1. Purpose of This Agreement
This Data Processing Agreement (“DPA”) sets out the terms under which Squeez Ltd (“Processor”) will process personal data on behalf of the Client (“Controller”) in the course of providing review management and related services.
This DPA is subject to the terms of the main Service Agreement between the parties.
2. Roles and Responsibilities
Client (Controller): Determines the purpose and lawful basis for processing personal data.
Squeez Ltd (Processor): Processes personal data only on documented instructions from the Client.
Sub-Processors: The Processor may engage sub-processors with appropriate safeguards in place.
3. Categories of Data Processed
The Processor may process the following types of data provided by the Client:
Customer name
Customer phone number
Customer email address
4. Purpose of Processing
Personal data is processed solely for the purpose of:
Sending automated review requests (e.g., via WhatsApp).
Managing customer engagement on behalf of the Client.
No other use of the data is permitted.
5. Data Subject Rights
The Processor will assist the Client in fulfilling obligations relating to data subject rights (access, correction, deletion, portability, restriction).
Requests received directly by the Processor will be referred promptly to the Client.
6. Security Measures
The Processor shall implement appropriate technical and organisational measures, including but not limited to:
Encrypted storage and transfer.
Role-based access control and multi-factor authentication.
Regular security monitoring and breach response procedures.
7. Sub-Processing
The Client authorises the Processor to use sub-processors.
A list of current sub-processors is available on request.
The Processor shall ensure sub-processors provide equivalent GDPR protections.
8. International Transfers
Data may be transferred outside the UK/EEA (e.g., to the United States via Go HighLevel).
Such transfers are safeguarded by the EU–US Data Privacy Framework and Standard Contractual Clauses.
9. Data Retention & Deletion
Data shall only be retained for as long as necessary to provide the service.
Standard retention period: 12 months unless otherwise instructed by the Client.
On termination of services, all data will be securely deleted within 30 days (unless legal obligations require retention).
10. Data Breach Notification
The Processor shall notify the Client without undue delay (and within 48 hours) upon becoming aware of a personal data breach.
11. Audit Rights
The Client may request reasonable information to demonstrate compliance.
The Processor shall cooperate with audits or inspections, subject to reasonable notice and confidentiality safeguards.
12. Liability
Each party shall be liable for its own acts and omissions under this DPA and under applicable data protection laws.
13. Governing Law
This DPA shall be governed by the laws of England and Wales.
