Data Processing Agreement
UK GDPR Article 28 · Last updated [date]
This DPA forms part of the agreement between NarraSight Ltd, incorporated in Scotland (company number to be confirmed), registered office [registered office address], Glasgow ("Processor", "NarraSight"), and the customer identified in the Order Form ("Controller", "Customer"). On data-protection matters, this DPA prevails over the main agreement.
1. Definitions
"UK GDPR", "controller", "processor", "sub-processor", "personal data", "processing", "data subject" and "personal data breach" have the meanings in the UK GDPR and the Data Protection Act 2018. "Customer Personal Data" means personal data in the page content, images and CMS data the Customer submits to the service. "Applicable Data Protection Law" includes the UK GDPR, the DPA 2018, and the EU GDPR where EEA data subjects are concerned.
2. Subject-matter, duration, nature & purpose
NarraSight processes Customer Personal Data solely to provide the service: ingesting page content and images, generating alt text and accessibility descriptions via a third-party large language model, and writing them back to the Customer's CMS. Processing lasts for the term of the agreement plus the limited deletion/return period (clause 9). NarraSight does not use Customer Personal Data for any other purpose, and in particular does not use it to train, fine-tune or improve any model (clause 4.5).
3. Types of data & data subjects
The Customer determines what it submits. Personal data may incidentally appear in images (faces, identifiable individuals, names, text within images) and page content. Data subjects may include the Customer's visitors, customers, staff or third parties featured in its content. The Customer must not submit special-category (Article 9) or criminal-offence (Article 10) data without a valid condition/basis and prior written notice.
4. Processor obligations
- 4.1 Documented instructions — NarraSight processes only on the Customer's documented instructions (this DPA, the agreement, and the service's configuration), unless required otherwise by law (with prior notice where permitted).
- 4.2 Instruction conflict — NarraSight notifies the Customer if, in its opinion, an instruction infringes Applicable Data Protection Law.
- 4.3 Confidentiality — persons authorised to process the data are under an appropriate duty of confidence.
- 4.4 Security (Article 32) — appropriate technical and organisational measures per Annex 2 (SSRF resolve-and-pin fetcher, tenant isolation, encryption in transit and at rest, append-only audit logs, access control, spend caps and rate limiting, error monitoring with PII scrubbing).
- 4.5 No training on Customer data — NarraSight does not use Customer Personal Data to train any model and contractually requires its model sub-processor not to train on it.
5. Assistance to the Controller
NarraSight assists with data-subject requests (Articles 12–23) — locating, exporting or deleting records for an identified data subject where technically feasible — and with the Customer's Articles 32–36 duties. It notifies the Customer without undue delay after becoming aware of a personal data breach and provides the information the Customer needs for its own 72-hour notification.
6. Sub-processors
The Customer grants general authorisation to engage sub-processors, listed at Sub-processors. NarraSight gives at least [30] days' notice of additions/replacements so the Customer may object on reasonable data-protection grounds, imposes equivalent obligations on each sub-processor by written contract, and remains fully liable for their performance.
7. Audit
NarraSight makes available the information necessary to demonstrate Article 28 compliance and allows audits. In the first instance this is satisfied by security documentation and, when available, third-party reports (e.g. SOC 2 / ISO 27001); on-site inspection is permitted on reasonable notice, no more than [once per year], save where a breach or a supervisory authority requires otherwise.
8. International transfers
NarraSight does not transfer Customer Personal Data outside the UK/EEA except as identified in Sub-processors and subject to an appropriate safeguard (UK IDTA/Addendum, EU SCCs, or the UK-US Data Bridge), with a transfer risk assessment for each restricted transfer.
9. Deletion or return
On termination, NarraSight deletes or returns all Customer Personal Data (Customer's choice) and deletes copies within [30] days, unless law requires storage; it certifies deletion on request. Audit and write-back logs are retained only as long as necessary for accountability and legal defence.
10. Warranties & liability
The Customer warrants it has a lawful basis (and any Article 9 condition/Article 10 basis), has provided required privacy information and obtained any consents, and is entitled to submit the content. Liability follows the main agreement [limits to be set], save for liability that cannot lawfully be limited.
11. Governing law
Governed by the law of Scotland; the parties submit to the Scottish courts (forum to be confirmed). Annexes: Annex 1 (details of processing), Annex 2 (technical & organisational measures), Annex 3 (sub-processors).