Provider: Totality Systems Ltd
Version: 1.0
Effective Date: 16/04/2026

This Data Processing Addendum ("DPA") forms part of the Terms and Subscriptions Agreement between Totality Systems Ltd ("the Processor") and the Client ("the Controller"). Where there is any conflict between this DPA and the Terms and Conditions, this DPA shall prevail in relation to matters of data protection.

1. Definitions

  • "UK GDPR" means the UK General Data Protection Regulation and the Data Protection Act 2018.
  • "Personal Data" means any information relating to an identified or identifiable natural person processed by the Processor on behalf of the Controller.
  • "Sub-processor" means any third party appointed by the Processor to process Personal Data (e.g., cloud hosting providers).

2. Scope and Nature of Processing

The Processor shall process Personal Data only on the documented instructions of the Controller, including with regard to transfers of personal data to a third country, unless required to do so by UK law.

The nature of the processing is as follows:

  • Purpose: Provision of IT Support, Managed Services, Web/Email Hosting, and Cloud Functionality.
  • Subject Matter: Maintenance of Client IT infrastructure, user management, and hosting services.
  • Duration: For the duration of the Service Contract period plus any period required for decommissioning or legal retention.

3. Types of Personal Data and Categories of Data Subjects

The Processor may process the following categories of data:

  • Types of Personal Data: Names, business email addresses, telephone numbers, IP addresses, login credentials, system logs, and metadata associated with hosted services.
  • Categories of Data Subjects: Employees, contractors, and customers of the Client.

4. Technical and Organisational Security Measures

The Processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including:

  • Encryption: Use of industry-standard encryption for data at rest and in transit where applicable.
  • Access Control: Strict "Principle of Least Privilege" (PoLP) protocols, ensuring only authorised personnel have access to Client environments.
  • Authentication: Implementation of Multi-Factor Authentication (MFA) on all administrative entry points.
  • Resilience: Regular monitoring of system availability and scheduled patching/maintenance cycles.
  • Incident Response: A formalised procedure for detecting, reporting, and responding to security breaches.

5. Sub-processors

The Processor is authorised to engage Sub-processors (e.g., AWS, Microsoft Azure, Google Cloud) to facilitate hosting and infrastructure services. The Processor shall ensure that all Sub-processors are bound by data protection obligations no less stringent than those contained in this DPA.

6. Data Breach Notification

In the event of a confirmed Personal Data breach, the Processor shall notify the Controller without undue delay (and in any event within 48 hours of becoming aware of the breach), providing sufficient information to allow the Controller to meet its obligations under UK GDPR.

7. Audit and Compliance

The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in the UK GDPR and allow for audits/inspections conducted by or on behalf of the Controller.

8. Return or Deletion of Data

Upon termination of the Services, the Processor shall, at the choice of the Controller, delete or return all Personal Data processed on behalf of the Controller, unless UK law requires the storage of the personal data.