Alpha Scaling Ltd
Effective Date: [5/12/2026] | Last Updated: [5/12/2026]
This Data Processing Addendum ("DPA") forms part of the agreement between Alpha Scaling Ltd, a company registered in England and Wales ("Processor", "we", "us", or "our"), and the business entity using our Services ("Controller", "you", or "your").
This DPA applies wherever Alpha Scaling Ltd processes personal data on your behalf in connection with the Services. It supplements your principal agreement with us and our Privacy Policy, and gives effect to the requirements of Article 28 of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA 2018).
In the event of any conflict between this DPA and the principal agreement, this DPA shall prevail in respect of the processing of personal data.
1. Definitions
In this DPA, the following terms have the meanings set out below. Terms not defined here have the meanings given in the UK GDPR and DPA 2018.
TermMeaningApplicable Data Protection LawThe UK General Data Protection Regulation (UK GDPR) as it forms part of retained EU law under the European Union (Withdrawal) Act 2018; the Data Protection Act 2018; the Data (Use and Access) Act 2025; the Privacy and Electronic Communications Regulations 2003 (PECR); and any successor or replacement legislation.ControllerThe business entity that determines the purposes and means of processing personal data — being you, the customer of Alpha Scaling Ltd.ProcessorThe entity that processes personal data on behalf of the Controller — being Alpha Scaling Ltd.Personal DataAny information relating to an identified or identifiable natural person ('data subject'), as defined in Article 4(1) UK GDPR.ProcessingAny operation or set of operations performed on personal data, including collection, recording, storage, use, disclosure, erasure, or destruction.Special Category DataPersonal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for identification, health data, or data about sexual orientation or sex life, as defined in Article 9 UK GDPR.Sub-processorAny third party engaged by Alpha Scaling Ltd to process personal data on the Controller's behalf.ServicesThe products and services provided by Alpha Scaling Ltd to the Controller under the principal agreement.Security IncidentA confirmed breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored, or otherwise processed.
2. Details of Processing (Article 28(3) UK GDPR Schedule)
As required by Article 28(3) UK GDPR, the subject matter, duration, nature, purpose, type of personal data, and categories of data subjects are set out below.
ElementDetailsSubject matterProcessing of personal data necessary to provide the Services under the principal agreement.DurationFor the term of the principal agreement, and thereafter until deletion or return is completed in accordance with Section 9.Nature of processingCollection, storage, use, disclosure to sub-processors, erasure, and other operations as required to deliver the Services.Purpose of processingTo provide, maintain, and improve the Services; to communicate with the Controller and data subjects as instructed; to comply with legal obligations.Types of personal dataAs submitted by the Controller into the Services, which may include: names, email addresses, phone numbers, postal addresses, IP addresses, payment information, professional information, and communications.Categories of data subjectsThe Controller's customers, leads, employees, contractors, and other individuals whose personal data the Controller submits to the Services.Special category dataWe do not intentionally process special category data on your behalf. You must not submit special category data to the Services unless agreed in writing.
3. Roles and Scope
You are the Controller of the personal data you submit to the Services. Alpha Scaling Ltd acts as your Processor and will process personal data only:
on your documented instructions as set out in this DPA and the principal agreement;
as otherwise required by Applicable Data Protection Law (in which case we will inform you before processing, unless prohibited by law from doing so).
Nothing in this DPA relieves either party of its own obligations under Applicable Data Protection Law.
4. Processor Obligations (Article 28(3) UK GDPR)
Alpha Scaling Ltd shall, in its capacity as Processor:
4.1 Process only on instructions
Process personal data only on your documented instructions and not for any other purpose, except where required to do so by Applicable Data Protection Law. Where we are required by law to process personal data beyond your instructions, we will inform you before doing so unless prohibited by law.
4.2 Confidentiality
Ensure that all personnel authorised to process personal data are subject to appropriate confidentiality obligations — whether contractual or statutory — and receive relevant data protection training appropriate to their role.
4.3 Security (Article 32 UK GDPR)
Implement and maintain appropriate technical and organisational measures to protect personal data against unauthorised access, accidental loss, destruction, or alteration, taking into account:
the state of the art and the costs of implementation;
the nature, scope, context, and purposes of processing;
the risks to the rights and freedoms of data subjects.
Current measures include, but are not limited to: encryption of data in transit, access controls and least-privilege principles, logging and monitoring, vendor security reviews, and incident response procedures.
4.4 Sub-processors
Not engage any new sub-processor or make material changes to existing sub-processor arrangements without prior written notice to you, as set out in Section 6.
