Data Processing Addendum
Our DPA sets the rules for how MetricLift, acting as a processor, handles your customer data—covering security, subprocessors, transfers, and data subject rights.
Last updated: 11 October 2025 · Version 1.0
Plain English summary
- MetricLift acts as processor for business customers; you remain the controller.
- Security, subprocessors, and international transfers follow contractual safeguards.
- Use this DPA with our Privacy and Cookie policies for a full compliance pack.
1. Definitions
Terms like Controller, Processor, Personal Data, and Processing keep the meanings provided by applicable data protection law.
2. Roles
MetricLift is the Processor only when handling personal data on behalf of a subscribed customer; the customer stays the Controller.
3. Subject matter and duration
Processing scope, duration, and data categories follow the master service agreement and this DPA.
4. Instructions and purpose limitation
We act solely on documented Controller instructions, including those covering cross-border transfers or subprocessors.
5. Security
MetricLift maintains appropriate technical and organisational controls (encryption, access controls, monitoring). Control summaries are available on request.
6. Subprocessors
Subprocessors are vetted, contractually bound, and listed for transparency. We remain responsible for their work.
7. International transfers
Transfers outside the UK/EU rely on SCCs, adequacy decisions, or other approved safeguards.
8. Data subject requests
We assist Controllers in fulfilling access, deletion, or restriction requests, provided we receive sufficient details.
9. Audit and compliance
We provide information to demonstrate compliance and allow audits or questionnaires where reasonable and agreed.
10. Liability
Liability follows the main agreement. Nothing here removes statutory rights available to either party.
Contact
Request the executable DPA or processor list via info@metriclift.co.uk.