GDPR Policy & Data Processing Agreement
Last Updated: August 2025
Data Dwell Limited
Company Registration Number: 10439092
10 John Street, London, WC1N 2EB, United Kingdom
This GDPR Policy and Data Processing Agreement ("Policy") describes how Data Dwell Limited ("Data Dwell", "we", "us", or "our") processes personal data in compliance with the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the UK General Data Protection Regulation ("UK GDPR"), and other applicable data protection laws.
This Policy applies when Data Dwell acts as a data processor on behalf of our customers ("Controllers") who use our digital asset management platform and related services (the "Service").
For the purposes of this Policy:
- "Controller" means the natural or legal person which determines the purposes and means of the processing of personal data
- "Processor" means the natural or legal person which processes personal data on behalf of the Controller
- "Data Subject" means an identified or identifiable natural person
- "Personal Data" means any information relating to a Data Subject
- "Processing" means any operation performed on Personal Data, whether or not by automated means
- "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data
- "Data Protection Laws" means GDPR, UK GDPR, and any other applicable data protection legislation
3.1 Data Processing Relationship
- Customer as Controller: Our customers act as the data controller for Personal Data uploaded to or processed through the Service
- Data Dwell as Processor: We act as a data processor when processing Personal Data on behalf of our customers
- Data Dwell as Controller: In limited instances (such as account management and billing), we act as a data controller. In these cases, our Privacy Policy applies
3.2 Controller Responsibilities
The Controller warrants and undertakes that:
- It has obtained all necessary consents, legal bases, and authorisations for processing Personal Data
- It will provide clear, lawful instructions for processing
- It will comply with all applicable Data Protection Laws
- It will inform Data Dwell of any special categories of Personal Data
- It will notify Data Dwell of any changes to the types of Personal Data being processed
4.1 Categories of Personal Data
Data Dwell processes the following categories of Personal Data:
- Identity Data: Name, job title, username
- Contact Data: Email address, phone number, company name
- Technical Data: IP address, browser type and version, operating system, device information
- Usage Data: System activities, access logs, user behaviour analytics
- Content Data: Files uploaded to the Service, including any Personal Data contained within
4.2 Categories of Data Subjects
- End Users of the Controller's account
- Controller's employees and contractors
- Controller's customers, suppliers, and subcontractors
- Any individuals whose data is contained within uploaded Content
- Individuals collaborating with End Users
4.3 Processing Operations
- Storage and hosting of data
- File preview generation and transcoding
- EXIF data extraction from files
- File manipulation and combination
- Usage analytics and reporting
- System performance monitoring
- Technical support services via Linear.app
- Newsletter distribution via Reply.io (where requested)
- Live chat support via Chatlio and Slack
- Accounting and billing processing via Xero
4.4 Duration of Processing
Personal Data will be processed for the duration of the agreement between Data Dwell and the Controller, unless otherwise instructed or required by law.
As a Processor, Data Dwell processes Personal Data based on:
- Contract Performance: To provide the Service as contracted
- Legal Obligations: To comply with applicable laws
- Legitimate Interests: For security, fraud prevention, and service improvement (where applicable)
- Controller Instructions: As lawfully instructed by the Controller
6.1 Rights Under GDPR
Data Subjects have the following rights:
- Right of access to their Personal Data
- Right to rectification of inaccurate data
- Right to erasure ("right to be forgotten")
- Right to restriction of processing
- Right to data portability
- Right to object to processing
- Rights related to automated decision-making
6.2 Handling Data Subject Requests
- Data Dwell will promptly inform the Controller of any requests received directly from Data Subjects
- We will assist the Controller in responding to Data Subject requests at the Controller's cost
- We will not respond directly to Data Subjects unless authorised by the Controller
7.1 Technical and Organisational Measures
Data Dwell implements appropriate measures including:
- Encryption: Data encrypted in transit (TLS/SSL) and at rest
- Access Controls: Role-based access controls and multi-factor authentication
- Pseudonymisation: Where appropriate and feasible
- Resilience: Redundant systems and regular backups
- Recovery: Disaster recovery and business continuity procedures
- Testing: Regular security assessments and penetration testing
- Monitoring: 24/7 security monitoring and threat detection
7.2 Security Standards
- ISO 27001 certification (where applicable)
- Regular security audits and assessments
- Secure development lifecycle practices
- Vulnerability management program
- Anti-virus and anti-malware protection
- Regular security updates and patches
7.3 Personnel Security
- Confidentiality agreements for all personnel
- Regular security training and awareness programs
- Background checks where appropriate
- Limited access on a need-to-know basis
8.1 Authorised Sub-Processors
The Controller consents to Data Dwell's use of the following sub-processors:
| Sub-Processor | Purpose | Location |
|---|---|---|
| Amazon Web Services | All data storage, transcoding, preview generation, file creation | Ireland, Germany, UK, United States* |
| Attio | Customer relationship management | European Union |
| PostHog | Customer behavioral data storage and processing | European Union |
| Reply.io | Newsletter distribution to Customer Users | United States* |
| Linear.app | Support request processing and management | European Union |
| Chatlio | Live chat support (preloaded with user email and name) | United States* |
| Slack | Internal support communications (receives data from Chatlio) | United States* |
| Xero | Accounting and financial data processing (via AWS US servers) | United States* |
*Appropriate safeguards in place for international transfers
8.2 Changes to Sub-Processors
- Data Dwell maintains an updated list of sub-processors
- Controllers will be notified of any intended changes with reasonable notice
- Controllers have the right to object to new sub-processors
- If objection cannot be resolved, the Controller may terminate the affected services
8.3 Sub-Processor Requirements
Data Dwell ensures all sub-processors:
- Are bound by written agreements with equivalent data protection obligations
- Implement appropriate security measures
- Only process Personal Data according to our instructions
- Are regularly assessed for compliance
9.1 Transfer Mechanisms
When Personal Data is transferred outside the EEA/UK, Data Dwell ensures appropriate safeguards through:
- Standard Contractual Clauses (SCCs): EU Commission-approved or UK-approved clauses
- Adequacy Decisions: Transfers to countries with adequate protection
- Supplementary Measures: Additional technical and organisational measures where required
9.2 Transfer Locations
Processing may occur in:
- United Kingdom
- European Economic Area (Ireland, Germany, Sweden)
- United States (with appropriate safeguards via AWS, Reply.io, Chatlio, Slack, and Xero)
9.3 Transfer Impact Assessments
Data Dwell conducts assessments to ensure transfers comply with the Schrems II ruling and provides appropriate supplementary measures.
