Data Processing Agreement

Between:

[Partner Name] (“Data Controller” or “Partner”)

and

AOIT Networks Ltd (“Data Processor” or “AOIT”)

Company Number: 10450071
VAT Number: GB 253 424 912
Address: Jarrow Business Centre, Rolling Mill Road, Jarrow, Tyne and Wear, NE32 3DT, United Kingdom


1. Introduction and Definitions

1.1 Purpose

This Data Processing Agreement (“DPA”) forms part of the services agreement between the Partner and AOIT Networks Ltd (the “Agreement”) and sets out the terms on which AOIT will process personal data on behalf of the Partner in connection with the provision of managed IT and telecommunications services.

1.2 Definitions

In this DPA, the following terms have the meanings set out below:

“Data Protection Laws” means all applicable laws relating to the processing of personal data including the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations 2003, as amended, updated, or replaced from time to time.

“Personal Data” means any personal data processed by AOIT on behalf of the Partner in connection with the provision of services under the Agreement.

“Data Subject” means the individual to whom personal data relates, including but not limited to the Partner’s employees, customers, contractors, and other individuals whose data is processed as part of the services.

“Processing” has the meaning given to it in the UK GDPR and includes any operation or set of operations performed on personal data, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, erasure, or destruction.

“Subprocessor” means any third party appointed by AOIT to process personal data on behalf of the Partner in connection with the services.

“Security Incident” means any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data.

“Services” means the managed IT and telecommunications services provided by AOIT to the Partner as specified in the Agreement.

1.3 Interpretation

References to sections are to sections of this DPA unless otherwise stated. Headings are for convenience only and do not affect the interpretation of this DPA. In the event of any conflict between the terms of this DPA and the Agreement, the terms of this DPA shall prevail with respect to the processing of personal data.


2. Scope and Nature of Processing

2.1 Roles and Responsibilities

The Partner is the data controller of the personal data processed under this DPA. AOIT acts as a data processor on behalf of the Partner. AOIT shall process personal data only on documented instructions from the Partner, except where required to do so by applicable law, in which case AOIT shall inform the Partner of that legal requirement before processing, unless prohibited by law from doing so.

2.2 Nature and Purpose of Processing

AOIT processes personal data for the purpose of providing the services to the Partner, including but not limited to managed IT support, cybersecurity services, backup and disaster recovery, telecommunications services, network monitoring, and related technical services as specified in the Agreement.

2.3 Types of Personal Data

The personal data processed under this DPA may include:

  • Identity data (names, job titles, employee IDs)
  • Contact data (email addresses, telephone numbers, business addresses)
  • Technical data (IP addresses, system logs, device information, network traffic metadata)
  • Communications data (email content, call recordings, instant messages)
  • Usage data (system usage patterns, performance metrics)
  • Security data (authentication credentials, security event logs, access logs)
  • Financial data (where necessary for service delivery)
  • Any other personal data contained within systems, devices, networks, and services managed by AOIT on behalf of the Partner

2.4 Categories of Data Subjects

Data subjects may include:

  • The Partner’s employees, workers, and contractors
  • The Partner’s customers and clients
  • The Partner’s suppliers and business contacts
  • Any other individuals whose personal data is processed through the systems and services managed by AOIT

2.5 Duration of Processing

Personal data will be processed for the duration of the Agreement and for such period thereafter as is necessary to fulfill AOIT’s obligations under this DPA, including the return or deletion of personal data as set out in Section 10.


3. Partner’s Instructions

3.1 Documented Instructions

AOIT shall process personal data only on the Partner’s documented instructions unless required to do so by Data Protection Laws. The Partner’s instructions are set out in this DPA and the Agreement, and may be amended, extended, or replaced from time to time by further documented instructions issued by the Partner in writing.

3.2 Compliance with Instructions

AOIT shall immediately inform the Partner if, in AOIT’s opinion, any instruction from the Partner infringes Data Protection Laws or if AOIT is unable to comply with such instruction for any reason.

3.3 Legal Obligation to Process

If AOIT is required by Data Protection Laws or any other applicable law to process personal data beyond the Partner’s instructions, AOIT shall inform the Partner of that legal requirement before processing (unless prohibited by law from doing so on important grounds of public interest).


