Data processing agreement

Data Processing Agreement (DPA) — Efficient Brewing Ltd

Last updated: 25-11-2025

This Data Processing Agreement (“Agreement”) forms part of the Terms of Service between Efficient Brewing Ltd (“Processor”) and the customer (“Controller”).

1. Subject Matter

The Processor provides production schedule optimisation software and processes personal data solely for providing the Service to the Controller.

2. Duration

This Agreement remains in force for as long as the Controller uses the Service and the Processor processes personal data on behalf of the Controller.

3. Nature and Purpose of Processing

The Processor stores and processes personal data for the following purposes:

  • Managing user accounts and access;
  • Operating the scheduling and optimisation features;
  • Maintaining and improving the Service;
  • Ensuring security and stability;
  • Providing support to the Controller.

Processing activities may include collection, storage, retrieval, transmission, and deletion.

4. Types of Personal Data

Personal data processed may include:

  • Identification data (e.g. name, email address);
  • Authentication data (e.g. hashed passwords);
  • Technical data (e.g. IP address, logs, device information);
  • Integration-related data (e.g. API tokens and configuration).

5. Categories of Data Subjects

Data subjects may include:

  • Employees and authorised users of the Controller;
  • Individuals whose details are entered into the Service by the Controller (e.g. staff assigned to tasks).

6. Obligations of the Processor

The Processor shall:

  1. Process personal data only on documented instructions from the Controller, including with regard to transfers, unless required by law.
  2. Ensure that persons authorised to process personal data are bound by confidentiality obligations.
  3. Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.
  4. Assist the Controller, where reasonably possible, in fulfilling its obligations to respond to data subject requests.
  5. Assist the Controller with data protection impact assessments and prior consultations with supervisory authorities, where required and reasonable.
  6. Notify the Controller without undue delay after becoming aware of a personal data breach affecting the Controller’s data.
  7. At the choice of the Controller, delete or return all personal data after the end of the provision of services, unless retention is required by law.
  8. Make available to the Controller all information reasonably necessary to demonstrate compliance with this Agreement and applicable data protection laws.

7. Subprocessors

The Controller authorises the Processor to engage subprocessors for the provision of the Service, including but not limited to:

  • Google Cloud Platform (Google Cloud Run, Firestore)

The Processor shall:

  • Ensure subprocessors are bound by data protection obligations no less protective than those in this Agreement;
  • Remain liable for the acts and omissions of subprocessors.

8. International Transfers

Where personal data is transferred outside the UK or EEA, the Processor shall ensure that such transfers are subject to appropriate safeguards, such as:

  • Standard Contractual Clauses (SCCs); or
  • Other mechanisms recognised under data protection law.

9. Obligations of the Controller

The Controller shall:

  • Ensure it has a lawful basis for processing personal data;
  • Provide any required notices to data subjects;
  • Ensure that data entered into the Service is accurate and lawful;
  • Comply with applicable data protection laws in its use of the Service.

10. Audits

The Controller may, upon reasonable notice and during normal business hours, request information necessary to verify the Processor’s compliance with this Agreement. Any onsite audits shall:

  • Be subject to reasonable prior notice;
  • Not unreasonably disrupt the Processor’s operations;
  • Be at the Controller’s cost.

11. Termination

Upon termination of the underlying Terms of Service:

  • The Processor shall delete or return personal data processed on behalf of the Controller, unless retention is required by law.
  • The data deletion/return process shall follow the timelines and methods specified by the Processor’s policies, communicated to the Controller upon request.

12. Governing Law

This Agreement is governed by the laws of England and Wales.