Data Processing Agreement
Last updated: 15 April 2026
This Data Processing Agreement (“DPA”) forms part of the agreement between the entity identified in the Accsible account (“Customer”, “Controller”) and Denizcom Ltd, trading as Accsible, registered at 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ, United Kingdom (“Accsible”, “Processor”), and supplements the Terms of Use and Privacy Policy (together, the “Principal Agreement”).
This DPA applies where and to the extent that Accsible processes Personal Data on behalf of the Customer in the course of providing the Service. It is designed to ensure compliance with Article 28 of the UK GDPR, EU GDPR (Regulation 2016/679), and other applicable data protection legislation.
1. Definitions
In this DPA, unless the context requires otherwise:
- “Data Protection Laws” — the UK GDPR, the EU GDPR, the Data Protection Act 2018, the Privacy and Electronic Communications Regulations 2003, and any other applicable data protection legislation.
- “Personal Data” — any information relating to an identified or identifiable natural person that is processed by Accsible on behalf of the Customer under the Principal Agreement.
- “Processing” — any operation performed on Personal Data, including collection, recording, storage, retrieval, use, disclosure, erasure, or destruction.
- “Sub-processor” — any third party appointed by Accsible to process Personal Data on behalf of the Customer.
- “Data Subject” — the identified or identifiable natural person to whom the Personal Data relates.
- “End User” — a visitor to the Customer’s website who interacts with the Accsible Widget.
- “Security Incident” — a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data.
- “SCCs” — the Standard Contractual Clauses approved by the European Commission (Decision 2021/914) or the UK International Data Transfer Agreement (IDTA), as applicable.
2. Scope & Details of Processing
2.1 Subject Matter
Accsible provides an accessibility widget and SaaS platform. When the Customer integrates the Widget on their website(s), Accsible processes certain Personal Data from End Users on behalf of the Customer.
2.2 Duration
Processing begins when the Customer activates the Widget and continues for the duration of the Principal Agreement. Upon termination, Section 11 of this DPA applies.
2.3 Nature and Purpose of Processing
| Aspect | Detail |
|---|---|
| Purpose | Delivering and operating the accessibility widget; providing usage analytics and accessibility scores to the Customer via the Dashboard; processing feedback submitted by End Users. |
| Nature of processing | Collection, storage, aggregation, analysis, and deletion of Personal Data as necessary to provide the Service. |
2.4 Types of Personal Data
- IP addresses (anonymised for analytics; full IP in security logs for up to 90 days)
- Browser type, version, and user agent string
- Device type and operating system
- Pages visited and timestamps on the Customer’s website
- Accessibility preferences selected by End Users (stored locally on the End User’s device; not transmitted unless feedback is submitted)
- Feedback submissions (name and/or email if voluntarily provided by the End User)
- Aggregated page view metrics
2.5 Categories of Data Subjects
- End Users — visitors to the Customer’s website(s) who interact with the Accsible Widget
- Customer personnel — individuals who access the Accsible Dashboard on behalf of the Customer
3. Obligations of the Customer (Controller)
The Customer shall:
- Ensure it has a lawful basis for Processing Personal Data and for instructing Accsible to process it.
- Provide all required notices and obtain all necessary consents from Data Subjects as required by Data Protection Laws, including informing End Users about the use of the Accsible Widget in the Customer’s own privacy policy.
- Ensure that its instructions to Accsible comply with Data Protection Laws.
- Promptly notify Accsible of any changes in applicable Data Protection Laws that may affect Accsible’s processing obligations.
4. Obligations of Accsible (Processor)
Accsible shall:
- Process Personal Data only on documented instructions from the Customer (including the instructions set out in this DPA and the Principal Agreement), unless required to do so by applicable law — in which case Accsible shall inform the Customer before processing, unless legally prohibited from doing so.
- Ensure that persons authorised to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
- Implement and maintain the technical and organisational security measures described in Section 5.
- Comply with the conditions for engaging Sub-processors set out in Section 6.
- Assist the Customer, by appropriate technical and organisational measures, in fulfilling its obligation to respond to Data Subject requests (Section 7).
- Assist the Customer in ensuring compliance with its obligations under Articles 32–36 of the GDPR (security, breach notification, impact assessments, and prior consultation), taking into account the nature of processing and the information available to Accsible.
