Data Processing Agreement
Last updated: 28/11/2025
Company: M-Tech Computers Ltd ("Processor", "we", "us")
Client: The organisation using our software or services ("Controller", "you", "your")
This DPA applies to all deployment options, including:
- Hosted ERP systems (cloud, single-tenant or dedicated servers)
- On-premise ERP systems installed on the Client's own server
- Hybrid deployments
- Website integrations, APIs, and data exchange
- Remote access support and maintenance services
1. Definitions
- Personal Data, Processing, Controller, Processor, Data Subject: As defined in UK GDPR.
- Services: Any software, hosting, support, or related services supplied by M-Tech Computers Ltd.
- Subprocessor: Any third party engaged by the Processor to assist in providing the Services.
2. Roles of the Parties
The Controller determines the purpose and means of processing personal data within the ERP system. The Processor processes personal data only on documented instructions from the Controller.
This applies whether the ERP system is:
- Hosted by the Processor, or
- Hosted on infrastructure owned by the Controller.
3. Subject Matter and Duration
The Processor will process personal data for the duration of the service agreement, including support, maintenance, hosting, updates, integrations, and any tasks required to deliver the Services.
4. Nature and Purpose of Processing
Processing activities may include:
- Hosting or storing ERP data (hosted deployments)
- Accessing client systems for support, troubleshooting, or maintenance
- Installing updates, patches, and configuration changes
- Importing, exporting, or transforming data during migrations or integrations
- Processing data through APIs or linked websites
- Temporary handling or viewing of data for support diagnostics
Processing is undertaken solely to deliver the contracted Services.
5. Types of Personal Data
The ERP system may contain personal data such as:
- Customer details (names, addresses, contact information)
- Supplier information
- Employee information if entered into the ERP
- Order, transaction, and fulfilment data
- Delivery and logistics information
- Any additional personal data the Controller stores within the ERP or connected websites
The Processor does not determine what personal data the Controller enters.
6. Categories of Data Subjects
Data subjects may include:
- Customers
- Suppliers
- Employees of the Controller
- Website users (where integrated)
- Other individuals whose data is entered into the ERP system
7. Instructions from the Controller
The Processor shall:
- Process personal data only on documented instructions
- Notify the Controller if an instruction infringes applicable law
- Not use personal data for any purpose other than delivering the Services
8. Confidentiality
The Processor ensures that all personnel accessing personal data:
- Are authorised
- Are bound by confidentiality obligations
- Receive appropriate data protection training
9. Security Measures
The Processor implements appropriate technical and organisational measures, including:
- Secure hosting environments (for hosted solutions)
- Access controls and authentication
- Encryption of data in transit (e.g., HTTPS, VPN)
- Firewalls and intrusion protection
- Regular backups and recovery processes
- Logging and monitoring
- Role-based access for support staff
- Secure remote access procedures
For on-premise deployments, the Controller is responsible for physical and network security of its environment.
10. Subprocessors
The Processor may use subprocessors, such as:
- Hosting providers (cloud servers, datacentres)
- Backup and storage providers
- Email or ticketing systems
- Third-party technical contractors assisting with support
- Website or integration platforms (as directed by the Controller)
11. International Transfers
Personal data will not be transferred outside the UK unless appropriate safeguards are in place, such as:
- UK adequacy regulations
- International Data Transfer Agreements (IDTAs)
- Standard Contractual Clauses (SCCs)
12. Assistance to the Controller
The Processor will assist the Controller with:
- Responding to data subject rights requests (access, rectification, deletion, etc.)
- Data protection impact assessments
- Breach notifications
- Security or compliance questions
Assistance may be subject to reasonable fees if beyond standard support.
13. Personal Data Breaches
The Processor will notify the Controller without undue delay upon becoming aware of a personal data breach affecting the Services. The notification will include known details and steps taken or planned.
The Controller is responsible for notifying affected individuals and/or authorities where required.
14. Return or Deletion of Data
At the end of the service:
- Hosted deployments: the Processor will delete or return all personal data, unless retention is required by law.
- On-premise deployments: the Processor does not retain copies of data except temporary files created for support, which will be securely deleted after use.
A certificate of deletion can be provided upon request.
15. Return or Deletion of Data
The Processor will:
- Make documentation available to demonstrate compliance
- Cooperate with reasonable audit requests from the Controller or regulatory authorities
- Ensure audits do not compromise other clients' systems or security
16. Liability
Liability is governed by the underlying service agreement between the Processor and Controller.
17. Governing Law
This DPA is governed by the laws of England and Wales.
18. Changes to This DPA
The Processor may update this DPA from time to time. The latest version will always be available at:
www.amo.co.uk/dpa.htm
Where updates materially affect client rights or processor obligations, the Processor will notify the Controller.