4.5 Data subject rights
Assist you, by appropriate technical and organisational measures and so far as possible, to fulfil your obligations to respond to data subject rights requests under Applicable Data Protection Law (including rights of access, rectification, erasure, restriction, portability, and objection). Where a request is made directly to us, we will refer the data subject to you unless we are legally required to respond directly.
4.6 Security and compliance assistance
Assist you in ensuring compliance with your obligations under Articles 32 to 36 UK GDPR, taking into account the nature of processing and the information available to us, including assistance with:
security of processing (Article 32);
notification of personal data breaches to the ICO (Article 33);
communication of personal data breaches to data subjects (Article 34);
data protection impact assessments (Article 35);
prior consultation with the ICO where required (Article 36).
4.7 Deletion or return
At your written request, or on termination of the Services, delete or return all personal data to you — at your choice — and delete existing copies, unless Applicable Data Protection Law requires continued retention. We will provide written confirmation of deletion within 30 days of the request.
4.8 Audit and demonstration of compliance
Make available to you all information reasonably necessary to demonstrate compliance with the obligations in Article 28 UK GDPR, and allow for and contribute to audits and inspections conducted by you or a mandated auditor, subject to the conditions in Section 10.
5. Controller Obligations
You, as Controller, represent and warrant that:
you have a valid lawful basis under UK GDPR Article 6 (and Article 9 where applicable) for each processing activity you instruct Alpha Scaling Ltd to carry out;
you have provided all required privacy notices to data subjects and obtained any necessary consents;
your instructions to us comply with Applicable Data Protection Law;
you will not submit special category data to the Services without prior written agreement.
6. Sub-processors
6.1 Authorised sub-processors
You authorise Alpha Scaling Ltd to engage the sub-processors listed below. We remain responsible for each sub-processor's compliance with this DPA and will impose obligations on them no less protective than those in this DPA.
Sub-processorService ProvidedLocation / Transfer MechanismHighLevel LLC (GoHighLevel)CRM, SMS/MMS, marketing automation, client portalUnited States — UK Extension to EU-US DPF / IDTAStripe, Inc.Payment processing and billingUnited States — UK Extension to EU-US DPF / IDTAMeta Platforms, Inc.Advertising delivery, measurement, and conversion trackingUnited States — UK Extension to EU-US DPF / IDTAGoogle LLCGoogle Ads, Google Analytics, and related advertising and analytics servicesUnited States — UK Extension to EU-US DPF / IDTATikTok Technology Ltd / TikTok For BusinessAdvertising delivery and measurementUnited States / Singapore — IDTA or equivalent safeguardsLinkedIn CorporationAdvertising delivery and measurementUnited States — UK Extension to EU-US DPF / IDTAPostHog, Inc.Product and website analyticsUnited States — IDTA or equivalent safeguardsResend, Inc.Transactional email deliveryUnited States — IDTA or equivalent safeguardsVercel Inc.Website hosting, CDN, and application infrastructureUnited States — IDTA or equivalent safeguards
6.2 Changes to sub-processors
We will give you at least 30 days' written notice before engaging a new sub-processor or making a material change to an existing sub-processor arrangement, unless we are prevented from doing so for legal or security reasons, in which case we will notify you as soon as reasonably practicable.
If you object on reasonable data-protection grounds within that notice period, we will work with you in good faith to resolve the objection. If we cannot resolve the objection, either party may terminate the affected part of the Services on written notice, without prejudice to any fees accrued.
7. International Data Transfers
Where personal data is transferred outside the United Kingdom, Alpha Scaling Ltd will ensure that such transfers are made only where one of the following safeguards applies:
the destination country or territory has been granted an adequacy regulation by the UK Government;
the transfer is covered by the UK Extension to the EU-US Data Privacy Framework, where applicable;
appropriate safeguards are in place, such as the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses;
another derogation under Article 49 UK GDPR applies.
Details of the transfer mechanism applicable to each sub-processor are set out in the table in Section 6.1. You may request copies of relevant transfer documentation by contacting us at [[email protected]].
8. Security Incidents and Breach Notification
Alpha Scaling Ltd will:
notify you without undue delay, and in any event within 48 hours of becoming aware, of any confirmed Security Incident affecting personal data processed on your behalf;
provide sufficient information to enable you to meet your own notification obligations to the Information Commissioner's Office (ICO) within the 72-hour window under Article 33 UK GDPR;
co-operate with you and take such reasonable steps as you direct to investigate, mitigate, and remediate the Security Incident.
