Data Processing Agreement
Last updated: 28 May 2026
What this document is for.
UK GDPR (Article 28) requires a written agreement wherever one party processes personal data on behalf of another. You (the customer) are the data controller for your own customers' data. I (Pandemonium Software Ltd, trading as ModuForge) am the data processor — I handle some of that data on your behalf to build, host, and maintain your website.
This DPA is part of the Terms of Service. By accepting the terms at intake, you also accept this DPA.
1. Definitions
- "Controller" — you, the customer who signs up for ModuForge services.
- "Processor" — Pandemonium Software Ltd (company number 16948391), trading as ModuForge.
- "Personal Data" — any information relating to an identified or identifiable natural person, as defined by UK GDPR Article 4(1).
- "Sub-processor" — a third party engaged by the Processor to process Personal Data on behalf of the Controller.
- "Data Subject" — the individual whose Personal Data is processed (typically your customers, website visitors, or newsletter subscribers).
- "UK GDPR" — the General Data Protection Regulation as retained in UK law by the European Union (Withdrawal) Act 2018, read with the Data Protection Act 2018.
2. Scope and purpose of processing
The Processor processes Personal Data solely to deliver the services described in the Terms of Service:
- Building, hosting and maintaining the Controller's website.
- Configuring and managing connected services on the Controller's behalf (email sending, booking, Google Business Profile, payment processing).
- Running operational automation (review monitoring, GBP audits, analytics digests).
- Providing ongoing support, updates, and change requests.
The Processor does not process Personal Data for any purpose other than delivering the contracted services, and never sells, rents, or shares Personal Data for marketing purposes.
3. Categories of Personal Data processed
| Category | Examples |
|---|---|
| Controller identity | Name, email, phone, business name, address |
| Controller's customer data | Newsletter subscriber emails, enquiry form submissions, booking requests |
| Website content | Photos, testimonials, service descriptions, brand assets |
| Payment data | Invoice amounts, payment dates, subscription status (card details handled by Stripe — never seen or stored by the Processor) |
| Analytics and logs | Page views, referrers, device type (aggregated, no individual tracking) |
Special category data: the Processor does not knowingly process any special category data (Article 9) or criminal offence data (Article 10). If the Controller's website collects such data, the Controller must inform the Processor in writing before processing begins.
4. Processor obligations
The Processor shall:
- Process Personal Data only on documented instructions from the Controller (which are the Terms of Service and any written change requests), unless required by law to do otherwise — in which case the Processor will inform the Controller before processing, unless legally prohibited from doing so.
- Ensure that any persons authorised to process the Personal Data are bound by confidentiality obligations. As a one-person operation, this applies to Ben Pandher (sole director) and any contractors engaged in future.
- Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including: encryption of data in transit (HTTPS/TLS), access controls on all systems, automated data deletion processes, and regular security reviews.
- Not engage another processor (sub-processor) without the Controller's prior specific or general written authorisation, as Article 28(2) UK GDPR requires — the general authorisation and the current list are in Section 6.
- Assist the Controller in responding to Data Subject requests (access, rectification, erasure, portability, restriction, objection) within the timeframes required by UK GDPR.
- Assist the Controller in ensuring compliance with Articles 32 to 36 (security, breach notification, impact assessments, prior consultation) taking into account the nature of processing and the information available to the Processor.
- At the Controller's choice, delete or return all Personal Data after the end of the service — and delete existing copies unless UK law requires storage. See Section 8.
- Make available to the Controller all information necessary to demonstrate compliance with Article 28, and allow for and contribute to audits conducted by the Controller or an auditor mandated by the Controller.
5. Controller obligations
The Controller shall:
- Ensure there is a lawful basis for providing Personal Data to the Processor (typically contract performance or legitimate interest).
- Provide clear and complete instructions regarding the processing of Personal Data.
- Be responsible for the accuracy of Personal Data provided.
- Fulfil its own obligations to Data Subjects (privacy notices, consent collection where required, responding to rights requests).
