Data Processing Addendum (DPA)

B2B data processing terms, provided on request

This page summarises our Data Processing Addendum (DPA) for customers who require contractual terms for handling personal data during delivery. LW IT Solutions provides a standard B2B DPA to support procurement, security review, and compliance obligations. The full document is available on request and is intended to be agreed alongside a signed statement of work or services agreement.

In most engagements, you remain the controller and we act as a processor, using personal data only to deliver the services you have asked for and to meet legal requirements. The DPA sets out processing instructions, confidentiality, security measures, use of approved sub-processors, incident notification, and deletion or return of data at the end of the engagement. If you have a preferred template, we can review it.

Get an expert-led assessment with a prioritised remediation backlog.

Request an assessment

Who this is for

This page is for organisations that need to review or agree data processing terms as part of a delivery engagement, procurement process, or supplier onboarding.

Procurement and legal teams requesting a standard DPA
Security and compliance teams conducting supplier assurance
Project owners engaging delivery support involving personal data
Partners who require processor terms for subcontracted delivery

What the DPA covers

The DPA is designed to document processor obligations and practical controls for handling personal data during service delivery.

Scope and purpose of processing linked to the contracted services
Categories of data subjects and personal data (as applicable to the engagement)
Duration of processing and retention or deletion at end of engagement
Confidentiality obligations for personnel and authorised access
Assistance with data protection obligations where relevant and agreed

Roles and processing instructions

The DPA clarifies the roles of each party and the processing instructions that apply to the engagement. Processing is performed only on documented instructions, subject to any legal requirements that may apply.

Controller and processor responsibilities for the engagement
Documented instructions and change control for scope updates
Access controls aligned to least privilege principles
Restrictions on use of personal data for any purpose outside delivery

Security measures

The DPA describes baseline technical and organisational measures used to protect personal data, proportionate to the nature of the services and the risks involved.

Controlled access to systems and customer environments
Use of secure authentication and account management practices
Logging and monitoring appropriate to the service context
Secure handling of credentials and secrets where applicable
Personnel confidentiality commitments and practical access governance

Specific measures vary by engagement and can be documented in the statement of work or security schedule where needed.

Sub-processors

Where sub-processors are used, the DPA sets out the conditions for their appointment and the obligations that must flow down to them. Any sub-processor use is limited to what is necessary to provide the contracted services.

Controls for engaging sub-processors where required
Contractual obligations for confidentiality and security
Change notification approach for material sub-processor updates where applicable

International transfers

If personal data is transferred internationally in connection with delivery, the DPA describes the approach used to support appropriate safeguards. The applicable mechanism depends on the service context and the locations involved.

Assessment of transfer needs based on the engagement
Use of recognised transfer safeguards where required
Documentation of relevant locations and service components where appropriate

Incident and breach notification

The DPA sets out how we handle suspected personal data incidents and how we notify customers when an incident is confirmed and meets the notification threshold set out in the agreement.

Internal incident assessment and escalation
Customer notification process and required information where available
Co-operation on investigation and remediation steps as agreed
Record keeping for incident handling activities

Assistance with data subject requests

Where relevant to the services, the DPA describes the support we can provide to help the controller respond to data subject requests and regulatory queries, within the scope agreed.

Support for identifying relevant processing activity within our scope
Timely communication to enable controller-led responses
Assistance is limited to the services and the data we process for the engagement

End of engagement: deletion or return

The DPA includes provisions for handling personal data at the end of the engagement. Depending on the service, this may involve returning data to the customer, deleting copies held by us, or both, subject to any legal retention requirements.

Defined approach for deletion or return of personal data where applicable
Handling of backups and operational logs in line with retention controls
Confirmation steps that can be agreed for closure and assurance

How to request the DPA

The full DPA is provided on request. Use the contact route that best matches your stage, and include any deadlines so we can prioritise your review.

Tell us whether you want our standard DPA or you have your own template
Share the services in scope and any known data types involved
Provide procurement timelines and any required review steps
Include any specific clauses your organisation requires (for example, audit rights or transfer terms)