4. Security Obligations

4.1 Security Measures

AOIT shall implement and maintain appropriate technical and organizational measures to protect personal data against Security Incidents and to ensure a level of security appropriate to the risk of processing. These measures shall include, as appropriate:

  • Encryption of personal data in transit and at rest where technically feasible
  • Measures to ensure ongoing confidentiality, integrity, availability, and resilience of processing systems and services
  • The ability to restore availability and access to personal data in a timely manner in the event of a physical or technical incident
  • Regular testing, assessment, and evaluation of the effectiveness of security measures
  • Measures to identify vulnerabilities with regard to the processing of personal data
  • Access controls ensuring that personnel processing personal data do so only on the Partner’s instructions
  • Multi-factor authentication and strong password policies for access to systems containing personal data
  • Role-based access controls implementing the principle of least privilege
  • Comprehensive logging and monitoring of access to systems and personal data
  • Regular security assessments, vulnerability scanning, and penetration testing
  • Secure backup and disaster recovery procedures
  • Physical and environmental security controls for data centers and facilities
  • Network security measures including firewalls, intrusion detection, and traffic monitoring
  • Endpoint protection and device management controls
  • Regular security patches and updates to systems and software

4.2 Documentation and Evidence

AOIT shall maintain documentation of the security measures implemented and shall make such documentation available to the Partner upon reasonable request. AOIT may provide evidence of compliance through security questionnaires, audit reports, certifications, or other documentation as appropriate.

4.3 Security Certifications

AOIT is working toward achieving recognized security certifications including ISO 27001 and Cyber Essentials. Once obtained, these certifications will be listed in AOIT’s security documentation and updated on the AOIT website. The Partner may request current certification status at any time.

4.4 Personnel Security

AOIT shall ensure that all personnel who have access to personal data are subject to appropriate confidentiality obligations (whether a contractual or statutory duty) and receive adequate training on data protection and information security.


5. Subprocessing

5.1 General Authorization

The Partner provides general authorization for AOIT to engage subprocessors to process personal data on the Partner’s behalf, subject to the terms of this Section 5.

5.2 Current Subprocessors

AOIT’s current subprocessors are listed on the AOIT website at www.aoitnetworks.com/subprocessors. The Partner acknowledges and agrees to the engagement of the subprocessors listed at the date of this DPA.

5.3 New or Replacement Subprocessors

AOIT shall provide the Partner with at least 30 days’ prior written notice of the addition or replacement of any subprocessor. Notice shall be provided by email to the Partner’s designated contact and by updating the list on the AOIT website.

The Partner may object to the appointment of a new or replacement subprocessor on reasonable grounds relating to data protection by notifying AOIT in writing within 14 days of receiving notice. If the Partner objects, the parties shall work together in good faith to address the Partner’s concerns, which may include AOIT not appointing that subprocessor, implementing additional safeguards, or the Partner migrating to alternative services.

If the parties cannot reach an agreement and the Partner continues to object on reasonable grounds, the Partner may terminate the affected services by giving 30 days’ written notice, without penalty or further obligation.

5.4 Subprocessor Obligations

AOIT shall ensure that any subprocessor is appointed under a written contract that imposes substantially the same data protection obligations on the subprocessor as are imposed on AOIT under this DPA, including obligations regarding security, confidentiality, data subject rights, breach notification, and deletion of data.

5.5 Liability for Subprocessors

AOIT remains fully liable to the Partner for the performance of any subprocessor’s obligations under this DPA.

5.6 Subprocessor Scope

Subprocessors are only granted access to personal data to the extent necessary to perform the specific functions for which they have been engaged and in accordance with the terms of this DPA and the subprocessor agreement.


6. Data Subject Rights

6.1 Assistance with Data Subject Requests

AOIT shall, taking into account the nature of processing and to the extent possible, provide reasonable assistance to the Partner to enable the Partner to respond to requests from data subjects exercising their rights under Data Protection Laws, including:

  • Right of access to personal data
  • Right to rectification of inaccurate or incomplete personal data
  • Right to erasure of personal data (“right to be forgotten”)
  • Right to restriction of processing
  • Right to data portability
  • Right to object to processing
  • Rights related to automated decision-making and profiling

6.2 Forwarding Requests

If AOIT receives a request from a data subject directly, AOIT shall promptly forward such request to the Partner without responding to the data subject, unless otherwise instructed by the Partner or required by law.

6.3 Assistance Timeframe

AOIT shall provide assistance to the Partner within 10 business days of receiving a request from the Partner, or within such other timeframe as the Partner reasonably specifies, taking into account the nature and complexity of the request.

6.4 Partner’s Responsibility

The Partner acknowledges that it is responsible for determining whether a data subject request is valid and how to respond to such requests. AOIT’s role is limited to providing assistance and cooperating with the Partner as the data controller.


7. Security Incidents and Breach Notification

7.1 Notification Obligation

AOIT shall notify the Partner without undue delay, and in any event within 72 hours, after becoming aware of any Security Incident affecting personal data processed under this DPA.

