Version 2026.05.2 · Effective 2026-05-27
Data Processing Addendum
Controller-to-processor terms incorporated by reference into the Terms of Service. UK GDPR Article 28 compliant.
1. Parties
This Addendum forms part of the Terms of Service between you ("Customer", controller) and deckshare Ltd ("Supplier", processor) for all personal data we process on your behalf.
2. Subject matter and duration
We process personal data only to provide the deckshare.ai service for the duration of your subscription, plus a 30-day deletion window thereafter (except as required by law).
3. Nature, purpose, categories
We process the personal data described in section 2 of the Privacy Notice for the purposes described in section 3 of the same.
4. Supplier obligations
The Supplier shall:
- Process personal data only on documented instructions from the Controller.
- Ensure persons authorised to process personal data are bound by confidentiality.
- Implement appropriate technical and organisational measures (encryption in transit and at rest, least-privilege access, hash-chained audit logging, signed releases, SOC 2 readiness in progress).
- Assist the Controller with data-subject requests within five business days.
- Notify the Controller of personal-data breaches within 72 hours of awareness.
- Delete or return personal data after the end of the engagement, at Controller's choice.
- Make available all information necessary to demonstrate compliance with Article 28.
5. Subprocessors
Authorised subprocessors are listed at /legal/subprocessors. We give 30 days' prior notice of additions. If you reasonably object on data-protection grounds, you may terminate the affected portion of the service with refund of any prepaid fees.
6. International transfers
Where transfer of personal data outside the UK or EEA is necessary, we rely on the UK Extension to the EU-US Data Privacy Framework, the UK International Data Transfer Addendum, or EU Standard Contractual Clauses, in that order. The DUAA 2025 risk-based adequacy assessment applies to any new recipient country.
7. Audit
Once per calendar year, on 30 days' notice, the Controller may audit the Supplier's compliance with this Addendum, either by reviewing SOC 2 / ISO 27001 reports or by a mutually-agreed third-party auditor at Controller's cost.
8. Standard contractual clauses
Where the EU SCCs (Module 2: controller-to-processor) apply, they are incorporated by reference. The UK Addendum (IDTA) applies to UK-restricted transfers.
9. Order of precedence
In the event of conflict, this Addendum prevails over the Terms of Service with respect to data-protection matters only.