Data Processing Agreement (UK GDPR)
Last updated: 7 May 2025
This Data Processing Agreement ("DPA") forms part of the Customer Terms of Service ("Terms") between BankSearch Information Consultancy Ltd ("BankSearch", the "Processor") and the subscribing organisation (the "Customer", the "Controller"). It applies whenever the Customer uploads or otherwise makes Personal Data available to our "Services", including the BankSearch CRM platform.
Why a separate DPA? Keeping GDPR terms in this standalone document lets us update security schedules and sub-processor details without reissuing your commercial contract.
1. Interpretation
Capitalised terms not defined here have the meaning given in the Terms. "UK GDPR" means Regulation (EU) 2016/679 as retained in UK law.
2. Roles & Scope
2.1 Controller / Processor. The Customer is the Controller and BankSearch is the Processor when the Customer Data contains Personal Data.
2.2 Purpose. Processing is strictly limited to providing, maintaining and supporting the BankSearch CRM platform (the "Services").
3. Documented Instructions
3.1 BankSearch shall process Personal Data only on documented instructions from the Customer, as set out in Schedule 1 (Description of Processing) and via in-product configuration (e.g. field mappings, API tokens).
3.2 Third-Party Integrations via API. When the Customer uses the Services’ API functionality—either by making authenticated requests to our external API endpoints or by providing API keys for third-party services—this constitutes a documented instruction to process and transmit Personal Data to or from those third-party services. Any such third-party services are Customer-authorised processors and are not sub-processors of BankSearch. The Customer is solely responsible for ensuring a lawful basis for such integrations and any Personal Data exchanged.
4. Confidentiality
BankSearch ensures that all personnel authorised to process Personal Data are bound by confidentiality.
5. Security Measures
BankSearch implements the technical and organisational measures described in Schedule 2 – Security Measures.
6. Sub-Processors
6.1 The Customer grants general authorisation for BankSearch to engage the sub-processors listed at {/legal/ sub processors}.
6.2 BankSearch will impose personal data protection obligations equivalent to this DPA and will notify the Customer at least 15 days before adding or replacing a sub-processor, giving the Customer a right to object on reasonable grounds.
7. Assistance to the Controller
7.1 Data Subject Rights. Taking into account the nature of the processing, BankSearch will assist the Customer by appropriate technical and organisational measures to fulfil requests to exercise data subject rights. The Controller shall reimburse the Processor for all costs incurred in providing reasonable assistance with a Data Subject request, where such assistance goes beyond the standard functionality of the Services or requires significant manual effort.
7.2 Data Protection Impact Assessments. BankSearch will provide information reasonably required for DPIAs and prior consultations with supervisory authorities.
8. Personal Data Breach
BankSearch shall notify the Customer without undue delay (and in any event within 24 hours of confirmation) after becoming aware of a Personal Data Breach affecting Customer Data, providing the details required by UK GDPR Art 33.
9. Transfers
Personal Data may be transferred outside the UK only in compliance with UK GDPR Chapter V (e.g. the UK International Data Transfer Agreement (UK IDTA) or the UK Addendum to the EU Standard Contractual Clauses (SCCs)). Details of the safeguards applied appear in the Sub-Processor List.
10. Return / Deletion
Upon termination of the Services, BankSearch will, at the Customer’s option, return or securely delete all Personal Data within 30 days, save for minimal logs retained to demonstrate compliance or as required by law. The Processor may charge a fee (based on its reasonable time and costs) for assisting with return.
11. Audit
Upon written request (maximum once per year) BankSearch will make available all information reasonably necessary to demonstrate compliance with its processing obligations and will allow and contribute to audits conducted by the Customer or its appointed auditor, subject to reasonable notice and confidentiality undertakings. The Processor may charge a fee (based on its reasonable time and costs) for assisting with any audit.
12. Liability
The liability caps and exclusions in the Customer Terms of Service apply equally to this DPA.
13. Term & Termination
This DPA remains in effect until the earlier of:
(a) deletion or return of all Customer Data in accordance with Section 10; and
(b) cessation of the Services.
For the avoidance of doubt, minimal logs retained solely for compliance or legal purposes (as described in Section 10, Return / Deletion) do not extend the term of this DPA and remain subject to the confidentiality and personal data protection obligations under this Agreement.
14. Governing Law
This DPA is governed by and construed in accordance with the laws of England and Wales.
15. Changes to This Agreement
We may revise this Data Processing Agreement from time to time. Material changes take effect 15 days after posting here, and we may notify users by email or in-app message.
Schedule 1 – Description of Processing (Template)
| Item | Details |
|---|---|
| Subject matter & duration | Provision of the BankSearch CRM SaaS platform for the Subscription Term plus the 30-day personal data return window. |
| Nature & purpose | Storage, retrieval, organisation, communication facilitation, analytics and reporting. |
| Categories of data subjects | Customers, prospects, suppliers, staff or other contacts uploaded by the Customer. |
| Categories of personal data | Names, contact details, interaction history, scheduling data, free-text notes and any other data fields created by the Customer. |
| Special categories | Not anticipated. If uploaded, the Customer must flag them and ensure a suitable lawful basis. |
| Retention | As configured by the Customer and documented in its own retention schedule. |
The Customer may customise this Schedule by written notice to privacy@banksearch-consultancy.com (email is sufficient); the version last acknowledged by BankSearch forms part of these documented instructions.
Schedule 2 – Security Measures (Summary)
- Encryption – TLS 1.2+ in transit; AES-256 at rest.
- Access controls – Role-based for all privileged accounts; periodic access reviews.
- Logging & monitoring – Centralised log collection.
- Penetration testing – Regular CREST-accredited testing (annually or as appropriate for risk level); executive summary available under NDA.
- Business continuity & DR – Disaster recovery plans and backup procedures designed to minimise downtime; recovery time and data-loss objectives are defined and regularly reviewed; failover capabilities tested periodically.
- Secure development – OWASP-aligned SDLC; automated SCA and SAST in the CI pipeline.
- Vendor management – Sub-processor due diligence reviews and security questionnaires.
Schedule 3 – PDPL Addendum Reference
If the Customer is subject to the Saudi PDPL, the additional obligations in the {PDPL Addendum} apply and prevail in the event of conflict.