Article 28 GDPR — DM Digital as Processor
This Data Processing Addendum (the “DPA”) applies whenever DM Digital processes personal data on behalf of a Client in the course of providing hosting, maintenance or website services. It forms part of the DM Digital Terms & Conditions (the “Terms”) and, together with the signed Statement of Work (the “SOW”), records the parties’ obligations under Article 28 of Regulation (EU) 2016/679 (the “GDPR”) and the Data Protection Act 2018.
Terms used in this DPA have the meanings given in Article 4 GDPR (controller, processor, personal data, processing, personal data breach, sub-processor, data subject, etc.) unless the context requires otherwise.
Where DM Digital processes personal data on behalf of the Client in the course of providing hosting, maintenance or website services (including personal data submitted by visitors through forms, comments or accounts), the Client is the data controller and DM Digital is the data processor.
The subject-matter, duration, nature and purpose of the processing, the types of personal data and the categories of data subjects are set out in the SOW. By way of default and in the absence of further detail in the SOW:
(a) Subject-matter: the provision of website design, hosting and maintenance services by DM Digital to the Client.
(b) Duration: for the term of the engagement and for any retention period required by applicable law.
(c) Nature and purpose: hosting and operating the Client’s website and supporting services (e.g. contact-form processing, error logging, backups, performance monitoring).
(d) Types of personal data: identification data (name, email, phone), contact-form submissions, browsing telemetry, account credentials where applicable, and any other personal data the Client directs DM Digital to process.
(e) Categories of data subjects: visitors to and users of the Client’s website, including prospective customers, customers and any other persons whose personal data the Client submits or causes to be submitted via the website.
DM Digital does not engage a Domain Name System (DNS) provider as a sub-processor. The Client owns and operates its own DNS account with the registrar of its choice. Where DM Digital is granted administrative access to manage DNS records on the Client’s behalf, DM Digital acts only as the Client’s administrative agent, not as a processor in respect of the DNS service itself. Accordingly, the DNS registrar is not listed in Schedule 2.
DM Digital will:
(a) process personal data only on the documented instructions of the Client (including as set out in the Terms, this DPA and the SOW), except where required to do so by EU or Member State law to which it is subject;
(b) ensure that personnel authorised to process personal data are bound by confidentiality obligations;
(c) implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, having regard to Article 32 GDPR (including the measures set out in Schedule 1);
(d) assist the Client, taking into account the nature of the processing and the information available, in meeting its obligations under Articles 32 to 36 GDPR; and
(e) make available to the Client all information necessary to demonstrate compliance with Article 28 GDPR.
The Client gives general written authorisation for DM Digital to engage sub-processors (such as hosting providers, email-delivery providers and analytics providers). The current list of sub-processors is at Schedule 2.
DM Digital will give the Client at least thirty (30) days’ written notice of any intended addition or replacement of a sub-processor, during which the Client may object on reasonable, documented data-protection grounds. Where the Client objects, the parties will discuss the objection in good faith and, if it cannot be resolved, the Client may terminate the affected service on thirty (30) days’ notice. DM Digital will impose on each sub-processor data-protection obligations equivalent to those in this DPA.
DM Digital will not transfer personal data outside the European Economic Area unless an appropriate transfer mechanism under Chapter V GDPR is in place (such as a European Commission adequacy decision, including the decision in respect of the United Kingdom, the European Commission’s Standard Contractual Clauses, or another lawful transfer mechanism), and the Client authorises DM Digital to enter into such mechanisms on its behalf where necessary.
DM Digital will notify the Client without undue delay (and in any event within forty-eight (48) hours) after becoming aware of any personal data breach affecting personal data processed under this DPA, providing the information reasonably necessary to enable the Client to meet its own breach-notification obligations under Articles 33 and 34 GDPR.
DM Digital will assist the Client, by appropriate technical and organisational measures, in responding to requests by data subjects to exercise their rights under Chapter III of the GDPR. Where a request is received directly by DM Digital, DM Digital will forward it to the Client without responding to the data subject (other than to acknowledge receipt and direct them to the Client).
On termination or expiry of the engagement, DM Digital will, at the Client’s choice, return or securely delete all personal data processed on the Client’s behalf and certify the same in writing, except to the extent retention is required by applicable law.
DM Digital will allow for and contribute to audits, including inspections, conducted by the Client or another auditor mandated by the Client, no more than once per calendar year and on no less than thirty (30) days’ written notice (except where required earlier by a regulator), at the Client’s cost. The parties may agree alternative arrangements (such as the provision of third-party audit reports or self-assessment questionnaires) to satisfy this obligation.
