Preamble
This Data Processing Agreement (DPA) applies whenever Preshift Ltd ('Preshift', 'we', 'us') processes Customer Personal Data on behalf of a Customer ('you') in the course of providing the Services. It forms part of, and is governed by, the Master Services Agreement or Order Form under which the Services are supplied. To the extent there is a conflict between this DPA and the MSA, this DPA prevails in respect of the processing of Customer Personal Data.
This DPA is designed to satisfy Article 28 of the UK GDPR and, where relevant, Article 28 of the EU GDPR. Defined terms in the MSA apply, with the additions below.
1. Definitions
Customer Personal Data: any personal data that Preshift processes on behalf of the Customer in the course of providing the Services, as described in Annex 1.
Data Protection Laws: the UK GDPR, the Data Protection Act 2018, the Privacy and Electronic Communications Regulations 2003, and, where applicable to the processing, the EU GDPR and any implementing national legislation.
Data Subject, Processing, Controller, Processor, Sub-processor and Personal Data Breach: have the meanings given in the UK GDPR.
Sub-processor: any third party engaged by Preshift to process Customer Personal Data on Preshift's behalf in connection with the Services.
Standard Contractual Clauses (SCCs): the standard contractual clauses for the transfer of personal data to third countries pursuant to the EU GDPR as adopted by Commission Implementing Decision (EU) 2021/914, in their controller-to-processor or processor-to-processor variant as relevant.
UK Addendum: the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the Information Commissioner under section 119A of the Data Protection Act 2018.
2. Roles of the parties
The Customer is the Controller of Customer Personal Data. Preshift is the Processor.
Where the Customer is itself a processor on behalf of an ultimate controller (for example, a parent company or a managed-services client of the Customer), Preshift acts as a sub-processor in that chain. The Customer warrants that it has the necessary authority from the ultimate controller to instruct Preshift on those terms.
3. Scope, nature and purpose of processing
Preshift will process Customer Personal Data only for the purposes of (a) delivering the Services as described in the MSA, including Reports, Stack and any other products engaged; (b) complying with the Customer's documented instructions; and (c) complying with any legal obligation imposed on Preshift by Data Protection Laws.
The subject matter, nature, duration, purpose, types of personal data and categories of data subjects are set out in Annex 1.
4. Documented instructions
Preshift will process Customer Personal Data only on the Customer's documented instructions. The MSA, this DPA, the Customer's normal use of the Services (including all configuration choices made through the product), and any further written instructions agreed between the parties, constitute the Customer's documented instructions.
Preshift will inform the Customer if, in its opinion, an instruction infringes Data Protection Laws, and may, on notice to the Customer, suspend the relevant processing until the instruction is amended or confirmed.
5. Confidentiality
Preshift will ensure that all personnel authorised to process Customer Personal Data are subject to a binding obligation of confidentiality, whether contractual or statutory, and have received appropriate training on Data Protection Laws.
6. Security (Article 32)
Preshift will implement and maintain appropriate technical and organisational measures to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access. The measures Preshift applies are described in Annex 2 and are designed to ensure a level of security appropriate to the risk, taking into account the state of the art, the nature of processing and the rights and freedoms of data subjects.
Preshift will keep the measures in Annex 2 under review and may update them from time to time, provided the level of protection is not materially reduced.
7. Sub-processors
The Customer authorises Preshift to engage the Sub-processors listed at preshift.co.uk/sub-processors (Annex 3, by reference) for the processing of Customer Personal Data.
When Preshift wishes to engage a new Sub-processor or replace an existing one in a manner that materially affects the processing of Customer Personal Data, Preshift will give the Customer at least thirty days' prior written notice by email. The Customer may object on reasonable data-protection grounds during that period. If the parties cannot agree a resolution, the Customer may terminate the affected Services by written notice, in line with the MSA.
Preshift will impose on each Sub-processor data-protection obligations no less protective than those imposed on Preshift under this DPA, by way of a written contract. Preshift remains liable to the Customer for the acts and omissions of its Sub-processors.
8. International transfers
Preshift's primary processing location is the United Kingdom. Where Customer Personal Data is transferred outside the UK to a country that does not have an adequacy decision under the UK GDPR, Preshift will rely on:
• the UK Addendum together with the relevant module of the SCCs, both incorporated by reference into this DPA and deemed signed by the parties on the Effective Date; or
• another appropriate transfer mechanism recognised under the UK GDPR.