7.2 Notification Content

The notification shall include, to the extent known at the time of notification:

  • A description of the nature of the Security Incident, including where possible the categories and approximate number of data subjects and personal data records concerned
  • The name and contact details of AOIT’s designated contact for the Security Incident
  • A description of the likely consequences of the Security Incident
  • A description of the measures taken or proposed to be taken to address the Security Incident, including measures to mitigate its possible adverse effects
  • Any other information the Partner may reasonably require

7.3 Ongoing Cooperation

AOIT shall cooperate with the Partner and provide such further information and assistance as the Partner may reasonably request in relation to the Security Incident, including to enable the Partner to fulfill any obligations to notify data subjects or supervisory authorities under Data Protection Laws.

7.4 Investigation and Remediation

AOIT shall promptly investigate any Security Incident and take reasonable steps to remediate the cause of the Security Incident and prevent recurrence. AOIT shall provide the Partner with updates on the investigation and remediation efforts at reasonable intervals.

7.5 No Acknowledgment of Liability

AOIT’s notification of a Security Incident under this Section 7 shall not constitute an acknowledgment of fault or liability with respect to the Security Incident.


8. Data Protection Impact Assessments and Consultations

8.1 Cooperation with DPIA

Where the Partner is required to conduct a data protection impact assessment (DPIA) under Data Protection Laws, AOIT shall provide reasonable cooperation and assistance to enable the Partner to conduct such assessment, taking into account the nature of processing and the information available to AOIT.

8.2 Prior Consultation

Where the Partner is required to consult with a supervisory authority under Data Protection Laws, AOIT shall provide reasonable cooperation and assistance to enable the Partner to fulfill such obligation, taking into account the nature of processing and the information available to AOIT.

8.3 Information Provision

AOIT shall provide the Partner with such information regarding the processing of personal data as the Partner may reasonably require to fulfill its obligations under Data Protection Laws, including in relation to DPIAs and prior consultations.


9. Audit Rights

9.1 Right to Audit

The Partner may, upon reasonable written notice and during normal business hours, audit AOIT’s compliance with its obligations under this DPA. Such audits shall not be conducted more than once per calendar year, except where:

  • There has been a Security Incident affecting the Partner’s personal data
  • AOIT has materially breached this DPA
  • A supervisory authority requires an audit
  • There has been a material change to AOIT’s processing operations

9.2 Notice Period

The Partner shall provide AOIT with at least 60 days’ written notice of its intention to conduct an audit, unless a shorter notice period is required by a supervisory authority or in the case of an urgent Security Incident.

9.3 Audit Scope and Conduct

Audits shall be conducted in a manner that does not unreasonably interfere with AOIT’s business operations or compromise the security or confidentiality of AOIT’s other customers. The Partner shall ensure that any auditors are subject to appropriate confidentiality obligations.

9.4 Alternative Compliance Evidence

In lieu of an on-site audit, the Partner may accept alternative evidence of compliance, including:

  • AOIT’s responses to a comprehensive security questionnaire provided by AOIT
  • Third-party audit reports, certifications, or attestations (such as ISO 27001, SOC 2, Cyber Essentials)
  • Documentation of AOIT’s security policies, procedures, and controls
  • Other evidence reasonably demonstrating AOIT’s compliance with this DPA

AOIT may require the Partner to first review such alternative evidence before conducting an on-site audit.

9.5 Costs

Each party shall bear its own costs associated with any audit conducted under this Section 9, unless the audit reveals a material breach of this DPA by AOIT, in which case AOIT shall reimburse the Partner’s reasonable costs of conducting the audit.

9.6 Audit Findings

The Partner shall provide AOIT with a copy of any audit report and shall allow AOIT a reasonable opportunity to remediate any identified non-compliance before taking further action.


10. Data Return and Deletion

10.1 Return or Deletion on Termination

Upon termination or expiry of the Agreement, or upon the Partner’s written request, AOIT shall, at the Partner’s election:

  • Return all personal data to the Partner in a structured, commonly used, and machine-readable format; or
  • Securely delete or destroy all personal data; or
  • A combination of return and deletion as specified by the Partner

Such return or deletion shall be completed within 60 days of termination or the Partner’s request, unless a longer period is required by applicable law or agreed by the parties.

10.2 Immediate Deletion During Offboarding

AOIT shall delete personal data immediately upon completion of the offboarding process for devices, systems, and services, except where retention is required by law or as specified below.

10.3 Exceptions to Deletion

Notwithstanding Sections 10.1 and 10.2, AOIT may retain personal data to the extent and for such period as required by applicable law, including but not limited to:

  • Financial records, invoices, and transaction data required for tax and accounting purposes (retained for 6 years after termination)
  • Business contact information for the Partner organization (names, business email addresses, business telephone numbers) required for legal, billing, or dispute resolution purposes
  • System logs and security data required for legal compliance, audit, or regulatory purposes
  • Backup copies retained in accordance with AOIT’s standard backup retention policies, provided such data is securely deleted as part of the normal backup lifecycle

10.4 Certification of Deletion

Upon the Partner’s written request, AOIT shall provide written certification that personal data has been returned or deleted in accordance with this Section 10.