- At the Customer’s choice, delete or return all Personal Data upon termination of the Principal Agreement (Section 11).
- Make available to the Customer all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR, and allow for and contribute to audits and inspections (Section 10).
- Immediately inform the Customer if, in Accsible’s opinion, an instruction from the Customer infringes Data Protection Laws.
5. Security Measures
Accsible implements and maintains the following technical and organisational measures to protect Personal Data against unauthorised or unlawful processing, accidental loss, destruction, or damage:
5.1 Technical Measures
- Encryption in transit using TLS/HTTPS for all connections, including CDN delivery, API communication, and Dashboard access.
- Password hashing using salted, one-way cryptographic algorithms.
- Content Security Policy (CSP) headers to mitigate cross-site scripting and injection attacks.
- DDoS protection via Cloudflare.
- Error monitoring (Sentry) configured to mask all text and block all media in session replays.
- IP address anonymisation in analytics processing.
- End User accessibility preferences stored in browser local storage (device-side only; not transmitted to servers unless feedback is submitted).
5.2 Organisational Measures
- Role-based access controls; access to Personal Data limited to personnel who require it to perform their duties.
- Confidentiality obligations for all staff and contractors with access to Personal Data.
- Regular security assessments and monitoring of infrastructure.
- Incident response procedures as described in Section 8.
- Retention policies that ensure Personal Data is not kept longer than necessary (see Section 9).
6. Sub-processors
6.1 General Authorisation
The Customer grants Accsible a general written authorisation to engage Sub-processors to carry out specific processing activities on behalf of the Customer. Accsible shall impose data protection obligations no less protective than those in this DPA on each Sub-processor by way of a written contract.
6.2 Current Sub-processors
The following Sub-processors are engaged as of the date of this DPA:
| Sub-processor | Purpose | Location |
|---|---|---|
| Cloudflare, Inc. | CDN, DDoS protection, content delivery for Widget and API | Global (headquartered in USA); EU/UK data processing under SCCs |
| Functional Software, Inc. (Sentry) | Error monitoring and performance diagnostics | USA; processing under SCCs |
| Google LLC (Google Analytics) | Aggregated website traffic analytics (consent-based only) | USA; processing under SCCs and EU-US Data Privacy Framework |
| Stripe, Inc. | Payment processing and subscription management | USA; PCI DSS Level 1 certified; processing under SCCs |
6.3 Changes to Sub-processors
Accsible shall notify the Customer by email at least 30 days before adding or replacing a Sub-processor. The notification shall include the Sub-processor’s name, the processing it will perform, and its location.
If the Customer has a reasonable objection to a new Sub-processor based on data protection grounds, the Customer shall notify Accsible in writing within 14 days of receiving the notification. The parties shall discuss the concern in good faith. If the parties cannot resolve the objection within 30 days, the Customer may terminate the affected Service by providing written notice, and Accsible shall refund any prepaid fees for the unused portion of the subscription term.
7. Data Subject Rights
Accsible shall, taking into account the nature of the processing, assist the Customer by appropriate technical and organisational measures to fulfil its obligations to respond to requests from Data Subjects exercising their rights under Data Protection Laws, including:
- Right of access
- Right to rectification
- Right to erasure (“right to be forgotten”)
- Right to restriction of processing
- Right to data portability
- Right to object
If Accsible receives a request directly from a Data Subject regarding the Customer’s data, Accsible shall promptly redirect the Data Subject to the Customer and notify the Customer of the request, unless legally prohibited from doing so. Accsible shall not respond to such requests directly unless instructed by the Customer or required by law.
8. Security Incident Notification
8.1 Notification
Accsible shall notify the Customer of any confirmed Security Incident without undue delay and in any event within 48 hours of becoming aware of it. Notification shall be sent to the email address associated with the Customer’s account (or an alternative address designated by the Customer for this purpose).
8.2 Content of Notification
The notification shall include, to the extent available at the time:
- A description of the nature of the Security Incident, including the categories and approximate number of Data Subjects and data records concerned.
- The name and contact details of the point of contact at Accsible.
- A description of the likely consequences of the incident.
- A description of the measures taken or proposed to address the incident, including measures to mitigate its effects.
