Data Protection Agreement
Last updated: 26 April 2026
This Data Protection Agreement ("DPA") forms part of the agreement between Digital Team Group Limited ("we", "us", "our", the Processor) and the customer using the At9 Service (the Controller). It sets out how we process personal data on the Controller's behalf in compliance with the UK General Data Protection Regulation ("UK GDPR"), the Data Protection Act 2018, and where applicable the EU GDPR.
How to read this: When you use At9 to manage bookings for your business, you (the Controller) are deciding what personal data is collected from your end-customers. We (the Processor) only handle that data on your behalf, on your instructions. This DPA describes the rules we follow.
1. Definitions
Terms used in this DPA have the meanings given to them in the UK GDPR. In particular:
- "Controller" means the natural or legal person, public authority, agency or other body which determines the purposes and means of the processing of personal data.
- "Processor" means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the Controller.
- "Personal Data" means any information relating to an identified or identifiable natural person processed under the Service.
- "Data Subject" means an identified or identifiable natural person to whom Personal Data relates (typically the Controller's end-customers and staff).
- "Sub-processor" means any third party engaged by us to process Personal Data on the Controller's behalf.
- "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data.
2. Roles and scope
The parties acknowledge that, with respect to the processing of Personal Data within Customer Data:
- The Controller acts as the data controller.
- We act as the data processor.
This DPA applies to all Personal Data we process on the Controller's behalf in providing the Service. It applies in addition to our Terms of Use and Privacy Policy.
3. Details of the processing
The subject matter, nature, purpose, duration, types of Personal Data and categories of Data Subjects are set out in Annex A below.
4. Our obligations as Processor
We will:
- Process Personal Data only on documented instructions from the Controller, including with regard to international transfers, except where required to do otherwise by applicable law.
- Ensure that persons authorised to process Personal Data are bound by appropriate confidentiality obligations.
- Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk (see Annex C).
- Engage Sub-processors only in accordance with section 6.
- Assist the Controller, taking into account the nature of the processing, to respond to requests from Data Subjects exercising their rights (see section 7).
- Assist the Controller in complying with its obligations under Articles 32 to 36 of the UK GDPR, taking into account the nature of the processing and the information available to us.
- At the Controller's choice, delete or return all Personal Data after the end of the provision of services, and delete existing copies unless storage is required by law (see section 11).
- Make available to the Controller all information necessary to demonstrate compliance with the obligations in this DPA and allow for and contribute to audits (see section 10).
5. Controller's obligations
The Controller is responsible for:
- Ensuring it has a valid lawful basis to collect and process the Personal Data and to make it available to us for processing.
- Providing all necessary notices and obtaining all necessary consents from Data Subjects.
- Issuing accurate and lawful instructions to us with regard to the processing.
- Ensuring its use of the Service complies with applicable data protection laws.
6. Sub-processors
The Controller grants us general written authorisation to engage Sub-processors to provide parts of the Service (such as cloud hosting, payment processing, email delivery and crash reporting). A current list of Sub-processors is set out in Annex B.
We will:
- Enter into a written contract with each Sub-processor that imposes data protection obligations no less protective than those in this DPA.
- Remain liable to the Controller for the performance of each Sub-processor's obligations.
- Inform the Controller of any intended addition or replacement of Sub-processors at least 30 days in advance, giving the Controller an opportunity to object on reasonable data protection grounds.
7. Data subject rights
If we receive a request from a Data Subject to exercise their rights under the UK GDPR (such as the right of access, rectification, erasure, restriction, portability or objection), we will:
- Promptly forward the request to the Controller, without responding to the Data Subject directly except as instructed by the Controller or required by law.
- Provide reasonable assistance, including by appropriate technical and organisational measures, to enable the Controller to respond to the request.
8. Personal Data Breach notification
We will notify the Controller without undue delay, and in any event within 48 hours, after becoming aware of a Personal Data Breach affecting the Controller's Personal Data. The notification will include, to the extent known:
- A description of the nature of the breach, including the categories and approximate number of Data Subjects and records affected.
- The likely consequences of the breach.
- Measures taken or proposed to address the breach and mitigate its effects.
- Contact details for further information.
We will cooperate with the Controller in investigating and responding to any breach.
9. International transfers
Personal Data is primarily processed within the United Kingdom and the European Economic Area. Where we transfer Personal Data outside these regions, we will ensure that an appropriate transfer mechanism is in place, such as:
- An adequacy decision by the UK Government or European Commission.
- The UK International Data Transfer Agreement, the UK Addendum to the EU Standard Contractual Clauses, or the EU Standard Contractual Clauses (as applicable), each incorporated by reference into this DPA.
- Such other valid transfer mechanism as is permitted under UK GDPR or EU GDPR.
