
Data Processing Agreement

Last updated: February 2026

1. Introduction and Scope

This Data Processing Agreement ("DPA") forms part of the Terms of Service between TechTeamUp Ltd ("Processor", "we", "us") and the Project Owner ("Controller", "you") who uses the BugBoard platform ("the Service").

This DPA applies where we process Personal Data on your behalf as a Data Processor in the course of providing the Service — specifically, feedback data and screenshots captured via the BugBoard widget on your website(s). It is designed to ensure compliance with Article 28 of the UK General Data Protection Regulation ("UK GDPR") and the Data Protection Act 2018, as well as the EU General Data Protection Regulation (Regulation (EU) 2016/679) where applicable.

2. Definitions

Terms used in this DPA have the meanings given in the UK GDPR unless otherwise defined:

  • "Personal Data" means any information relating to an identified or identifiable natural person processed by the Processor on behalf of the Controller through the Service
  • "Data Subject" means the identified or identifiable natural person to whom the Personal Data relates
  • "Processing" means any operation performed on Personal Data, as defined in Article 4(2) UK GDPR
  • "Sub-Processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller
  • "Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data

3. Roles and Responsibilities

Controller (Project Owner): You determine the purposes and means of processing Personal Data collected via the widget on your site(s). You are responsible for ensuring you have a lawful basis for collecting data through the widget, providing appropriate privacy notices to your site's users, and assessing the risk of personal data appearing in captured screenshots.

Processor (TechTeamUp Ltd): We process Personal Data solely on your documented instructions and for the purpose of providing the Service. We store, display, and manage feedback data (including screenshots) on your behalf but do not independently determine the purposes of processing.

4. Subject Matter and Details of Processing

Subject matter: Provision of the BugBoard visual feedback and bug reporting platform
Duration: Duration of the Project Owner's subscription to the Service
Nature and purpose: Capture, storage, display, and management of visual feedback including screenshots, annotations, and associated metadata
Types of Personal Data: Screenshots (which may contain any PII visible on the captured page), page URLs, browser metadata, IP addresses, user-provided descriptions and comments, email addresses (if provided in feedback)
Categories of Data Subjects: End users who submit feedback via the widget; individuals whose personal data may be incidentally visible in captured screenshots

Special note on screenshots: The BugBoard widget captures screenshots of web pages which may incidentally contain personal data of the Controller's users (e.g., names, email addresses, profile information, or other content visible on the page). The Controller acknowledges this risk and accepts responsibility for implementing appropriate measures to minimise unnecessary PII capture (e.g., CSS masking of sensitive fields) and for reviewing and deleting screenshots containing sensitive personal data.

5. Obligations of the Processor

We shall:

  • Process Personal Data only on your documented instructions, unless required by applicable law
  • Ensure that persons authorised to process the Personal Data have committed themselves to confidentiality
  • Implement appropriate technical and organisational measures to ensure security, including encryption in transit (TLS), securely hashed credentials, and project-level access control
  • Not engage another processor (Sub-Processor) without your prior general or specific written authorisation, subject to Section 7
  • Assist you in responding to Data Subject requests
  • Assist you in ensuring compliance with obligations relating to security, breach notification, and data protection impact assessments (Articles 32–36 UK GDPR)
  • At your choice, delete or return all Personal Data after the end of the Service, and delete existing copies unless required by law
  • Make available information necessary to demonstrate compliance and allow for audits as set out in Section 9

6. Data Breach Notification

In the event of a Data Breach affecting Personal Data processed on your behalf, we shall:

  • Notify you without undue delay, and in any event within 48 hours of becoming aware of the breach
  • Provide sufficient information to enable you to meet your obligation to notify the ICO within 72 hours (Article 33 UK GDPR)
  • Cooperate with you and take reasonable commercial steps to assist in investigation, mitigation, and remediation
  • Document the breach including the facts, effects, and remedial action taken

Breach notifications will include: (a) the nature of the breach; (b) the categories and approximate number of Data Subjects and records concerned; (c) the likely consequences; (d) the measures taken or proposed.

7. Sub-Processors

You provide general authorisation for us to engage the Sub-Processors listed below. We shall inform you of any intended changes and give you the opportunity to object.

Sub-Processor | Purpose | Location
Railway (railway.app) | Cloud hosting, database, screenshot storage | EU (US entity)
Cloudflare (cloudflare.com) | DNS, CDN, DDoS protection | Global (US entity)

We shall impose on each Sub-Processor data protection obligations no less protective than those in this DPA. We remain fully liable for each Sub-Processor's performance.

8. International Transfers

Where Personal Data is transferred outside the UK or EEA, we ensure appropriate safeguards:

  • UK International Data Transfer Agreement (IDTA) or UK Addendum to EU SCCs
  • EU Standard Contractual Clauses (SCCs)
  • Adequacy decisions where applicable

9. Audit Rights

We shall make available information reasonably necessary to demonstrate compliance with this DPA. We shall allow for and contribute to audits, including inspections, subject to:

  • At least 30 days' written notice
  • Audits conducted during normal business hours without unreasonably disrupting operations
  • You bearing your own audit costs
  • Scope limited to processing activities relevant to this DPA
  • Third-party auditors must execute a confidentiality agreement
  • Limited to once per twelve-month period, unless required by a supervisory authority or following a breach

10. Data Subject Requests

If we receive a request from a Data Subject to exercise their rights under the UK GDPR, we shall promptly notify you and shall not respond directly unless authorised by you or required by law. We shall provide reasonable assistance to enable you to respond within the statutory timeframe.

11. Data Deletion and Return

Upon termination or upon your written request, we shall at your choice:

  • Return all Personal Data (including screenshots) in a structured format; or
  • Delete all Personal Data and confirm deletion in writing

Data shall continue to be protected in accordance with this DPA until fully deleted.

12. Liability

Each party's liability under this DPA is subject to the limitations in the Terms of Service. Nothing in this DPA limits either party's liability to Data Subjects or supervisory authorities under applicable data protection law.

13. Term and Termination

This DPA shall remain in effect for the duration of the processing. Obligations that by their nature should survive (including data deletion, confidentiality, and breach notification) shall survive termination.

14. Governing Law

This DPA is governed by the laws of England and Wales. Disputes shall be subject to the exclusive jurisdiction of the courts of England and Wales.

15. Contact

TechTeamUp Ltd
Data Protection Contact: Tom Watts
Email: [email protected]