Data Processing Agreement
Last updated: February 2025
This Data Processing Agreement ("DPA") forms part of the agreement between Brindleford Technologies Ltd ("Processor", "we", "us") and the customer ("Controller", "you") for the Linux RMM service.
This DPA applies where we process personal data on your behalf in connection with the Service and is designed to meet the requirements of GDPR Article 28.
1. Definitions
In this DPA:
- "Data Protection Laws" means the UK GDPR, the Data Protection Act 2018, the EU GDPR (where applicable), and any other applicable data protection legislation
- "Personal Data" has the meaning given in the Data Protection Laws
- "Processing" has the meaning given in the Data Protection Laws
- "Data Subject" means an individual whose personal data is processed
- "Sub-processor" means any third party engaged by us to process personal data on your behalf
- "Security Incident" means any unauthorised access, acquisition, use, or disclosure of personal data
2. Scope and Roles
2.1 Controller and Processor
For the purposes of this DPA:
- You are the Controller of personal data processed through the Service
- We are the Processor, processing personal data on your behalf and according to your instructions
2.2 Processing Activities
We process personal data to provide the Service, including:
- Storing and managing data you upload or input into the Service
- Collecting system metrics and logs from managed devices
- Processing credentials stored in the secure vault
- Executing scripts and commands as directed by you
- Generating reports and analytics based on your data
3. Details of Processing
3.1 Subject Matter
Remote monitoring and management of Linux servers and systems.
3.2 Duration
Processing continues for the duration of your subscription and any applicable data retention period.
3.3 Nature and Purpose
Collection, storage, analysis, and display of system metrics, logs, and configuration data for IT management purposes.
3.4 Categories of Data Subjects
- Your employees and authorised users
- Your clients (for MSPs)
- End users whose data may be present on managed systems
3.5 Types of Personal Data
- User account information (names, email addresses)
- IP addresses and network identifiers
- System usernames and user IDs
- Activity logs and audit trails
- Any personal data present in system logs or scripts
4. Processor Obligations
We shall:
- Process personal data only on your documented instructions, unless required by law
- Ensure that persons authorised to process personal data are bound by confidentiality obligations
- Implement appropriate technical and organisational security measures
- Comply with conditions for engaging sub-processors (see Section 6)
- Assist you in responding to data subject requests
- Assist you in ensuring compliance with security, breach notification, and impact assessment obligations
- Delete or return personal data at the end of the service, at your choice
- Make available information necessary to demonstrate compliance and allow for audits
5. Controller Obligations
You shall:
- Ensure you have a lawful basis for processing personal data through the Service
- Provide clear instructions for processing
- Ensure personal data provided is accurate and up to date
- Comply with all applicable Data Protection Laws
- Respond to data subject requests where we are unable to do so directly
6. Sub-processors
6.1 Authorisation
You authorise us to engage sub-processors to assist in providing the Service. We maintain a list of current sub-processors, available upon request.
6.2 Sub-processor Requirements
We shall:
- Enter into written agreements with sub-processors imposing data protection obligations no less protective than this DPA
- Remain liable for sub-processor compliance
- Notify you of any intended changes to sub-processors at least 30 days in advance
6.3 Objection
You may object to a new sub-processor by notifying us within 14 days of our notice. If we cannot accommodate your objection, you may terminate the affected services.
6.4 Current Sub-processors
Our current sub-processors include:
| Category |
Purpose |
Location |
| Cloud Infrastructure |
Hosting and data storage |
EU/UK |
| Payment Processing |
Subscription billing |
EU/UK |
| Email Service |
Transactional notifications |
EU/UK |
7. Security Measures
We implement appropriate technical and organisational measures, including:
- Encryption of data in transit (TLS 1.2+) and at rest (AES-256)
- Access controls and authentication requirements
- Regular security assessments and penetration testing
- Monitoring and logging of system access
- Incident response procedures
- Business continuity and disaster recovery plans
- Employee training on data protection
- Physical security of data centres
8. Data Subject Rights
We shall:
- Promptly notify you of any data subject request we receive
- Not respond directly to data subjects unless authorised by you
- Provide reasonable assistance to help you respond to requests
- Implement appropriate technical measures to facilitate request handling
9. Security Incidents
9.1 Notification
We shall notify you without undue delay (and within 48 hours where feasible) upon becoming aware of a Security Incident affecting personal data.
9.2 Notification Content
Our notification shall include:
- Nature of the incident and categories of data affected
- Approximate number of data subjects and records affected
- Name and contact details of our data protection contact
- Likely consequences of the incident
- Measures taken or proposed to address the incident
9.3 Cooperation
We shall cooperate with you and take reasonable steps to assist in investigating and mitigating the incident.
10. International Transfers
Where personal data is transferred outside the UK or EEA, we ensure appropriate safeguards are in place:
- Transfers to countries with adequacy decisions
- Standard Contractual Clauses (SCCs) approved by the European Commission
- International Data Transfer Agreement (IDTA) for UK transfers
- Other approved transfer mechanisms as applicable
11. Audits
We shall:
- Make available information necessary to demonstrate compliance with this DPA
- Allow for and contribute to audits conducted by you or an auditor mandated by you
- Provide audit rights subject to reasonable notice, confidentiality, and during normal business hours
- Provide copies of relevant certifications and audit reports upon request
12. Data Deletion and Return
Upon termination of the Service:
- We will delete or return all personal data within 30 days of your written request
- Deletion includes all copies except where retention is required by law
- We will provide written confirmation of deletion upon request
- Backup data will be deleted according to our backup rotation schedule (typically within 30 days)
13. Liability
Liability under this DPA is governed by the limitation of liability provisions in our Terms and Conditions, except that nothing in this DPA limits liability for:
- Death or personal injury caused by negligence
- Fraud or fraudulent misrepresentation
- Any matter that cannot be limited or excluded by law
14. Term and Termination
This DPA shall:
- Come into effect upon your acceptance of our Terms and Conditions
- Remain in effect for the duration of our processing of personal data
- Survive termination of the main agreement to the extent required for data deletion and ongoing obligations
15. Amendments
We may amend this DPA to reflect changes in Data Protection Laws or our processing activities. We will notify you of material changes at least 30 days before they take effect. Continued use constitutes acceptance of the amended DPA.
16. Governing Law
This DPA is governed by the laws of England and Wales. Any disputes shall be subject to the exclusive jurisdiction of the courts of England and Wales.
17. Contact Information
For questions about this DPA or to exercise rights under it:
For a signed copy of this DPA or to request our current sub-processor list, please contact us at the email above.