Data Processing Agreement (DPA)
Last updated: March 1, 2026
This Data Processing Agreement ("DPA") forms part of the Master Service Agreement or Terms of Service (the "Agreement") between Project Paced Ltd (the "Processor") and the entity subscribing to the Service (the "Controller").
1. Definitions and Interpretation
1.1. "Data Protection Laws" means the UK GDPR and the Data Protection Act 2018. 1.2. "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data. 1.3. Terms such as "Controller", "Processor", "Data Subject", and "Processing" shall have the meanings given to them in the UK GDPR.
2. Scope and Roles
2.1. Roles: The Parties acknowledge that for the purposes of the Data Protection Laws, the Customer is the Controller and Project Paced Ltd is the Processor. 2.2. Instructions: The Processor shall process Personal Data only on documented instructions from the Controller, including with regard to transfers of personal data to a third country, unless required to do so by UK law.
3. Processor Personnel
3.1. The Processor shall ensure that persons authorised to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
4. Security of Processing
4.1. The Processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as required by Article 32 of the UK GDPR and detailed in the Processor's Security Policy.
5. Sub-processing
5.1. Authorisation: The Controller provides a general written authorisation to the Processor to engage sub-processors from the Processor's current Sub-processor List. 5.2. Changes: The Processor shall inform the Controller of any intended changes concerning the addition or replacement of sub-processors, giving the Controller the opportunity to object to such changes within 30 days.
6. Data Subject Rights
6.1. Taking into account the nature of the processing, the Processor shall assist the Controller by appropriate technical and organisational measures for the fulfilment of the Controller's obligation to respond to requests for exercising Data Subject rights.
7. Personal Data Breach
7.1. The Processor shall notify the Controller without undue delay (and in any event within 72 hours) after becoming aware of a Personal Data Breach.
8. International Data Transfers
8.1. Restricted Transfers: The Processor processes data primarily in the USA. 8.2. Mechanism: Transfers are governed by the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses, which are hereby incorporated by reference.
9. Deletion or Return of Data
9.1. At the choice of the Controller, the Processor shall delete or return all Personal Data to the Controller after the end of the provision of services, and delete existing copies unless UK law requires storage of the Personal Data.
10. Audit Rights
10.1. The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the UK GDPR and allow for and contribute to audits, including inspections, conducted by the Controller.
Annex 1: Details of Processing
| Detail | Description |
|---|---|
| Subject Matter | Provision of project visualization and AI-assisted timeline tools. |
| Duration | The term of the Agreement plus 30 days for data deletion. |
| Nature of Processing | Collection, storage, visualization, AI generation of milestones, resource allocation analytics, portfolio aggregation, and PDF report generation. |
| Data Subject Categories | Controller's employees, contractors, and end-users. |
| Data Categories | Account holder names and emails; project titles and milestone descriptions; team member names, emails, departments, and capacity allocations (Enterprise). |
Project Paced Ltd International House, 64 Nile Street, London, N1 7SR, United Kingdom. Contact: support@projectpaced.com