This page summarises the terms on which Atago Green Ltd acts as a data processor under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 when delivering services to its clients. It should be read alongside our Privacy Notice, which describes the personal data we handle as a data controller.
This is a summary. It is not the binding contract. Where a client engagement involves Atago Green acting as a processor on the client's behalf, a full Data Processing Agreement (DPA) will be executed between the client (as controller) and Atago Green (as processor) at the point of engagement. Defined terms used here have the meaning given in the UK GDPR.
1. About This Summary
This summary is published so that prospective clients, their procurement and risk teams, and their data protection officers can understand our standard processor position before due diligence and contracting. It reflects the standard terms on which we contract. Where a client requires variations, those will be reflected in the executed DPA and will take precedence.
This summary does not create rights for data subjects or third parties. Data subjects whose personal data we process should refer to the privacy notice of the client who is the controller of that data. Where we are the controller, our Privacy Notice applies.
2. When We Act as a Processor
Atago Green operates in two different data protection roles depending on the activity:
- We are the controller for personal data we collect and use for our own business purposes — for example, managing our sales pipeline, contracting with clients and suppliers, running our website, and analysing publicly published Financial Ombudsman Service decision data. These activities are described in our Privacy Notice and recorded in our Article 30 Record of Processing Activities. They are not covered by this DPA summary.
- We are a processor when a client supplies us with personal data and instructs us to process it for the purposes of the services we deliver to that client. Typical examples include analysis of a client's own complaints data, ingestion of client-specific case records into our FOS Watch insight product, and consulting engagements that involve handling client documents or records containing personal data.
Where it is unclear in a given engagement which role applies, we will agree the position with the client in writing before any processing begins. The Article 28 DPA only applies to processing in which we act as a processor on the client's instructions.
3. Subject Matter, Duration, Nature and Purpose of Processing
In line with Article 28(3) UK GDPR, the following elements will be set out for each client engagement in the executed DPA. Our standard position is summarised below.
| Element | Standard position |
|---|---|
| Subject matter | Personal data provided by the client, or generated in the course of providing services to the client, that is necessary for delivery of the agreed services. |
| Duration | For the duration of the underlying services agreement (including any pilot, proof-of-concept, or evaluation period), plus any further period required to return or delete the data. |
| Nature of processing | Receipt, storage, analysis, structuring, classification, tagging, reporting, and (where instructed) deletion of personal data, using our standard tooling and methodology. |
| Purpose of processing | Delivery of the services described in the underlying services agreement — typically the provision of regulatory and ombudsman analytics, insight products such as FOS Watch / Insight Hub, and related consulting outputs. |
4. Categories of Personal Data and Data Subjects
The categories of personal data and the categories of data subjects involved depend on the specific engagement and will be confirmed in the executed DPA. Our standard expectation is set out below.
Typical categories of personal data we may process as a processor include:
- identifiers and contact details (names, job titles, work email, work telephone);
- case-related information from client complaints or operational records (such as case reference numbers, dates, narrative free-text, outcomes, and any personal information contained within those records);
- metadata associated with the above (for example, system identifiers, timestamps, and document references).
Typical categories of data subjects whose personal data we may process as a processor include:
- the client's customers (including complainants) and their representatives;
- the client's employees, agents, contractors and other personnel whose information appears within the records supplied;
- third parties who appear in the records supplied (for example, named advisers, witnesses, or other connected individuals).
We do not seek to process special category personal data (UK GDPR Article 9) or criminal offence data (Article 10). Where such data may incidentally appear within records supplied by a client (for example, references to health or financial difficulty in a complaint file), the client must identify this in advance so that additional safeguards can be agreed.
5. Our Responsibilities as Processor
As a processor under Article 28 UK GDPR, we will:
- process personal data only on the documented instructions of the client controller, including with regard to international transfers, unless we are otherwise required to do so by law;
- ensure that personnel authorised to process the personal data are bound by appropriate confidentiality obligations (whether through contract of employment, contractor agreement, or professional duty);
- implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, in accordance with Article 32 UK GDPR (see Section 9 below);
- not engage another processor (a sub-processor) without prior general or specific written authorisation from the client controller, on the terms set out in Section 7 below;
- assist the client controller, by appropriate technical and organisational measures and insofar as possible, in fulfilling its obligation to respond to data subject rights requests;
- assist the client controller in complying with its obligations under Articles 32 to 36 UK GDPR (security, breach notification, data protection impact assessments, and prior consultation), taking into account the nature of processing and the information available to us;
- at the choice of the client controller, delete or return all personal data to the controller at the end of the provision of services, and delete existing copies unless retention is required by law;
- make available to the client controller all information necessary to demonstrate compliance with our Article 28 obligations, and allow for and contribute to audits as set out in Section 11 below;
- notify the client controller without undue delay if, in our opinion, an instruction infringes UK GDPR or other applicable data protection law.
