Data Processing Addendum (DPA)
Last updated: May 2026 • UK GDPR Article 28 compliant
1. Background
This Data Processing Addendum ("DPA") forms part of the agreement between Inclusive IT Solutions ("Processor", "we") and the Customer ("Controller", "you") for the supply of services that involve the processing of personal data within the meaning of the UK GDPR and the Data Protection Act 2018.
When we provide our Microsoft 365 cost audit, cloud usage analysis or licensing management services, we act as processor on your behalf and you act as controller.
2. Subject matter, nature and purpose of processing
We process personal data only to provide the services requested — specifically:
- Reading licence assignment, sign-in activity and group membership from your Microsoft 365 tenant (audit service)
- Reading billing and cost data from your connected Microsoft Azure, Google Cloud, or Amazon Web Services accounts (cloud usage service)
- Storing portal user accounts, support tickets and invoice records (portal service)
The duration of processing is the term of the underlying agreement plus the retention period stated in §10.
3. Categories of data subjects and personal data
Data subjects: your employees, contractors and end users whose accounts exist in systems you connect to our services.
Categories of personal data: work email address, display name, last sign-in date, licence assignment, cost-centre tags. We do not process special-category data (Article 9 UK GDPR) under any circumstances.
4. Sub-processors
We use the following sub-processors. We will give 30 days' notice of any intended addition or replacement.
| Sub-processor | Service | Region |
|---|---|---|
| Amazon Web Services EMEA SARL | Hosting, storage, identity, email, observability | UK (eu-west-2) |
| Microsoft Ireland Operations Limited | Authentication, Microsoft 365 audit telemetry | EU/UK |
| Xero (UK) Limited | Invoicing | UK / Australia |
| Amazon SES (within AWS EMEA SARL) | Outbound transactional email | UK (eu-west-2) |
5. Processor obligations
We will:
- Process personal data only on your documented instructions, including with regard to international transfers (Article 28(3)(a))
- Ensure that all persons authorised to process the personal data are bound by confidentiality (Article 28(3)(b))
- Implement the technical and organisational measures listed in §6 (Article 32)
- Engage sub-processors only with your prior general written authorisation, which you give by accepting this DPA (Article 28(2) and 28(4))
- Assist you in responding to data subject access, rectification, erasure, restriction, portability, and objection requests (Article 28(3)(e))
- Assist you in complying with your obligations under Articles 32–36 (security, breach notification, DPIAs) (Article 28(3)(f))
- Return or delete all personal data at the end of the agreement, unless retention is required by law (Article 28(3)(g))
- Make available all information necessary to demonstrate compliance, and contribute to audits (Article 28(3)(h))
6. Technical and organisational measures (Article 32)
Our infrastructure runs in AWS eu-west-2 (London). The measures in place are:
- Encryption: all customer data is encrypted in transit (TLS 1.2 or higher) and at rest (AES-256).
- Production access: restricted to a small set of authorised engineers via AWS SSO (IAM Identity Center) with MFA enforced.
- Portal authentication: Amazon Cognito with adaptive risk scoring; sessions expire after 30 minutes idle.
- Detection and audit logging: AWS GuardDuty and Security Hub for threat detection; CloudTrail audit logs retained for 365 days.
- Backup: AWS Backup for RDS and EBS with 30-day retention.
- Change control: code changes pass branch protection, dependency scanning and CI gates before deployment.
- Tenant isolation: the portal database uses Postgres row-level security, so separation between customers' data is enforced at the database layer rather than only in application code.
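As an added illustration of the row-level-security pattern referred to above (example SQL written for this page, not the Processor's actual schema; the table, column, role and session-setting names are assumptions):

```sql
-- Added illustration of database-layer tenant isolation with Postgres RLS.
-- Not the Processor's real schema: portal_users, portal_app and
-- app.tenant_id are assumed names.
CREATE TABLE portal_users (
    id            bigserial PRIMARY KEY,
    tenant_id     uuid        NOT NULL,
    email         text        NOT NULL,
    display_name  text,
    last_sign_in  timestamptz
);

-- The application connects as a role that does NOT own the table.
-- Table owners and superusers bypass RLS unless FORCE is set, so the
-- privilege split matters as much as the policy itself.
CREATE ROLE portal_app NOLOGIN;
GRANT SELECT, INSERT, UPDATE, DELETE ON portal_users TO portal_app;

ALTER TABLE portal_users ENABLE ROW LEVEL SECURITY;
ALTER TABLE portal_users FORCE  ROW LEVEL SECURITY;  -- applies to the owner too

-- A session can only read or write rows for the tenant it has been bound to.
-- current_setting(..., true) returns NULL (or '' after a reset) when the
-- setting is absent; NULLIF turns '' into NULL so the cast cannot error and
-- the comparison yields no rows rather than all rows.
CREATE POLICY tenant_isolation ON portal_users
    FOR ALL
    TO portal_app
    USING      (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid)
    WITH CHECK (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid);

-- Per request, the application binds the authenticated user's tenant for the
-- duration of the transaction only (SET LOCAL), so a pooled connection
-- cannot leak the binding into the next request.
BEGIN;
SET LOCAL app.tenant_id = '3f2a0c4e-9b1d-4e6a-8c7f-1a2b3c4d5e6f';  -- constructed sample id
SELECT email, display_name FROM portal_users;   -- only that tenant's rows
INSERT INTO portal_users (tenant_id, email)
    VALUES ('00000000-0000-0000-0000-000000000001', 'x@example.com');  -- rejected by WITH CHECK
COMMIT;

-- Check: a session that never bound a tenant sees nothing, not everything.
BEGIN;
SELECT count(*) FROM portal_users;               -- 0
COMMIT;
```

The two checks worth running against any such setup are the ones in the last two transactions: an insert for a foreign tenant must fail, and an unbound session must return zero rows. Also confirm that the application role has neither the table ownership nor the BYPASSRLS attribute, since either silently disables the policy.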
7. Personal data breach notification
We will notify you of any personal data breach affecting your data without undue delay and in any event within 48 hours of becoming aware of it, so that you can meet your own 72-hour notification deadline under Article 33. The notification will include the nature of the breach, the categories and approximate number of data subjects and records affected, the likely consequences, and the measures taken or proposed to address it.
8. International transfers
Personal data is hosted in the UK (AWS eu-west-2, London). Some sub-processors listed in §4 may process personal data in the EU or Australia. Any transfer of personal data outside the UK takes place under UK adequacy regulations where they apply (for example to the EEA) and otherwise under the UK International Data Transfer Agreement or the EU Standard Contractual Clauses supplemented by the UK Addendum.
9. Audit rights
You may, on 30 days' written notice and not more than once per year, audit our compliance with this DPA. To minimise disruption we may satisfy this obligation by providing relevant certifications (ISO 27001 from our hosting provider, SOC 2 Type II reports where available) and a written response to a reasonable security questionnaire. On-site audits will be at your expense and at mutually agreed times.
10. Retention and deletion
On termination of the underlying agreement, we will delete all personal data within 30 days unless we are legally required to retain it (e.g., financial records under HMRC rules — 6 years). Copies held in backups age out under the 30-day backup retention period stated in §6. You may request a copy in machine-readable form before deletion.
11. Liability and indemnity
Each party's liability under this DPA is subject to the limitation of liability set out in the underlying agreement, except for liability arising from the wilful or grossly negligent breach of this DPA which cannot be excluded.
12. Order of precedence
If there is any conflict between this DPA and the underlying agreement on matters concerning the processing of personal data, this DPA prevails.
13. Signing
This DPA is incorporated into your customer agreement by reference. Acceptance of the customer agreement (whether by online click-through, signature, or use of the services) constitutes acceptance of this DPA on behalf of the entity you represent.
If you require a counter-signed copy for your records, email dpa@inclusiveitsolutions.co.uk with your company name and registered address — we will return a PDF within 5 working days.