Data Processing Agreement
IDDQD Limited
August 2025
This Agreement is made between Us, the Supplier (IDDQD or IDDQD Limited) and You, the Client.
By using the Ideal Postcodes Service You agree to be bound by the following Data Processing Agreement.
1. Definitions and Interpretations
1.1 Definitions
- Applicable Laws means (a) European Union or Member State laws with respect to any Personal Data that is subject to EU Data Protection Laws; and (b) any other applicable law with respect to any Personal Data in respect of which the Client is subject to any other Data Protection Laws.
- Client means You, in your capacity as the Data Exporter.
- Client Group means the Client (You) and any Company Affiliates established and/or doing business in the EEA, or United Kingdom.
- Company Affiliate means an entity that owns or controls, is owned or controlled by, or is under common control or ownership with Company, where control is defined as the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of an entity, whether through ownership of voting securities, by contract or otherwise.
- Data Controller means the person, public authority or any other body which alone or jointly with others determines the purposes and means of the processing of Personal Data; where the purposes and means of processing are determined by EU or Member State laws, the Data Controller (or the criteria for nominating the controller) may be designated by those laws.
- Data Exporter means the Data Controller or Data Subprocessor who transfers the personal data.
- Data Importer means the Data Processor who agrees to receive from the Data Exporter personal data intended for processing on the Data Exporter's behalf after the transfer in accordance with the Data Exporter's instructions.
- Data Processor means a person, public authority, agency or any other body which processes Personal Data on behalf of the Data Controller.
- Data Subprocessor means a person, public authority, agency or any other body appointed by or on behalf of a Data Processor to process Personal Data on behalf of a Data Controller.
- Data Protection Laws means EU Data Protection Laws and, to the extent applicable, the data protection or privacy laws of any other jurisdiction.
- Data Subject means an identifiable natural person about whom a Data Controller holds Personal Data.
- EEA means the European Economic Area.
- EU Data Protection Laws means EU Directive 95/46/EC, as transposed into domestic legislation of each Member State and as amended, replaced or superseded from time to time, including by the GDPR and laws implementing or supplementing the GDPR.
- GDPR means EU General Data Protection Regulation 2016/679.
- Personal Data means all data which is defined as ‘Personal Data’ under EU Data Protection Laws and to which EU Data Protection Laws apply.
- Terms of Service means the Terms of Service document found on https://terms.ideal-postcodes.co.uk, which governs the commercial relationship between the Client and IDDQD.
2. General
- In respect of the parties' rights and obligations under this Terms of Service regarding the Personal Data, the parties hereby acknowledge and agree that the Client is the Data Controller or Data Processor, and IDDQD is the Data Processor or Data Subprocessor, as applicable.
- IDDQD agrees that it shall process all Personal Data in accordance with its obligations pursuant to the Terms of Service.
- If Client is a Data Processor, the Client warrants to IDDQD that Client Group’s instructions and actions with respect to the Personal Data, including its appointment of IDDQD as another Data Processor, have been authorised by the relevant Data Controller.
3. Obligations of IDDQD
- IDDQD, in its role as Data Importer, will comply with all applicable Data Protection Laws in the processing of Personal Data.
- The Data Importer will process Personal Data only insofar as is reasonable to provide the Ideal Postcodes Service, and will act in accordance with: (i) the Terms of Service, (ii) the Data Exporter's written instructions, (iii) any Applicable Laws.
- The Data Importer will notify the Data Exporter without undue delay of any requests from a Data Subject exercising their rights under Privacy and Data Protection Regulations.
- The Data Importer will notify the Data Exporter regarding any legally binding request for disclosure of the Personal Data by a law enforcement authority.
- The Data Importer will inform the Data Exporter if any instructions provided by the Data Exporter infringe GDPR.
- The Data Importer will comply with requests to amend, transfer or delete Personal Data on behalf of the Client's Data Subjects.
- Other than to the extent required to comply with the Applicable Laws, following termination or completion of the Service, IDDQD will, upon request, delete or return all Personal Data processed pursuant to the Terms of Service and the Applicable Laws.
4. Obligations of the Client
- With respect to all Personal Data, as the Data Exporter, the Client Group warrants that it shall process and transfer Personal Data in accordance with the relevant provisions of the Applicable Laws.
- The Client accepts that, where it is the Data Controller, the Client is solely responsible for determining the lawful processing condition upon which it shall rely in providing instructions to process Personal Data.