Breach notifications will be sent to the contact details you have registered with us. Our notification will include, to the extent then known: the nature of the breach; the categories and approximate number of data subjects and records affected; the likely consequences; and the measures taken or proposed to address the breach.
Notification of a Security Incident does not constitute an acknowledgement of fault or liability.
9. Data Retention and Deletion
Alpha Scaling Ltd retains personal data only for as long as necessary to provide the Services and as described in our Privacy Policy.
On termination of the Services, or on receipt of your written request, we will — at your choice:
return all personal data to you in a structured, commonly used, machine-readable format; or
securely delete all personal data in our possession and in the possession of our sub-processors.
We will provide written certification of deletion within 30 days of completing the process. Retention may be extended where required by Applicable Data Protection Law, in which case we will inform you of the applicable legal obligation and the categories of data retained.
10. Audit Rights
Upon reasonable written request (with no less than 30 days' notice except where Applicable Data Protection Law requires otherwise), Alpha Scaling Ltd will:
make available information reasonably necessary to demonstrate compliance with this DPA, including security documentation, completed questionnaires, and relevant certifications;
allow for and contribute to audits and inspections conducted by you or an independent third-party auditor appointed by you.
Audits shall be conducted during normal business hours, with minimum disruption to our operations, and subject to reasonable confidentiality obligations. You shall bear the costs of any audit unless the audit reveals a material breach of this DPA by Alpha Scaling Ltd. No more than one audit per 12-month period is required, unless a Security Incident gives reasonable grounds for a further inspection.
11. Data Protection Impact Assessments
Where a data protection impact assessment (DPIA) is required under Article 35 UK GDPR in relation to processing carried out under this DPA, Alpha Scaling Ltd will provide you with reasonable assistance by supplying relevant information about our processing activities and security measures.
Where prior consultation with the ICO is required under Article 36 UK GDPR, we will co-operate with you and provide any information reasonably requested to support that consultation.
12. Data Subject Rights Requests
Alpha Scaling Ltd will provide you with reasonable technical and organisational assistance to fulfil your obligations to respond to data subject rights requests under UK GDPR Articles 15 to 22, including requests to:
access personal data (Article 15);
rectify inaccurate personal data (Article 16);
erase personal data (Article 17);
restrict processing (Article 18);
receive personal data in a portable format (Article 20);
object to processing (Article 21).
Where a data subject submits a rights request directly to Alpha Scaling Ltd, we will refer them to you as Controller unless we are legally required to respond directly. We will inform you of any such referral without undue delay.
13. Confidentiality and Personnel
Alpha Scaling Ltd ensures that personnel with access to personal data processed under this DPA:
are subject to appropriate confidentiality obligations (whether contractual or statutory);
receive data protection training appropriate to their role and the sensitivity of the data they handle;
are granted access only to the personal data necessary for their role (least-privilege principle).
14. Liability
Each party's liability arising from or in connection with this DPA is subject to the limitations and exclusions in the principal agreement, except to the extent that such limitations are prohibited by Applicable Data Protection Law.
Nothing in this DPA limits liability that cannot be excluded or limited under Applicable Data Protection Law, including liability for wilful misconduct or gross negligence in connection with a Security Incident.
15. Term and Termination
This DPA is effective from the date the principal agreement comes into force and remains in effect until the principal agreement is terminated or expires.
Termination of this DPA does not affect any accrued rights or obligations of either party. Sections 9 (Data Retention and Deletion), 10 (Audit Rights), and 14 (Liability) survive termination.
16. Changes to This DPA
Alpha Scaling Ltd may update this DPA from time to time to reflect changes in Applicable Data Protection Law, regulatory guidance, or our processing activities. We will provide you with at least 30 days' written notice of any material change. Continued use of the Services after the notice period constitutes acceptance of the revised DPA.
17. Governing Law and Jurisdiction
This DPA is governed by the laws of England and Wales. Any dispute arising out of or in connection with this DPA shall be subject to the exclusive jurisdiction of the courts of England and Wales.
18. Contact
For questions about this DPA or our processing of personal data on your behalf, please contact:
Alpha Scaling Ltd — Data Protection Contact
Phone: [PHONE NUMBER]
Post: [REGISTERED ADDRESS]
SCHEDULE 1 — SIGNATURE BLOCK
By signing below, the parties agree to be bound by this DPA as of the Effective Date.
Processor: Alpha Scaling LtdController: [COMPANY NAME]Signed by: Name: Title: Date: