Data Processing Agreement
Version: 2.0
Reviewed: 18th June 2026
This document is provided for information purposes only and does not constitute a binding agreement. The binding version of the Data Processing Agreement applicable to your account will be made available within the Compliance section of your account following login.
Parties
- Processor: UK Postbox Limited, registered in England & Wales (06723381), registered office: 13 Freeland Park, Wareham Road, Lytchett Matravers, Poole, Dorset, BH16 6FH, United Kingdom (“Processor”).
- Controller: [Controller Name], company number [●], principal place of business: [●] (“Controller”).
This Data Processing Agreement (“DPA”) sets out the terms under which the Processor Processes Personal Data on behalf of the Controller in accordance with the UK GDPR, the Data Protection Act 2018, PECR 2003, and applicable data protection laws.
1. Definitions
Unless otherwise defined, capitalised terms have the meanings given in the UK GDPR.
- Confidential Information: Information disclosed under this DPA that is confidential by nature or designation.
- Personal Data Breach: As defined in UK GDPR Article 4(12).
- Processing Instructions: Documented lawful instructions from the Controller (UK GDPR Art. 29).
- Services: UK Postbox mail-handling, digitisation, forwarding, storage and related services, including associated hosting, support, communications and security services.
- Sub-processor: A third party engaged by the Processor to Process Personal Data for the Services.
- IDTA / UK Addendum: The ICO International Data Transfer Agreement or the UK Addendum to the EU Standard Contractual Clauses.
- TRA: Transfer Risk Assessment conducted in line with UK guidance.
Where the EU GDPR applies, references to the UK GDPR shall be read as references to the EU GDPR.
2. Purpose & Scope
- This DPA governs the Processor’s Processing of Personal Data solely to deliver the Services on the Controller’s documented instructions.
- This DPA applies to the Processing described in Appendix A.
3. Roles of the Parties
- Controller: Determines the purposes and means of the Processing.
- Processor: Processes Personal Data on behalf of the Controller in accordance with this DPA.
4. Details of Processing (UK GDPR Art. 28(3))
The subject matter, nature and purpose of Processing, categories of data subjects, types of Personal Data, Processing duration, Processing locations and applicable technical and organisational measures are set out in Appendix A.
5. Processor Obligations
5.1 Instructions
The Processor shall Process Personal Data only on the Controller’s documented instructions, including with respect to international transfers, unless required to do so by law. Where legally permitted, the Processor shall inform the Controller before carrying out such Processing.
5.2 Security (Art. 32)
The Processor shall implement appropriate technical and organisational measures proportionate to risk to ensure a level of security appropriate to the Processing. Minimum measures are described in Appendix A.
5.3 Confidentiality
The Processor shall ensure that personnel authorised to Process Personal Data are subject to binding confidentiality obligations that survive termination of this DPA.
5.4 Records
The Processor shall maintain records of Processing activities relating to the Services in accordance with UK GDPR Article 30 and make them available to the Controller on reasonable request.
5.5 Use Restrictions
The Processor shall not:
- sell Personal Data,
- use Personal Data for advertising or analytics,
- train algorithms or models using Personal Data, or
- combine Personal Data with other datasets, except as strictly necessary to provide the Services in accordance with the Controller’s instructions.
6. Data Subject Requests
Where the Processor receives a request directly from a data subject relating to Personal Data Processed under this DPA, the Processor shall, to the extent legally permitted, promptly notify the Controller and shall not respond unless authorised by the Controller or required by law.
7. Personal Data Breaches & Legal Requests
7.1 Breach Notification
The Processor shall notify the Controller without undue delay and, where feasible, within 24 hours of becoming aware of a Personal Data Breach affecting Personal Data Processed under this DPA. The notification shall include, to the extent known at the time, the nature of the breach, the categories of Personal Data affected, the likely consequences, and the measures taken or proposed to address the breach. Where all information is not available at the time of notification, the Processor may provide further information in phases as it becomes available.
7.2 Government and Third-Party Requests
The Processor shall promptly notify the Controller of any legally binding request for access to Personal Data from a public authority or third party and shall not disclose Personal Data without the Controller’s prior written instruction unless required by law.
Where legally permitted, the Processor shall seek to challenge or narrow any unlawful or disproportionate request and shall disclose only the minimum data required, maintaining appropriate records of the request and disclosure.
8. Sub-processors (Art. 28(2)–(4))
- Authorisation: The Controller grants general authorisation for the Processor to engage Sub-processors. The Processor maintains an up-to-date list in its Trust Centre and will provide at least 14 days’ prior notice of any additions or replacements.
- Objection: The Controller may object on reasonable data protection grounds. If unresolved, the Controller may suspend the affected Processing or terminate the relevant Services without penalty.
- Flow-down: The Processor shall impose data protection obligations on Sub-processors no less protective than those in this DPA and remains fully liable for their performance.
9. Assistance (Arts. 32–36)
Taking into account the nature of the Processing and information available, the Processor shall assist the Controller with:
- security obligations,
- Personal Data Breach notifications,
- data protection impact assessments,
- prior consultations with supervisory authorities, and
- responses to data subject requests, upon reasonable request.
10. Audit & Assurance (Art. 28(3)(h))
The Controller (or its mandated auditor) may audit the Processor’s compliance with this DPA on 30 days’ prior notice, once annually, or following a material incident, material change, or supervisory authority request.
