Data Processing Agreement
Last updated: December 2025
This Data Processing Agreement ("DPA") forms part of the agreement between DiegoMetrics and organisations using our enterprise services. For questions or to execute a DPA, contact legal@diegometrics.com.
1. Definitions
"Controller" means the entity that determines the purposes and means of processing Personal Data.
"Processor" means the entity that processes Personal Data on behalf of the Controller.
"Personal Data" has the meaning given in applicable Data Protection Laws.
"Data Protection Laws" means UK GDPR, EU GDPR, and other applicable data protection legislation.
2. Roles and Responsibilities
When providing diagnostic services, DiegoMetrics acts as a Processor on behalf of the Customer (Controller). We process Personal Data only on the Customer's documented instructions.
3. Processing Details
3.1 Subject Matter
Provision of organisational diagnostic and analysis services.
3.2 Duration
For the term of the service agreement plus any legally required retention period.
3.3 Nature and Purpose
Collection and analysis of diagnostic responses to generate organisational assessments.
3.4 Types of Personal Data
- Contact information (name, email, job title)
- Diagnostic responses
- Usage data
3.5 Categories of Data Subjects
Customer employees and authorised users completing diagnostics.
4. Processor Obligations
DiegoMetrics shall:
- Process Personal Data only on documented instructions from the Controller
- Ensure personnel are bound by confidentiality obligations
- Implement appropriate technical and organisational security measures
- Assist the Controller with data subject requests
- Assist with data protection impact assessments where required
- Delete or return Personal Data upon termination
- Make available information necessary to demonstrate compliance
5. Sub-processors
DiegoMetrics uses the following sub-processors:
- Supabase (Database hosting) — EU/US
- Vercel (Application hosting) — US/EU
- Stripe (Payment processing) — US/EU
- OpenAI (AI analysis) — US
We will notify the Controller of any intended changes to sub-processors, allowing reasonable time to object.
6. Security Measures
We implement measures including:
- Encryption of data in transit and at rest
- Access controls and authentication
- Regular security assessments
- Incident response procedures
- Employee security training
7. Data Breach Notification
We will notify the Controller without undue delay (and within 72 hours where feasible) upon becoming aware of a Personal Data breach affecting Controller data.
8. International Transfers
Where Personal Data is transferred outside the UK/EEA, we ensure appropriate safeguards are in place, including Standard Contractual Clauses where applicable.
9. Audit Rights
The Controller may audit our compliance with this DPA upon reasonable notice, subject to confidentiality obligations and at the Controller's expense.
10. Liability
Liability under this DPA is subject to the limitations set out in the main service agreement between the parties.
11. Contact
For DPA inquiries or to request execution of a DPA:
Email: legal@diegometrics.com
Data Protection Officer: dpo@diegometrics.com