AgendaScope Data Processing Agreement Policy

Data Processing Agreement Policy

AgendaScope Ltd
Company Number: 13032058
Registered Office: 20-22 Wenlock Road, London, England, N1 7GU

Last Updated: 28/08/25
Version: 1.0

1. Introduction

This Data Processing Agreement ("DPA") applies to all customers ("Data Controllers") who use AgendaScope Ltd's services ("Services") where personal data is processed on their behalf. By using our Services, customers agree to the terms set out in this DPA, which forms part of our Terms of Service.

2. Our Role as Data Processor

AgendaScope acts as a Data Processor when handling personal data on behalf of customers who remain the Data Controllers. We process personal data solely to provide our Services and in accordance with customer instructions and applicable data protection law.

3. What Data We Process

3.1 Categories of Personal Data

• Identity data: Names, usernames, job titles, company information

• Contact data: Email addresses, telephone numbers, postal addresses

• Meeting data: Calendar entries, meeting content, participant lists, scheduling preferences

• Technical data: IP addresses, browser type, device information, usage logs

• Communication data: Messages, feedback, support requests

3.2 Data Subjects

Personal data may relate to:

• Customer employees and authorised users

• Meeting participants and invitees

• Third parties whose information is processed through the Services

4. How We Process Data

4.1 Purpose and Legal Basis

We process personal data to:

• Provide our decision management platform and services

• Maintain user accounts and authentication

• Deliver customer support

• Monitor service performance and security

• Comply with legal obligations

4.2 Processing Activities

• Storing and organising decisions and related records

• Sending invitations and notifications

• Providing search and reporting functionality

• Analysing usage patterns for service improvement

• Maintaining security and preventing unauthorised access

5. Data Security

We implement robust technical and organisational measures including:

• Encryption: All data encrypted in transit using industry standard protocols (e.g. TLS)

• Access controls: Role-based permissions and multi-factor authentication

• Infrastructure security: Secure hosting with regular vulnerability assessments

• Monitoring: 24/7 security monitoring and incident response procedures

• Backup and recovery: Regular automated backups with tested recovery procedures

• Staff training: Regular data protection and security awareness training

6. Sub-processors

We may use carefully selected sub-processors to help deliver our Services. We:

• Maintain a current list of sub-processors available on request

• Ensure all sub-processors meet equivalent data protection standards

• Remain fully responsible for sub-processor compliance

7. International Transfers

Personal data is primarily processed within the United Kingdom. Where transfers outside the UK are necessary, we ensure:

• Transfers only occur to countries with adequate protection or using approved safeguards

• Standard Contractual Clauses or other appropriate mechanisms are in place

• Customer notification of any new transfer arrangements

8. Data Subject Rights

We assist customers in responding to data subject requests including:

• Access requests: Helping locate and provide personal data

• Correction requests: Updating inaccurate information

• Deletion requests: Removing data when legally required

• Portability requests: Providing data in structured formats

• Restriction requests: Limiting processing where appropriate

Customers should direct data subject requests to us promptly to ensure timely responses.

9. Data Breach Response

In the event of a personal data breach, we will:

• Notify customers within 5 working days of becoming aware of the breach

• Provide sufficient detail for customers to assess notification requirements

• Cooperate fully in breach investigation and mitigation

• Implement measures to prevent future occurrences

• Document all breaches for regulatory compliance

10. Data Retention and Deletion

• Active accounts: Data retained while accounts remain active and for service provision

• Inactive accounts: Data retained for 3 months after account closure unless deletion requested

• Legal requirements: Some data retained longer where required by law

• Deletion certification: Written confirmation provided upon request

Upon service termination, we will delete or return personal data within 60 days unless legal retention applies.

11. Customer Obligations

Customers must:

• Provide clear processing instructions

• Ensure lawful basis for data collection and sharing

• Inform data subjects about our processing activities

• Respond promptly to data subject requests

• Notify us of any restrictions or special requirements

12. Audit and Compliance

• Annual compliance reviews: We conduct regular assessments of our data protection practices

• Audit cooperation: We assist with customer audits subject to reasonable notice and confidentiality

• Documentation: We maintain records demonstrating compliance with this DPA

• Regulatory cooperation: We work with supervisory authorities as required

13. Liability

We are liable for damages caused by our processing activities that violate UK GDPR or this DPA. Each party remains liable for its own data protection obligations.

14. Updates to This Policy

We may update this DPA to reflect:

• Changes in data protection law

• Service enhancements or modifications

• Regulatory guidance or requirements

Customers will receive 30 days' notice of material changes affecting their rights or obligations.

15. Contact Information

For questions about this DPA or data protection matters:

Data Protection Officer
AgendaScope Ltd
Email: support@agendascope.com
Address: 20-22 Wenlock Road, London, England, N1 7GU

Supervisory Authority

Information Commissioner's Office (ICO)
Website: ico.org.uk

This Data Processing Agreement is effective from 28/08/25 and applies to all use of AgendaScope Services.