Data Processing Agreement
This Data Processing Agreement (“DPA”) forms part of, and is subject to, the statement of work or services agreement (the “Agreement”) between All-Secure Consultancy Ltd (“All-Secure”, “we”, the “Processor”) and the customer engaging our services (“you”, the “Customer”, the “Controller”). It sets out how All-Secure processes personal data on your behalf when delivering penetration testing, red team and related security services, and reflects the requirements of Article 28 of the UK GDPR.
1. Definitions
“UK GDPR”, “controller”, “processor”, “data subject”, “personal data”, “personal data breach”, “processing” and “special categories of personal data” have the meanings given in the UK GDPR and the Data Protection Act 2018 (together, “Data Protection Law”). “Sub-processor” means any third party engaged by All-Secure to process personal data under this DPA.
2. Roles and scope
- The Customer is the controller and All-Secure is the processor in respect of any personal data processed to deliver the engagement.
- All-Secure will process personal data only to the extent necessary to perform the services, and only on the Customer's documented instructions, of which the Agreement and this DPA are the primary record.
- All-Secure does not determine the purposes of the processing and will not use the personal data for its own purposes.
- Incidental access. Accessing personal data is not the object of the services. All-Secure does not intentionally inspect, analyse or use personal data except where necessary to identify, verify or evidence a security finding.
- If All-Secure believes an instruction infringes Data Protection Law, it will inform the Customer without undue delay.
Customer obligations. The Customer warrants that it has all necessary rights, permissions and lawful authority to instruct All-Secure to process the personal data and to authorise testing of every in-scope system; that it has a lawful basis for the processing; and that it has given any notices and obtained any consents required under Data Protection Law. The Customer is responsible for the lawfulness of its instructions.
3. Details of processing
The processing carried out under this DPA is described below; specifics for a given engagement are refined in the applicable statement of work.
| Subject matter | Delivery of the security testing / assessment services described in the Agreement. |
|---|---|
| Duration | The term of the engagement, plus the limited retention period in clause 7. |
| Frequency | Processing occurs only during the agreed engagement window and any necessary reporting or remediation support; it is not continuous. |
| Nature & purpose | Accessing, viewing and testing in-scope systems to identify security weaknesses; recording findings and evidence; producing a report. Personal data is processed incidentally, not as the object of the work. |
| Types of personal data | Whatever the in-scope systems contain. This may include names, contact details, credentials/account identifiers, and system or log data. The services are not intended to involve special category personal data; where such data is incidentally accessible within in-scope systems, All-Secure processes it only to the extent necessary to perform the services and in accordance with this DPA. |
| Categories of data subjects | The Customer's staff, customers, users and any other individuals whose data resides in the in-scope systems. |
4. All-Secure's obligations
All-Secure will:
- Instructions. Process personal data only on the Customer's documented instructions, including as to international transfers, unless required to do so by applicable law (in which case it will notify the Customer first, unless the law prohibits this).
- Confidentiality. Ensure that personnel authorised to process the personal data are bound by confidentiality obligations, process it only as instructed, and that access is limited to personnel with a legitimate business need.
- Security. Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, taking account of the state of the art and the nature of the data (see Annex A).
- Sub-processors. Not engage a sub-processor without the Customer's general authorisation. The Customer authorises the sub-processors listed in Annex B; All-Secure will give at least 30 days' notice before appointing a new sub-processor, during which the Customer may object on reasonable data-protection grounds, and will impose data-protection terms on each sub-processor equivalent to those in this DPA.
- Data-subject rights. Taking account of the nature of the processing, assist the Customer by appropriate technical and organisational measures, insofar as possible, to respond to requests to exercise data-subject rights.
- Assistance. Assist the Customer in ensuring compliance with its obligations regarding security, breach notification, data protection impact assessments and prior consultation (UK GDPR Articles 32–36), taking into account the nature of processing and the information available to All-Secure.
- Disclosure requests. Promptly notify the Customer if it receives a legally binding request from a public authority or other third party for disclosure of the Customer's personal data, and not disclose the data before doing so, unless prohibited by law.
- Deletion or return. At the Customer's choice, delete or return all personal data at the end of the engagement and securely delete all copies using methods appropriate to the storage media, unless retention is required by law (see clause 7).
- Audits. Make available to the Customer information necessary to demonstrate compliance with Article 28, and allow for and contribute to audits, including inspections, conducted by the Customer or an auditor it mandates. Such audits shall: occur no more than once in any 12-month period (unless required following a personal data breach or by a regulator); take place during normal business hours on at least 30 days' written notice; avoid unreasonable disruption to All-Secure's business; be subject to confidentiality; and be at the Customer's expense unless the audit identifies material non-compliance.
5. Personal data breach
All-Secure will notify the Customer without undue delay after becoming aware of a personal data breach affecting the Customer's personal data and, where feasible, within 48 hours of becoming aware, and will provide the information reasonably available to help the Customer meet its own notification obligations. All-Secure will not notify the ICO or data subjects on the Customer's behalf unless the Customer instructs it to.
6. International transfers
All-Secure and its testers are UK-based and personal data is processed in the UK. All-Secure will not transfer the Customer's personal data outside the UK without the Customer's prior written authorisation and an appropriate transfer mechanism under Data Protection Law (for example the UK International Data Transfer Agreement or Addendum).
7. Retention and deletion
Reports and associated evidence are retained only for as long as reasonably necessary to support the services, respond to Customer queries, defend legal claims or comply with legal obligations, held securely using encryption at rest and in transit where applicable. Working data captured during testing is deleted when no longer needed. On request, All-Secure will return or securely delete personal data and confirm deletion, save for copies it must retain by law, which remain subject to the confidentiality and security terms of this DPA.
8. Liability
Each party's liability under this DPA is subject to the limitations and exclusions of liability set out in the Agreement. Nothing in this DPA limits either party's obligations or liability to a data subject or a regulator under Data Protection Law.
9. Term, governing law and contact
This DPA takes effect when the Agreement does and continues while All-Secure processes personal data for the Customer. It is governed by the laws of England and Wales, and disputes are subject to the exclusive jurisdiction of the English courts. Data protection queries and requests under this DPA should be sent to [email protected].
Annex A — Technical and organisational measures
- Encryption of data in transit (TLS) and at rest, including engagement data, reports and backups; full-disk / endpoint encryption on devices used to process client data.
- Multi-factor authentication enforced on corporate accounts.
- Role-based access control and least privilege; access limited to the assigned tester(s) and personnel with a legitimate business need.
- UK-based testers only; no offshoring of data or testing.
- Secure, access-controlled report delivery from All-Secure's own infrastructure (protected links / one-time credentials), not a third-party portal.
- Confidentiality obligations on all personnel; NDAs signed at scoping; regular security-awareness training.
- Vulnerability and patch management on All-Secure's own systems.
- Secure, encrypted backups; prompt, secure deletion of working data and secure disposal of media when no longer required.
- Logging and monitoring of access to client data; a breach detection and response process.
Annex B — Sub-processors
All-Secure keeps the use of sub-processors to a minimum, and reports are delivered from All-Secure's own infrastructure rather than a third-party portal. Where sub-processors are used (for example business email and encrypted off-site backup storage), each is bound by data-protection terms equivalent to those in this DPA. An up-to-date list of sub-processors is available on request from [email protected]; clause 4 governs how the Customer is notified of, and may object to, any change.