Where the EU GDPR applies to a transfer, the SCCs in their relevant module apply directly. The specific transfer mechanism for each Sub-processor is shown at preshift.co.uk/sub-processors.
9. Data subject requests and Customer cooperation
Preshift will, taking into account the nature of the processing, assist the Customer by appropriate technical and organisational measures to fulfil its obligations to respond to data subject requests under Chapter III of the UK GDPR. Preshift will not respond to a data subject request relating to Customer Personal Data on its own except on the Customer's documented instructions or as required by law.
If Preshift receives a request, complaint or correspondence from a data subject, supervisory authority or law enforcement body relating to Customer Personal Data, Preshift will, except where prohibited by law, promptly notify the Customer and follow the Customer's reasonable instructions in responding.
10. Data protection impact assessments and prior consultation
Preshift will provide the Customer with reasonable assistance, taking into account the nature of processing and the information available to Preshift, to comply with the Customer's obligations under Articles 35 (DPIAs) and 36 (prior consultation) of the UK GDPR. Preshift may charge a reasonable fee for substantial assistance that is neither related to a specific Personal Data Breach nor directly necessitated by a Sub-processor change.
11. Personal Data Breach notification
If Preshift becomes aware of a Personal Data Breach affecting Customer Personal Data, Preshift will notify the Customer without undue delay and in any event within seventy-two hours of becoming aware. The notification will include, to the extent then available, the nature of the breach, the categories and approximate number of data subjects and records affected, the likely consequences, and the measures taken or proposed to address it and mitigate possible adverse effects.
Preshift will provide reasonable cooperation in the Customer's investigation and notification obligations under Articles 33 and 34 of the UK GDPR.
12. Return and deletion of Customer Personal Data
On termination or expiry of the Services, the Customer may within thirty days request Preshift to export its Customer Personal Data in a structured, commonly used and machine-readable format. Preshift will provide the export at no additional charge.
In any case, Preshift will delete all Customer Personal Data, and procure deletion by all Sub-processors, within ninety days of off-boarding. This commitment includes derived data (extracted contract terms, AI commentary archives, alert history, audit logs containing personal data) and backups, which are cycled out within the same window. Preshift will provide written confirmation of deletion on request.
The ninety-day commitment does not apply to data Preshift is required to retain by law (for example, accounting records under the Companies Act 2006), which Preshift will continue to hold for the minimum period required and only for the purpose of meeting that obligation.
13. Audit
Preshift makes available to the Customer all information reasonably necessary to demonstrate compliance with the obligations laid down in Article 28 of the UK GDPR. This is met by Preshift providing, on request:
• a written response to a reasonable security questionnaire (no more than once per year unless triggered by a Personal Data Breach or material change in processing);
• access to a current summary of Preshift's information-security programme, including the contents of Annex 2 as then in force; and
• copies of any independent audit reports or certifications Preshift holds (for example, where available, an ISO 27001 statement of applicability, SOC 2 Type II report or penetration-test summary).
Where the Customer reasonably considers the above insufficient, the Customer may, on thirty days' written notice and not more than once per year, conduct or instruct a mutually acceptable third party to conduct an audit of Preshift's processing of Customer Personal Data, during normal business hours and subject to reasonable confidentiality and security undertakings. Each party bears its own costs of the audit, unless the audit identifies a material breach of this DPA by Preshift.
14. No selling, no AI training, purpose limitation
Preshift expressly commits, as part of this DPA, that Customer Personal Data:
• will not be sold or shared with any third party except as expressly permitted by this DPA (Sub-processors) or required by law;
• will not be used to train any machine-learning or AI model, whether Preshift's or a third party's;
• will not be used for marketing to the Customer, the data subjects, or any third party;
• will be processed strictly for the purposes of providing the Services it was uploaded or ingested for.
Where AI inference is used inside the Services (for example, generating Reports commentary or extracting terms from a Stack contract), Preshift contracts with the inference provider on a zero-retention, no-training basis. The current inference Sub-processor and its commitments are shown in Annex 3.
15. Liability and indemnity
The liability of each party under this DPA, and any indemnities granted, are subject to the limitations and exclusions of liability in the MSA. Nothing in this DPA limits or excludes a party's liability for matters that cannot lawfully be limited or excluded.