8.3 Ongoing Obligations
Accsible shall provide further information as it becomes available and shall cooperate with the Customer’s reasonable requests to investigate, remediate, and mitigate the effects of the Security Incident. Accsible shall also assist the Customer in meeting its own breach notification obligations to supervisory authorities and Data Subjects under Articles 33 and 34 of the GDPR.
8.4 Record Keeping
Accsible shall maintain a record of all Security Incidents, including the facts surrounding the incident, its effects, and the remedial action taken.
9. Data Retention
Accsible retains Personal Data processed under this DPA as follows:
- Security logs (full IP addresses): Up to 90 days, then permanently deleted.
- Aggregated analytics data: Anonymised on a monthly basis; individual session data is not retained.
- End User feedback submissions: Retained for the duration of the Principal Agreement; deleted within 30 days of termination.
- Error monitoring data (Sentry): Up to 90 days.
- Widget usage metrics: Aggregated and anonymised; no individual-level data retained beyond processing.
Accsible shall not retain Personal Data longer than is necessary for the purposes of providing the Service or as required by applicable law.
10. Audits & Compliance
10.1 Information
Accsible shall make available to the Customer, on reasonable request, all information reasonably necessary to demonstrate compliance with its obligations under this DPA and Article 28 of the GDPR.
10.2 Audit Rights
The Customer (or an independent third-party auditor appointed by the Customer) may conduct an audit of Accsible’s processing activities and security measures, subject to the following conditions:
- The Customer shall provide at least 30 days’ written notice of an audit request.
- Audits shall be conducted during normal business hours (Monday–Friday, 09:00–18:00 GMT) and shall not unreasonably disrupt Accsible’s operations.
- The Customer may conduct no more than one audit per 12-month period, unless required by a supervisory authority or following a confirmed Security Incident.
- The auditor shall be bound by confidentiality obligations no less protective than those in the Principal Agreement.
- Accsible may satisfy an audit request by providing a current SOC 2 Type II report, ISO 27001 certificate, or equivalent independent certification, if available.
10.3 Cooperation
Accsible shall cooperate with the Customer and any supervisory authority that requires access to Accsible’s facilities or records in connection with this DPA.
11. Data Return & Deletion
Upon termination or expiry of the Principal Agreement, the Customer may request, within 30 days, that Accsible:
- Return all Personal Data in a structured, commonly used, and machine-readable format; or
- Delete all Personal Data and confirm deletion in writing.
If the Customer does not make a request within 30 days of termination, Accsible shall permanently delete all Personal Data, except to the extent that retention is required by applicable law (e.g., billing records for tax compliance). Where retention is legally required, Accsible shall isolate and protect the data and limit processing to the purpose mandated by law.
12. International Transfers
Accsible is established in the United Kingdom. Where Personal Data is transferred to Sub-processors located outside the UK or EEA, Accsible ensures that appropriate safeguards are in place, including:
- UK International Data Transfer Agreement (IDTA) or UK Addendum to SCCs
- EU Standard Contractual Clauses (SCCs) — Commission Decision 2021/914
- Adequacy decisions by the UK Secretary of State or European Commission
- Where applicable, additional supplementary measures as recommended by the ICO or EDPB
A copy of the relevant transfer mechanism shall be made available to the Customer upon written request.
13. Liability
Each party’s liability under this DPA is subject to the limitations and exclusions of liability set out in the Principal Agreement (Terms of Use), except that neither party excludes or limits liability for breaches of Data Protection Laws to the extent such exclusion or limitation is not permitted by applicable law.
14. Term & Precedence
14.1 Term
This DPA takes effect on the date the Customer first integrates the Accsible Widget and remains in force for the duration of the Principal Agreement, and thereafter until all Personal Data has been deleted or returned in accordance with Section 11.
14.2 Precedence
In the event of any conflict between this DPA and the Principal Agreement, this DPA shall prevail with respect to the processing and protection of Personal Data.
14.3 Amendments
Accsible may update this DPA to reflect changes in Data Protection Laws or processing activities. Material changes will be notified to the Customer at least 30 days in advance via email. Continued use of the Service after the effective date of changes constitutes acceptance.
15. Contact
For questions or requests related to this DPA, contact us at:
- Data Protection Contact: [email protected]
- Security Incidents: [email protected]
- Registered Office: Denizcom Ltd, 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ, United Kingdom
- ICO Registration: ZC114350
