Last revised: 23 April 2026
1. Scope
This Data Processing Agreement (the DPA) forms part of the SaaS Terms between EfficientEther Ltd (the Processor) and the customer (the Controller) and applies whenever EfficientEther processes personal data on behalf of the customer in connection with the EfficientEther platform.
Where a signed DPA executed between the parties exists, that document takes precedence over this online version.
2. Definitions
Terms including Personal Data, Processing, Data Subject, Controller, Processor, and Sub-Processor carry the meaning given in UK GDPR and EU GDPR. Applicable Data Protection Laws means UK GDPR, the UK Data Protection Act 2018, and, where the customer is subject to it, EU GDPR.
3. Processing Details
| Item | Detail |
|---|---|
| Subject matter | Provision of the EfficientEther platform and associated services to the customer. |
| Duration | For the term of the subscription agreement plus any data retention period required for service continuity, audit, or legal purposes. |
| Nature and purpose | Collection, storage, analysis, transmission, and deletion of personal data strictly to deliver the contracted service. |
| Categories of data subjects | Customer personnel, end users, and authorised administrators who interact with the platform. |
| Categories of personal data | Account identifiers, business contact details, authentication metadata, service usage logs, and any personal data the customer chooses to upload into the platform in line with the subscription agreement. |
| Special category data | Not required by the service. Customers must not upload special category data unless explicitly agreed in writing in advance. |
4. Customer Instructions
EfficientEther processes personal data only on documented instructions from the customer, including the instructions set out in the subscription agreement and any subsequent written instructions. EfficientEther will notify the customer if, in its opinion, an instruction conflicts with applicable data protection law.
5. Confidentiality and Personnel
Personnel authorised to process personal data are bound by written confidentiality obligations or are under appropriate statutory duties of confidentiality, and are trained on their data protection responsibilities.
6. Security Measures
EfficientEther implements and maintains appropriate technical and organisational measures consistent with ISO/IEC 27001 and ISO/IEC 42001 certifications and Cyber Essentials accreditation, including:
- Role-based access control with least-privilege defaults and regular access review.
- Encryption of personal data in transit and at rest.
- Network segmentation, vulnerability management, and dependency patching.
- Centralised logging, alerting, and documented incident response.
- Backup coverage with defined recovery time and recovery point objectives.
- Annual penetration testing and continuous internal audit.
7. Partner Tiers and Data Visibility
The EfficientEther platform supports a tiered partner model so customers who buy via a reseller or distributor benefit from the same data protection chain as customers who contract with EfficientEther directly.
| Party | Role | Data Visibility |
|---|---|---|
| End customer | Controller | Full visibility of its own tenant and personnel data. |
| Reseller partner | Processor for the end customer, controller of its own customer and commercial records. | End customer records the reseller itself onboards; own commercial records. |
| Distributor | Controller of its own reseller records. Becomes a processor for end customer personal data only if explicitly scoped in writing. | Reseller partner records; no end customer personal data by default. |
| EfficientEther | Processor or sub-processor acting on the instructions of the contracting party. | Only as required to provide the service. |
Role-based access controls enforce these boundaries in the partner portal and access changes are logged. Where a customer contracts through a reseller, EfficientEther's data protection obligations flow down through back-to-back partner terms. Notifications required under this DPA (including sub-processor changes and personal data breaches) are made to the party EfficientEther contracts with, who is responsible for onward notification under its own agreement with the end customer.
8. Sub-processors
The customer provides general written authorisation for EfficientEther to engage sub-processors to deliver the service, subject to the safeguards in this DPA. The current list is published at legal.efficientether.co.uk/sub-processors.html and mirrored at efficientether.co.uk/sub-processors.
EfficientEther notifies customers of intended additions or replacements of sub-processors at least 30 days in advance, unless a shorter period is required to address a risk to personal data. The customer may object to a material change by giving written notice within the notice period; if the parties cannot resolve the objection, the customer may terminate the affected service.
Each sub-processor is bound by written terms that impose data protection obligations no less protective than those in this DPA.
9. International Transfers
Where personal data is transferred outside the UK or EEA, EfficientEther relies on an appropriate transfer mechanism under UK GDPR and EU GDPR, including the UK International Data Transfer Addendum, the EU Standard Contractual Clauses, or an adequacy decision (including the UK Extension to the EU-US Data Privacy Framework, where applicable).
10. Data Subject Rights
EfficientEther provides reasonable assistance to the customer, taking into account the nature of the processing, to respond to data subject requests for access, rectification, erasure, restriction, objection, and portability. Where the customer cannot action a request through self-service tooling, EfficientEther provides support on request.
11. Breach Notification
EfficientEther notifies the customer without undue delay, and in any event within 72 hours, of becoming aware of a personal data breach affecting customer personal data, including sufficient information to allow the customer to meet its own notification obligations.
12. Audits
EfficientEther makes available to the customer all information reasonably necessary to demonstrate compliance with this DPA, including ISO 27001, ISO 42001, and Cyber Essentials certificates and audit summaries. Customers with a reasonable requirement beyond the standard evidence pack may request a scoped audit by written arrangement, subject to confidentiality and reasonable cost recovery.
13. Return and Deletion
At the customer's choice, and on termination of the service, EfficientEther returns or deletes customer personal data, except where retention is required by law, for legitimate service-continuity purposes, or for dispute resolution, in which case the data remains subject to the confidentiality and security obligations in this DPA.
14. Liability and Precedence
Liability under this DPA is subject to the limitations and exclusions set out in the subscription agreement. In the event of conflict, this DPA prevails over the subscription agreement solely in respect of data protection matters.
15. Contact
Customers requiring a signed counterpart, a jurisdiction-specific addendum, or additional security documentation should email privacy@efficientether.co.uk or open a security enquiry via efficientether.co.uk/contact.
Data controller: EfficientEther Ltd (Company Number 14951957, VAT GB455180788), registered in England and Wales. Registered office: 86-90 Paul Street, London, England, EC2A 4NE.