Legal

Data Processing Agreement

How we process personal data on your behalf, in compliance with the UK GDPR and the Data Protection Act 2018.

These terms are provided as a framework and should be reviewed by qualified legal counsel before reliance.

Last updated: 15 February 2026

This Data Processing Agreement ("DPA") forms part of the agreement between the entity identified as the customer ("Controller", "you", or "your") and MissionOpsAI Ltd, a company registered in England and Wales ("Processor", "MissionOpsAI", "we", "us", or "our"), governing the processing of personal data in connection with your use of MissionOpsAI's products and services (the "Services").

This DPA is entered into in accordance with Article 28 of the UK General Data Protection Regulation (UK GDPR) as retained in UK law by the European Union (Withdrawal) Act 2018 and supplemented by the Data Protection Act 2018.

1. Definitions

In this DPA, the following terms shall have the meanings set out below. Terms not defined here shall have the meanings given to them in the UK GDPR or in the principal service agreement between the parties.

  • "Applicable Data Protection Law" means the UK GDPR, the Data Protection Act 2018, the Privacy and Electronic Communications Regulations 2003, and any other applicable UK data protection legislation, together with any guidance and codes of practice issued by the Information Commissioner's Office (ICO).
  • "Controller" means the entity that determines the purposes and means of the processing of Personal Data, being the customer.
  • "Data Subject" means an identified or identifiable natural person to whom Personal Data relates.
  • "International Transfer" means any transfer of Personal Data to a country or territory outside the United Kingdom.
  • "Personal Data" means any information relating to an identified or identifiable natural person that is processed by the Processor on behalf of the Controller in connection with the Services.
  • "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed.
  • "Processing" means any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, organisation, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure, or destruction.
  • "Processor" means MissionOpsAI Ltd, which processes Personal Data on behalf of the Controller.
  • "Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
  • "Standard Contractual Clauses" means the International Data Transfer Agreement (IDTA) or the International Data Transfer Addendum to the EU Standard Contractual Clauses, as approved by the ICO under section 119A of the Data Protection Act 2018.

2. Scope and Details of Processing

The Processor shall process Personal Data only to the extent necessary to provide the Services to the Controller, as further described in this section.

2.1 Subject Matter and Duration

The subject matter of the processing is the provision of AI operations, governance, and management services as described in the principal service agreement. Processing shall continue for the duration of the service agreement, unless terminated earlier in accordance with its terms.

2.2 Nature and Purpose

Personal Data may be processed for the following purposes:

  • Providing, operating, and maintaining the Services
  • User authentication, access control, and account management
  • Generating audit logs, activity records, and governance reports
  • Providing customer support and resolving technical issues
  • Ensuring the security and integrity of the Services

2.3 Categories of Data Subjects

Data Subjects may include:

  • The Controller's employees, contractors, and authorised users of the Services
  • Individuals whose data is uploaded to or processed through the Services by the Controller
  • The Controller's customers, clients, or other contacts whose data is processed via the Services

2.4 Types of Personal Data

The types of Personal Data processed may include:

  • Identity data: names, job titles, employee identifiers
  • Contact data: email addresses, telephone numbers
  • Technical data: IP addresses, user agent strings, authentication tokens, session identifiers
  • Usage data: platform activity logs, audit trails, interaction records
  • Any other Personal Data submitted to the Services by or on behalf of the Controller

3. Processor Obligations

In accordance with Article 28 of the UK GDPR, the Processor shall:

  • Lawful instructions: Process Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to a third country, unless required to do so by applicable law. Where such a legal requirement exists, the Processor shall inform the Controller of that legal requirement before processing, unless the law prohibits such disclosure on important grounds of public interest.
  • Confidentiality: Ensure that all persons authorised to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
  • Security: Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as required by Article 32 of the UK GDPR and as further described in Section 4 of this DPA.
  • Sub-processing: Not engage another processor (Sub-processor) without the prior specific or general written authorisation of the Controller, as further described in Section 5 of this DPA.
  • Data Subject rights: Assist the Controller, taking into account the nature of the processing, by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Controller's obligation to respond to requests for exercising Data Subjects' rights, as further described in Section 6 of this DPA.
  • Assistance with obligations: Assist the Controller in ensuring compliance with Articles 32 to 36 of the UK GDPR (security, breach notification, data protection impact assessments, and prior consultation), taking into account the nature of processing and the information available to the Processor.
  • Deletion or return: At the choice of the Controller, delete or return all Personal Data to the Controller after the end of the provision of the Services, and delete existing copies unless applicable law requires storage of the Personal Data, as further described in Section 9 of this DPA.
  • Audit: Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the UK GDPR and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller, as further described in Section 8 of this DPA.
  • Notification of unlawful instructions: Immediately inform the Controller if, in the Processor's opinion, an instruction from the Controller infringes the UK GDPR or other applicable data protection provisions.