6. Your Responsibilities as Controller
As the controller, the client is responsible for:
- having a valid lawful basis under Article 6 UK GDPR (and, where relevant, an Article 9 condition) for the processing it instructs us to carry out;
- providing appropriate privacy information to data subjects under Articles 13 and 14 UK GDPR;
- ensuring that any personal data supplied to us is accurate, relevant, and limited to what is necessary for the agreed services;
- transmitting personal data to us by secure means and only via the channels we have agreed for the engagement — personal data should not be sent to us by unencrypted email or other insecure channels without prior agreement;
- ensuring that any third-country transfers required for the client to share personal data with us are supported by an appropriate transfer mechanism;
- issuing instructions to us in writing through agreed channels, and notifying us promptly of any change to those instructions.
7. Sub-Processors
We use a small number of third-party service providers (sub-processors) to support the services we deliver. Each sub-processor we use as part of a client engagement will be:
- engaged under a written contract that imposes data protection obligations equivalent to those set out in our DPA with the client;
- recorded in our internal Supplier Register, with its data protection status, security position and (where relevant) international transfer mechanism documented;
- reviewed periodically as part of our supplier management process.
The categories of sub-processor we may use include:
- cloud productivity and email services (for document creation, internal communications, and file storage);
- database and data platform services (for structured storage and querying of analysis outputs);
- artificial intelligence and large language model API providers (where AI-assisted processing forms part of the agreed services);
- website and form hosting platforms (where the engagement involves web-delivered outputs);
- document storage and collaboration platforms (used in a controlled way for engagement-specific materials);
- business support services (such as accounting and tax services), where strictly necessary.
On request, and on execution of the DPA, we will provide the named list of sub-processors relevant to the client engagement, together with the country of processing and the transfer mechanism relied upon where applicable.
Where we propose to add or replace a sub-processor that will be involved in processing personal data on behalf of the client, we will give the client at least thirty (30) days' prior written notice. The client may object on reasonable data protection grounds within that period, in which case we will work in good faith to resolve the objection. If the objection cannot be resolved, the client may terminate the affected services without penalty.
8. International Transfers
Some of our sub-processors store or process personal data outside the United Kingdom. Where this occurs in the course of providing services to the client, we will rely on one of the following safeguards under UK GDPR Chapter V:
- transfers to countries that benefit from a UK adequacy regulation;
- the International Data Transfer Agreement (IDTA) issued by the Information Commissioner's Office;
- the Addendum to the EU Standard Contractual Clauses (SCCs) issued by the Information Commissioner's Office, where the underlying SCCs are in place;
- another safeguard recognised under Article 46 UK GDPR.
Several of our current sub-processors are based in the United States. The transfer mechanism relied upon for each is recorded in our Supplier Register and will be confirmed in the executed DPA. Where required by Information Commissioner's Office guidance, a Transfer Risk Assessment is documented.
9. Security Measures
In accordance with Article 32 UK GDPR, we maintain appropriate technical and organisational measures to ensure a level of security appropriate to the risk. These measures are set out in detail in our Information Security Policy and supporting policies, and align with the Cyber Essentials baseline. They include, as standard:
- identity and access management controls (strong authentication, multi-factor authentication, least-privilege access, and an Access Credential Register);
- encryption of personal data in transit and at rest, using current industry-standard cryptographic protocols;
- device-level security controls on equipment used to process personal data (including full-disk encryption, screen-lock timeouts, automatic security updates, and anti-malware controls);
- network-level controls and segregation, with administrative interfaces protected from public exposure;
- logging and monitoring across cloud platforms and productivity systems used to process personal data;
- structured supplier due diligence and contractual security obligations for all sub-processors handling personal data;
- documented operational risk management, incident response, and business continuity arrangements;
- internal policies and training covering confidentiality, acceptable use, data protection, and the handling of personal data.
Further detail is available under non-disclosure as part of due diligence.