- The Client accepts that, where it is the Data Processor, the Client Group has been provided authorisation by the Data Controller to process Personal Data.
- Where the Client Group consumes third party data as part of the Ideal Postcodes Service, the Client Group acknowledges that third party data may be subject to additional terms with which the Client Group shall comply.
5. Subprocessing
- Each Company Group member authorises IDDQD to appoint Data Subprocessors.
- IDDQD will maintain a list of Data Subprocessors (including full details of the Processing to be undertaken by the Data Subprocessor) at https://terms.ideal-postcodes.co.uk and will add the names of new and replacement Data Subprocessors to the list prior to them commencing any subprocessing of Personal Data. Additions to this list may only occur on the first of any calendar month.
- The Client Group shall be responsible for checking https://terms.ideal-postcodes.co.uk for the appointment of any new Data Subprocessor.
- If, within 14 days of a subprocessor list update, the Client notifies IDDQD in writing of any objections (on reasonable grounds) to the proposed appointment, IDDQD shall not appoint that proposed Data Subprocessor until reasonable steps have been taken to address the objections raised by the Client Group and the Client Group has been provided with a reasonable written explanation of the steps taken.
- With respect to each Data Subprocessor, IDDQD shall:
  - Carry out reasonable due diligence to ensure that the Data Subprocessor is capable of providing sufficient protection for Personal Data.
  - Ensure that the arrangement between IDDQD and the Data Subprocessor is governed by a written contract including terms which offer at least the same level of protection for Personal Data as those set out in this Data Processing Addendum and meet the requirements of the GDPR.
  - Provide to the Client for review such copies of the Contracted Data Processors' agreements with Data Subprocessors (which may be redacted to remove confidential commercial information not relevant to the Applicable Laws) as the Client may request from time to time.
  - Remain liable for any act of a Data Subprocessor that does not comply with the obligations as set out in this Data Processing Addendum.
6. Transfers outside of EEA
- IDDQD shall not cause or permit any Personal Data belonging to an EEA resident to be transferred outside of the EEA unless such transfer is necessary for the purposes of IDDQD carrying out its obligations.
- If an EEA resident’s Personal Data is to be processed outside of the EEA, IDDQD agrees to provide and maintain reasonable safeguards as set out in GDPR to lawfully transfer the Personal Data to a third country. These safeguards may include:
  - The requirement for IDDQD to execute or procure that the Data Subprocessor execute to the benefit of the Client Group standard contractual clauses approved by the EU authorities under EU Data Protection Laws.
  - The requirement for the Data Subprocessor to be certified under the EU-U.S. Privacy Shield Framework.
7. Security & Personal Data Breach
- IDDQD will take all security measures required in accordance with Privacy and Data Protection Requirements, and at the request of the Client Group provide a written description of, and rationale for, the technical and organisational measures implemented, or to be implemented, to protect the Personal Data.
- IDDQD shall ensure that IDDQD staff processing Personal Data are subject to a duty of confidence.
- In the event of accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data processed by IDDQD or its Data Subprocessors, IDDQD shall:
  - Notify the Client of the breach.
  - Co-operate with the Client Group and take such reasonable commercial steps as are directed by the Client to assist in the investigation, mitigation and remediation of each such Personal Data Breach.
- IDDQD shall provide reasonable assistance to the Client with any data protection impact assessments, and prior consultations with Supervising Authorities or other competent data privacy authorities, which Company reasonably considers to be required of any Company Group Member, in each case solely in relation to Processing of Personal Data by, and taking into account the nature of the Processing and information available to, the Contracted Data Processors.
8. Audit
- The Client Group may exercise its right of audit under EU Data Protection Laws in relation to Personal Data.
- IDDQD shall make available to the Client Group such information (which may be redacted to remove confidential information not relevant to the requirements of the Applicable Law) as the Client Group may reasonably request to demonstrate IDDQD's compliance with the obligations of Data Processors under EU Data Protection Laws.
- IDDQD shall promptly send a copy of any Data Subprocessor agreement it concludes to the Data Exporter upon request.
- Any audit carried out by the Client will be conducted in a manner that does not disrupt, delay or interfere with IDDQD's performance of its business.
9. Data Subprocessor List
The list of Data Subprocessors can be found at Data Processors on https://terms.ideal-postcodes.co.uk.
10. Processing Operations
- The Personal Data transferred will be subject to the following basic processing activities:
  - Address Validation and Cleansing
  - Licensing of entities to access third party data via the Ideal Postcodes Services (for users of the Sublicensing Platform)