6. Sub-processors
The Controller provides general written authorisation for the Processor to engage the following sub-processors. The Processor will notify the Controller by email before adding or replacing a sub-processor, giving the Controller the opportunity to object within 14 days.
| Sub-processor | Purpose | Location |
|---|---|---|
| Cloudflare, Inc. | Website hosting (Workers, Pages, R2, D1), DNS, CDN, DDoS protection | US (global edge) |
| Notion Labs, Inc. | Customer records, project management, intake data storage | US |
| Resend, Inc. | Transactional email delivery (intake confirmations, notifications, newsletters) | US |
| Stripe, Inc. | Payment processing, subscription billing, invoicing | US / Ireland |
| Google LLC | Google Business Profile management (Places API), Google Maps | US |
| Anthropic, PBC | AI operations assistant (enquiry processing, GBP audits, content analysis). Does not train on customer data per Anthropic commercial terms. | US |
| Sentry (Functional Software, Inc.) | Error tracking and application monitoring | US |
International transfers: several sub-processors are based in the United States. Each transfer is made under a UK-recognised transfer mechanism incorporated in that provider's data processing terms: the UK International Data Transfer Agreement (IDTA), or the EU standard contractual clauses (SCCs) together with the UK Addendum (EU SCCs alone do not cover a restricted transfer under UK GDPR). The Processor will ensure by written contract that any sub-processor is bound by data protection obligations at least equivalent to those in this DPA, as Article 28(4) requires.
7. Data breach notification
If the Processor becomes aware of a Personal Data breach, it will:
- Notify the Controller without undue delay and in any event within 24 hours of becoming aware of the breach.
- Provide sufficient detail for the Controller to fulfil its own breach notification obligations under Articles 33 and 34 UK GDPR, including: the nature of the breach, categories and approximate number of Data Subjects affected, likely consequences, and measures taken or proposed to address the breach.
- Cooperate with the Controller and take reasonable commercial steps to assist in the investigation, mitigation and remediation of the breach.
8. Data retention and deletion
The Processor applies the following retention periods, aligned with the automated GDPR retention system described in the Terms of Service (Section 11):
- Personal data (content, contacts, brand assets, subscriber lists, analytics): deleted automatically 30 days after the Controller cancels the service. The 30-day window allows for change-of-mind reactivation and final-invoice handling.
- Financial records (invoice amounts, payment dates, business name): retained for 7 years from the end of the tax year in which they arose. This meets or exceeds the statutory minimum retention periods for company accounting and VAT records (Companies Act 2006 s388, VATA 1994 Sch 11) and HMRC record-keeping guidance. These records contain the minimum data necessary for the legal obligation.
- Anonymised audit logs: after deletion completes, an internal record is kept (timestamp + customer reference only — no Personal Data) to demonstrate the scrub was performed.
The Controller may request early erasure of Personal Data (before the 30-day window expires) by emailing pandamoniumsoftwareltd@gmail.com. The Processor will treat this as a documented instruction under Section 4 and action it without undue delay, and in any event within one month (the timeframe Article 12(3) UK GDPR sets for Data Subject erasure requests under Article 17), except where retention is required by law (financial records).
9. Data Subject rights
If a Data Subject contacts the Processor directly with a rights request (access, rectification, erasure, restriction, portability, objection, or a data protection complaint under the Data (Use and Access) Act 2025), the Processor will:
- Promptly notify the Controller of the request.
- Assist the Controller in responding within the UK GDPR timeframe (one calendar month, extendable by two months for complex requests).
- Not respond to the Data Subject directly without the Controller's instruction, unless required by law.
10. Audits
The Controller may request an audit of the Processor's compliance with this DPA by giving 14 days' written notice. The Processor will cooperate and provide reasonable access to relevant records and systems. Audits will be conducted during normal business hours and will not unreasonably interfere with the Processor's operations.
11. Liability
Each party's liability under this DPA is subject to the limitations set out in Section 12 of the Terms of Service.
12. Term and termination
This DPA comes into effect when the Controller accepts the Terms of Service and remains in effect for as long as the Processor processes Personal Data on behalf of the Controller. It terminates automatically when all Personal Data has been deleted or returned in accordance with Section 8.
13. Governing law
This DPA is governed by the laws of England and Wales. Any dispute arising under this DPA shall be subject to the exclusive jurisdiction of the courts of England and Wales.
14. Contact
For any questions about this DPA, contact the Processor at pandamoniumsoftwareltd@gmail.com.
Processor details
- Legal entity: Pandemonium Software Ltd
- Companies House number: 16948391
- Registered office: 10 Olivers Close, Long Hanborough, Witney, OX29 8GL, England
- Contact: pandamoniumsoftwareltd@gmail.com