10. Personal Data Breaches
If we become aware of a personal data breach affecting personal data we process on behalf of the client, we will notify the client without undue delay and in any event within forty-eight (48) hours of becoming aware. Our notification will provide such information as is then available to us, including:
- a description of the nature of the breach, including (where possible) the categories and approximate number of data subjects and personal data records affected;
- the likely consequences of the breach;
- the measures taken or proposed to address the breach and to mitigate its possible adverse effects;
- the name and contact details of a point of contact for further information.
Where information is not available at the time of initial notification, we will provide it as soon as it becomes available. We will not communicate the breach to data subjects, regulators, or third parties without first liaising with the client controller, save where we are required to do so by law.
Notifications between client and Atago Green for breach purposes are made to the contact points designated in the executed DPA.
11. Audit and Information Rights
We will make available to the client all information reasonably necessary to demonstrate compliance with our processor obligations under Article 28 UK GDPR.
As a proportionate approach for an organisation of our size, we will satisfy audit obligations by:
- responding promptly and in good faith to written due diligence questionnaires (including bilateral supplier DDQs and recognised industry standards such as FSQS);
- providing on request copies of relevant policies, certificates, and self-assessment outputs (under appropriate confidentiality safeguards);
- supporting reasonable client audit activity, on at least thirty (30) days' written notice, no more than once in any twelve-month period (except in cases of a notified personal data breach or where required by a competent supervisory authority), at the client's cost, and conducted in a manner that does not unreasonably interfere with our operations or compromise the confidentiality of other clients' data.
Where a client requires audit arrangements that go materially beyond this standard position, this will be reflected in the executed DPA and may be subject to additional commercial terms.
12. Return or Deletion at End of Services
On termination or expiry of the underlying services agreement, and at the choice of the client, we will:
- return all personal data processed on the client's behalf in a commonly used, structured electronic format; or
- delete all such personal data.
In either case we will delete existing copies, unless retention is required by law (for example, retention of records of contract performance for limitation-period or tax purposes). Where any personal data is retained for legal reasons, it will continue to be protected by the security measures set out in Section 9 and will be deleted at the end of the applicable retention period.
On request, we will provide written confirmation of return or deletion.
13. Executing the Full DPA
To put our standard DPA in place, please contact us using the details in Section 14. We will:
- confirm whether the engagement involves processing on the client's instructions;
- share our standard Article 28 DPA for review, together with the relevant sub-processor list and transfer mechanism information;
- agree any engagement-specific particulars (the items set out in Section 3 above and any client-specific variations) and execute the DPA before any personal data is transferred to us.
If the client requires its own DPA template to be used, we will review it in good faith and identify any variations that would materially affect our standard position.
14. Contact Us
For questions about this summary, to request a copy of the full DPA, or to raise any data protection matter relating to services we provide as a processor, please contact us:
| Contact point | Details |
|---|---|
| Email | hello@atago-green.com |
| Data protection contact | Abby Thomas, Director (abby.thomas@atago-green.com) |
| Website | www.atago-green.com |
| Postal address | Atago Green Ltd, Level 5A, Maple House, 149 Tottenham Court Road, London W1T 7NF |
| ICO registration | ZB963098 |
Document Information
| Version | v0.2.1 |
|---|---|
| Last Updated | 27 May 2026 |
| Published at | atago-green.com/dpa |
| Document Owner | Director, Atago Green Ltd |
| Review Cycle | Annual as a minimum; on any material change to the underlying DPA template, supplier base, or transfer mechanisms |
Version History
| Version | Date | Author | Notes |
|---|---|---|---|
| v0.2 | 27 May 2026 | amt | Initial published summary. Covers Article 28 UK GDPR processor terms, categorical sub-processor disclosure with 30 days' prior notice for changes, IDTA / UK SCCs Addendum for international transfers, 48-hour breach notification window, and proportionate audit approach via DDQ + documentation + scheduled audit on notice. Aligns with Data Protection Policy v0.3, Privacy Notice v0.6, Supplier Management Policy v0.5, and ROPA v0.3. Published at dpa.atago-green.com. |
| v0.2.1 | 27 May 2026 | amt | URL references updated for path-based hosting: Privacy Notice link changed from privacy.atago-green.com to /privacy; Document Information "Published at" changed from dpa.atago-green.com to atago-green.com/dpa. No substantive policy change. |