10.1 Breach Notification
Data Dwell will notify the Controller without undue delay upon becoming aware of a Personal Data Breach.
Notification will include:
- Nature of the breach
- Categories and approximate number of Data Subjects affected
- Categories and approximate number of Personal Data records concerned
- Likely consequences of the breach
- Measures taken or proposed to address the breach
10.2 Breach Assistance
We will assist the Controller in:
- Investigating the breach
- Complying with notification obligations
- Implementing remedial measures
- Communicating with Data Subjects (if required)
11.1 Retention Period
- Personal Data is retained for the duration of the service agreement
- Upon termination, data is retained for 30 days to allow for export
- After the retention period, all Personal Data is securely deleted
11.2 Deletion Methods
- Secure overwriting of storage media
- Physical destruction of hardware where necessary
- Verification of deletion completion
- Deletion certificates available upon request
11.3 Legal Retention Requirements
Data may be retained longer if required by law, legal proceedings, or legitimate business purposes.
12.1 Audit Rights
- Controllers may audit Data Dwell's compliance once per 12-month period
- Audits must be conducted with 30 business days' notice
- Audits are at the Controller's expense
- Auditors must sign confidentiality agreements
- Data Dwell may provide compliance certifications in lieu of audits
12.2 Compliance Demonstration
Data Dwell maintains:
- Records of processing activities
- Security documentation
- Compliance certificates and attestations
- Data Protection Impact Assessments (where applicable)
13.1 Processing Instructions
- Data Dwell processes Personal Data only on documented instructions from the Controller
- The Service agreement constitutes the Controller's initial instructions
- Additional instructions must be provided in writing
13.2 Unlawful Instructions
If Data Dwell believes an instruction violates Data Protection Laws:
- We will immediately inform the Controller
- We may suspend processing pending clarification
- We will document our concerns and the Controller's response
14.1 Liability Allocation
- Each party remains liable for its own compliance with Data Protection Laws
- Data Dwell's liability is limited as set out in the Service agreement
- The Controller indemnifies Data Dwell against claims arising from the Controller's instructions or breach of Data Protection Laws
14.2 Insurance
Data Dwell maintains appropriate insurance coverage for data protection liabilities.
Data Dwell will:
- Cooperate with supervisory authorities as required
- Assist the Controller in responding to regulatory inquiries
- Provide information necessary for demonstrating compliance
- Implement recommendations from authorities where applicable
Where required, Data Dwell will assist the Controller in conducting Data Protection Impact Assessments, including:
- Providing information about processing operations
- Identifying and assessing risks
- Recommending mitigation measures
- Supporting consultation with supervisory authorities
Data Dwell implements privacy by design principles:
- Data minimisation in system design
- Privacy-enhancing technologies
- Default privacy settings
- Regular privacy reviews
- Privacy considerations in new feature development
18.1 Processing Restrictions
Data Dwell does not intentionally process special categories of Personal Data (health, racial/ethnic origin, political opinions, religious beliefs, etc.) unless:
- Specifically notified by the Controller
- Appropriate safeguards are implemented
- Legal basis for processing exists
18.2 Children's Data
The Service is not intended for children under 16. Controllers must ensure appropriate consents for any children's data.
19.1 Updates
This Policy may be updated to reflect:
- Changes in Data Protection Laws
- Regulatory guidance
- Industry best practices
- Service modifications
19.2 Notification
Material changes will be notified with at least 30 days' notice unless urgent changes are required by law.
Data Protection Officer
Name: Skarpi Steinthorsson
Email: privacy@datadwell.com
Postal Address: 10 John Street, London, WC1N 2EB, United Kingdom
General Enquiries
Email: privacy@datadwell.com
Website: https://www.datadwell.com
Supervisory Authority
UK: Information Commissioner's Office (ICO)
Website: https://ico.org.uk
Phone: 0303 123 1113
EU: Relevant national data protection authority based on establishment
By using the Service, Controllers acknowledge that they have read, understood, and agree to be bound by this GDPR Policy and Data Processing Agreement. This Policy forms part of the overall agreement between Data Dwell and the Controller.
Document Version: 1.0
Effective Date: August 2025
Review Date: August 2026