Data Processing Agreement
Last updated: July 2026 (v23.0)
This DPA applies automatically wherever Hybytes Ltd ("Processor") processes personal data on behalf of a customer ("Controller") in providing Swiip. It forms part of the Terms; acceptance of the Terms constitutes execution of this DPA by both parties, and it prevails over the Terms for data-protection matters. It reflects Article 28 UK GDPR and Article 28 EU GDPR.
6.1 Annex I — Details of processing
Subject matter and duration: provision of Swiip for the subscription term plus the deletion window. Nature and purpose: hosting, storing, processing and displaying customer content and audience interactions; engagement analytics for the Controller. Categories of data: customer account and user details; personal data included in Swiips or collected from audiences (names, emails, form submissions, engagement data). Categories of data subjects: customer staff and users; customer audiences and end users. Special category data: none intended; the Controller must not include it without prior written agreement.
What we hold — and what we do not
Under this framework we process only:
- (a) the customer's account and billing data;
- (b) the content the customer creates and publishes on Swiip (their Swiips/Wraps and any data they choose to include in them); and
- (c) audience engagement data generated when their published Swiips are viewed.
We do not hold, and we do not have access to, the customer's private communications, personal chats, messages, email correspondence or mailboxes, or internal correspondence, or any personal data outside the Swiip service. Where we hold an email address, it is held only as a contact identifier for the account or audience — not the content of any email correspondence.
6.2 Processor obligations
- Process only on the Controller's documented instructions (these Terms, the Controller's use of service controls, and written instructions), including for international transfers, unless required by law — in which case we inform the Controller before processing unless the law prohibits it, and we inform the Controller if an instruction appears to infringe data-protection law.
- Ensure persons authorised to process are under confidentiality obligations.
- Implement the technical and organisational measures in Annex II (Article 32).
- Engage sub-processors only under written terms imposing equivalent obligations; maintain the public list (Section 9); give at least 30 days notice of additions or replacements, during which the Controller may object on reasonable data-protection grounds — if unresolved, the Controller may terminate the affected service with a pro-rata refund of prepaid unused fees. The Processor remains liable for its sub-processors.
- Taking into account the nature of processing, assist the Controller with data-subject requests, and with security, breach notification, impact assessments and prior consultation (Articles 32-36).
- Notify the Controller of a personal-data breach without undue delay and in any event within 72 hours of awareness, with the information Article 33(3) requires as it becomes available.
- At the end of the service, delete or return personal data at the Controller's choice within the deletion window, and delete remaining copies, save where law requires storage.
- Make available information necessary to demonstrate compliance and allow and contribute to audits (including inspections) by the Controller or its mandated auditor — at most annually except following a breach, on 30 days notice, during business hours, under confidentiality, and at the Controller's cost; SOC/assurance reports and questionnaire responses satisfy audit requests where reasonably sufficient.
6.3 International transfers
Transfers outside the UK rely on adequacy regulations, the UK International Data Transfer Agreement, or the UK Addendum to the EU SCCs; transfers outside the EEA rely on adequacy decisions or the EU Standard Contractual Clauses (Module 2 controller-to-processor, or Module 3 processor-to-processor for sub-processors), which are incorporated by reference and completed with Annex I and II of this DPA, with transfer risk assessments and supplementary measures where required.
6.4 US state law service-provider terms
To the extent US state privacy laws (including the CCPA as amended) apply to personal information we process for the Controller, we act as a "service provider"/"processor": we process it only for the business purposes in Annex I; we do not sell or share it, retain, use or disclose it outside the direct business relationship, or combine it with personal information from other sources except as the law permits; we provide the same level of protection as the law requires, notify the Controller if we can no longer do so, and permit the Controller to take reasonable steps to stop unauthorised use.
6.5 Australian Privacy Act
Where the Controller is subject to the Privacy Act 1988 (Cth), we handle the personal information consistently with the applicable Australian Privacy Principles, assist with access and correction requests, and notify the Controller without undue delay of an eligible data breach so the Controller can meet its NDB obligations.
6.6 Annex II — Technical and organisational measures
Encryption of data in transit (TLS 1.2+) and at rest; least-privilege, role-based access with MFA and joiner-mover-leaver reviews; logical tenant separation and environment separation (production/non-production); secure development lifecycle with code review, dependency and vulnerability scanning in CI/CD; hardening and patch management; automated backups with periodic restore testing; centralised logging, monitoring and alerting; incident response runbooks with defined roles; endpoint protection and device management; personnel vetting proportionate to role, confidentiality and security training; supplier security assessment; physical security inherited from AWS data centres; business-continuity and disaster-recovery arrangements with defined recovery objectives; pseudonymisation or aggregation where appropriate.
6.7 Liability and order of precedence
Liability under this DPA is subject to the limitations in Terms Section 2.19, except where data-protection law does not permit limitation. For data-protection matters this DPA prevails over the Terms; the SCCs/IDTA prevail over this DPA where they apply.