Data Processing Agreement (DPA)

Governing the Processing of Personal Data Between the Controller and PawPal

Last Updated: 17-11-2025

This Data Processing Agreement (“Agreement” or “DPA”) forms part of the Terms and Conditions or any other agreement between:

(1) The Customer (“Controller”) – the business using PawPal to deliver pet-care services to its clients;
and
(2) PawPal (“Processor”) – provider of pet-care business management software.

Both parties agree to comply with this DPA when PawPal processes personal data on behalf of the Controller under UK GDPR and the Data Protection Act 2018.

Shape

1. Definitions

  • “Data Protection Laws” means the UK GDPR, Data Protection Act 2018, and all applicable privacy regulations.
  • “Personal Data” means any information relating to an identified or identifiable individual.
  • “Processing” means any operation performed on Personal Data.
  • “Sub-processor” means a third party engaged by PawPal to process Personal Data.
  • “Services” means the PawPal platform and related services.

2. Roles of the Parties

  • The Controller determines the purposes and means of processing Personal Data belonging to its customers (pet owners), contacts, and staff.
  • PawPal acts as Processor, processing data only on documented instructions from the Controller.

Nothing in this DPA transfers ownership of Personal Data to PawPal.
The Controller remains fully responsible for the accuracy, lawfulness, and integrity of the data it submits.

3. Categories of Personal Data

PawPal may process the following categories on behalf of the Controller:

3.1 Customer Data (Pet Owners)

  • Name
  • Address
  • Email
  • Phone number
  • Emergency/vet contacts

3.2 Pet Data

  • Pet name
  • Species/breed
  • Vaccination details
  • Notes, photos, inspection reports

3.3 Booking & Operational Data

  • Appointment details
  • Payment references
  • Internal notes
  • Activity logs

3.4 Staff Data (Controller’s employees)

  • Names
  • Contact details
  • Scheduling and usage data

3.5 Technical Data

  • IP address
  • Device information
  • Log files

No special-category data is intended to be processed unless the Controller uploads it.
The Controller is responsible for ensuring it has a lawful basis for any such uploads.

4. Purpose and Nature of Processing

PawPal processes Personal Data solely for delivering the Services, including:

  • Account creation
  • Booking management
  • Pet record management
  • Messaging and notifications
  • Analytics and reporting
  • Security and fraud prevention
  • System maintenance and technical support

PawPal will not use the data for marketing, profiling, selling, or any purpose beyond service provision.

5. Processor Obligations (PawPal)

PawPal agrees to:

5.1 Follow Instructions

Process Personal Data only on written instructions from the Controller.

5.2 Confidentiality

Ensure staff and contractors are under confidentiality obligations.

5.3 Security Measures

Implement appropriate technical and organisational measures, including:

  • Encrypted data storage
  • Encrypted transmission (HTTPS/TLS)
  • Access controls and authentication
  • Backups
  • Monitoring and audit logs
  • Least-privilege access

5.4 Sub-processors

PawPal may use sub-processors such as:

  • Hosting providers
  • Email delivery tools
  • Payment processors
  • Analytics services

PawPal will:

  • Ensure sub-processors follow equivalent data protection obligations
  • Provide the Controller with notice of new sub-processors
  • Allow objections where reasonable

A current list of sub-processors is available on request.

5.5 Data Breach Notification

If a Personal Data Breach occurs:

  • PawPal will notify the Controller without undue delay
  • Provide details and mitigation steps
  • Assist the Controller with reporting obligations

5.6 Assistance

PawPal will assist the Controller with:

  • Responding to data subject rights
  • Conducting DPIAs (where required)
  • Ensuring compliance with UK GDPR obligations

5.7 No Transfers Without Safeguards

Personal Data may be transferred outside the UK only if:

  • UK-approved Standard Contractual Clauses are in place, or
  • The destination has an adequacy regulation

5.8 Return or Deletion

Upon termination or on request, PawPal will:

  • Delete Personal Data
    OR
  • Return Personal Data to the Controller

Backups may be retained for required retention periods, then securely deleted.

6. Controller Obligations

The Controller agrees to:

  • Ensure all Personal Data is collected lawfully
  • Provide fair processing notices to its customers
  • Ensure it has a valid legal basis to process data (e.g., contract, consent)
  • Not upload unlawful, excessive, or unnecessary data
  • Maintain secure access to its PawPal accounts
  • Obtain consent for any special-category data
  • PawPal is not responsible for the Controller’s compliance failures.

7. Data Subject Rights

PawPal will assist the Controller in responding to:

  • Access requests
  • Correction requests
  • Deletion requests
  • Objections
  • Portability requests

PawPal will not respond directly to data subjects unless instructed by the Controller or required by law.

8. Records & Audits

PawPal will:

  • Maintain records of processing activities
  • Allow audits, subject to reasonable notice and confidentiality conditions
  • Provide documentation to demonstrate compliance

Audits may not damage system security or disrupt service availability.

9. Liability

Liability limitations follow those in the main Terms & Conditions.
Nothing limits liability for:

  • Data protection breaches caused by negligence
  • Wilful misconduct
  • Fraud
  • Any liability that cannot legally be limited

10. Term & Termination

This DPA remains in effect as long as PawPal processes Personal Data on behalf of the Controller.

Upon termination of the Services:

  • Personal Data will be deleted or returned (per Section 5.8)
  • Logs and backups will be deleted within standard retention periods

11. Changes to This DPA

PawPal may update this DPA to reflect:

  • Legal changes
  • Security improvements
  • Operational requirements
  • Material changes will be notified in advance.

12. Governing Law

This Agreement is governed by the laws of England and Wales.
Any disputes will be resolved through binding arbitration, unless statutory rights require otherwise.

13. Contact

For privacy or data protection matters, contact:

Email: info@pawpal.uk
Website: https://pawpal.uk