10. Audits
We will make available to the Controller, on reasonable written request, information necessary to demonstrate compliance with this DPA, including the most recent third-party security audit reports we hold. The Controller may, at its own cost and no more than once per calendar year (or more frequently in case of a confirmed Personal Data Breach), conduct an audit of our compliance, subject to reasonable advance notice and to reasonable confidentiality and security restrictions.
11. Return and deletion of Personal Data
On termination or expiry of the agreement, we will, at the Controller's choice:
- Make Personal Data available for export by the Controller for a period of 30 days, after which we will delete it; or
- Return Personal Data to the Controller in a structured, commonly used and machine-readable format and then delete it.
We will delete copies in our backups within 12 months of termination, except to the extent retention is required by applicable law.
12. Liability
Each party's liability arising under or in connection with this DPA is subject to the limitations set out in our Terms of Use. Nothing in this DPA limits or excludes liability that cannot be limited or excluded under applicable law.
13. Term and termination
This DPA takes effect on the date the Controller starts using the Service and continues for the duration of the provision of the Service. The obligations in sections 4 (Our obligations as Processor), 8 (Personal Data Breach notification), 11 (Return and deletion) and 12 (Liability) survive termination as necessary to give them effect.
14. Order of precedence
If there is any conflict or inconsistency between this DPA and the Terms of Use or Privacy Policy, this DPA prevails to the extent of the conflict in respect of the processing of Personal Data on behalf of the Controller.
15. Amendments
We may update this DPA from time to time to reflect changes in applicable law, the Service or our processing practices. Material changes will be notified to the Controller at least 30 days in advance and will take effect on the date stated in the notification.
16. Governing law
This DPA is governed by the laws of England and Wales, and the courts of England and Wales have exclusive jurisdiction over any dispute arising from or in connection with it.
17. Contact
For questions about this DPA or to make any data protection request:
Email: contact@at9.app
Post: Digital Team Group Limited, Elmpark House, 3 Elmpark View, York, YO31 1DY
Annex A — Details of the processing
| Subject matter | Provision of the At9 booking management Service to the Controller, enabling the Controller to take and manage bookings for its business. |
|---|---|
| Duration | For as long as the Controller has an active subscription, plus the post-termination retention periods set out in section 11 and our Privacy Policy. |
| Nature and purpose | Hosting, storage, transmission, organisation, retrieval, display, backup and deletion of Personal Data, and providing related support services, all for the purpose of providing the Service. |
| Types of Personal Data | Names, email addresses, phone numbers, business names, booking dates and times, room or resource assignments, notes, customer references, and any other Personal Data the Controller chooses to enter into the Service. |
| Categories of Data Subjects | The Controller's authorised users (e.g. staff), the Controller's customers (e.g. diners, pet owners, clients) whose bookings are recorded in the Service, and any other Data Subjects whose information the Controller enters. |
| Special category data | The Service is not designed or intended for the processing of special category data (Article 9 UK GDPR). The Controller agrees not to enter such data into the Service except where strictly necessary and in accordance with applicable law. |
Annex B — Sub-processors
The following Sub-processors are currently engaged in providing the Service. The list is subject to change in accordance with section 6.
| Sub-processor | Service | Location |
|---|---|---|
| [Hosting provider] | Cloud infrastructure and database hosting | UK / EU |
| [Payment processor] | Subscription billing and payment processing | UK / EU / US (with SCCs) |
| [Email provider] | Transactional email delivery | EU / US (with SCCs) |
| [Crash reporting] | Application monitoring and crash reporting | EU / US (with SCCs) |
| [Analytics] | Privacy-friendly product analytics | EU |
Annex C — Technical and organisational measures
We implement and maintain technical and organisational measures designed to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access. These measures include:
Access control
- Multi-factor authentication required for all staff with access to production systems.
- Role-based access control following the principle of least privilege.
- Regular review of access permissions.
- Immediate revocation of access on departure of personnel.
Encryption
- All data in transit between the app and our servers is encrypted using TLS 1.2 or higher.
- Sensitive data at rest is encrypted using industry-standard algorithms.
- Passwords are hashed using a strong, salted, slow hashing algorithm.
Network and infrastructure security
- Production systems hosted in ISO 27001 certified data centres.
- Firewalls, network segmentation and intrusion detection.
- Regular vulnerability scanning and dependency monitoring.
Operational security
- Documented change management process for production deployments.
- Comprehensive logging and monitoring of access to Personal Data.
- Encrypted backups with regular restore testing.
- Documented incident response procedures.
Personnel
- All staff with access to Personal Data undergo background checks.
- Confidentiality obligations included in employment contracts.
- Regular data protection and security training.
Physical security
- Office access controlled by keycard.
- Devices used to access production systems are encrypted and centrally managed.