16. Term and termination
This DPA takes effect on the Effective Date of the MSA and continues until the end of all processing of Customer Personal Data by Preshift, subject to clause 12 (Return and deletion).
17. Governing law and jurisdiction
This DPA is governed by the laws of England and Wales. The courts of England and Wales have exclusive jurisdiction over any dispute arising under or in connection with this DPA. Where this DPA is read in conjunction with the SCCs or UK Addendum, the choice of law and forum in those clauses applies for matters falling within their scope.
Annex 1 · Details of processing
Subject matter: Provision of the Services described in the MSA, including Preshift Reports, Preshift Stack and any other engaged products.
Duration: For the term of the MSA. Processing for return or deletion continues for up to ninety days after termination (clause 12).
Nature of processing: Collection, storage, structuring, analysis, retrieval, transmission, deletion.
Purpose of processing: Delivering Reports (daily, weekly, monthly operational reporting), Stack (contract intake, renewal alerts, benchmarking, AI-assisted negotiation prep), and customer support and account management for the foregoing.
Types of personal data: Customer business contacts (name, role, work email, phone). Where relevant to a specific Service: named staff present on shift reports (Reports); signatories and authorised representatives on supplier contracts uploaded to Stack; and any other personal data the Customer chooses to upload or expose through a connected system.
Categories of data subjects: Customer employees, contractors and authorised users; the Customer's customers where the Customer chooses to share customer-level data; signatories and named contacts on supplier contracts.
Special category data: Not anticipated. The Customer should not knowingly upload or expose special category data to the Services. If it does, the Customer warrants it has an Article 9 lawful basis.
Frequency of transfer: Continuous, for the duration of the Services.
Retention: For the duration of the MSA. On termination, deletion within ninety days, subject to legal retention obligations (clause 12).
Annex 2 · Technical and Organisational Measures (Article 32)
Hosting: Production systems hosted on Amazon Web Services in the United Kingdom (eu-west-2, London). Frontend services delivered via Vercel's edge network with regional control.
Encryption in transit: TLS 1.2 or higher for all customer-facing endpoints and inter-service communication.
Encryption at rest: AES-256 or provider-equivalent for all customer data stores, including primary databases, file storage and backups.
Access control: All personnel access to production via single sign-on with mandatory multi-factor authentication. Role-based access control, least privilege. Privileged-access events logged and reviewed.
Network security: Production environments segmented from non-production. Inbound traffic limited to required ports via security groups and WAF. Outbound traffic monitored for anomalies.
Tenant isolation: Customer data is logically segregated by tenant identifier. Application-level enforcement of tenant boundaries. No cross-tenant queries are permitted.
Backups: Encrypted, regularly tested, retention aligned to the ninety-day post-termination commitment. Restore procedures documented and exercised.
Vulnerability management: Dependencies and infrastructure patched on a defined schedule, with expedited patching for critical CVEs. Automated dependency scanning. Manual security review for significant releases.
Logging and monitoring: Application, infrastructure and access logs collected centrally with alerting on suspicious patterns. Logs retained for the minimum period necessary to satisfy security and audit needs.
Personnel: Background screening commensurate with role. Written confidentiality obligations as part of employment or contractor terms. Annual security and data-protection training. Access revoked on termination, within one working day.
Sub-processors: Engaged under written contracts with data-protection terms at least as protective as this DPA. Listed publicly at /sub-processors with thirty-day notification of changes.
Secure development: Code reviewed by a second engineer before production deployment. Secrets managed in a dedicated vault, never committed to source control.
Incident response: Documented Personal Data Breach response procedure. Seventy-two-hour notification to the Customer (clause 11). Annual tabletop exercise.
Business continuity: Documented continuity plan covering hosting failure, supplier failure, and personnel loss.
Data deletion: Ninety-day deletion on customer off-boarding, including derived data and backups, in line with clause 12.
AI inference: AI inference performed via Sub-processors under zero-retention, no-training contracts. Customer Personal Data sent for inference is processed in-memory only and not stored by the inference provider beyond the request lifetime.
Annex 3 · Authorised sub-processors
The current list of authorised Sub-processors, with purpose, location and transfer mechanism, is maintained at preshift.co.uk/sub-processors. This list is incorporated by reference into this DPA. Changes are governed by clause 7.