IntegrationHub Data Processing Agreement

Effective Date: 1 December 2025

This Data Processing Agreement (DPA) forms part of the Agreement between the Supplier and the Customer and sets out the Parties' obligations regarding the handling of personal data. The DPA is effective on the Effective Date.

Introduction

  1. Definitions

    1. Capitalised terms used but not defined in the DPA have the meanings set out in the Agreement.

    2. Capitalised terms used in the DPA but not defined elsewhere have the following meanings:
      Agreement: means the IntegrationHub Terms of Service.
      Data Protection Legislation: means:
      a) to the extent the UK GDPR applies, the law of the United Kingdom (UK) or of a part of the UK which relates to the protection of personal data.
      b) to the extent the EU GDPR applies, the law of the European Union (EU) or any member state of the European Union to which the Supplier is subject, which relates to the protection of personal data.
      EU GDPR: the General Data Protection Regulation ((EU) 2016/679).
      Personal Data Breach: has the meaning given to it under the Data Protection Legislation.
      Purpose: the propose for which the personal data is processed, as set out in Annex A.
      Sub-Processor: has the meaning given to it under the Data Protection Legislation.
      UK GDPR: has the meaning given to it in the Data Protection Act 2018.
      The terms controller, processor, data subject, personal data, personal data breach and processing shall have the meaning given to them in the Data Protection Legislation.

  2. Introduction

    1. This DPA is subject to and incorporated into the Agreement.

    2. In the event of a conflict between any of the provisions of this DPA and the provisions of the Agreement, the provisions of the DPA will prevail.

    3. The Parties will comply with all applicable requirements of the Data Protection Legislation. This DPA is in addition to, and does not relieve, remove or replace a Party’s obligations or rights under the Data Protection Legislation.

  3. The Roles of the Parties

    1. The Parties have determined that, for the purposes of the Data Protection Legislation;

      1. the Customer is the Controller and the Supplier is the Processor;

      2. and the Supplier shall process the personal data set out in this DPA and Annex A of this DPA.

    2. By entering into the Agreement, the Customer consents to (and shall procure all required consents, from its personnel, representatives, agents and customers, in respect of) all actions taken by the Supplier in connection with the processing of personal data related to the Services.

    3. Without prejudice to the generality of section 3.2, the Customer will ensure that it has all necessary appropriate consents and notices in place in relation to the lawful processing of personal data for the duration and purpose of the Agreement and any relevant retention period.

  4. Personal Data Types and Processing Purpose

    1. Annex A sets out the scope, nature and Purpose of processing by the Supplier, the duration of the processing and the types of personal data and categories of data subject.

  5. The Supplier’s Obligations

    1. The Supplier shall, in relation to personal data processed in the provision of the Services:

      1. process that personal data only on the documented instructions of the Customer, which shall be to process the personal data for the Purpose set out in Annex A, unless the Supplier is required by the Data Protection Legislation to otherwise process that personal data. Where the Supplier is relying on the Data Protection Legislation as the basis for processing the personal data, the Supplier shall notify the Customer of this before performing the processing required by the Data Protection Legislation unless the Supplier is lawfully prohibited from doing so.

      2. inform the Customer if, in the opinion of the Supplier, the instructions of the Customer infringe the Data Protection Legislation.

      3. implement the technical and organisational measures to protect against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data, which the Customer has reviewed and confirms are appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected;

      4. ensure that any personnel engaged and authorised by the Supplier to process the personal data have committed themselves to confidentiality or are under appropriate statutory or common law obligation of confidentiality;

      5. assist the Customer insofar as this is possible (taking into account the nature of the processing and the information available to the Supplier), and at the Customer's cost and written request, in responding to any request from a data subject and in ensuring the Customer's compliance with its obligations under applicable Data Protection Laws with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators;

      6. notify the Customer without undue delay on becoming aware of a personal data breach involving the Customer Personal Data;

      7. at the written direction of the Customer, delete or return personal data and copies thereof to the Customer on termination of the agreement unless the Supplier is required by the Data Protection Legislation to continue to process that personal data. In the event the Customer does not make such a request, the Supplier shall retain the personal data for a period of no more than 3 months, after which time the Supplier shall delete the personal data.

      8. maintain records to demonstrate its compliance with this section 5 and allow for reasonable audits by the Customer or the Customer’s designated auditor, for this Purpose on not less than 30 days written notice and at the Customer’s expense.

