Data Processing Agreement (DPA)

Effective Date: 28th June 2025
Between:
(1) The Client (the "Controller")
(2) The Powerful Group Limited, trading as Powerful Digital Marketing, Company No. 09629669, with its registered address at 7A High Street, High Barnet, Greater London, EN5 5UE (the "Processor")

1. Purpose

This Data Processing Agreement ("Agreement") sets out the terms on which The Powerful Group Limited will process personal data on behalf of the Client, in compliance with the UK General Data Protection Regulation (UK GDPR) and Data Protection Act 2018.

2. Definitions

• Personal Data: Any information relating to an identified or identifiable natural person.

• Processing: Any operation or set of operations performed on personal data, including collection, storage, access, and deletion.

• Data Subject: The individual whose data is being processed.

• Controller: The party that determines the purpose and means of processing personal data (i.e., the Client).

• Processor: The party processing data on the controller’s behalf (i.e., The Powerful Group Limited).
  

3. Scope of Processing

3.1 The Processor shall process personal data solely for the purpose of providing services under the contract, which may include (as applicable):

• Managing and analysing marketing campaigns (Powerful Clicks)

• Accessing customer messages and profiles (Powerful Social)

• Handling chatbot conversations and storing replies (Powerful Bots)

• Access to analytics and CRM data

3.2 The categories of data subjects may include:

• Website visitors

• End customers

• Social media users

• Prospective leads

3.3 The types of personal data may include:

• Name, email address, phone number

• IP address, social media handles

• Chat messages or website enquiry data

• Marketing interaction data
  

4. Processor Obligations

The Processor agrees to:

a) Process personal data only on documented instructions from the Controller
b) Ensure all staff handling data are bound by confidentiality obligations
c) Implement appropriate technical and organisational security measures
d) Assist the Controller in responding to Data Subject requests (e.g., access, deletion)
e) Notify the Controller without undue delay in the event of a data breach
f) Delete or return all personal data at the end of the engagement, unless required to retain it by law
g) Maintain a record of all categories of processing carried out on behalf of the Controller

5. Subprocessors

5.1 The Controller agrees that the Processor may use the following subprocessors to provide parts of the service (subject to appropriate contractual safeguards):

• Google Workspace

• Notion, Airtable, or similar productivity tools

• Meta (Facebook/Instagram), TikTok, LinkedIn, Google Ads

• Secure third-party automation and analytics platforms

5.2 The Processor shall inform the Controller of any intended changes concerning additional subprocessors and give the Controller the opportunity to object.

6. International Transfers

If personal data is transferred outside the UK or EEA, the Processor shall ensure such transfers comply with Chapter V of the UK GDPR, using appropriate safeguards such as:

• Standard Contractual Clauses (SCCs)

• International Data Transfer Agreement (IDTA)

• Transfer to countries with an adequacy decision
  

7. Audit Rights

The Processor shall make available to the Controller, upon reasonable request, information necessary to demonstrate compliance and allow for audits (subject to confidentiality and notice).

8. Data Breach Notification

In the event of a personal data breach, the Processor shall:

• Notify the Controller within 48 hours

• Provide all available details about the nature, scope, and potential impact

• Cooperate in managing and mitigating the breach
  

9. Duration and Termination

This Agreement remains in effect for as long as the Processor processes personal data on behalf of the Controller.
Upon termination of the underlying contract, the Processor shall return or securely delete all personal data, unless required to retain it by law.

10. Governing Law

This Agreement shall be governed by and construed in accordance with the laws of England and Wales.