Data Processing Agreement

This Data Processing Agreement (“DPA”) forms part of, and is incorporated into, the Terms of Service between Where Beagles Dare Ltd(“Vidual”, “we”, “processor”) and the customer identified in those Terms (“you”, “controller”). It applies to any personal data contained within your Vidual Spaces workspace and processed by us on your behalf in the course of providing the service.

This DPA satisfies Article 28 of the UK GDPR and the EU GDPR (Regulation 2016/679) and, where the parties are not separately executing a customer-specific DPA, governs the processor terms between us. Defined terms used here have the meaning given to them by the UK GDPR / EU GDPR unless stated otherwise.

Subject matter. The processing of personal data contained in the files, metadata and other content you upload to your Vidual Spaces workspace.

Duration. For as long as your workspace is active, plus the retention period set out in section 9 of the Privacy Policy (90 days for cancelled workspaces; 30 days for files deleted from active workspaces).

Nature and purpose. Hosting, storing, transmitting, backing up, format-converting, generating previews and thumbnails, indexing for search, generating embeddings and entity-detection metadata, and otherwise processing content as necessary to deliver the Vidual Spaces service to you and the people you choose to share with.

Categories of data subjects. The individuals whose personal data is contained within content you upload — typically your staff, your clients, your contractors, and the subjects of any creative work stored in the workspace.

Categories of personal data. Determined by you. Typically: names, contact details, professional roles, images, video and audio recordings, written content, and any other personal data embedded in the files you choose to upload. You should not upload special-category data (Article 9 UK GDPR) unless you have established an appropriate lawful basis for doing so.

We will:

• Documented instructions. Process the personal data only on your documented instructions. Your use of the Vidual Spaces service, together with the Terms of Service and the Privacy Policy, constitutes your documented instructions. If we believe an instruction violates applicable data-protection law, we will notify you promptly and may decline to perform until the conflict is resolved.
• Confidentiality. Ensure that personnel authorised to process the personal data are under appropriate statutory or contractual confidentiality obligations.
• Security. Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as set out in Annex 2 below.
• Sub-processors. Engage sub-processors only as set out in section 3 below.
• Data-subject requests. Assist you, by appropriate technical and organisational measures and so far as reasonably possible, to respond to requests from data subjects exercising their rights under UK / EU GDPR (access, rectification, erasure, restriction, portability, objection).
• Regulatory assistance. Provide reasonable assistance with data-protection impact assessments and prior consultation with the supervisory authority where you are required to undertake them.
• Breach notification. Notify you without undue delay (and in any event within 48 hours of becoming aware) of any personal-data breach affecting your content. Our notice will include the information you reasonably need to comply with your own breach-notification obligations.
• Return or deletion. On termination of your workspace, delete or return the personal data as set out in section 9 of the Privacy Policy.
• Records. Maintain records of processing activities as required by Article 30(2) UK GDPR.

You give us general authorisation to engage sub-processors for the purposes set out in section 1 above. Our current sub-processors are listed in section 6 of the Privacy Policy and reproduced for reference in Annex 3 below.

We will notify you of any new sub-processor at least 30 days before they begin processing your data. You may object to a new sub-processor by writing to legal@vidualspaces.com within those 30 days, on reasonable data-protection grounds. Where we cannot accommodate your objection, you may terminate the affected subscription with a pro-rata refund for the unused portion of the current billing cycle.

We remain responsible to you for the performance of any sub-processor we engage. Each sub-processor is bound by a written contract imposing data-protection obligations substantially the same as those binding us under this DPA.

Your file content is stored in the data-residency jurisdiction you select at signup (EU by default; UK and US available). Where any transfer of personal data takes place outside the UK or EEA, we rely on the transfer mechanisms described in section 4 of the Privacy Policy— typically the EU–US Data Privacy Framework (and the UK extension to it) where applicable, the European Commission’s Standard Contractual Clauses, and the UK International Data Transfer Addendum issued by the Information Commissioner.

By entering into this DPA, where required for the operation of the service, the parties are deemed to have entered into the Standard Contractual Clauses (Module Two: Controller to Processor) and the UK IDTA, with each party signing in the capacity stated above, the optional docking clause selected, and the technical and organisational measures in Annex 2 of this DPA forming Annex II to those clauses.

On reasonable written notice, no more than once in any twelve-month period (unless required following a breach or by the supervisory authority), you may audit our compliance with this DPA. We will respond to a reasonable written audit questionnaire, and where you have a legitimate reason for a further audit we will allow an on-site inspection at a mutually agreed time, at your expense, on appropriate confidentiality terms.

We may, in lieu of an on-site audit, provide third-party audit reports (such as SOC 2 reports from our infrastructure sub-processors) that reasonably address the matters you would otherwise have audited.

The limitation of liability in section 14 of the Terms of Serviceapplies to claims under this DPA, except where applicable data-protection law requires otherwise. Nothing in this DPA excludes or limits the parties’ respective liability to data subjects under Article 82 UK GDPR or Article 82 EU GDPR.

This DPA is governed by the laws of England and Wales. If there is any conflict between this DPA and the Terms of Service in respect of the processing of personal data, this DPA prevails. If there is any conflict between this DPA and the Standard Contractual Clauses or UK IDTA incorporated under section 4, those clauses prevail.

The details of processing — subject matter, duration, nature, purpose, categories of data subjects, and categories of personal data — are set out in section 1 above.

We implement and maintain the following measures to protect personal data we process on your behalf:

• Encryption. File content is encrypted at rest by our storage provider (Cloudflare R2). All network connections to and from the service are encrypted in transit using TLS 1.2 or later.
• Access control. Production system access is limited to a small number of named staff, requires multi-factor authentication, and is logged. Customer workspace data is logically isolated per tenant; staff access to customer content is restricted to documented support scenarios and is auditable.
• Network and infrastructure security.We rely on our infrastructure sub-processors’ certifications (Cloudflare R2, Railway) for network-level controls including DDoS mitigation, firewalling, and intrusion detection.
• Authentication. Passwordless sign-in via short-lived single-use email links is the default; optional passkey authentication is available. Sessions are bound to the issuing browser and tenant.
• Backups. Database backups are taken regularly and tested for restorability. Backup data inherits the security controls of the production environment.
• Logging and monitoring. Security-relevant events (authentication, permission changes, exports, administrative actions) are logged for the retention period set out in section 9 of the Privacy Policy.
• Personnel. Staff with access to personal data are bound by written confidentiality undertakings. Access is removed promptly on role change or departure.
• Incident response. We maintain a documented incident-response process covering detection, containment, customer and regulator notification, and post-incident review.
• Sub-processor diligence. Sub-processors are selected on the basis of, and contractually required to maintain, security measures substantially equivalent to those described here.

Our current sub-processors are listed in section 6 of the Privacy Policy. That list is the authoritative version and is updated as sub-processors change. Notification of new sub-processors is given as described in section 3 of this DPA.

Where Beagles Dare Ltd
Unit 6 Heritage Business Centre, Belper, Derbyshire, DE56 1SW, United Kingdom
Registered in England and Wales · Company No. 11038022
VAT No. 307323727