Each party’s liability under or in connection with this DPA is subject to the Limitation of Liability provisions in §13 of the Terms, except to the extent that the relevant liability arises from a breach of obligations that cannot lawfully be limited under the GDPR or other applicable law.
If there is any conflict between the Terms, this DPA and the SOW in relation to data protection matters, the DPA prevails over the Terms and the SOW. Otherwise, the Terms prevail over this DPA and the SOW.
DM Digital may update this DPA from time to time, including to reflect changes in applicable data-protection law or guidance from the Irish Data Protection Commission or European Data Protection Board. DM Digital will give the Client not less than thirty (30) days’ written notice of any material change. If the Client objects to a material change on reasonable, documented data-protection grounds, the Client may terminate the affected ongoing services on thirty (30) days’ written notice without further charge.
DM Digital implements and maintains the technical and organisational measures set out below, which DM Digital may update from time to time to reflect changes in good security practice provided the level of security is not materially reduced.
(a) Access control: role-based access control to all systems holding personal data; multi-factor authentication for administrative and remote access; password complexity and rotation policies; principle of least privilege applied to staff and sub-processors.
(b) Encryption: TLS 1.2 or higher for personal data in transit; at-rest encryption for backups and any storage of personal data outside ephemeral processing environments.
(c) Infrastructure and patching: hosting on infrastructure that maintains current security certifications (e.g. ISO/IEC 27001 or SOC 2 Type II); regular patching of operating systems, CMS platforms and plugins; web application firewall on production environments; malware scanning.
(d) Backup and recovery: regular automated backups with documented retention; periodic restore testing; documented disaster-recovery procedures.
(e) Logging and monitoring: centralised logging of access to systems holding personal data; alerting on anomalous activity; retention of access logs for a period sufficient to support breach investigation.
(f) Personnel: confidentiality undertakings from all DM Digital personnel with access to personal data; data-protection and security awareness briefing on onboarding.
(g) Sub-processors: written contracts with all sub-processors imposing data-protection obligations equivalent to this DPA; periodic review of sub-processor security posture; maintenance of the sub-processor list at Schedule 2.
(h) Incident response: documented incident-response procedure including triage, containment, root-cause analysis and notification; tested at least annually.
The table below lists the sub-processors engaged by DM Digital as at the date of this DPA. Updates to this list will be communicated to the Client in accordance with §3.
| Sub-processor | Purpose | Location | Transfer mechanism |
|---|---|---|---|
| Replit, Inc. (Replit Deployments) | Website hosting infrastructure — code execution, file storage, runtime and native version control. | United States | EU SCCs via Replit DPA |
| Drag Apps, Inc. (Resend) | Transactional email delivery for contact forms and system notifications. | United States | EU SCCs via Resend DPA |
| Google LLC (Google Analytics 4) | Website analytics — engaged only where the Client enables analytics on its site. Consent management remains the Client’s responsibility. | United States | EU SCCs via Google Ads Data Processing Terms |
| Application error / performance monitoring provider — to be confirmed | Capture of runtime errors and performance telemetry on the Client’s website. | To be confirmed | Notified to the Client before engagement |
| Uptime monitoring provider — to be confirmed | External availability monitoring of the Client’s website. | To be confirmed | Notified to the Client before engagement |
Notes:
(a) DM Digital relies on its hosting provider’s native version control for code-level resilience and does not engage a separate code-hosting or backup sub-processor for client-visitor personal data.
(b) Application error monitoring and external uptime monitoring providers will be selected from reputable vendors with appropriate data-protection terms. The Client will be notified of the chosen providers in writing before they begin processing personal data on the Client’s behalf.
(c) Domain Name System (DNS) services are not included in this Schedule — see §1 for the agency-of-the-Client treatment of DNS administration.
Where the SOW or a related schedule sets out processing particulars specific to the engagement, those particulars override the defaults in §1 of this DPA. The template below may be completed and signed alongside the SOW to record the agreed particulars.
| Processing particular | Agreed detail |
|---|---|
| Subject-matter of processing | [describe] |
| Duration of processing | [describe] |
| Nature and purpose of processing | [describe] |
| Types of personal data | [describe — e.g. name, email, phone, contact-form free-text, IP address] |
| Categories of data subjects | [describe — e.g. website visitors, customers, members] |
| Special-category data? | [Yes / No — describe if Yes] |
| Retention period | [describe — default: duration of engagement plus statutory backup-cycle clearance] |
| Client-specific instructions (if any) | [describe] |