Data Processing Agreement
January 2025
(Version 1.1)
Data Handling
This Data Processing Agreement ("DPA") is entered into between the Client ("Controller") and GoGorilla Media and Technologies Group Ltd ("Processor") and is incorporated into the main service agreement. This DPA governs the processing of personal data by the Processor on behalf of the Controller in the course of providing its services.
Understanding Our Roles
This DPA applies when the Processor processes personal data on behalf of the Controller for the delivery of its services. The Controller is responsible for determining the legal basis for processing, managing data subject rights, and ensuring overall compliance. The Processor shall process personal data only on the documented instructions of the Controller and is responsible for implementing appropriate security measures and providing assistance to the Controller to meet its compliance obligations.
When This Applies
Our Data Processing Agreement comes into play when:
• Business Clients: You're a business using our services.
• Personal Data Processing: We process personal data on your behalf.
• Service Delivery: The processing is necessary to deliver our services to you.
• Legal Compliance: We need a clear legal framework for the processing.
Our Respective Roles
Role | Responsibilities | Key Activities
You as Data Controller | Decision making, legal basis determination, data subject rights, compliance oversight | Decide what data to collect, determine legal basis, respond to data subject requests, ensure overall compliance
Us as Data Processor | Following instructions, security implementation, assistance provision, compliance support | Process data per instructions, implement security measures, help meet obligations, ensure processing compliance
Article 28 Compliance Framework
This DPA is designed to ensure full compliance with Article 28 of the UK General Data Protection Regulation (UK GDPR). It establishes a comprehensive written agreement defining the roles and responsibilities of each party, the security obligations of the Processor, and the framework for engaging sub-processors.
Legal Foundation
Our Data Processing Agreements fully comply with Article 28 of the UK GDPR, which means:
• Clear Roles: Defined responsibilities for both parties.
• Written Agreement: Comprehensive written terms covering all requirements.
• Security Obligations: Appropriate technical and organisational measures.
• Sub-Processor Rules: Clear framework for any sub-processors we use.
Key Protections
Every agreement includes:
• Processing Limitations: Clear boundaries on what we can and can't do with the data.
• Security Requirements: Specific security measures we must implement.
• Confidentiality: Binding confidentiality obligations for all our staff.
• Audit Rights: Your right to audit our compliance with the agreement.
Processing Instructions and Limitations
Processing Purposes
Processing is strictly limited to the purposes necessary for the delivery of services, including platform operations, customer support, analytics, and email marketing campaign management.
Purpose Category | Description | Examples
Service Delivery | Processing limited to what is necessary for our services | Platform operations, customer support, analytics
Email Marketing | Processing contact data for email campaigns | Contact management, campaign delivery, engagement tracking
Analytics | Processing usage data for performance insights | Usage analytics, performance metrics, optimisation insights
Customer Support | Processing data to provide support services | Support ticket management, issue resolution, communication
Data Categories and Subjects
The Processor may process data categories such as contact information, business information, usage data, and communication data. The data subjects may include the Controller’s clients, employees, prospects, and partners.
Data Categories We May Process
• Contact Information
• Business Information
• Usage Data
• Communication Data
Data Subject Categories
• Your Clients
• Your Employees
• Your Prospects
• Your Partners
Geographic and Processing Limitations
Processing shall occur within defined geographic locations, and any international data transfers are subject to the restrictions outlined in the main service agreement. Data retention periods are specified in the Data Retention Policy, and data is securely deleted upon the expiry of these periods or upon the Controller’s request.
Geographic Restrictions
• Processing Locations: Clear specification of where processing may occur.
• Transfer Limitations: Any restrictions on international data transfers.
• Storage Locations: Defined locations for data storage.
• Access Controls: Geographic restrictions on data access.
Retention and Deletion
• Retention Periods: Clear specification of how long we keep data.
• Automatic Deletion: Automated deletion when retention periods expire.
• On-Demand Deletion: Deletion upon your request.
• Secure Deletion: Secure deletion methods ensuring data cannot be recovered.
Security and Confidentiality Obligations
The Processor shall implement and maintain appropriate technical and organisational measures to ensure a level of security appropriate to the risk.
Technical Safeguards
Security Area | Implementation | Standards
Encryption | TLS 1.3 for data in transit, AES-256 for data at rest | Industry-leading encryption standards
Access Controls | Role-based access, multi-factor authentication | Principle of least privilege
Monitoring | 24/7 monitoring, threat detection, incident response | Continuous security monitoring
Key Management | Secure encryption-key management practices | Hardware security modules
Organisational Measures
All personnel authorised to process personal data are subject to comprehensive data protection training and are bound by strict confidentiality agreements.
