Data Processing Agreement

Controller–Processor commitments

Last updated: November 30, 2025. This DPA supplements the Terms of Service and applies whenever Deep Terminal processes personal data on behalf of a customer subject to GDPR, UK GDPR, or similar laws.

1. Subject Matter & Duration

  • Processor: Deep Terminal Ltd., registered in the United Kingdom.
  • Controller: The customer identified in the applicable subscription or credit purchase.
  • Purpose: Deliver analytics, credits, alerts, and AI services on behalf of the controller for the duration of the customer account plus legally required retention periods.

2. Processing Instructions

  • We will process personal data only on documented instructions from the controller as set out in the Terms of Service, Privacy Policy, and this DPA.
  • We will promptly inform the controller if an instruction appears to violate GDPR or other applicable laws unless disclosure is prohibited.

3. Confidentiality & Security

  • All personnel with access to personal data are bound by confidentiality agreements and receive regular security training.
  • Deep Terminal maintains technical and organizational measures including encryption, access controls, monitoring, and incident response playbooks audited at least annually.

4. Sub-processors

  • We rely on vetted infrastructure and tooling providers (e.g., cloud hosting, email delivery, log management). A current list is available upon request.
  • We will notify controllers before onboarding new sub-processors, giving you an opportunity to object. Continued use after notice constitutes consent.

5. Data Subject Rights & Assistance

  • We will assist the controller in responding to data subject requests by providing tooling or reasonably requested information.
  • If we receive a request directly, we will forward it to the controller without undue delay unless legally restricted.

6. Security Incidents

  • In the event of a personal data breach we will notify the controller without undue delay and share relevant information to support any required notifications to regulators or individuals.

7. Audits & Documentation

  • We maintain records of processing activities and can provide summaries of penetration tests or compliance reports under NDA.
  • Controllers may request reasonable audits once per year. Remote document reviews are preferred; onsite visits require 30 days’ notice.

8. Return or Deletion

  • Upon termination of the services, we will delete or return personal data within 60 days unless retention is required by law.
  • Backups are cryptographically destroyed during scheduled rotation cycles.

To execute a countersigned copy or request the current sub-processor list, email dpa@deepterminal.com. Include your company name, registered address, and account email so we can authenticate the request.