Data Processing Agreement
Kurogo Group Ltd
Effective Date: May 2026
This Data Processing Agreement ('DPA') forms part of the agreement between Kurogo Group Ltd ('Processor' or 'we') and the Client ('Controller' or 'you') for the provision of marketing and public relations services. This DPA sets out the rights and obligations of each party with respect to the processing of Personal Data in accordance with UK GDPR and the Data Protection Act 2018.
1. Definitions and Interpretation
In this DPA, the following terms shall have the following meanings:
- 'Controller' means the Client who determines the purposes and means of the processing of Personal Data.
- 'Data Protection Laws' means all applicable data protection and privacy laws including the UK GDPR, the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations 2003 (as amended).
- 'Data Subject' means an identified or identifiable natural person to whom Personal Data relates.
- 'Personal Data' means any information relating to an identified or identifiable natural person that is processed by the Processor on behalf of the Controller in connection with the Services.
- 'Personal Data Breach' means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data.
- 'Processing' has the meaning given to it in the UK GDPR and 'process', 'processes' and 'processed' shall be construed accordingly.
- 'Processor' means Kurogo Group Ltd, who processes Personal Data on behalf of the Controller.
- 'Services' means the marketing and public relations services provided by Kurogo Group Ltd to the Client.
- 'Sub-processor' means any third party appointed by the Processor to process Personal Data on behalf of the Controller.
- 'UK GDPR' means the UK General Data Protection Regulation, as it forms part of UK law by virtue of section 3 of the European Union (Withdrawal) Act 2018.
2. Scope and Application
This DPA applies to all processing activities carried out by the Processor on behalf of the Controller in connection with the provision of the Services. The Processor shall process Personal Data only in accordance with the Controller's documented instructions, unless required to do so by applicable law.
The nature and purpose of the processing, the types of Personal Data, and categories of Data Subjects are set out in Schedule 1 (Details of Processing) to this DPA.
3. Controller and Processor Obligations
3.1 Controller Obligations
The Controller warrants and represents that:
- It has all necessary rights and has obtained all necessary consents to provide Personal Data to the Processor for processing in accordance with this DPA;
- It has complied with all applicable Data Protection Laws in relation to the collection of Personal Data;
- Its instructions to the Processor will comply with all applicable Data Protection Laws; and
- It is responsible for ensuring the accuracy, quality, and legality of Personal Data and the means by which it acquired the Personal Data.
3.2 Processor Obligations
The Processor shall:
- Process Personal Data only on documented instructions from the Controller, unless required to do so by UK or EU law;
- Ensure that persons authorised to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
- Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as set out in Clause 5;
- Not engage a Sub-processor without prior written authorisation from the Controller, in accordance with Clause 6;
- Assist the Controller in responding to requests from Data Subjects exercising their rights under Data Protection Laws;
- Assist the Controller in ensuring compliance with Data Protection Laws, taking into account the nature of processing;
- At the Controller's choice, delete or return all Personal Data to the Controller after the end of the provision of Services, and delete existing copies unless UK or EU law requires storage of the Personal Data; and
- Make available to the Controller all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits conducted by the Controller or its auditors.
4. Duration of Processing
The Processor shall process Personal Data for the duration of the Services agreement between the parties, unless otherwise instructed by the Controller or required by applicable law. Upon termination or expiry of the Services, the Processor shall, at the Controller's election, return or securely delete all Personal Data, unless legally required to retain copies.
5. Security of Processing
The Processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including as appropriate:
- The pseudonymisation and encryption of Personal Data;
- The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- The ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; and
- A process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
The security measures implemented by the Processor are set out in Schedule 2 (Technical and Organisational Measures) to this DPA.
6. Sub-processors
The Controller grants general written authorisation to the Processor to engage Sub-processors to process Personal Data, provided that:
- The Processor provides the Controller with at least 14 days' prior written notice of the addition or replacement of any Sub-processor;
- The Processor imposes data protection obligations on the Sub-processor that are equivalent to those in this DPA;
- The Processor remains fully liable to the Controller for the performance of the Sub-processor's obligations; and
- The Controller may object to the appointment of a Sub-processor on reasonable grounds relating to data protection within 7 days of receiving notice.
A list of current Sub-processors is set out in Schedule 3 (Sub-processors) to this DPA.
7. Data Subject Rights
The Processor shall, taking into account the nature of the processing, assist the Controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Controller's obligation to respond to requests for exercising Data Subject rights under Data Protection Laws, including:
- Right of access by the Data Subject;
- Right to rectification;
- Right to erasure ('right to be forgotten');
- Right to restriction of processing;
- Right to data portability; and
- Right to object.
If a Data Subject contacts the Processor directly with a request, the Processor shall promptly forward the request to the Controller and shall not respond to the request without the Controller's prior written authorisation.
8. Personal Data Breaches
The Processor shall notify the Controller without undue delay, and in any event within 24 hours, upon becoming aware of a Personal Data Breach affecting the Controller's Personal Data.
The notification shall include, to the extent possible:
- A description of the nature of the Personal Data Breach including, where possible, the categories and approximate number of Data Subjects and Personal Data records concerned;
- The name and contact details of the Processor's data protection officer or other contact point;
- A description of the likely consequences of the Personal Data Breach; and
- A description of the measures taken or proposed to be taken to address the Personal Data Breach and mitigate its possible adverse effects.
The Processor shall cooperate with the Controller and take reasonable commercial steps as directed by the Controller to assist in the investigation, mitigation and remediation of such Personal Data Breach.