  6. Sub-Processors

    1. The Customer hereby provides its prior, general authorisation for the Supplier to:

      1. appoint Sub-Processors to process the personal data, provided that the Supplier:

        1. shall ensure that the terms on which it appoints such Sub-Processors comply with the Data Protection Legislation, and are consistent with the obligations imposed on the Supplier in this DPA; and

        2. shall remain responsible for the acts and omissions of any such Sub-Processor as if they were the acts and omissions of the Supplier.

    2. The Supplier maintains an up-to-date list of Sub-Processors, including their locations and the types of services they provide here (“Sub-Processor List”). The Supplier may update the Sub-Processor List from time to time to reflect the appointment of additional or replacement Sub-Processors.

    3. The Customer will be entitled to object to the appointment of a new Sub-Processor, where that Sub-Processor is relevant to the Services used by the Customer, if the use of that Sub-Processor objectively has caused, or is likely to cause, a material data protection risk. Any such objection must be notified to the Supplier in writing within 14 days of the Sub-Processor List being updated to reflect the appointment of the Sub-Processor.

    4. If the Customer objects to the use of a Sub-Processor in accordance with section 6.3 above, then the Parties will (acting reasonably and in good faith) promptly discuss the Customer’s objections and the Supplier must either:

      1. not use or cease to use that Sub-Processor to process personal data; or

      2. permit the Customer to terminate the Agreement, or the element of Services to which the Sub-Processor relates, without additional liability.

    5. The Customer acknowledges and agrees that it authorises the Supplier to engage the Sub-Processors identified on the Sub-Processor List as at the Effective Date.

  7. Transfers

    1. The Customer provides its prior, general authorisation for the Supplier to transfer personal data outside of the UK as required for the Purpose, provided that the following conditions are met:

      1. the personal data is transferred to a country or territory that is recognised by the appropriate regulatory body as providing adequate protection for the privacy rights of individuals; or

      2. the Supplier participates in a valid cross-border mechanism under the Data Protection Legislation, to ensure appropriate safeguards and an adequate level of protection are in place in accordance with the Data Protection Legislation.

Annex A – Particulars of Processing

Scope

The Supplier is permitted to process personal data for the purpose of supplying the Services to the Customer in accordance with the Agreement.

Nature

The nature of processing the personal data consists of collection, recording, organisation, structuring, storage, consultation, use, disclosure and deleting data.

Purpose

The purpose of the processing is the supply of the Services in accordance with the Agreement.

Duration

For the Service Period, and up to three months post termination, after which all data will be deleted.

Types of Personal Data

Data relating to individuals provided to the Supplier by the Customer or any person the Customer authorises or directs to engage with the Supplier in accordance with the Agreement, including:

- Name

- Address

- Email address

- Phone number

- Communication content provided by the Customer in its use of the Services, including from participation in voice, video, chat, SMS, WhatsApp, Facebook, email, or other means of communication through use of Zoom and the data in any underlying third-party platform.

- Recordings or transcriptions of communications if such recording is permitted by the Customer’s administrator controls.

The Supplier does not intentionally process special category data on behalf of the Customer. However, the Customer acknowledges that, in its use of the Services, it may provide or upload special category data due to the nature of the contents of the communications.

If the Customer provides or causes the processing of any special category data through its use of the Services, it is the Customer’s sole responsibility to ensure all necessary legal bases for processing, including but not limited to, obtaining and maintaining all appropriate consents, and providing all required notices, are in place.

Categories of Data Subjects

- Customer’s Employees

- Customer’s Agency Workers

- Customer’s Contractors

- End Customer

Hosting and Data Access Location

Personal data will be hosted in a region located in the UK and applicable to the Customer’s account configuration.

Personal data will be accessed by the Supplier’s personnel located in the UK for the purposes of providing the Services, specifically in accordance with a submitted support ticket, or specific to reporting requirements as opted into by the Customer.

Sub-processors

A full list of our sub-processors can be found here.

TwitterLinkedIn
Location IconManchester, United Kingdom
Phone Icon0161 552 5852
HM Government G-Cloud Digital Marketplace SupplierCyber EssentialsCyber Essentials Plus
Trust CentrePrivacy PolicyModern Slavery
© 2025 Acceleraate Limited | Company # 14383406 | VAT # GB427726283
Part of Founded Group Limited
Zoom and the Zoom logo are trademarks of Zoom Video Communications, Inc