Last Updated: March 2026
This Data Processing Agreement ("DPA") forms part of the Service Agreement between TR7 Ltd ("TR7", the "Processor") and the customer ("Customer", the "Controller"). This DPA sets out the terms under which TR7 processes personal data on behalf of the Customer in compliance with the UK General Data Protection Regulation (UK GDPR), the EU General Data Protection Regulation (EU GDPR 2016/679), and the Data Protection Act 2018.
In this DPA, the terms "personal data", "data subject", "processing", "controller", "processor", "sub-processor", and "supervisory authority" shall have the meanings given to them in the UK GDPR and EU GDPR. "Data Protection Laws" means the UK GDPR, EU GDPR, the Data Protection Act 2018, and any applicable national implementing legislation, as amended from time to time.
The Customer acts as the Data Controller and determines the purposes and means of processing personal data. TR7 acts as the Data Processor and processes personal data solely on behalf of and in accordance with the documented instructions of the Customer. TR7 shall not process personal data for any purpose other than as instructed by the Customer, unless required to do so by applicable law, in which case TR7 shall inform the Customer prior to processing (unless prohibited by law).
The following categories of personal data may be processed under this DPA:
Data Subjects: Customer's employees, contractors, end users, and authorised contacts.
Categories of Personal Data:
• Contact information (name, email address, phone number, job title)
• Account credentials (usernames, encrypted passwords)
• System access logs and IP addresses
• Technical support communications and ticket content
• Configuration metadata associated with named users
Special Categories: TR7 does not intentionally process special categories of personal data (e.g., health data, biometric data). The Customer shall not submit special category data to TR7 without prior written agreement.
TR7 processes personal data solely for the purposes of:
• Providing and operating the TR7 Software and related services
• Delivering technical support and professional services
• Managing user accounts and access controls
• Generating usage analytics and performance reports (anonymised where possible)
• Complying with legal and regulatory obligations
Processing shall continue for the duration of the Service Agreement and shall cease upon termination, subject to Section 10 (Data Retention and Deletion).
TR7 implements and maintains appropriate technical and organisational measures to protect personal data, including but not limited to:
The Customer provides general written authorisation for TR7 to engage sub-processors for the processing of personal data, subject to the following conditions:
• TR7 shall maintain a list of current sub-processors, available upon request.
• TR7 shall notify the Customer at least thirty (30) days prior to engaging a new sub-processor or replacing an existing one.
• The Customer may object to a new sub-processor within fourteen (14) days of notification. If the Customer objects on reasonable grounds and TR7 cannot accommodate the objection, either party may terminate the affected services.
• TR7 shall impose data protection obligations on each sub-processor that are no less onerous than those set out in this DPA.
• TR7 shall remain fully liable for the acts and omissions of its sub-processors.
TR7 shall assist the Customer in responding to requests from data subjects exercising their rights under Data Protection Laws, including the right of access, rectification, erasure, restriction of processing, data portability, and the right to object. TR7 shall promptly notify the Customer if it receives a request from a data subject directly and shall not respond to such request without the Customer's prior written instructions, unless required by law.
TR7 shall notify the Customer without undue delay, and in any event within 72 hours, upon becoming aware of a personal data breach. The notification shall include:
• The nature of the breach, including the categories and approximate number of data subjects and records affected
• The likely consequences of the breach
• The measures taken or proposed to address the breach and mitigate its effects
• The contact details of TR7's data protection point of contact
TR7 shall cooperate with the Customer and take all reasonable steps to assist in the investigation, mitigation, and remediation of the breach.
Upon termination of the Service Agreement, TR7 shall, at the Customer's election, either return all personal data to the Customer or securely delete all personal data within ninety (90) days, unless retention is required by applicable law. TR7 shall provide written confirmation of deletion upon the Customer's request. Any personal data retained for legal compliance purposes shall continue to be protected in accordance with this DPA.
TR7 shall not transfer personal data outside the United Kingdom or the European Economic Area (EEA) without the Customer's prior written consent and without ensuring that appropriate safeguards are in place, such as:
• Standard Contractual Clauses (SCCs) approved by the UK Information Commissioner's Office (ICO) or the European Commission
• An adequacy decision by the UK Secretary of State or the European Commission
• Binding Corporate Rules approved by the relevant supervisory authority
TR7 shall conduct a transfer impact assessment where required and implement supplementary measures as necessary to ensure an essentially equivalent level of data protection.
TR7 shall make available to the Customer all information necessary to demonstrate compliance with this DPA and shall allow for and contribute to audits, including inspections, conducted by the Customer or an independent auditor mandated by the Customer. Such audits shall be conducted with reasonable prior notice (at least thirty days), during normal business hours, and shall not unreasonably interfere with TR7's operations. The Customer shall bear the costs of any audit unless the audit reveals a material non-compliance by TR7.
TR7 shall provide reasonable assistance to the Customer in conducting Data Protection Impact Assessments (DPIAs) where required by Data Protection Laws, and in any prior consultation with the relevant supervisory authority.
The liability of each party under this DPA shall be subject to the limitations set out in the Service Agreement and the End User License Agreement (EULA). Each party shall be liable for damages caused by processing that infringes Data Protection Laws, in accordance with the liability provisions of the UK GDPR and EU GDPR.
For data protection inquiries:
TR7 Ltd
Data Protection Contact
EAGLE TOWER, Montpellier Drive, Office Suite 120
Cheltenham GL50 1TA, United Kingdom
Email: privacy@tr7.com
UK Information Commissioner's Office (ICO): ico.org.uk