9. Data Protection Impact Assessment
The Processor shall provide reasonable assistance to the Controller with any data protection impact assessments and prior consultations with supervisory authorities or other competent data privacy authorities to the extent required under Data Protection Laws.
10. Deletion or Return of Personal Data
Upon termination or expiry of the Services, the Processor shall, at the Controller's written election:
- Return all Personal Data to the Controller in a commonly used electronic format; and/or
- Securely delete all copies of Personal Data in its possession or control.
The Processor may retain Personal Data to the extent required by applicable law, provided that the Processor shall ensure the confidentiality of all such Personal Data and shall only process such Personal Data as necessary to comply with the legal requirement.
11. Audit Rights
The Processor shall make available to the Controller all information necessary to demonstrate compliance with this DPA and shall allow for and contribute to audits, including inspections, by the Controller or an auditor mandated by the Controller.
The Controller shall give the Processor reasonable prior written notice of any audit or inspection and shall conduct audits during normal business hours. The Controller shall ensure that all auditors are bound by appropriate confidentiality obligations.
12. International Data Transfers
The Processor shall not transfer Personal Data outside the United Kingdom without the prior written consent of the Controller. Where such transfers are authorised, the Processor shall ensure that appropriate safeguards are in place in accordance with Data Protection Laws, including but not limited to standard contractual clauses approved by the UK Information Commissioner's Office or adequacy decisions.
13. Liability and Indemnity
Each party's liability arising out of or related to this DPA, whether in contract, tort or under any other theory of liability, shall be subject to the limitations and exclusions of liability set out in the Services agreement between the parties.
The Processor shall indemnify and hold harmless the Controller against all claims, liabilities, costs, expenses, loss or damage (including legal fees) arising out of or in connection with any breach by the Processor of its obligations under this DPA.
14. Term and Termination
This DPA shall commence on the effective date and shall remain in force for so long as the Processor processes Personal Data on behalf of the Controller.
Either party may terminate this DPA if the other party commits a material breach of its obligations under this DPA and fails to remedy such breach within 30 days of receiving written notice of the breach.
15. Governing Law and Jurisdiction
This DPA shall be governed by and construed in accordance with the laws of England and Wales. The parties irrevocably agree that the courts of England and Wales shall have exclusive jurisdiction to settle any dispute or claim arising out of or in connection with this DPA.
16. Contact Information
For any questions or concerns regarding this DPA or data processing practices, please contact:
Kurogo Group Ltd
85 Great Portland Street
London, England, W1W 7LT
United Kingdom
Company Number: 13197937
Email: hello@kurogo.co.uk
SCHEDULE 1: Details of Processing
Nature and Purpose of Processing
The Processor will process Personal Data as necessary to provide marketing and public relations services to the Controller, including but not limited to:
- Marketing campaign management and execution
- Public relations and media outreach
- Content creation and distribution
- Analytics and reporting
- Communication with media contacts and stakeholders
Duration of Processing
The Processor will process Personal Data for the duration of the Services agreement between the parties, and for such additional period as may be required by law or as instructed by the Controller.
Types of Personal Data
The Personal Data processed may include:
- Names
- Email addresses
- Phone numbers
- Job titles and company information
- LinkedIn profile URLs and social media handles
- Business addresses
- Communication preferences
- Any other information provided by the Controller in connection with the Services
Categories of Data Subjects
The Data Subjects whose Personal Data may be processed include:
- The Controller's customers and prospective customers
- Media contacts and journalists
- Business partners and stakeholders
- The Controller's employees and representatives
- Any other individuals whose Personal Data the Controller provides to the Processor
SCHEDULE 2: Technical and Organisational Measures
The Processor has implemented the following technical and organisational measures to protect Personal Data:
Access Control
- Password-protected systems with strong password requirements
- Multi-factor authentication for access to systems containing Personal Data
- Role-based access controls limiting access to Personal Data on a need-to-know basis
- Regular review and removal of access rights for employees who no longer require access
Data Encryption
- Encryption of Personal Data in transit using TLS/SSL protocols
- Encryption of Personal Data at rest where technically feasible
Network Security
- Firewall protection for all systems
- Regular security updates and patches
- Intrusion detection and prevention systems
Data Backup and Recovery
- Regular automated backups of Personal Data
- Tested disaster recovery and business continuity procedures
Physical Security
- Secure office premises with controlled access
- Secure disposal of physical documents containing Personal Data
Staff Training and Awareness
- Regular data protection and security training for all staff
- Confidentiality agreements with all employees and contractors
- Clear policies and procedures for handling Personal Data
Incident Management
- Documented incident response procedures
- Regular testing of incident response procedures
- Designated incident response team
Monitoring and Testing
- Regular security audits and vulnerability assessments
- Logging and monitoring of access to systems containing Personal Data
- Regular review and updating of security measures
SCHEDULE 3: List of Sub-processors
The Processor may engage the following categories of Sub-processors to assist in the provision of the Services:
- Email marketing platforms (e.g., Mailchimp, HubSpot)
- Analytics services (e.g., Google Analytics)
- Customer Relationship Management (CRM) systems (e.g., Salesforce, Pipedrive)
- Cloud storage and hosting providers
- Payment processing services (e.g., Stripe, PayPal)
- Communication and collaboration tools
The Processor shall maintain an up-to-date list of Sub-processors and shall provide this list to the Controller upon request.
The Processor shall notify the Controller of any changes to this list in accordance with Clause 6 of this DPA.
All Sub-processors are required to enter into written agreements with the Processor that impose data protection obligations equivalent to those set out in this DPA.