Data Processing Agreement
Version 1.0 · Effective 2026-06-26 · UK GDPR + Data Protection Act 2018
1. Parties
This Data Processing Agreement ("DPA") is entered into between:
- The Customer (the "Controller"), being the entity that has subscribed to the Jeanus B2B CRM service ("Service") on its own behalf; and
- Pixel & Shovel Ltd, a company registered in England and Wales, trading as Jeanus, with registered office in Brighton, United Kingdom (the "Processor").
ICO registration: ZC068491. Contact: hello@pixelandshovel.co.uk.
2. Background
The Parties have entered into a subscription agreement under which the Processor provides the Service to the Controller (the "Principal Agreement"). In the course of providing the Service, the Processor processes Personal Data on behalf of the Controller. This DPA governs that processing and forms part of the Principal Agreement.
3. Definitions
Terms not defined here take the meaning given in the UK General Data Protection Regulation ("UK GDPR", the UK's implementation of the EU GDPR) and the Data Protection Act 2018 (together, "Data Protection Laws").
- Personal Data: any data relating to an identified or identifiable natural person that the Controller (or its end users) submits to the Service.
- Processing: as defined in the UK GDPR.
- Subprocessor: a third party engaged by the Processor to process Personal Data on the Controller's behalf, listed at /subprocessors.
- Data Subject: the individual to whom Personal Data relates.
4. Subject matter, nature and purpose of processing
- Subject matter: provision of the Jeanus B2B CRM Service, including data storage, querying, AI-assisted features, transactional email, and subscription billing.
- Nature: storing, organising, displaying, transmitting, copying, querying, exporting, and (where the Controller triggers AI features) submitting Personal Data to AI subprocessors for the purpose of generating drafts, summaries, briefings or enrichment.
- Purpose: enabling the Controller to operate its B2B sales, customer and account workflows.
- Duration: the term of the Principal Agreement, plus any retention period under section 13.
5. Categories of Personal Data and Data Subjects
The Controller determines what Personal Data it submits. The Service accommodates:
- Data Subjects: the Controller's own customers, prospects, leads, contacts, suppliers, candidates (for recruitment users), and the Controller's own employees and authorised users.
- Personal Data categories: identification (name, job title), contact (email, phone, business address), commercial (orders, quotes, pricing, billing), interaction (notes, activity, emails, call logs), and any other Personal Data the Controller chooses to record.
- Special category data: the Service is not designed to process special category data under Article 9 of the UK GDPR. The Controller agrees not to submit special category data unless the Parties have agreed additional terms in writing.
6. Controller obligations
The Controller:
- is the data controller of the Personal Data it submits and is responsible for the lawfulness, accuracy and lawful basis of that processing;
- is responsible for providing all required notices to, and (where required) obtaining all required consents from, Data Subjects;
- will give the Processor lawful, documented instructions; the Principal Agreement, this DPA, and the Controller's use of the Service within its documented features constitute documented instructions;
- will not submit special category data or data relating to criminal convictions without prior written agreement; and
- will keep its account credentials secure and take reasonable steps to off-board users whose access should be revoked.
7. Processor obligations
The Processor will:
- process Personal Data only on the Controller's documented instructions;
- ensure personnel authorised to process Personal Data are under appropriate confidentiality obligations;
- implement the technical and organisational security measures set out in Appendix A below and at /security;
- engage Subprocessors only in accordance with section 8;
- taking the nature of the processing into account, assist the Controller by appropriate technical and organisational measures with its obligations to respond to Data Subject requests under Articles 12-22 of the UK GDPR;
- assist the Controller with its obligations under Articles 32-36 of the UK GDPR (security, breach notification, data protection impact assessments and prior consultation);
- notify the Controller without undue delay, and in any event within 48 hours, after becoming aware of a Personal Data Breach affecting the Controller's data;
- at the Controller's election, delete or return all Personal Data at the end of the Service, subject to section 13; and
- make available all information reasonably necessary to demonstrate compliance with this DPA and allow for and contribute to audits, in accordance with section 11.
8. Subprocessors
The Controller gives the Processor general authorisation to engage Subprocessors, subject to:
- the Processor maintaining a current list of Subprocessors at /subprocessors;
- before engaging a new Subprocessor, the Processor imposing data protection obligations on that Subprocessor no less protective than this DPA;
- the Processor giving at least 30 days' notice of any intended changes (by updating the page and notifying tenant admins by email);
- if the Controller reasonably objects on data protection grounds, the Parties discussing the objection in good faith; if the Processor cannot offer an alternative, the Controller may terminate the Principal Agreement without penalty for the remainder of the current billing period;
- the Processor remaining liable to the Controller for the acts and omissions of its Subprocessors as if they were its own.
