Data Processing Addendum
Purpose
This Data Processing Addendum (DPA) forms part of our contractual terms with clients where Bugni Labs processes personal data on behalf of the client. It ensures compliance with UK GDPR, EU GDPR, and the Data Protection Act 2018.
Roles and Responsibilities
Controller: The client determines the purposes and means of processing personal data.
Processor: Bugni Labs processes personal data on behalf of the controller in accordance with documented instructions.
Scope of Processing
Processing details are documented in each engagement and typically include:
- Subject matter: Provision of engineering, platform, or AI services
- Duration: Term of the engagement plus necessary retention period
- Nature and purpose: As specified in the statement of work
- Types of personal data: Defined per engagement (e.g., employee data, customer data, technical logs)
- Categories of data subjects: As relevant to the client's business
Processor Obligations
Bugni Labs shall:
- Process personal data only on documented instructions from the controller
- Ensure persons authorised to process data are bound by confidentiality
- Implement appropriate technical and organisational security measures
- Respect conditions for engaging sub-processors
- Assist the controller in responding to data subject rights requests
- Assist with data protection impact assessments and consultations
- Delete or return personal data at the end of services (as instructed)
- Make available information necessary to demonstrate compliance
- Notify the controller of any personal data breach without undue delay
Security Measures
We implement security measures including:
- Encryption of data in transit and at rest
- Access controls and authentication mechanisms
- Regular security testing and vulnerability assessments
- Logging and monitoring of access to personal data
- Incident response and breach notification procedures
- Secure development practices and code reviews
- Employee security training and background checks
Detailed security controls are documented in our Information Security policy.
Sub-Processors
We may engage sub-processors for specific processing activities. Clients are informed of intended changes to sub-processors and may object. All sub-processors are bound by equivalent data protection obligations.
International Transfers
Where data is transferred outside the UK/EEA, we implement appropriate safeguards such as Standard Contractual Clauses or rely on adequacy decisions. See our Data Transfers policy.
Data Subject Rights
We assist controllers in responding to data subject requests (access, rectification, erasure, restriction, portability, objection) within agreed timeframes, typically within 72 hours of receiving a request.
Audits and Compliance
We allow for audits and inspections by the controller or appointed auditors, subject to reasonable notice, confidentiality obligations, and coordination to minimise disruption.
Data Breach Notification
In the event of a personal data breach, we notify the controller without undue delay and within 24 hours where feasible, providing all relevant information to enable the controller to meet regulatory notification obligations.
Data Deletion and Return
Upon termination or completion of services, we delete or return all personal data to the controller as instructed, unless legal obligations require continued storage. Certification of deletion is provided upon request.
Requesting a DPA
Clients requiring a formal DPA should contact us. We can accommodate client-specific DPAs or provide our standard DPA template.
Contact
Email: dpo@bugni.io
Compliance enquiries: compliance@bugni.io