4. Security Measures

The Processor shall implement and maintain appropriate technical and organisational measures to protect Personal Data against unauthorised or unlawful processing and against accidental loss, destruction, or damage. These measures shall include, as appropriate:

4.1 Technical Measures

  • Encryption of Personal Data in transit using TLS 1.2 or higher
  • Encryption of Personal Data at rest using AES-256 or equivalent
  • Logical access controls with role-based access and the principle of least privilege
  • Multi-factor authentication for administrative access to systems processing Personal Data
  • Regular security testing, including vulnerability scanning and penetration testing
  • Intrusion detection and prevention systems
  • Automated backup and recovery procedures
  • Network segmentation and firewall controls

4.2 Organisational Measures

  • Information security policies and procedures aligned with ISO 27001
  • Regular security awareness training for all personnel with access to Personal Data
  • Background checks for personnel in roles with access to Personal Data, to the extent permitted by law
  • Incident response procedures and a dedicated incident response team
  • Documented change management and access review processes
  • Vendor and supply chain risk assessment procedures

4.3 Personal Data Breach Notification

The Processor shall notify the Controller without undue delay, and in any event within 48 hours, after becoming aware of a Personal Data Breach affecting Personal Data processed on behalf of the Controller. The notification shall include:

  • A description of the nature of the Personal Data Breach, including, where possible, the categories and approximate number of Data Subjects and Personal Data records concerned
  • The name and contact details of the Processor's data protection point of contact
  • A description of the likely consequences of the Personal Data Breach
  • A description of the measures taken or proposed to be taken to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects

The Processor shall cooperate with the Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of the Personal Data Breach.

5. Sub-processors

5.1 General Authorisation

The Controller provides general written authorisation for the Processor to engage Sub-processors for the processing of Personal Data, subject to the conditions set out in this Section 5. A current list of approved Sub-processors is available on request and will be maintained and made accessible to the Controller.

5.2 Notification of Changes

The Processor shall notify the Controller of any intended changes concerning the addition or replacement of Sub-processors at least 30 days in advance, giving the Controller the opportunity to object to such changes. If the Controller objects on reasonable grounds relating to data protection, the Processor shall make reasonable efforts to make available to the Controller a change in the Services or recommend a commercially reasonable change to the Controller's configuration or use of the Services to avoid the processing of Personal Data by the objected-to Sub-processor.

5.3 Sub-processor Obligations

Where the Processor engages a Sub-processor, the Processor shall:

  • Enter into a written contract with the Sub-processor imposing data protection obligations no less onerous than those set out in this DPA
  • Ensure the Sub-processor provides sufficient guarantees to implement appropriate technical and organisational measures
  • Remain fully liable to the Controller for the performance of the Sub-processor's obligations
  • Conduct appropriate due diligence on the Sub-processor's data protection practices

6. Data Subject Requests

The Processor shall promptly notify the Controller upon receiving a request from a Data Subject to exercise their rights under Applicable Data Protection Law, including rights of access, rectification, erasure, restriction of processing, data portability, and the right to object.

The Processor shall not respond to any Data Subject request directly unless expressly authorised by the Controller or required by applicable law. Where required by law to respond, the Processor shall notify the Controller of the legal requirement before responding, unless prohibited by law from doing so.

The Processor shall provide reasonable assistance to the Controller in responding to Data Subject requests, taking into account the nature of the processing. This assistance may include:

  • Providing the Controller with the ability to access, retrieve, correct, or delete Personal Data through the Services
  • Providing relevant information about the processing to enable the Controller to respond to requests
  • Implementing technical measures to facilitate the exercise of Data Subject rights

Where reasonable assistance requires significant effort beyond standard platform functionality, the Processor may charge a reasonable fee based on the Processor's administrative costs.

