Data Processing Agreement

Version: 1.0
Effective: March 2026
Jurisdiction: England & Wales
Regulation: UK GDPR & DPA 2018

Important Notice: This agreement is provided as a practical document and is not a substitute for independent legal advice. Specific processing details for each engagement are set out in a separate Data Processing Schedule, agreed and signed at the point of engagement.

1 Definitions

1.1 "Data Controller" means the client organisation engaging Seahorse, who determines the purposes and means of processing personal data.

1.2 "Data Processor" means Seahorse Integrations Ltd, who processes personal data on behalf of the Data Controller.

1.3 "Personal Data" means any information relating to an identified or identifiable natural person, as defined by the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

1.4 "Processing" means any operation performed on personal data, including collection, recording, organisation, structuring, storage, adaptation, retrieval, consultation, use, disclosure, combination, restriction, erasure, or destruction.

1.5 "Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.

1.6 "The Project" means the engagement described in the Data Processing Schedule and related Service Agreement or Project Proposal agreed between the parties.

1.7 "Data Processing Schedule" means the project-specific document setting out the nature, purpose, categories of data, and duration of processing, agreed and signed by both parties at the point of engagement.

2 Scope and Purpose of Processing

2.1 Seahorse shall process personal data only for the purpose of delivering the Project as described in the relevant Data Processing Schedule.

2.2 Seahorse shall not process personal data for any purpose other than as instructed by the Data Controller or as required by applicable law.

2.3 The personal data processed is limited to the categories specified in the Data Processing Schedule for that engagement.

2.4 Seahorse acknowledges that the Data Controller retains full ownership and control of all personal data at all times.

3 Obligations of the Data Processor

3.1 Seahorse shall process personal data only on documented instructions from the Data Controller, unless required to do so by law. Where required by law to process without instruction, Seahorse shall notify the Data Controller before processing where legally permitted to do so.

3.2 Seahorse shall ensure that all persons authorised to process the personal data have committed to confidentiality or are under an appropriate statutory obligation of confidentiality.

3.3 Seahorse shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including:
  • encryption of personal data in transit (HTTPS/TLS) and at rest where technically feasible;
  • access controls ensuring only authorised Seahorse personnel can access the data during the project;
  • secure development practices including version control and access review;
  • regular testing of security measures during development;
  • not storing personal data on personal devices, removable media, or unsecured systems.

3.4 Seahorse shall not engage any sub-processor without the prior written consent of the Data Controller. Any approved sub-processor must be bound by data protection obligations no less restrictive than those in this Agreement.

3.5 Seahorse shall assist the Data Controller in responding to requests from data subjects exercising their rights under UK GDPR, including access, rectification, erasure, restriction, portability, and objection, insofar as this is possible given the nature of the processing.

3.6 Seahorse shall assist the Data Controller in ensuring compliance with obligations under Articles 32 to 36 of UK GDPR, taking into account the nature of the processing and information available to Seahorse.

4 Data Storage and Access

4.1 All personal data shall be stored on infrastructure controlled by or agreed with the Data Controller. Seahorse shall not host, store, or retain copies of personal data on Seahorse systems beyond what is strictly necessary for project delivery.

4.2 During the project, Seahorse will require access to the data in order to design, build, and test the agreed solution. This access is granted by the Data Controller and may be revoked at any time.

4.3 Seahorse may use a limited sample of anonymised or pseudonymised data for development and testing purposes where this is technically necessary. Any such sample data shall be deleted from Seahorse systems upon project completion.

4.4 Seahorse shall not transfer personal data outside the United Kingdom without the prior written consent of the Data Controller.

5 Data Breach Notification

5.1 Seahorse shall notify the Data Controller without undue delay, and in any event within 24 hours, upon becoming aware of any Data Breach affecting the Data Controller's personal data.

5.2 The notification shall include:
  • a description of the nature of the breach, including the categories and approximate number of data subjects and records affected;
  • the name and contact details of the person at Seahorse from whom more information can be obtained;
  • a description of the likely consequences of the breach;
  • a description of the measures taken or proposed to address the breach, including steps to mitigate its effects.

5.3 Seahorse shall cooperate fully with the Data Controller in investigating and resolving any Data Breach and shall take all reasonable steps to mitigate its effects.

6 Data Return and Deletion

6.1 Upon completion of the Project, including any agreed post-launch support period, or upon earlier termination, Seahorse shall:
  • cease all processing of the Data Controller's personal data;
  • securely delete all copies of personal data in Seahorse's possession, including working copies, test data, backups, and development databases;
  • provide written confirmation to the Data Controller that deletion has been completed.

6.2 All data stored within the production application hosted on the Data Controller's own infrastructure remains the Data Controller's property and is unaffected by this clause. This clause relates only to data held on Seahorse systems during development.

6.3 Seahorse may retain genuinely anonymised, non-attributable data for internal analytics and service improvement. No personal data shall be retained.

7 Audit and Inspection Rights

7.1 Seahorse shall make available to the Data Controller all information necessary to demonstrate compliance with this Agreement and shall allow for and contribute to audits and inspections conducted by the Data Controller or a mandated third-party auditor.

7.2 The Data Controller shall give Seahorse reasonable notice of at least 7 days prior to any audit or inspection, which shall be conducted during normal business hours.

7.3 Seahorse shall immediately inform the Data Controller if, in Seahorse's opinion, any instruction from the Data Controller would infringe UK GDPR or other applicable data protection provisions.

8 Liability

8.1 Each party shall be liable for any damage caused by processing that infringes UK GDPR, to the extent attributable to that party's actions or omissions.

8.2 Seahorse shall indemnify the Data Controller against all claims, costs, damages, losses, and expenses (including reasonable legal fees) arising from any breach of this Agreement by Seahorse, or any processing carried out by Seahorse not in accordance with the Data Controller's documented instructions.

8.3 Nothing in this Agreement excludes or limits liability for fraud, death or personal injury caused by negligence, or any other liability that cannot be excluded by law.

9 Term and Termination

9.1 This Agreement comes into effect when a Data Processing Schedule referencing it is signed by both parties and shall remain in force for the duration of the relevant Project, including any agreed post-launch support period.

9.2 This Agreement shall automatically terminate in relation to a specific Project when all personal data for that Project has been deleted or returned in accordance with clause 6.

9.3 The Data Controller may terminate this Agreement immediately by written notice if Seahorse breaches any term of this Agreement or the UK GDPR.

9.4 Clauses 5, 6, 7, and 8 shall survive termination of this Agreement.

10 General Provisions

10.1 Entire agreement: This Agreement, together with the relevant Data Processing Schedule and Service Agreement, constitutes the entire agreement between the parties in relation to data processing for the applicable Project.

10.2 Amendments: Seahorse reserves the right to update these terms. The version in force at the time of signing a Data Processing Schedule shall govern that engagement. Material changes will be communicated at seahorseltd.co.uk/legal/dpa.

10.3 Severability: If any provision of this Agreement is found to be invalid or unenforceable, the remaining provisions shall continue in full force and effect.

10.4 Governing law: This Agreement shall be governed by and construed in accordance with the laws of England and Wales. Any disputes arising under this Agreement shall be subject to the exclusive jurisdiction of the courts of England and Wales.

10.5 Counterparts: The Data Processing Schedule may be signed in counterparts, including by electronic signature, each of which shall constitute an original.