Data Processing Agreement

Last updated: February 2025

1. Parties and Scope

This Data Processing Agreement (“DPA”) forms part of the Terms of Service between you (the “Controller”) and John Scrooby trading as Narratree (the “Processor”). This DPA applies where the Processor processes personal data on behalf of the Controller through the Narratree platform.

2. Definitions

Terms used in this DPA have the same meaning as in the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, unless otherwise defined. “Personal Data”, “Processing”, “Data Subject”, “Controller”, and “Processor” shall have the meanings given to them in UK GDPR.

3. Details of Processing

| Element | Details |
| --- | --- |
| Subject matter | Processing of employee/team member data to provide organisational chart and team management functionality |
| Duration | For the duration of the Controller’s use of the Service, plus thirty (30) days for data export after termination |
| Nature and purpose | Storage, display, synchronisation, and AI-assisted structuring of organisational data to provide the Narratree platform |
| Categories of data subjects | Employees, contractors, and team members of the Controller’s organisation |
| Types of personal data | Names, job titles, departments, reporting lines, email addresses, start dates, profile photographs, and other data imported from HR systems or manually entered |

4. Processor Obligations

The Processor shall:

  1. Process personal data only on documented instructions from the Controller, unless required to do so by law. The Controller’s instructions are as set out in these Terms and through the Controller’s use of the Service.
  2. Ensure that any persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
  3. Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including encryption in transit and at rest, tenant-level data isolation, and secure credential storage.
  4. Not engage another processor (sub-processor) without prior written consent of the Controller. The Controller hereby provides general written authorisation for the sub-processors listed in our Privacy Policy. The Processor shall inform the Controller of any intended changes to sub-processors, giving the Controller the opportunity to object.
  5. Assist the Controller, taking into account the nature of processing, in responding to requests from data subjects exercising their rights under UK GDPR.
  6. Assist the Controller in ensuring compliance with obligations relating to security of processing, notification of personal data breaches, and data protection impact assessments, taking into account the nature of processing and the information available to the Processor.
  7. At the choice of the Controller, delete or return all personal data after the end of the provision of the Service, and delete existing copies unless required by law to retain the data.
  8. Make available to the Controller all information necessary to demonstrate compliance with the obligations set out in this DPA and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller, on reasonable notice.

5. Sub-Processors

The Controller provides general authorisation for the Processor to engage the following sub-processors:

| Sub-Processor | Purpose | Data Processed | Location |
| --- | --- | --- | --- |
| Google Cloud Platform | Hosting and storage | All Service data | Europe (EU) |
| Anthropic | AI-assisted data import | Data provided during AI import | US |

The Processor shall notify the Controller at least thirty (30) days before adding or replacing a sub-processor, giving the Controller the opportunity to object. If the Controller objects on reasonable grounds, the Processor shall work with the Controller to find a mutually acceptable solution. If no solution can be found, the Controller may terminate the agreement.

6. International Transfers

Where personal data is transferred outside the United Kingdom, the Processor shall ensure that appropriate safeguards are in place in accordance with UK GDPR, such as the International Data Transfer Agreement (IDTA), the UK Addendum to EU Standard Contractual Clauses, or reliance on an adequacy decision.

7. Data Breach Notification

The Processor shall notify the Controller without undue delay after becoming aware of a personal data breach affecting the Controller’s data. The notification shall include, to the extent available: the nature of the breach, the categories and approximate number of data subjects affected, the likely consequences, and the measures taken or proposed to address the breach.

8. Term and Termination

This DPA shall remain in effect for as long as the Processor processes personal data on behalf of the Controller. Upon termination of the Service agreement, the Processor shall, at the Controller’s choice, return or delete all personal data within thirty (30) days, unless retention is required by applicable law.

9. Governing Law

This DPA shall be governed by and construed in accordance with the laws of England and Wales, and is subject to the exclusive jurisdiction of the courts of England and Wales.

10. Contact

For questions about this DPA, please contact us at hello@narratree.io.