Data Processing Agreement
Effective date: 19 March 2026
Data Controller: The business or individual subscribing to Masser services ("the Client", "you")
Data Processor: Penovex Limited trading as Masser, registered in England and Wales ("Masser", "we", "us")
Contact: team@masser.uk
This Data Processing Agreement ("DPA") forms part of the Client Terms & Conditions and governs the processing of personal data by Masser on behalf of the Client in connection with the provision of website hosting and related services.
1. Definitions
- Personal Data, Data Subject, Processing, Controller, Processor, Sub-processor — as defined in the UK General Data Protection Regulation (UK GDPR)
- Services — the website hosting, form handling, analytics configuration, and related services provided by Masser under the Client Terms
- Visitor Data — personal data of individuals who visit the Client's Masser-hosted website
2. Scope and Roles
2.1 The Client as Controller
The Client is the data controller for Visitor Data submitted through their website (e.g. contact form submissions containing names, email addresses, phone numbers, and messages).
2.2 Masser as Processor
Masser acts as data processor when handling Visitor Data on the Client's behalf. This includes:
- Receiving and forwarding contact form submissions
- Hosting website content that may display visitor-facing information
- Configuring analytics tools as instructed by the Client
2.3 Masser as Controller
Masser acts as an independent data controller for:
- The Client's own personal data (name, email, business information) — governed by the Client Privacy Policy
- Anonymised, aggregated performance data derived from visitor activity across all Masser-hosted websites — this data cannot identify any individual visitor or business
3. Processing Details
| Element | Detail |
|---|---|
| Subject matter | Hosting client websites and processing form submissions from website visitors |
| Duration | Duration of the Client's subscription, plus 90 days retention after cancellation |
| Nature of processing | Collection, storage, transmission, and deletion of Visitor Data |
| Purpose | Delivering form submissions to the Client; hosting and operating the website |
| Categories of data subjects | Website visitors who submit contact forms or enquiries |
| Types of personal data | Name, email address, phone number, message content, and any other data submitted via website forms |
4. Masser's Obligations
Masser shall:
4.1 Processing Instructions
- Process Visitor Data only on the Client's documented instructions, unless required by law
- Not process Visitor Data for any purpose other than providing the Services, except for the creation of aggregated, anonymised data as described in Section 9
4.2 Confidentiality
- Ensure that all personnel authorised to process Visitor Data are bound by confidentiality obligations
4.3 Security Measures
- Implement appropriate technical and organisational measures to protect Visitor Data, including:
- HTTPS/TLS encryption for all data in transit
- Encrypted database storage (Supabase with encryption at rest)
- Role-based access controls limiting data access to authorised personnel
- Regular review of security practices
- Secure email transmission of form submissions via Resend
4.4 Sub-processors
- Not engage a new sub-processor without providing the Client with prior notice (see Section 6)
- Ensure sub-processors are bound by equivalent data protection obligations
4.5 Data Subject Rights
- Assist the Client in responding to data subject requests (access, rectification, erasure, portability, restriction, objection) insofar as the request relates to Visitor Data processed by Masser
- Notify the Client promptly if Masser receives a request directly from a data subject
4.6 Data Protection Impact Assessments
- Provide reasonable assistance to the Client in conducting data protection impact assessments where required
4.7 Audit
- Make available to the Client, on reasonable request, information necessary to demonstrate compliance with this DPA
- Allow for and contribute to audits conducted by the Client or an independent auditor mandated by the Client, subject to reasonable advance notice and scope limitations
5. Personal Data Breach
In the event of a personal data breach affecting Visitor Data:
- Masser shall notify the Client without undue delay and in any event within 72 hours of becoming aware of the breach
- The notification shall include:
- Description of the nature of the breach
- Categories and approximate number of data subjects affected
- Categories and approximate number of personal data records affected
- Description of likely consequences
