
Data Protection Addendum

Effective date: 10 September 2025
Processor: Nevrast Consulting Ltd (trading as Arcwell)

Company No: 15924692

Registered office: 4th Floor Radius House, 51 Clarendon Road, Watford, Hertfordshire, England, WD17 1HP

 

This DPA forms part of any agreement under which we provide services to a client (the Agreement). It applies where, in providing the services, Arcwell processes Personal Data on behalf of the client as processor (the Controller is the client). Capitalised terms have the meanings in UK GDPR unless defined below.

​

1) Definitions

​

  • Data Protection Laws: UK GDPR, the Data Protection Act 2018, PECR, and any applicable laws/amendments.

  • Personal Data Breach, Data Subject, Processing, etc.: as defined in UK GDPR.

  • Sub‑processor: a processor engaged by Arcwell to process Personal Data on behalf of the Controller.

​​

2) Roles & instructions

 

2.1 The Controller appoints Arcwell as processor to process Personal Data strictly in accordance with the Controller’s documented instructions, the Agreement and this DPA.


2.2 Arcwell will inform the Controller if an instruction appears to infringe Data Protection Laws (without providing legal advice).

 

2.3 Unless prohibited by law, Arcwell shall promptly notify the Controller if it receives a binding request for disclosure of Personal Data by a public authority.

​

3) Nature, subject matter, duration & purpose

 

As described in Annex A. Processing will last for the term of the Agreement and any retention period required for legal/accounting defence, after which data will be deleted or returned per Section 10.

​

4) Confidentiality

 

Arcwell ensures that personnel authorised to process Personal Data are bound by confidentiality obligations and receive appropriate data protection training.

​

5) Security

 

Arcwell implements the technical and organisational measures set out in Annex B and, considering the state of the art, costs and risks, maintains an appropriate level of security.

​

6) Sub‑processors

 

6.1 The Controller provides a general authorisation for Arcwell to use Sub‑processors as set out in Annex C (as updated from time to time).

 

6.2 Arcwell shall impose data protection terms on Sub‑processors no less protective than this DPA and remains fully responsible for their performance.

 

6.3 Arcwell will notify the Controller of any intended changes concerning the addition or replacement of Sub‑processors, giving the Controller an opportunity to object on reasonable grounds.

​

7) International transfers

 

Where Personal Data is transferred outside the UK/EEA, Arcwell will ensure appropriate safeguards are in place (e.g., IDTA or SCCs with the UK Addendum) as described in Annex D.

​

8) Assistance to the Controller

 

Arcwell will, taking into account the nature of processing and information available to it, assist the Controller to: (a) respond to Data Subject requests; (b) meet obligations regarding security, Personal Data Breach notification, DPIAs, and prior consultations with supervisory authorities.

​

9) Personal Data Breach

 

Arcwell will notify the Controller without undue delay after becoming aware of a Personal Data Breach affecting the Controller’s Personal Data, and provide information to assist the Controller in meeting its obligations.

​

10) Return and deletion

 

At the Controller’s choice, upon termination of services relating to processing, Arcwell will delete or return all Personal Data and delete existing copies, unless retention is required by law. If deletion is impracticable (e.g., backups), data will be securely isolated and protected from further processing until deletion is possible.

​

11) Audit

 

Upon reasonable prior written notice, and no more than once per 12 months (unless required by a competent authority or following a breach), Arcwell will make available information necessary to demonstrate compliance and allow for audits, including inspections, conducted by the Controller or an auditor mandated by the Controller. Audits shall minimise disruption and protect confidentiality; parties will agree scope, timing, and security.

​

12) Liability

 

Each party’s aggregate liability under this DPA is subject to the limitations and exclusions set out in the Agreement, except that nothing limits liability where not permitted by law.

​

13) Order of precedence & changes

 

If there is a conflict between this DPA and the Agreement, this DPA prevails to the extent of the conflict regarding data protection. Arcwell may update the Annexes to reflect changes to subprocessors or measures; material changes will be notified to the Controller.

​

14) Governing law

 

This DPA is governed by the laws of England & Wales. The parties submit to the exclusive jurisdiction of the English courts.

​

Annex A — Details of Processing

 

Subject matter: Consulting services, including discovery, diagnostics, workshops, pilots and implementation support that may involve limited processing of client-provided Personal Data.

 

Nature & purpose: Accessing, analysing and storing Personal Data as necessary to deliver services (e.g., reviewing sample records, running test datasets in sandboxes, creating reports).

 

Duration: For the term of the relevant Statement of Work or engagement, plus lawful retention for defence/accounting.

 

Types of Personal Data: Typically business contact data (name, role, work email/phone), employee identifiers, limited customer/prospect records (names, emails, transactional metadata), and support interaction metadata. We do not intentionally process special categories.

 

Categories of Data Subjects: Client employees and contractors; client customers and prospects; client suppliers/partners (as relevant).

 

Frequency: Continuous or intermittent during the engagement.

​

Annex B — Security Measures (summary)

 

  • Access control: Role-based access; MFA on core systems; least-privilege; joiner-mover-leaver process; quarterly access reviews.

  • Data in transit & at rest: TLS 1.2+ in transit; encryption at rest as provided by cloud vendors; encryption for portable devices.

  • Endpoint security: Managed devices with disk encryption, screen lock, and up-to-date OS/patching; antivirus/EDR where applicable.

  • Network: Zero-trust principles; restricted admin access; VPN for privileged operations if required.

  • Development/test: Separation of environments; use of synthetic/anonymised datasets for tests where possible.

  • Backups & continuity: Vendor-managed backups for SaaS; periodic restore testing by vendors; Arcwell maintains business continuity procedures.

  • Monitoring & logging: Administrative actions and access logs retained per vendor defaults; alerts on suspicious activity.

  • Training & policies: Annual privacy/security training; acceptable use and incident response procedures.

  • Vendor management: Sub-processor due diligence and contractual controls.

  • Data minimisation: Process only what is necessary; purge work files after handover/close.

​​

Annex C — Sub‑processors (current categories)

 

Arcwell uses reputable providers in the following categories; a current list with specific vendors is available on request:

​

  • Website and webforms: Wix.com Ltd (hosting/forms)

  • Productivity and email: Google Workspace

  • File storage and collaboration: Google Drive 

  • Analytics (site): Google Analytics 4 (consent-based).

 

Arcwell will notify the Controller before adding or replacing sub‑processors materially relevant to the services.

​

Annex D — International Transfers

 

Where Personal Data is transferred to a country without adequacy, one of the following will be used as applicable:

​

  • The UK International Data Transfer Agreement (IDTA); or

  • The EU Standard Contractual Clauses (SCCs) with the UK Addendum.

Supplementary measures may be applied (encryption, access controls, data minimisation) based on a transfer risk assessment.

​​
