Select Page
View Categories

Data Processing Agreement – February 5, 2025

3 min read

Effective Date: 02 February 2025

1. Definitions #

  • Controller – The legal entity which determines the purposes and means of the processing of personal data.
  • Processor – The Xdemor Group Limited, which processes personal data on behalf of the Controller.
  • Sub-processor – Any third party engaged by the Processor to process personal data on its behalf.
  • Data Subject – The individual whose personal data is processed.
  • Applicable Data Protection Law – The UK GDPR, the Data Protection Act 2018, and other relevant UK/EU regulations.
  • Personal Data, Processing, Supervisory Authority, Special Category Data – As defined under Article 4 of the UK GDPR.

2. Subject Matter and Duration #

This DPA governs the processing of personal data by The Xdemor Group Limited (“Processor”) on behalf of the Client or Partner (“Controller”) for the duration of the service agreement between the Parties, unless otherwise required by law.

3. Scope and Purpose of Processing #

The Processor shall process Personal Data only:

  • As necessary to provide Hosting, SEO, Advertising, Analytics, UI/UX, SaaS or related services
  • As documented in the service-level agreement or client instructions
  • To improve platform performance and service quality (excluding profiling or resale)
  • As required to meet regulatory or technical obligations

4. Categories of Personal Data and Data Subjects #

Categories of Data Subjects may include:

  • Website visitors
  • End-users of Controller’s services
  • Employees or contractors of the Controller

Types of Personal Data may include:

  • Identifiers (e.g., IP address, user ID, session cookie)
  • Contact details (e.g., email, form submissions)
  • Behavioural analytics data (e.g., clicks, heatmaps, scroll depth)
  • Technical metadata (e.g., browser, device, geolocation)

No Special Category Data shall be processed unless explicitly agreed and covered by a separate Data Impact Assessment (DPIA).

5. Obligations of the Processor (Xdemór) #

  • Process data only on documented instructions from the Controller
  • Implement appropriate technical and organisational security measures (Art. 32 GDPR)
  • Ensure personnel confidentiality and training
  • Cooperate with supervisory authorities and the Controller
  • Notify the Controller of any data breach without undue delay
  • Maintain a record of processing activities under Art. 30 GDPR

6. Subprocessing #

The Controller authorises the use of Sub-processors listed at:
https://policies.zone/subprocessors

All Sub-processors shall be bound by written agreements ensuring data protection obligations no less protective than this DPA. The Processor shall notify the Controller of any intended changes concerning new or replacement Sub-processors, with the right for the Controller to object on justified legal grounds.

7. International Data Transfers #

Where personal data is transferred outside the UK/EEA, Xdemór ensures such transfers comply with GDPR requirements, including:

  • Standard Contractual Clauses (SCCs)
  • UK International Data Transfer Agreement (IDTA)
  • Transfers to countries with adequacy decisions

8. Assistance to the Controller #

Xdemor will assist the Controller in:

  • Responding to data subject requests under Chapter III of the GDPR
  • Conducting data protection impact assessments
  • Complying with Articles 32 to 36 of the GDPR

Such assistance may be provided under a separate service level or administrative fee structure, where applicable.

9. Audit Rights #

The Controller may audit Xdemor’s processing activities related to this DPA, subject to:

  • 30 days’ written notice
  • Reasonable scope and frequency
  • Confidentiality and non-disruption of Processor operations

Xdemor may provide certifications or third-party audit reports (e.g., ISO, SOC 2) in lieu of direct audits.

10. Deletion or Return of Data #

Upon termination or expiry of the main agreement:

  • Xdemor shall, at Controller’s choice, delete or return all Personal Data
  • This excludes data required by law to be retained for legal, tax, or audit purposes
  • Proof of erasure will be provided upon request

Data retained for service improvement shall be anonymised and excluded from scope of GDPR.

11. Liability and Indemnity #

Each party shall be liable for its own acts and omissions under this DPA.

Xdemor is not liable for damages resulting from:

  • Controller’s failure to comply with GDPR
  • Controller’s misuse or unauthorised configuration of services

12. Termination #

This DPA shall remain in force for the duration of any service or processing arrangement between the Parties or until terminated by either party with 30 days’ notice.

13. Contact and Communication #

If you have questions or concerns regarding this policy or wish to exercise any of your rights under applicable data protection laws, you may contact us as follows:

The Xdemor Group Limited
Compliance & Legal
86-90 Paul St., London, EC2A 4NE, United Kingdom

Email: enquiries@xdemor.com
Data Protection Officer: dpo@xdemor.com

Additional contacts:

  • privacy@xdemor.com – for inquiries or requests related to personal information under GDPR or the UK DPA 2018
  • legal@xdemor.com – for contractual, regulatory, or legal notices

To submit a data subject request (DSAR):

  • Submit via Online Data Request Form (include full name, contact, and description of the request)
  • Or send via postal mail to:
    Data Protection Officer
    The Xdemor Group Limited
    86-90 Paul St., London, EC2A 4NE, United Kingdom

You may also file a complaint with the relevant authority:

14. Changes to This Policy #

We may update this Cookie Policy periodically. If significant changes are made, we will notify you via email or prominent notice. You are responsible for reviewing the latest version.