Data Processing Agreement

This Data Processing Agreement explains the terms that apply where Pravune processes personal data on behalf of a customer as part of providing services.

Last updated: 12 May 2026

1. Overview

This Data Processing Agreement, or DPA, applies where Pravune Ltd processes personal data on behalf of a customer and the customer acts as the controller under applicable data protection law.

It is intended to form part of the relevant agreement, proposal, order, statement of work, or service arrangement between Pravune and the customer, unless a separate signed data processing agreement applies.

Processor: Pravune Ltd
Company number: NI740424
Privacy contact: privacy@pravune.com

2. Roles of the parties

For customer data processed on behalf of a customer, the customer will usually be the controller and Pravune will usually be the processor.

The customer decides the purposes and means of processing. Pravune processes personal data only as needed to provide the agreed services and in accordance with the customer’s documented instructions, unless required by law.

Pravune may also act as an independent controller for some business information, such as website enquiries, account administration, billing records, supplier records, and direct communications. That processing is described in our Privacy Policy.

3. Processing details

The details below describe the general processing that may apply to Pravune services. Specific customer projects may have additional or different processing details in a written agreement, proposal, order, or statement of work.

Subject matter

Processing of personal data as required to provide Pravune services, software, integrations, support, implementation, automation, reporting, and related business services.

Duration

For the duration of the relevant customer relationship, agreement, project, support arrangement, or as otherwise required by law or agreed in writing.

Nature and purpose

Hosting, storing, accessing, transmitting, configuring, analysing, troubleshooting, supporting, securing, and processing data to deliver the relevant services.

Data subjects

Customer users, employees, contractors, suppliers, customers, operational contacts, business contacts, and other individuals whose data is provided to Pravune.

4. Types of personal data

Depending on the services provided and the information supplied by the customer, Pravune may process the following types of personal data.

  • Business contact data: Names, email addresses, phone numbers, job titles, company names, departments, and business communication records.
  • User account data: Usernames, email addresses, roles, permissions, authentication-related identifiers, and activity records.
  • Operational data: Workflow records, tasks, system references, transaction records, documents, reports, dashboard data, and business process information.
  • Support data: Support requests, screenshots, logs, error messages, configuration details, and troubleshooting information.

Customers should not provide special category, criminal offence, highly sensitive, or unnecessary personal data unless this has been expressly agreed and suitable safeguards are in place.

5. Pravune’s processor obligations

Where Pravune acts as a processor, Pravune will:

  • Process personal data only on the customer’s documented instructions, unless required by law.
  • Ensure people authorised to process personal data are subject to appropriate confidentiality obligations.
  • Use appropriate technical and organisational measures to protect personal data.
  • Assist the customer with data subject rights requests where reasonably possible and applicable.
  • Assist the customer with security, breach, impact assessment, and consultation obligations where applicable.
  • Delete or return personal data at the end of the services, unless retention is required by law or legitimate business record requirements.
  • Make reasonable information available to demonstrate compliance with this DPA.

6. Customer obligations

Where the customer acts as controller, the customer is responsible for ensuring that personal data is provided to Pravune lawfully and appropriately.

  • Ensure there is a lawful basis for providing personal data to Pravune.
  • Ensure the personal data provided is relevant, accurate, and limited to what is necessary.
  • Provide clear documented instructions for processing where required.
  • Avoid providing special category, sensitive, or unnecessary personal data unless expressly agreed.
  • Respond to data subject requests, regulatory enquiries, and legal obligations where the customer is the controller.
  • Maintain appropriate customer-side security controls for accounts, systems, permissions, and user access.

7. Sub-processors

Pravune may use third-party providers and sub-processors to support service delivery, such as hosting, email, infrastructure, analytics, diagnostics, security, support, development, communications, or storage providers.

Where Pravune appoints a sub-processor to process customer personal data, Pravune will take reasonable steps to ensure the sub-processor is subject to suitable data protection obligations.

Pravune remains responsible for its use of sub-processors as required by applicable data protection law and the relevant customer agreement.

Pravune will make reasonable information available about material sub-processors used to process customer personal data. Where practical, Pravune will give customers advance notice of material changes to sub-processors.

If a customer reasonably objects to a new sub-processor on data protection grounds, the parties will work together in good faith to assess the concern and agree a reasonable resolution, which may include an alternative arrangement where commercially and technically practical.

8. Security measures

Pravune will use appropriate technical and organisational measures designed to protect personal data against unauthorised access, loss, misuse, alteration, or disclosure.

Measures may include access controls, account security, least-privilege access, logging, backups, secure configuration, supplier review, secure development practices, and operational safeguards depending on the service and environment.

9. Data subject rights

Pravune will provide reasonable assistance to the customer where the customer needs help responding to data subject rights requests relating to personal data processed by Pravune on the customer’s behalf.

If Pravune receives a request directly from an individual relating to customer-controlled personal data, Pravune may refer the request to the customer unless required by law to respond otherwise.

10. Personal data breaches

If Pravune becomes aware of a confirmed or suspected personal data breach affecting customer personal data processed by Pravune as processor, Pravune will notify the customer without undue delay after becoming aware of it.

Pravune will provide reasonable information and assistance to help the customer assess the breach, meet legal obligations, and take appropriate action, where applicable and reasonably possible.

11. International transfers

Some providers used by Pravune may process personal data outside the UK. Where this happens, Pravune will take reasonable steps to ensure appropriate safeguards are in place where required by applicable data protection law.

These safeguards may include adequacy regulations, approved contractual terms, transfer risk assessments, or other recognised transfer mechanisms where applicable.

12. End of services

At the end of the relevant services, Pravune will delete or return customer personal data where reasonably possible and where requested by the customer, unless continued retention is required by law, security, dispute management, backup retention, accounting, audit, or legitimate business record requirements.

Deletion from backups or logs may take additional time where immediate deletion is not technically practical, provided suitable safeguards remain in place.

13. Audit and information

Pravune will make reasonable information available to help demonstrate compliance with this DPA and applicable processor obligations.

Any audit, inspection, questionnaire, or information request must be reasonable, proportionate, limited to relevant processing, and subject to suitable confidentiality, security, timing, and access controls.

14. Related pages

These pages provide additional information about Pravune’s privacy, security, support, and vulnerability reporting practices.

15. Changes to this DPA

Pravune may update this DPA from time to time to reflect changes in services, legal requirements, providers, security practices, or business operations. The latest version will be published on this page.

16. Contact us

For questions about this Data Processing Agreement or customer data processing, contact privacy@pravune.com.