Data Processing Agreement (DPA)

Version: 1.0
Effective Date: 15.12.25

This Data Processing Agreement (“Agreement” or “DPA”) forms part of the contract between:

Aheadoftheherd Ltd (trading as “Fetch”)
31 High View Close, Hamilton Office Park, Leicester, Leicestershire, England, LE4 9LJ
Company Number: 07660516
(“Processor”, “Fetch”, “we”, “us”)

and

The Customer using the Fetch platform
(“Controller”, “Customer”, “you”)
(each a “Party”, together the “Parties”).

This DPA governs Fetch’s processing of personal data on behalf of the Customer in connection with the Fetch Service.

1. Definitions

“Personal Data” means any information relating to an identified or identifiable individual as defined in UK GDPR.
“UK GDPR” means the UK General Data Protection Regulation as incorporated into UK law under the Data Protection Act 2018.
“Processing” means any operation performed on Personal Data, including collection, storage, retrieval, transmission, deletion, or analysis.
“Sub-processor” means any third party engaged by Fetch to process Personal Data on our behalf.
“Service” means the Fetch platform, applications, extensions, and all related tools and features.
“International Transfer” means a transfer of Personal Data outside the UK.

2. Roles of the Parties

2.1 Controller
The Customer is the Data Controller of the Personal Data processed through the Service.

2.2 Processor
Fetch is the Data Processor and processes Personal Data on your documented instructions only.

3. Scope and Purpose of Processing

Fetch processes Personal Data solely to provide the Service, including:

  • Publishing and scheduling social media content
  • Connecting and managing social media accounts
  • Providing analytics and insights
  • Storing drafts, media, and user content
  • Monitoring platform usage and security
  • Providing customer support
  • Maintaining, improving, and securing the Service

A full description of processing is provided in Annex 1. Fetch will not process Personal Data for purposes other than those described unless required by law.

4. Instructions from the Controller

Fetch will process Personal Data only:

  • On documented instructions from the Customer,
  • Through configuration and use of the Service provided by the Customer, or
  • Where required by law (Fetch will inform the Customer unless prohibited).

If Fetch believes an instruction breaches data protection law, we will notify the Customer.

5. Customer Responsibilities

The Customer agrees to:

  1. Ensure the lawful collection and transfer of Personal Data to Fetch.
  2. Obtain all necessary permissions from users, employees, clients, or social media account owners.
  3. Ensure social media accounts are connected lawfully and in compliance with platform policies.
  4. Not upload or process Special Category Data using Fetch unless expressly agreed.
  5. Maintain control over user access, account settings, and revocation of tokens or social media permissions.

6. Sub-processors

Fetch uses Sub-processors to provide hosting, storage, analytics, payments, email delivery, and other technical services.

6.1 Authorised Sub-processors
The Customer gives general authorisation for Fetch to engage Sub-processors. A current list of Sub-processors is available on request.

6.2 Sub-processor obligations
Fetch will ensure all Sub-processors:

  • Are bound by written agreements with data protection obligations no less protective than this DPA
  • Implement appropriate security measures
  • Only process Personal Data as necessary to provide their services

6.3 Adding/Changing Sub-processors
Fetch will notify the Customer of material Sub-processor changes.
The Customer may object in writing for legitimate data protection reasons.

7. International Data Transfers

Fetch may transfer Personal Data outside the UK as required to provide the Service. All transfers will comply with UK GDPR using one of the following:

  • The UK International Data Transfer Agreement (IDTA)
  • The UK Addendum to the EU Standard Contractual Clauses (SCCs)
  • A UK adequacy regulation
  • Appropriate contractual, organisational, and technical safeguards

Fetch will not transfer data internationally without a valid transfer mechanism.

8. Confidentiality

Fetch ensures all personnel and Sub-processors authorised to process Personal Data:

  • Are subject to confidentiality obligations
  • Access data only as required
  • Receive appropriate training

9. Security Measures

Fetch will implement and maintain appropriate technical and organisational measures, including but not limited to:

  • Encryption in transit
  • Access controls and authentication
  • Secure development and testing practices
  • Regular backups
  • Network monitoring and intrusion detection
  • Logging and audit trails
  • Data minimisation and separation
  • Incident response procedures

A detailed list is provided in Annex 2.

10. Personal Data Breach Notification

In the event of a Personal Data Breach affecting Customer data:

  • Fetch will notify the Customer without undue delay.
  • Notifications will include details of the breach, likely consequences, and mitigation steps.

The Customer is responsible for notifying the ICO or individuals, where required.

11. Data Subject Rights

Fetch will support the Customer in responding to:

  • Access requests
  • Rectification or deletion requests
  • Objections or restrictions
  • Data portability

Fetch will not respond directly to a data subject unless authorised by the Customer or required by law.

12. Data Retention, Return, and Deletion

Upon termination of the Service:

  • The Customer may export its data via available tools.
  • Fetch will delete or anonymise Customer Personal Data within 90 days unless we are required to retain it for legal or regulatory purposes.

Backups may persist for limited retention windows but remain protected.

13. Audits

Fetch will:

  • Make available documentation necessary to demonstrate compliance
  • Allow audits or inspections by the Customer or auditor (subject to reasonable notice, confidentiality, and limited to once per year unless required by law)

Remote audits and documentation reviews will be the default method.

14. Liability

The Parties’ liability under this DPA mirrors the liability terms set out in the main contract or Terms of Use.

Nothing in this DPA limits either Party’s liability for breach of data protection law, fraud, or wilful misconduct.

15. Duration

This DPA remains in force for the duration of:

  • The Customer’s contract with Fetch, and
  • Any period during which Fetch retains Personal Data on behalf of the Customer.

16. Business Sale or Change of Ownership

If Fetch (Aheadoftheherd Ltd) undergoes a merger, acquisition, restructuring, sale of assets, or transfer of ownership:

  • Personal Data processed under this DPA may be transferred to the new entity
  • The new entity will assume the obligations of Fetch under this DPA
  • Fetch will notify the Customer of the transfer

No additional consent is required for this transfer, provided the new entity maintains a level of protection materially similar to this DPA.

17. Governing Law

This DPA is governed by the laws of England and Wales.
Any disputes shall be subject to the exclusive jurisdiction of the English courts.

Annex 1: Description of Processing

Category: Description
Nature of Processing: Storage, transmission, analysis, scheduling, publishing, retrieval, and deletion of social media and user account data.
Purpose: To provide the Fetch Service, including social publishing, analytics, content management, support, and security.
Types of Personal Data: Social media profile IDs, usernames, access tokens, posts and drafts, analytics data, engagement metrics, images, video, account metadata, user contact details, support messages.
Data Subjects: Customer employees, contractors, social media account owners, and individuals whose data appears in social content.
Processing Duration: For the term of the Customer’s contract + up to 90 days for deletion processes and backups.

Annex 2: Security Measures

Fetch implements the following controls:

  • Encryption in transit (TLS)
  • Secure password hashing
  • Role-based access control
  • Multi-factor authentication options
  • Logging and monitoring
  • Network firewalls and DDoS protection
  • Regular penetration tests
  • Secure coding standards
  • Automated backup systems
  • Incident response and disaster recovery processes
  • Least-privilege access for staff
  • Sub-processor due diligence and monitoring