Local time:

10 July, 18:36
10 July, 18:36

/Data Processing Agreement

(t)'s and (c)'s

How we process personal data on behalf of our managed service customers, in accordance with UK GDPR.

Last updated:

Jul 10, 2026

DATA PROCESSING AGREEMENT

Meta Eagle Limited

This Data Processing Agreement ("DPA") forms part of, and is incorporated by reference into, the Terms of Service between Meta Eagle Limited ("we", "us", "our") and the customer ("you", "your") (together, the "Contract"). It applies whenever we process personal data on your behalf in the course of providing the Services.

Last updated: July 2026

1. DEFINITIONS

In this DPA, unless the context otherwise requires, the following terms have the meanings given below. Terms not defined here have the meanings given in the Terms of Service.

“UK GDPR” means the UK General Data Protection Regulation, as defined in the Data Protection Act 2018.

“Data Protection Legislation” means the UK GDPR, the Data Protection Act 2018, the Privacy and Electronic Communications Regulations 2003, and any other applicable law relating to the processing of personal data, each as amended or replaced from time to time.

“Controller”, “Processor”, “Data Subject”, “Personal Data”, “Processing”, “Personal Data Breach” and “Special Category Data” have the meanings given to them in the UK GDPR.

“Customer Personal Data” means any Personal Data processed by us on your behalf in connection with the Contract.

“Sub-processor” means any third party appointed by us to process Customer Personal Data on your behalf in connection with the Services.

2. ROLES OF THE PARTIES

2.1 As between you and us, you are the Controller and we are the Processor in respect of Customer Personal Data processed in the course of delivering the Services, save that where the applicable quote, order, or statement of work specifies otherwise for a particular Service, that specification shall apply instead.

2.2 Each party shall comply with its respective obligations under the Data Protection Legislation. Nothing in this DPA relieves either party of any obligation it holds as a Controller in its own right, for example in respect of its own staff or business contacts.

2.3 You warrant that you have, and will maintain throughout the term of the Contract, a lawful basis under the Data Protection Legislation to disclose Customer Personal Data to us and to instruct us to process it as described in this DPA.

3. SUBJECT MATTER AND DETAILS OF PROCESSING

3.1 The subject matter, duration, nature and purpose of processing, types of Personal Data, and categories of Data Subjects are set out in Annex 1 to this DPA.

3.2 We shall process Customer Personal Data only for the purposes of providing the Services and in accordance with your documented instructions from time to time, including those set out in the Contract and any applicable quote, order, or statement of work, unless we are required to do otherwise by UK law, in which case we shall, to the extent permitted by law, notify you of that legal requirement before processing.

3.3 If we consider that an instruction from you infringes the Data Protection Legislation, we shall inform you promptly, and may suspend performance of that instruction pending your response.

4. OUR OBLIGATIONS AS PROCESSOR

4.1 We shall ensure that any person we authorise to process Customer Personal Data (including our employees, agents, and contractors) is subject to a binding written obligation of confidentiality.

4.2 We shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, taking into account the nature, scope, context, and purposes of the processing, in accordance with Article 32 of the UK GDPR. A summary of our current measures is set out in Annex 2.

4.3 We shall, taking into account the nature of the processing, provide reasonable assistance to you, at your cost, in responding to requests from Data Subjects to exercise their rights under the Data Protection Legislation, insofar as this is possible given the Services we provide.

4.4 We shall provide reasonable assistance to you, at your cost, in ensuring compliance with your obligations under Articles 32 to 36 of the UK GDPR (security of processing, breach notification, and data protection impact assessments), taking into account the nature of the processing and the information available to us.

4.5 We shall make available to you all information reasonably necessary to demonstrate our compliance with this DPA, and shall permit and contribute to audits, including inspections, conducted by you or an auditor mandated by you, subject to reasonable notice, confidentiality, and no more than once in any twelve-month period save where required following a Personal Data Breach or by a supervisory authority.

4.6 Where you, or a Data Subject, ask us to delete, remove, or otherwise action Customer Personal Data, including the deactivation or removal of an account, we shall act only on your written instruction. We will provide reasonable technical assistance to give effect to that instruction, such as disabling or removing an account, but we are not responsible for identifying, retaining, exporting, or otherwise managing the substantive data associated with it; that responsibility remains yours as Controller. Where a Data Subject contacts us directly with a request relating to their Personal Data, we shall, save where UK law requires otherwise, redirect that request to you rather than action it ourselves.

5. PERSONAL DATA BREACH

5.1 We shall notify you without undue delay, and in any event within 48 hours, after becoming aware of a Personal Data Breach affecting Customer Personal Data.

5.2 Our notification shall, so far as reasonably known to us at the time, describe the nature of the breach, the categories and approximate number of Data Subjects and records concerned, the likely consequences, and the measures taken or proposed to address it. We shall provide further information as it becomes available.

5.3 We shall take reasonable steps to contain and remediate a Personal Data Breach affecting Customer Personal Data, and shall cooperate with you in relation to any notification you are required to make to a supervisory authority or affected Data Subjects.

6. SUB-PROCESSORS

6.1 You provide general written authorisation for us to engage Sub-processors to process Customer Personal Data in connection with the Services. A current list of our Sub-processors is set out in Annex 3, which we shall keep up to date.

