/ Legal & compliance
Data Processing Addendum
Clear information about how Secremedy operates, protects data, and works with customers.
Effective 14 July 2026
1. Scope and roles
This DPA forms part of each Order where Secremedy Ltd processes personal data on a customer’s behalf. The customer is controller and Secremedy is processor unless the Order states otherwise.
2. Processing details
Subject and purpose: delivery, support and security of the contracted cybersecurity services. Duration: the Order plus the agreed deletion period. Data: business contact, account, device, log, vulnerability, support and incident data in scope. People: customer personnel, users, clients and other people represented in customer systems.
3. Documented instructions
We process data only on documented instructions, including lawful transfer instructions, unless law requires otherwise. We will notify the customer if an instruction appears to infringe data protection law.
4. Confidentiality and security
Authorised personnel are bound by confidentiality. We maintain risk-appropriate controls including least privilege, access authentication, encryption where appropriate, patching, logging, secure disposal, incident response and personnel awareness.
5. Subprocessors
The customer gives general authorisation for the listed subprocessors. We will give reasonable prior notice of material changes and contract for equivalent data protection obligations. We remain responsible for their processing to the extent required by law.
6. Assistance
Taking account of the processing, we will reasonably assist with data-subject requests, security, breach notification, DPIAs, prior consultation and compliance information. Additional work outside the service may be chargeable at agreed rates.
7. Personal data breaches
We will notify the customer without undue delay after becoming aware of a personal data breach affecting customer data and provide available information reasonably needed for its assessment and notifications.
8. Return, deletion and audit
At the customer’s choice, we return or delete customer personal data after services end, unless law requires retention. We provide information reasonably needed to demonstrate compliance and allow proportionate audits on reasonable notice, subject to confidentiality and security safeguards.
9. International transfers
Restricted transfers use a lawful mechanism. Where required, the applicable EU Standard Contractual Clauses and/or UK IDTA or UK Addendum are incorporated, with the Order supplying the parties, modules, processing details and safeguards.