- Description of measures taken or proposed to address the breach
- Masser shall cooperate with the Client and take reasonable steps to mitigate the breach
- The Client is responsible for notifying the ICO and affected data subjects where required under UK GDPR
6. Sub-processors
6.1 Approved Sub-processors
The Client authorises the use of the following sub-processors as at the effective date:
| Sub-processor | Location | Purpose |
|---|---|---|
| Supabase Inc. | United States | Database hosting, authentication |
| Netlify Inc. | United States | Website hosting and CDN |
| Resend Inc. | United States | Email delivery (form submissions) |
| Stripe Inc. | United States | Payment processing (does not process Visitor Data) |
| Namecheap Inc. | United States | Domain registration (does not process Visitor Data) |
| Anthropic PBC | United States | AI website generation (business info only, not Visitor Data) |
6.2 Changes to Sub-processors
- Masser shall notify the Client by email at least 30 days before engaging a new sub-processor or replacing an existing one
- The Client may object to a new sub-processor on reasonable data protection grounds within 14 days of notification
- If the objection cannot be resolved, the Client may terminate the subscription without penalty
6.3 Sub-processor Obligations
Masser shall ensure that each sub-processor is bound by a written agreement imposing data protection obligations no less protective than those in this DPA.
7. International Transfers
Where Visitor Data is transferred outside the UK (including to sub-processors in the United States), Masser shall ensure that appropriate safeguards are in place in accordance with UK GDPR, including:
- The ICO's International Data Transfer Agreement (IDTA), or the UK Addendum to the EU Standard Contractual Clauses (SCCs), or
- UK adequacy regulations covering the destination country (for recipients in the United States, the UK-US data bridge where the recipient is certified under it), or
- Other transfer mechanisms permitted under UK GDPR
Masser shall inform the Client if it becomes aware that a transfer mechanism is no longer valid and shall work with the Client to implement alternative safeguards.
8. Data Retention and Deletion
8.1 During Subscription
Visitor Data (form submissions) is transmitted to the Client's email in real-time and is not stored persistently by Masser beyond the email delivery process.
8.2 On Termination
Upon termination of the Client's subscription:
- Website files (which may contain visitor-facing content) are retained for 90 days, then permanently deleted
- No Visitor Data is retained by Masser after this period
- The Client may request earlier deletion by contacting team@masser.uk
8.3 Exceptions
Masser may retain data where required by applicable law (e.g. tax records, fraud prevention). Aggregated, anonymised data is retained indefinitely as described in Section 9.
9. Aggregated and Anonymised Data
The Client acknowledges and agrees that Masser may:
(a) Collect and retain anonymised, aggregated performance data derived from visitor activity across all Masser-hosted websites, including but not limited to page views, session durations, conversion rates, device types, geographic regions, and traffic sources
(b) Use this aggregated data internally to improve Masser's products, AI build quality, and service delivery
(c) Use this aggregated data to produce industry benchmark reports, performance insights, or other analytical products, provided no individual business or visitor is identifiable
(d) Share or license anonymised aggregate data to third parties (including market research firms, trade bodies, and commercial partners), provided such data cannot be used to identify any individual client, their business, or their website visitors
(e) Retain this aggregated data indefinitely, including after the Client's subscription ends
This processing of aggregated, anonymised data does not constitute processing of personal data under UK GDPR, provided the data cannot be used to identify any natural person, directly or in combination with other data, by any means reasonably likely to be used. Masser undertakes to apply anonymisation techniques that meet this standard, so that re-identification of any visitor, client, or business is not reasonably likely.
10. Liability
The liability of each party under this DPA is subject to the limitations set out in the Client Terms & Conditions.
11. Governing Law
This DPA is governed by the laws of England and Wales. Any dispute arising from this DPA shall be subject to the exclusive jurisdiction of the courts of England and Wales.
12. Contact
For any questions about this DPA:
- Masser: team@masser.uk
- Company: Penovex Limited