6.2 We shall give you not less than 14 days' notice before appointing a new Sub-processor or replacing an existing one, by updating Annex 3 and notifying you in accordance with Clause 20 of the Terms of Service. If you reasonably object to a new Sub-processor on data protection grounds within that notice period, we shall work with you in good faith to address your objection, which may include not appointing that Sub-processor or, where reasonably practicable, adjusting the affected Service.

6.3 We shall impose data protection obligations on each Sub-processor that are substantially equivalent to those set out in this DPA, and shall remain liable to you for each Sub-processor's performance of those obligations.

7. INTERNATIONAL TRANSFERS

Where we or a Sub-processor transfer Customer Personal Data outside the United Kingdom, we shall ensure that the transfer is subject to appropriate safeguards under the Data Protection Legislation, such as the UK International Data Transfer Agreement, an adequacy regulation, or another lawful transfer mechanism.

8. RETURN AND DELETION OF DATA

On termination or expiry of the Contract, we shall, at your written election, delete or return to you all Customer Personal Data in our possession, and delete existing copies, within 30 days, unless UK law requires us to retain some or all of that data, in which case we shall isolate and protect it from further processing except as required by that law.

9. LIABILITY

Each party's liability arising out of or in connection with this DPA, whether in contract, tort (including negligence), or otherwise, is subject to the limitations and exclusions of liability set out in the Terms of Service, including the liability cap in Clause 13.1 and the cyber incident provisions in Clause 13.4.

10. TERM

This DPA takes effect on the date it is incorporated into the Contract and continues for as long as we process Customer Personal Data on your behalf, notwithstanding termination or expiry of the Contract.

11. GENERAL

11.1 In the event of any conflict between this DPA and the Terms of Service on a matter relating to the processing of Customer Personal Data, this DPA shall prevail on that matter.

11.2 This DPA is governed by, and shall be construed in accordance with, English law, and the parties submit to the exclusive jurisdiction of the English courts.

ANNEX 1: DETAILS OF PROCESSING

Subject matter of processing

The provision of managed IT support, cloud licensing, cybersecurity, backup, and related Services by us to you, as set out in the applicable quote, order, or statement of work.

Duration of processing

For the duration of the Contract, and thereafter in accordance with Clause 8 (Return and Deletion of Data) of this DPA.

Nature and purpose of processing

Access to, and administration, monitoring, security, and backup of, your IT systems, networks, devices, and cloud services, in order to deliver the Services. This may include remote access, endpoint monitoring, email security, and data backup and recovery.

Categories of Data Subjects

  • Your employees, contractors, and workers

  • Your customers and business contacts, to the extent their Personal Data is held on systems we manage or have access to

Types of Personal Data

  • Names, job titles, and contact details

  • Account and login credentials, and device and network identifiers

  • Email content and attachments, to the extent held on systems we manage or have access to

  • Any other Personal Data held within your IT systems, networks, or backups that we access or process in the course of delivering the Services

Special Category Data

We do not expect to process Special Category Data in the ordinary course of providing the Services. Where Special Category Data is held within your systems and is incidentally accessible to us in the course of providing the Services, it is processed only to the extent necessary to deliver those Services, and you remain responsible for ensuring you have an appropriate lawful basis and condition for processing that data.

ANNEX 2: TECHNICAL AND ORGANISATIONAL MEASURES

A summary of the technical and organisational security measures we maintain is set out below. Further detail is available on request.

  • Role-based access controls and multi-factor authentication for administrative access to customer systems

  • Endpoint detection and response, and remote monitoring and management, tooling across managed devices

  • Encryption of data in transit and, where supported by the platform, at rest

  • Regular review and patching of systems used to deliver the Services

  • Staff confidentiality obligations and role-appropriate access to customer systems and data

  • Documented incident response procedures

  • Regular backup of data we are contracted to protect, in accordance with the applicable quote or order

ANNEX 3: SUB-PROCESSORS

The following categories of Sub-processor may be engaged to support the delivery of the Services. This list is maintained and kept current by us; the specific products within each category may change from time to time in accordance with Clause 6.2 of this DPA.

  • Remote monitoring and management (RMM) platform providers

  • Endpoint detection and response (EDR) and cybersecurity platform providers

  • Backup and disaster recovery platform providers

  • Professional services automation (PSA) and IT service management platform providers

  • Network monitoring platform providers

  • Cloud productivity and licensing distributors and platform providers

  • Multi-tenant cloud administration and security tooling providers

A named, current list of specific Sub-processor products in use is available on request by emailing admin@metaeagle.co.uk.

Meta Eagle

/Come and Soar with us.

Smart updates for smart people.

By submitting, you agree to our Terms and Privacy Policy

Abstract flowing waves in grayscale creating a smooth, undulating pattern with light and shadow gradients

Meta Eagle

/Come and Soar with us.

Smart updates for smart people.

By submitting, you agree to our Terms and Privacy Policy

Abstract flowing waves in grayscale creating a smooth, undulating pattern with light and shadow gradients

Meta Eagle

/Come and Soar with us.

Smart updates for smart people.

By submitting, you agree to our Terms and Privacy Policy

Abstract flowing waves in grayscale creating a smooth, undulating pattern with light and shadow gradients

Meta Eagle

/Come and Soar with us.

Smart updates for smart people.

By submitting, you agree to our Terms and Privacy Policy

Abstract flowing waves in grayscale creating a smooth, undulating pattern with light and shadow gradients