7. International Transfers

MissionOpsAI operates sovereign infrastructure hosted within the United Kingdom. Personal Data processed under this DPA shall be stored and processed within the United Kingdom unless otherwise agreed in writing with the Controller.

The Processor shall not transfer Personal Data to any country or territory outside the United Kingdom unless:

  • The transfer is to a country or territory that has been deemed to provide an adequate level of data protection by the Secretary of State under section 17A of the Data Protection Act 2018
  • Appropriate safeguards are in place, such as the ICO-approved International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses
  • A derogation under Article 49 of the UK GDPR applies, and the Controller has provided prior written consent

Where an International Transfer is necessary, the Processor shall promptly inform the Controller and ensure that appropriate transfer mechanisms and supplementary measures are in place before the transfer occurs.

8. Audit Rights

The Processor shall make available to the Controller all information reasonably necessary to demonstrate compliance with the obligations set out in this DPA and Article 28 of the UK GDPR.

The Controller, or an independent third-party auditor appointed by the Controller, may conduct audits of the Processor's data processing activities, subject to the following conditions:

  • Notice: The Controller shall provide at least 30 days' prior written notice of its intention to conduct an audit, unless a Personal Data Breach or regulatory investigation necessitates a shorter notice period
  • Scope: Audits shall be limited to the processing of Personal Data under this DPA and shall not extend to the data of other customers or the Processor's proprietary systems beyond what is necessary to verify compliance
  • Frequency: The Controller may conduct no more than one audit per 12-month period, unless required by a supervisory authority or following a Personal Data Breach
  • Confidentiality: The Controller and any auditor shall enter into appropriate confidentiality obligations and shall not access, copy, or disclose any data belonging to the Processor or its other customers
  • Conduct: Audits shall be conducted during normal business hours and in a manner that minimises disruption to the Processor's operations
  • Costs: The Controller shall bear the costs of any audit it initiates, except where the audit reveals material non-compliance by the Processor, in which case the Processor shall bear reasonable audit costs

The Processor may satisfy audit requests by providing relevant certifications (such as ISO 27001), third-party audit reports (such as SOC 2), or other evidence of compliance, provided the Controller accepts such evidence as sufficient.

9. Data Deletion and Return

Upon termination or expiry of the service agreement, the Processor shall, at the Controller's written election:

  • Return: Return all Personal Data to the Controller in a commonly used, machine-readable format within 30 days of receiving the Controller's written request; or
  • Delete: Securely delete all Personal Data, including all copies, backups, and archives, within 90 days of termination, and certify such deletion in writing upon request

If the Controller does not provide written instructions within 30 days of termination, the Processor shall securely delete all Personal Data in accordance with the deletion timeframe above.

The Processor may retain Personal Data to the extent required by applicable law, provided that:

  • Retention is limited to the minimum data necessary and the minimum period required by law
  • The Processor continues to apply the protections of this DPA to any retained data
  • The Processor informs the Controller of any such legal retention requirement

10. Liability

Each party's liability under this DPA shall be subject to the limitations and exclusions of liability set out in the principal service agreement between the parties.

The Processor shall be liable for damages caused by processing only where it has not complied with obligations of the UK GDPR specifically directed at processors, or where it has acted outside of or contrary to the lawful instructions of the Controller.

Where both the Controller and Processor are involved in processing that causes damage to a Data Subject, and where both are responsible for the damage, each party shall be liable for the entire damage in order to ensure effective compensation of the Data Subject, in accordance with Article 82 of the UK GDPR. Where a party has paid full compensation, it is entitled to claim back the portion corresponding to the other party's share of responsibility.

11. Term and Termination

This DPA shall come into effect on the date the Controller first uses the Services and shall remain in effect for as long as the Processor processes Personal Data on behalf of the Controller. The obligations of the Processor regarding data deletion or return under Section 9, and confidentiality obligations, shall survive termination of this DPA.

12. Governing Law and Jurisdiction

This DPA shall be governed by and construed in accordance with the laws of England and Wales. Any disputes arising under or in connection with this DPA shall be subject to the exclusive jurisdiction of the courts of England and Wales.

Nothing in this DPA shall prevent a Data Subject from bringing proceedings before the courts of the jurisdiction in which they are habitually resident, or before the ICO, in accordance with their rights under Applicable Data Protection Law.

13. Contact

For any questions, requests, or notifications relating to this Data Processing Agreement, please contact: