1. Scope and roles
This DPA is between Customer as controller (or processor appointing a subprocessor) and Dominik Swiniarski, trading as Acta as processor (Acta). It applies to Customer Personal Data processed by Acta to provide the service. Terms such as controller, processor, data subject, personal data, personal data breach and processing have the meanings in the UK GDPR. Applicable Data Protection Law means the UK GDPR, Data Protection Act 2018 and other binding UK data-protection law.
2. Processing instructions
Acta will process Customer Personal Data only on Customer's documented instructions, including this DPA, the Agreement, configured service use and written support instructions, unless UK law requires processing. If law permits, Acta will tell Customer before that processing. Acta will immediately inform Customer if, in Acta's opinion, an instruction infringes Applicable Data Protection Law and may pause the affected processing.
3. Personnel and security
Acta ensures that persons authorised to process Customer Personal Data are bound by confidentiality and access it only as necessary. Taking account of the state of the art, implementation costs, processing and risk, Acta will maintain appropriate Article 32 measures, including the measures in Schedule 2, and will regularly assess their effectiveness. Customer is responsible for secure configuration, authorised senders, workspace roles, endpoint security and lawful forwarding.
4. Subprocessors
Customer gives general written authorisation for subprocessors needed to provide the service. Current core categories include AI processing (OpenAI), inbound email delivery (Postmark), hosting/database/backup infrastructure and malware-scanning services where configured. Acta will make the current list available through Support and give at least 15 days' notice before adding or replacing a subprocessor where reasonably practicable. Customer may object on reasonable data-protection grounds during that period. The parties will seek a practical resolution; if none is available, Customer may terminate the materially affected feature. Acta imposes data-protection obligations offering materially equivalent protection and remains responsible for its subprocessors as required by Article 28.
5. International transfers
Acta will not make a restricted transfer without a lawful mechanism. Where required this may include UK adequacy regulations, the UK International Data Transfer Agreement, the UK Addendum to approved standard contractual clauses, or another Article 46 safeguard, together with a transfer risk assessment and supplementary measures where appropriate. Acta will provide relevant safeguard information on request, subject to confidentiality.
6. Assistance
- Taking account of the nature of processing, Acta will assist Customer with appropriate technical and organisational measures to respond to data-subject rights requests.
- Acta will assist Customer with security, breach notification, data-protection impact assessments and prior consultation under Articles 32 to 36, taking account of the information available to Acta.
- If Acta receives a request concerning Customer Personal Data, it will not respond as controller unless authorised or legally required, and will refer it to Customer where appropriate.
- Reasonable assistance included in ordinary service use is included in fees. Exceptional, customer-specific work may be charged at an agreed reasonable rate unless caused by Acta's breach.
7. Personal data breaches
Acta will notify Customer without undue delay after becoming aware of a Customer Personal Data breach and, where feasible, aims to send an initial notice within 24 hours. Notice will include available information needed under Article 33(3), with updates as investigation continues. Acta's notice is not an admission of fault. Customer is responsible for notifications it must make as controller.
8. Return, deletion and audit
At Customer's choice on termination, Acta will delete or return Customer Personal Data and delete copies, unless law requires storage. Operational deletion may be followed by expiry from encrypted backups under the documented backup cycle. Acta will provide information reasonably necessary to demonstrate Article 28 compliance and allow audits, including inspections, by Customer or an independent auditor bound by confidentiality. Audits require reasonable notice, must avoid unnecessary disruption and normally occur no more than annually unless a breach, regulator or reasonable evidence justifies more. Existing independent reports and documentation should be used first.
Schedule 1: processing details
- Subject matter: provision, security, support and administration of Acta's forwarded-email triage and workspace service.
- Duration: the Agreement plus the deletion and backup-expiry period.
- Nature and purpose: receiving authorised forwarded email; quarantine and malware screening; extraction, classification and AI-assisted prioritisation; generating action cards and briefs; user support; security, backup and recovery.
- Data subjects: Customer users, staff, executives, clients, suppliers, correspondents and other people identified in submitted content.
- Personal data: names, business contact details, account/role data, message headers and content, attachments, actions, preferences, support records, security logs and technical identifiers.
- Sensitive data: not intentionally required. Customer must not submit special-category or criminal-offence data without a valid condition and safeguards.
- Frequency: as initiated by authorised forwarding and service use.
- Controller rights: Customer may issue lawful instructions, configure access and retention, request assistance, audit compliance and require return/deletion under this DPA.
Schedule 2: technical and organisational measures
- TLS for service transport and authenticated inbound webhooks.
- Encrypted authoritative database records, encrypted durable jobs, encrypted backups with a separate key, integrity verification and documented restore testing.
- Role-based workspace access; separate platform-admin designation; password re-verification for privileged administration; short privileged-access lifetime; confirmation for high-risk mutations; audit records.
- Long random intake routing secrets, sender allowlists, rate monitoring, encrypted quarantine, blocked attachment types, malware signatures and optional external malware scanning. Attachments default to quarantine pending review.
- Secure session cookies, same-origin request controls, security headers, request-size limits and login throttling.
- Data minimisation, retention controls, account deletion, privacy-request handling and incident/recovery procedures.
- Supplier due diligence, confidentiality restrictions, least privilege, logging and periodic security review.
9. Order of precedence and law
This DPA prevails over conflicting Agreement terms for processing Customer Personal Data. The liability provisions in the SaaS Agreement apply to this DPA to the extent permitted by law. The law and jurisdiction provisions of the SaaS Agreement apply.