Last updated: 3 July 2026
This Data Processing Agreement (the "DPA") forms part of, and is incorporated by reference into, the Terms of Service between you (the "Controller") and Standard Tier (the "Processor", "we", "us"). It applies whenever we process personal data on your behalf through the Service, and it reflects our obligations under Article 28 of the UK GDPR and the Data Protection Act 2018.
You do not need to sign this DPA separately. By using the Service to process personal data about your staff, volunteers, or other individuals, you accept this DPA and instruct us to process that data on the terms set out below. If your organisation needs a countersigned copy, email jack@standardtier.co.uk and we will provide one.
Terms defined in the Terms of Service have the same meaning here. "Personal data", "processing", "controller", "processor", "data subject", and "personal data breach" have the meanings given in the UK GDPR. "Customer Personal Data" means personal data that we process on your behalf through the Service.
Data subjects: your venue managers, staff members, volunteers, and any other individuals whose personal data you submit to the Service.
Categories of personal data:
The Service is not intended to process special category data (as defined in Article 9 UK GDPR). You agree not to submit special category data through the Service without our prior written agreement.
You are the controller for Customer Personal Data and we are the processor. You are responsible for having a lawful basis to process that data, for informing data subjects about the processing, and for responding to requests they make about their rights.
We will process Customer Personal Data only on your documented instructions. Your instructions are set out in the Terms of Service, this DPA, and our Privacy Policy, together with any additional instructions you give us in writing. We will tell you without delay if, in our opinion, an instruction infringes the UK GDPR or other applicable data protection law.
We may also process Customer Personal Data where required to do so by UK law. If that happens, we will tell you before the processing unless the law prohibits us from doing so.
We will:
We will implement and maintain at least the following technical and organisational measures:
We keep these measures under review and will update them where reasonable to reflect changes in risk, technology, and good industry practice.
You give us general authorisation to appoint subprocessors. The subprocessors we currently use are listed on our Subprocessors page, which is the single up-to-date record of who we use and what for.
We will notify registered account holders by email at least 30 days before adding a new subprocessor that handles Customer Personal Data. If you have a reasonable objection based on data protection grounds, tell us within 15 days of the notice and we will use reasonable efforts to address the objection, including by offering a workaround or allowing you to cancel your subscription without penalty for the unused period.
Where we engage a subprocessor, we will put in place a written contract that imposes on the subprocessor substantially the same data protection obligations as those set out in this DPA, and we remain liable to you for the acts and omissions of the subprocessor to the same extent as if they were our own.
Where we or a subprocessor transfer Customer Personal Data outside the United Kingdom, we will put in place an approved transfer mechanism, such as the UK Extension to the EU-US Data Privacy Framework (UK-US Data Bridge), the International Data Transfer Agreement, or the UK Addendum to the EU Standard Contractual Clauses, along with any supplementary measures required.
If we become aware of a personal data breach affecting Customer Personal Data, we will notify you without undue delay and in any event within 24 hours of becoming aware. Our notification will include, to the extent known at the time, a description of the nature of the breach, the categories and approximate number of data subjects and records affected, the likely consequences, and the measures we have taken or propose to take. We send these notifications by email to the registered account holder for your venue, so please keep that address up to date. If an incident affects many customers at once, we will also publish a notice on standardtier.co.uk.
As controller, you are responsible for notifying the Information Commissioner's Office within 72 hours where the breach is notifiable under Article 33 UK GDPR, and for notifying affected data subjects where required under Article 34.
We will make available to you the information needed to demonstrate compliance with Article 28 UK GDPR and this DPA, and will allow for and contribute to audits, including inspections, conducted by you or an auditor mandated by you.
Because we operate a shared, multi-tenant platform, audits must be conducted in a way that does not interfere with the Service or other customers' data. In practice this means:
On termination or expiry of your subscription, we will at your choice delete or return all Customer Personal Data and delete existing copies, unless UK law requires further storage. Export tools are available through your account for at least 30 days after termination. After the retention periods set out in our Privacy Policy expire, any remaining Customer Personal Data will be deleted from our live systems and, within a further reasonable period, from backups in accordance with our backup rotation.
Each party's liability arising out of or in connection with this DPA is subject to the limitations and exclusions of liability set out in the Terms of Service. Nothing in this DPA limits or excludes any liability that cannot lawfully be limited or excluded, including liability for death or personal injury caused by negligence, for fraud, or under the UK GDPR where a cap would be contrary to law.
We may update this DPA to reflect changes in law, guidance, or our practices. Minor clarifications take effect when we post the updated version, with a new "last updated" date. For material changes we will give registered account holders at least 30 days' notice by email.
This DPA is governed by the law of England and Wales. The courts of England and Wales have exclusive jurisdiction over any dispute arising out of or in connection with this DPA, subject to any mandatory consumer protections that apply to you.
For data protection questions, breach reports, or requests under this DPA, email jack@standardtier.co.uk. You can also lodge a complaint with the Information Commissioner's Office at ico.org.uk.