This Data Processing Agreement (DPA) forms part of the Terms of Service between WFA Support Ltd ("Processor", company number 11535469) and the Customer ("Controller").
Processing Details
| Item | Details |
|---|---|
| Subject matter & Duration | Digital form creation, workflow, signature capture and PDF generation services for the term of the agreement. |
| Nature & Purpose | Receiving, storing, processing and returning form submissions as instructed by the Controller. |
| Types of Personal Data | Any personal data included in forms (names, contact details, signatures, photos, addresses, financial or health data, etc.). |
| Categories of Data Subjects | Controller’s employees, customers, clients and other individuals whose data appears in the uploaded forms. |
Customers should avoid uploading special-category or highly sensitive personal data unless it is necessary, lawful, and appropriate for their use of the service.
Processor Obligations
- Process personal data only on documented instructions from the Controller (unless required by UK law).
- Ensure confidentiality of all personnel with access to the data.
- Implement appropriate technical and organisational security measures.
- Not engage sub-processors without appropriate authorisation and safeguards. Current sub-processors are listed on our Sub-processors page.
- Assist the Controller with data subject rights requests and security breach notifications.
- Notify the Controller without undue delay after becoming aware of a personal data breach affecting Controller personal data.
- Delete or return all personal data at the end of the contract (at Controller’s choice), unless UK law requires retention. Export, deletion, backups and operational copies are handled in line with our Data Retention Schedule.
- Make available information reasonably necessary to demonstrate compliance, subject to reasonable notice, scope, confidentiality and use of remote evidence where appropriate.
Security Measures
- Access to customer areas requires authenticated accounts.
- Role and permission checks are used to restrict access to customer-specific data.
- HTTPS is used where appropriate to protect data in transit.
- Session cookies are configured with security-focused settings.
- Application and access logs may be used to monitor security and diagnose issues.
- Core hosting is provided in the United Kingdom.
- Uploaded files and generated documents are access-controlled through account and permission checks.
- Backups and operational copies may be used for resilience and recovery, subject to retention controls.
Sub-processor changes
We maintain the current sub-processor list at /sub-processors. Where a material new sub-processor is introduced, we will update the list and provide notice where required by applicable law or contract.
International Transfers
Core infrastructure is hosted in the UK by 24host.uk. Limited transfers may occur where sub-processors process data outside the UK. Current sub-processors and transfer context are listed on our Sub-processors page.
Liability
Processor liability is subject to the limitations set out in the main Terms and Conditions.
By using Straight2PDF, the Customer agrees to this DPA. For any custom amendments, please contact privacy@straight2pdf.co.uk.
