitor, improve and administer the services.

Types of personal data

Names, business names, email addresses, phone numbers, postal addresses, IP addresses, account details, enquiry data, website user data, order data, analytics data, advertising data, support data, email data where support is requested, logs, database content, website files and any other personal data contained in client systems that we are asked to access or support.

Categories of data subjects

Clients, customers, website visitors, leads, prospects, employees, contractors, suppliers, users, members, patients, students, form submitters, account holders and any other individuals whose data is contained in systems we are asked to host, access, migrate, maintain or support.

Processing operations

Hosting, storage, access, retrieval, consultation, copying, transfer, backup, restoration, troubleshooting, security monitoring, deletion, modification, migration, reporting, support and other processing necessary to provide the services.

36. Contact

For questions about this Data Processing Agreement, please contact:

Conor Bradley Digital Agency
Website: https://conorbradley.co.uk
General contact: ku.oc.yeldarbronoc@tcatnoc
Privacy contact: ku.oc.yeldarbronoc@ycavirp
ICO registration number: ZC135245