Legal
Data Processing Agreement
The standard terms under which Decyb Technology LLP processes personal data on behalf of clients.
Last updated: July 7, 2026
1. Purpose & Scope
This Data Processing Agreement ("DPA") describes the standard terms under which Decyb Technology LLP ("Processor") processes personal data on behalf of a client ("Controller") in the course of delivering software development and digital services. A signed, project-specific DPA is available on request and takes precedence over this page.
2. Roles
- The client is the Controller — you determine the purposes and means of processing the personal data inside your product or systems.
- Decyb is the Processor — we process that data only on your documented instructions, to build, operate, or support the agreed deliverables.
3. Our Obligations as Processor
- Process personal data only on the Controller's documented instructions.
- Ensure everyone authorized to process the data is bound by confidentiality.
- Apply appropriate technical and organizational measures (encryption in transit and at rest, access controls, least privilege, secrets management, dependency scanning).
- Assist the Controller with data-subject requests and GDPR Articles 32–36 obligations.
- Delete or return all personal data at the end of the engagement, at the Controller's choice.
- Make available information necessary to demonstrate compliance and allow audits.
4. Sub-processors
We engage sub-processors (e.g., cloud hosting, email delivery, payment processing) only under written agreements imposing equivalent data-protection obligations. A current list is available on request; we give prior notice of any intended changes, giving the Controller the opportunity to object.
5. International Transfers
Where processing involves transfers outside the EEA/UK, we rely on adequacy decisions or Standard Contractual Clauses (SCCs) as required by the GDPR.
6. Personal Data Breaches
We notify the Controller without undue delay after becoming aware of a personal data breach affecting their data, and provide the information needed to meet the Controller's own notification obligations (including the 72-hour authority notification window).
7. Security by Design
Systems we build follow privacy by design and by default: data minimization, purpose limitation, hashed or encrypted storage of sensitive fields, and role-based access. See our Engineering Quality page for the full standard.
8. Requesting a Signed DPA
To put a signed DPA in place for your project, email [email protected] with the subject "DPA Request" — or ask your point of contact. We can work from our standard template or review yours.