The Processor may satisfy audit requests by providing independent assurance reports (including ISO 27001 certification, Statement of Applicability, SOC 2 reports where available), completed questionnaires, and remote or on-site evidence, while preserving the confidentiality of other customers.
11. International Transfers (Chapter V)
Where Personal Data is transferred outside the United Kingdom or European Economic Area, the Processor shall ensure that an appropriate transfer mechanism is in place, including the UK International Data Transfer Agreement (IDTA), the UK Addendum to the EU Standard Contractual Clauses, an adequacy decision, or another lawful transfer mechanism recognised under applicable data protection law. The Processor shall conduct a documented Transfer Risk Assessment (TRA) where required and shall make relevant information available to the Controller upon reasonable request.
The Controller retains the right to object to any new Sub-processor on reasonable data protection grounds in accordance with Clause 8.
12. Processing Locations
The Processor may Process Personal Data in the United Kingdom, European Economic Area and any other jurisdiction in which the Processor or its authorised Sub-processors operate, provided that any international transfer of Personal Data is carried out in accordance with applicable data protection law and the requirements of Clause 11.
13. Return & Deletion (Art. 28(3)(g))
Upon termination or expiry of the Services, or upon written instruction, the Processor shall return or securely delete Personal Data and, on request, provide written certification within 30 days.
Backups shall be overwritten and rendered unrecoverable within 90 days, unless longer retention is required by law. Where retention is legally required, Personal Data shall be isolated and deleted once the requirement ceases. Data exports shall be provided in standard, commonly used formats where reasonably practicable.
14. Liability & Indemnity
Each Party shall indemnify the other for direct damages arising from its breach of this DPA or applicable data protection law, to the extent caused by its acts or omissions.
The Processor’s total aggregate liability under this DPA shall not exceed two (2) times the annual fees paid by the Controller under the Services Agreement, except where such limitation is prohibited by law or does not apply to breaches of confidentiality, non-compliance with data protection law, or damages caused by gross negligence or wilful misconduct.
15. Law & Jurisdiction
This DPA is governed by the laws of England & Wales, and the courts of England & Wales shall have exclusive jurisdiction.
16. Entire Agreement; Variation; Severability
This DPA supersedes all prior data processing terms between the Parties. Any variation must be in writing and signed by authorised representatives of both Parties. If any provision is held invalid or unenforceable, the remainder shall remain in full force and effect.
Appendix A — Processing Details & Security Measures
Subject matter & purpose
Provision of the Services (mail‑handling, digitisation, forwarding, storage, hosting, support, communications and related operations) under Controller instructions.
Categories of data subjects
Controller’s end‑users/account holders; employees/contractors; senders/recipients whose details appear in items handled through the Services; other individuals whose data is included in Controller content.
Types of Personal Data
Identification and contact data; account/usage metadata; images/documents and extracted metadata; correspondence; technical logs/identifiers. Special‑category data is not intentionally processed unless expressly agreed in writing and covered by the Controller’s DPIA and UK Postbox’s Appropriate Policy Document (APD).
Duration
For the term of the Services and until return/deletion per Section 12 (and backup expiry).
Processing locations
The Processor shall primarily Process Personal Data within the United Kingdom and European Economic Area. Where the Processor or its authorised Sub-processors transfer Personal Data outside these jurisdictions, such transfers shall be subject to the safeguards set out in Clause 11. The Processor shall provide notice of any material changes to Processing locations through its Sub-Processor Register and Trust Centre.
Authorised Sub‑processors
A current list is maintained in our Trust Centre. Changes are subject to ≥14‑day notice and Controller objection rights (see Section 7).
Technical & organisational measures (minimum)
- Access control: unique IDs; MFA for admin/remote access; least privilege; timely de‑provisioning.
- Encryption: TLS 1.2+ in transit; AES‑256‑equivalent at rest; key management with rotation/separation of duties.
- Vulnerability management: routine scanning; patch SLAs — critical ≤ 7 days, high ≤ 14 days.
- Penetration testing: at least annually for internet‑facing scope; remediation tracked to closure.
- Logging & monitoring: centralised, tamper‑resistant logs; 90 days hot / 12 months cold retention; alerting for anomalous access.
- Resilience/BCDR: encrypted backups; tested recovery with appropriate RTO/RPO; documented runbooks.
- Personnel & training: role‑appropriate vetting; signed confidentiality; annual privacy/security training.
- Physical security: controlled facilities; visitor management; CCTV/access logs; secure asset disposal.
- Incident response: 24×7 security contact; breach notice within 24h of confirmation; coordinated communications with Controller.
- Assurance: provide ISO 27001 certificate/SoA, SOC 2 (if available) or equivalent evidence; complete security questionnaires on request.
UK Postbox Limited
13 Freeland Park, Wareham Road, Lytchett Matravers, Poole, Dorset, BH16 6FH, United Kingdom
Support: support@ukpostbox.com
Security: security@ukpostbox.com
Legal notices: legal@ukpostbox.com
Data protection: dpo@ukpostbox.com
Complaints: complaints@ukpostbox.com
Accessibility: accessibility@ukpostbox.com
Website: www.ukpostbox.com
Registered in England and Wales Company Number: 06723381
MLR registration no: XLML00000192390
ICO registration no: ZA038907