Data Processing Addendum to MSA

(Version: 01/01/2026)


This page is incorporated by reference into the Master Services Agreement (MSA) between Attacat Limited (the "Company") and the Client. It sets out the scope, nature, and purpose of processing, along with the list of authorised Sub-processors.

Please note this page specifically relates to where Attacat is acting as a processor on behalf of the Client and the Client is the controller.

Where the Company acts as a Data Controller (i.e. processing in its own interests rather than on behalf of the Client) regarding the personal data of the Client’s commercial representatives (such as contract signatories, billing contacts, and primary project leads), this is processed in accordance with the Company’s Privacy Policy.

1. Subject Matter and Duration

  • Subject Matter: The processing of Personal Data by the Company required to deliver technical implementation, integration, management and consultancy services (including HubSpot and related systems) for the Client, as described in the Statements of Work (SoWs).
  • Duration: For the term of the Contract, unless retention is required by law. The Client's customer data will usually be held only for the shortest practical time necessary to perform the specific task (e.g., migration or integration) and deleted on termination if not already deleted.

2. Nature and Purpose of Processing

The Company processes Personal Data to assist the Client primarily with building, optimising, implementing and adopting efficient CRM strategies to meet business objectives. This primarily involves:

  • HubSpot and technical system implementation: includes configuration of CRM databases, migration of data, and setup of automation workflows.
  • Integration: Connecting disparate systems (e.g., ERP, Finance, Marketing) via APIs or middleware and may include hosting such integrations.
  • Technical Consultancy: Auditing and troubleshooting existing data structures.
  • Training and adoption.
  • Adjacent services that may include marketing and advertising-related activities on behalf of the Client.

4. Categories of Data Subjects (Processor Scope)

  • The Client’s Customers: The individuals contained within the Client’s CRM or marketing database (leads, prospects, current customers).
  • System Users: The Client’s employees or contractors for whom the Company configures user accounts, permissions, or access rights within the Third-Party Platform (e.g. the Client's sales, marketing and customer service teams).

5. Types of Personal Data (Processor Scope)

  • Relating to the Client’s Customers:
    • Contact details (Email addresses, phone numbers, postal addresses)
    • CRM and website data (Interaction history, deal value, lead status, purchase history, conversations (inc call recordings, chats, emails), resources viewed or downloaded).
    • Digital identifiers (IP addresses, cookie IDs, tracking pixels).
  • Relating to System Users:
    • Login credentials (email addresses, usernames).
    • Activity logs and performance data generated within the platform.
    • Support interactions (emails, support tickets, meeting notes, call recordings).

Exclusions: The Services are not intended for the processing of Special Category Data (e.g., health or biometric data) unless explicitly agreed in writing.

6. Appointed Sub-processors

Unless otherwise agreed in writing, by signing the MSA the Client authorises the Company to appoint the following sub-processors:

  • Google Workspace (inc Gmail, Google docs and spreadsheets) (United States (commercial organisations participating in the UK Extension to the EU-US Data Privacy Framework))
  • Microsoft (through Windows) (United States (commercial organisations participating in the UK Extension to the EU-US Data Privacy Framework))
  • Google Cloud Platform* (hosting) (United States (commercial organisations participating in the UK Extension to the EU-US Data Privacy Framework))
  • Google Tag Manager* (website tagging) (United States (commercial organisations participating in the UK Extension to the EU-US Data Privacy Framework))
  • CookieScript* (EU based Cookie banner provider)
  • Zapier* (automation) (United States (commercial organisations participating in the UK Extension to the EU-US Data Privacy Framework))
  • WP Engine* (website hosting based in UK)
  • Search Motive (developer based in UK)
  • Thread Analytics (developer based in Australia)
  • Web2Media (consultant based in EU)
  • Mersudin Forbes Digital (consultant based in UK)
  • Luiza Leopoldo (consultant based in EU)
  • OCM Communications (IT MSP based in UK)

International data transfers rely on adequacy decisions where recognised. For other organisations, transfers are managed under the EU SCCs and the UK International Data Transfer Addendum. Note: The Client acknowledges that the use of these third parties frequently results in data being transferred to jurisdictions outside the UK/EEA. Where the Client contracts directly, the Client is responsible for validating international transfer mechanisms.

*Will only be classified as sub-processors of the Company if the Company is contracted with and billed by the third party. Where the Client contracts directly with the third party, the third party would be classified as the Client's own processor or joint controller and the Company is merely an authorised user/administrator on the Client’s account.


7. Security Measures

The Company maintains a robust security posture, certified under the Cyber Essentials scheme. We implement the following technical and organisational measures to ensure the security of Personal Data:

  • Access Control: We enforce Multi-Factor Authentication (MFA) on all systems, including Google Workspace, Cloud environments, and remote administration gateways. Access is granted on a "least privilege" basis and reviewed regularly.
  • Device Security: All staff devices are "hardened" to a strict specification, managed centrally, and protected by enterprise-grade Endpoint Detection and Response (EDR) tools.
  • Network Security: We utilize boundary firewalls and host-based firewalls. Our internal network is segmented, and no files or emails are hosted on local servers.
  • Data Minimisation: We adhere to a strict policy of not storing Client Customer Data on our own systems unless strictly necessary for a specific technical task. Data is deleted from our systems immediately after the task is complete.
  • Encryption & Storage: Credentials are managed via Google Secrets Manager or secure password managers. Data at rest and in transit is secured via the industry-standard encryption protocols inherent to Google Workspace and Google Cloud Platform.
  • Staff Training: All staff undergo mandatory induction training on GDPR and password policies, alongside an ongoing automated cybersecurity training programme.

The specific tools and measures listed above represent the Company’s current internal security architecture. When engaging Sub-processors, the Company ensures that they implement technical and organisational measures that are appropriate to the risks presented by the processing they undertake. While Sub-processors may use different specific tools or technologies, they are contractually required to maintain a level of security that provides a substantially similar level of protection to the Client Data.

Further information about our approach to security is available on request.