Staff Training
• Comprehensive Training: All staff trained on data protection requirements.
• Specialised Training: Additional training for staff handling sensitive data.
• Regular Updates: Ongoing training on new requirements and best practices.
• Competency Assessment: Regular assessment of staff data protection knowledge.
Confidentiality
• Binding Obligations: All staff bound by confidentiality agreements.
• Employment Contracts: Data protection obligations in employment contracts.
• Contractor Agreements: Confidentiality requirements for all contractors.
• Ongoing Monitoring: Regular monitoring of confidentiality compliance.
Sub-Processor Management
The Processor shall not engage any sub-processor without the prior specific or general written authorisation of the Controller. Where a sub-processor is engaged, the Processor shall conduct comprehensive due diligence and impose contractual obligations equivalent to those set out in this DPA. The Processor remains fully liable to the Controller for the performance of the sub-processor’s obligations.
When We Use Sub-Processors
Sub-Processor Scenarios
• Cloud Infrastructure: Cloud service providers for data storage and processing.
• Specialised Services: Specialised service providers for specific functions.
• Technology Partners: Technology partners providing platform capabilities.
• Support Services: Service providers supporting our operations.
Authorisation Process
Process Step | Requirements | Documentation
Prior Authorisation | Written approval before engaging sub-processors | Service description, data categories, processing activities
Due Diligence | Comprehensive assessment of sub-processor capabilities | Security assessment, compliance review, reference checks
Contractual Protection | Equivalent data-protection obligations | Same security standards, confidentiality, compliance monitoring
Liability Chain | Full liability for sub-processor performance | Direct recourse, insurance coverage, remediation rights
Data Subject Rights Support
The Processor shall provide technical and organisational assistance to the Controller to respond to requests from data subjects exercising their rights under UK GDPR. This includes providing capabilities for data retrieval, portability, correction, and deletion.
Technical Assistance
System Capabilities
• Data Retrieval
• Data Portability
• Data Correction
• Data Deletion
Response Support
• Data Provision
• Technical Guidance
• System Access
• Documentation
Response Coordination
Timely Responses
• Rapid Processing: Prompt handling of rights-request support.
• Coordination: Close coordination with you to ensure timely responses.
• Status Updates: Regular updates on the status of rights request processing.
• Escalation: Clear escalation procedures for complex requests.
Quality Assurance
• Accuracy Verification: Verification of data accuracy before provision.
• Completeness Checks: Ensuring complete responses to rights requests.
• Format Compliance: Providing data in appropriate formats.
• Documentation: Comprehensive documentation of response activities.
Breach Notification and Incident Response
Rapid Detection
Capability | Scope | Response Time
24/7 Monitoring | Continuous monitoring for potential data breaches | Real-time detection
Automated Alerts | Automated alerting systems for security incidents | Immediate notification
Threat Intelligence | Advanced threat intelligence and detection capabilities | Proactive identification
Regular Scanning | Regular vulnerability scanning and assessment | Certified
Immediate Notification
• 24-Hour Notification: Notification to you within 24 hours of breach discovery.
• Comprehensive Information: Detailed information about the nature and scope of the breach.
• Impact Assessment: Assessment of likely consequences and risks.
• Recommended Actions: Recommendations for response and mitigation measures.
Remediation Support
Technical Support
• Breach Containment: Technical support for containing and stopping breaches.
• System Recovery: Support for system recovery and restoration.
• Security Enhancement: Implementation of additional security measures.
• Monitoring Enhancement: Enhanced monitoring to prevent recurrence.
Regulatory Support
• Notification Assistance: Support for regulatory notification requirements.
• Documentation: Comprehensive documentation for regulatory reporting.
• Investigation Support: Support for regulatory investigations.
• Compliance Verification: Verification of ongoing compliance post-breach.
Contact Us About Data Processing
Data Processing Questions
Email:
privacy@gogorilla.com
Subject:
Data Processing Agreement
Response Time:
Within 48 hours
Agreement Requests
Email:
legal@gogorilla.com
For:
New data processing agreement requests, agreement modifications
Compliance Support
Email:
compliance@gogorilla.com
For:
Compliance questions, audit support, incident reporting
Technical Support
Email:
support@gogorilla.com
For:
Technical questions about data processing capabilities
When we process data on your behalf, we take that responsibility seriously. Our comprehensive Data Processing Agreement framework ensures that we meet the highest standards of data protection while enabling you to deliver great services to your customers.
Last Updated: January 2025
Version: 1.1