Last updated 8 July 2026
Data Protection Agreement
This Data Protection Agreement (DPA) is offered by Captivated Ltd to business customers and partners (each a Customer) where Captivated Ltd processes personal data on the Customer's behalf as a processor. It supplements the main agreement between the parties and is intended to help both parties meet their obligations under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. Where Captivated Ltd processes personal data on a Customer's behalf, the Customer acts as controller and Captivated Ltd acts as processor.
Subject matter and duration
The subject matter is the processing of personal data by Captivated Ltd to provide the services described in the main agreement. Processing continues for the duration of that agreement and any period reasonably required to return or delete the data afterwards.
Nature and purpose
Personal data is processed only to provide, support and maintain the agreed services, and for no other purpose, unless required by law.
Types of personal data and data subjects
The categories of personal data and of data subjects depend on the services and are set out in the main agreement or an accompanying schedule. They typically include contact and business details of the Customer's own staff, customers or contacts.
Processor obligations under Article 28
In line with Article 28 UK GDPR, Captivated Ltd will:
- process personal data only on the Customer's documented instructions, including as to international transfers, unless required to do otherwise by law;
- ensure that persons authorised to process the data are bound by confidentiality;
- implement appropriate technical and organisational security measures;
- assist the Customer, so far as reasonably possible, with data subject requests and with the Customer's obligations on security, breach notification and impact assessments;
- make available information necessary to demonstrate compliance with Article 28.
Sub-processors
The Customer authorises Captivated Ltd to appoint sub-processors, provided that each is bound by data protection obligations equivalent to those in this DPA. We will inform the Customer of any intended change to sub-processors and give the Customer the opportunity to object on reasonable grounds.
Security
We maintain technical and organisational measures appropriate to the risk, taking into account the nature of the data and the potential harm from unauthorised or unlawful processing, loss or damage.
Data subject requests
Taking into account the nature of the processing, we will assist the Customer by appropriate measures to respond to requests from data subjects exercising their rights under UK GDPR.
Breach notification
We will notify the Customer without undue delay after becoming aware of a personal data breach affecting the Customer's data, and provide reasonable information to help the Customer meet its own notification obligations.
Deletion or return
On termination of the services, we will, at the Customer's choice, delete or return the personal data and delete existing copies, unless retention is required by law.
Audits
We will make available information reasonably necessary to demonstrate compliance and will allow for and contribute to audits, including inspections, conducted by the Customer or an appointed auditor on reasonable notice and subject to appropriate confidentiality.
International transfers
Where processing involves transfers of personal data outside the United Kingdom, we will ensure an appropriate safeguard recognised under UK data protection law is in place, such as UK adequacy regulations or the International Data Transfer Agreement.
Contact
To request a signed copy of this DPA or to discuss its terms, email leon@captivated.online. See also our Website Privacy notice.