9. International transfers
Where the Processor or a Subprocessor transfers Personal Data outside the United Kingdom, the transfer is made on the basis of the UK International Data Transfer Addendum to the EU Standard Contractual Clauses (or another lawful transfer mechanism recognised under Data Protection Laws). The current list of Subprocessor locations is published at /subprocessors.
10. Data Subject rights
The Processor will:
- promptly notify the Controller of any request received directly from a Data Subject relating to the Controller's data, and will not respond directly except to confirm the request has been forwarded (unless instructed otherwise);
- provide reasonable assistance, including by making available administrative tools in the Service (data export, deletion, rectification), to enable the Controller to fulfil its obligations under Articles 12-22 of the UK GDPR within statutory time limits.
11. Audits
- The Processor will respond promptly to reasonable written requests for information necessary to demonstrate compliance with this DPA, including copies of relevant policies, attestations and Subprocessor DPAs.
- Where the Controller can demonstrate the information provided is insufficient, the Controller may, on at least 30 days' written notice and not more than once in any twelve-month period (unless required by a supervisory authority), conduct an audit by a mutually agreed independent third-party auditor under reasonable confidentiality terms. The Controller bears the costs of any such audit unless it discovers a material breach.
12. Personal Data Breach
- The Processor will notify the Controller of any Personal Data Breach affecting Controller data without undue delay and in any event within 48 hours of becoming aware.
- The notice will include, to the extent then known: nature of the breach, categories and approximate number of Data Subjects and records concerned, likely consequences, and measures the Processor has taken or proposes to take.
- The Processor will cooperate with and assist the Controller in complying with the Controller's own Article 33 and 34 notification obligations.
13. Return or deletion of Personal Data
- On termination or expiry of the Principal Agreement, the Controller's tenant data will remain accessible for export for 30 days.
- After the 30-day window, the Processor will delete all Controller Personal Data from active systems within a further 30 days, save where retention is required by law (including statutory tax record retention applicable to billing data).
- Backup copies are overwritten on the standard backup rotation (30-day retention) after the data is deleted from active systems.
- The Processor will provide written confirmation of deletion on the Controller's reasonable request.
14. Liability
The Parties' liability under this DPA is subject to the limitations of liability set out in the Principal Agreement.
15. Term
This DPA comes into force on the Effective Date and continues for as long as the Processor processes Personal Data on behalf of the Controller. Sections 12, 13, 14 and 16 survive termination.
16. Governing law
This DPA is governed by the law of England and Wales. The courts of England and Wales have exclusive jurisdiction over any dispute arising under or in connection with this DPA.
17. Order of precedence
In the event of a conflict between this DPA and the Principal Agreement on matters of data protection, this DPA prevails.
Appendix A - Technical and organisational security measures
The Processor implements at least the following measures, described in more detail at /security:
- Encryption: TLS 1.2+ in transit; AES-256 at rest (including backups).
- Tenant isolation: three-layer defence - application-level tenant ID filter, Postgres Row Level Security, and an automated Playwright regression test against the live deployment that crawls every customer-facing page across all demo tenants and asserts no cross-tenant data renders.
- Authentication: Supabase Auth with bcrypt hashing; TOTP MFA available to all users and required for staff/admin roles.
- Authorisation: role-based access controls within a tenant. Management routes guarded server-side.
- Access management: Supabase service-role key used server-side only; service-role calls logged.
- Audit logs: user actions recorded in the activities table with actor, target, timestamp and IP.
- Backups: daily encrypted backups, 30-day retention; point-in-time recovery on the underlying Postgres instance.
- Vulnerability management: dependencies tracked and updated; responsible disclosure at security@pixelandshovel.co.uk.
- Personnel: all personnel with production access bound by confidentiality.
- Incident response: documented playbook; 48-hour internal notification; 72-hour Controller notification.
Appendix B - Subprocessors
The current list of Subprocessors, with role, region, certifications and DPA, is at /subprocessors.
As at the Effective Date: Vercel Inc. (hosting, UK), Supabase Inc. (database + auth, UK/London), Anthropic PBC (AI features, US), Stripe Payments Europe Ltd. (billing, EU/Ireland), Resend Inc. (transactional email, US).
Signatures
To execute: download the DPA, complete the Controller block, and return it to hello@pixelandshovel.co.uk. We will return a fully countersigned copy.