10.5 Subprocessor Deletion

AOIT shall ensure that any subprocessors return or delete personal data in accordance with the requirements of this Section 10.


11. International Data Transfers

11.1 Data Location

AOIT processes and stores personal data primarily within the United Kingdom and the European Economic Area (EEA). Where personal data is transferred outside the UK or EEA, AOIT shall ensure that appropriate safeguards are in place in accordance with Data Protection Laws.

11.2 Transfer Mechanisms

Where international data transfers are necessary, AOIT shall use one or more of the following transfer mechanisms:

  • Transfer to a country that has been deemed to provide an adequate level of protection for personal data by the UK government or European Commission
  • Standard contractual clauses approved for use in the UK (UK International Data Transfer Agreement or equivalent)
  • Other transfer mechanisms recognized under Data Protection Laws as providing appropriate safeguards

11.3 Subprocessor Transfers

AOIT shall ensure that any subprocessors processing personal data outside the UK or EEA comply with the requirements of this Section 11.

11.4 Information on Transfers

AOIT shall provide the Partner with information about international data transfers upon request, including the countries to which data is transferred and the safeguards in place.


12. General Provisions

12.1 Confidentiality

Each party shall maintain the confidentiality of all confidential information obtained from the other party in connection with this DPA and shall not disclose such information to third parties except as required by law or with the prior written consent of the other party.

12.2 Limitation of Liability

The parties’ liability under this DPA shall be subject to the limitations and exclusions of liability set out in the Agreement. Nothing in this DPA shall limit or exclude either party’s liability for fraud, gross negligence, or willful misconduct.

12.3 Entire Agreement

This DPA, together with the Agreement, constitutes the entire agreement between the parties with respect to the processing of personal data and supersedes all prior agreements, understandings, and arrangements, whether oral or written, relating to such subject matter.

12.4 Amendment

This DPA may only be amended or modified by written agreement signed by authorized representatives of both parties, except that AOIT may amend this DPA to the extent necessary to comply with changes in Data Protection Laws, provided that such amendments do not materially reduce the Partner’s rights or increase the Partner’s obligations under this DPA.

12.5 Severability

If any provision of this DPA is held to be invalid, illegal, or unenforceable, the validity, legality, and enforceability of the remaining provisions shall not be affected or impaired.

12.6 Waiver

No failure or delay by either party in exercising any right or remedy under this DPA shall constitute a waiver of that right or remedy, nor shall any single or partial exercise of any right or remedy preclude any other or further exercise of that right or remedy.

12.7 Governing Law and Jurisdiction

This DPA shall be governed by and construed in accordance with the laws of England and Wales. The parties irrevocably submit to the exclusive jurisdiction of the courts of England and Wales to settle any dispute or claim arising out of or in connection with this DPA.

12.8 Survival

The provisions of this DPA that by their nature should survive termination or expiry of the Agreement shall survive, including Sections 4 (Security Obligations), 7 (Security Incidents and Breach Notification), 9 (Audit Rights), 10 (Data Return and Deletion), and 12 (General Provisions).

12.9 Order of Precedence

In the event of any conflict between the terms of this DPA and the Agreement, the terms of this DPA shall prevail with respect to the processing of personal data.

12.10 Notices

Any notice required or permitted to be given under this DPA shall be in writing and delivered by email or courier to the addresses set out in the Agreement or such other address as a party may designate by written notice to the other party.


13. Acceptance and Effective Date

13.1 Incorporation into Agreement

This Data Processing Agreement is incorporated into and forms part of the services agreement between the Partner and AOIT Networks Ltd. By accepting the Agreement (whether electronically or in writing), the Partner agrees to be bound by the terms of this DPA.

13.2 Effective Date

This DPA is effective as of the date the Partner accepts the Agreement, or if later, the date on which AOIT begins processing personal data on behalf of the Partner.

13.3 Version Control

Current Version: 1.0
Last Updated: January 2026
Document Location: https://www.aoitnetworks.com/legal-repository/data-processing-agreement/

13.4 Updates and Amendments

AOIT may update this DPA from time to time to reflect changes in Data Protection Laws, regulatory requirements, or AOIT’s processing operations. Material changes that reduce the Partner’s rights or increase the Partner’s obligations will be communicated to the Partner by email at least 30 days before taking effect.

The Partner’s continued use of the services after the effective date of any changes constitutes acceptance of the updated DPA. If the Partner does not agree to material changes, the Partner may terminate the affected services in accordance with the termination provisions of the Agreement.

Non-material changes, such as clarifications, formatting updates, or changes required by law, may be implemented immediately without prior notice.

13.5 Access to Previous Versions

Previous versions of this DPA are available upon request by contacting support@aoitnetworks.com.