Data Processing Agreement
This Data Processing Agreement (“Agreement”) forms part of Midgard IT Ltd’s terms of service and applies to all clients who receive services from Midgard IT Ltd. It governs how we process personal data on your behalf when delivering those services. By continuing to use our services on or after the effective date above, you accept this Agreement. If you would prefer a separately signed copy for your own records, please contact us at info@midgard.co.uk.
In this Agreement, “Client” (referred to as “you”) means the organisation receiving services from Midgard IT Ltd (“Midgard IT”, “we”, “us”). Your main services agreement with us is referred to as the “Main Agreement”.
1. Definitions
- Personal Data — any information relating to an identified or identifiable natural person, as defined in UK GDPR
- Processing — any operation performed on personal data (access, storage, retrieval, modification, deletion, transmission)
- Sub-processor — any third party engaged by Midgard IT to process personal data on your behalf
- UK GDPR — the UK General Data Protection Regulation and Data Protection Act 2018
2. Scope and Purpose
2.1 Midgard IT processes personal data on your behalf solely for the purpose of providing IT managed services as defined in the Main Agreement, including but not limited to:
- Remote monitoring and management of your IT systems
- Helpdesk and technical support
- IT asset management
- VoIP and telephony services, where provided
- Any other services specified in the Main Agreement
2.2 Midgard IT acts as a data processor. You remain the data controller and are responsible for the lawfulness of the processing instructions you give to Midgard IT.
3. Midgard IT’s Obligations
Midgard IT agrees to:
3.1 Process only on documented instructions — process personal data only as instructed by you in writing (including via the Main Agreement), unless required by law.
3.2 Confidentiality — ensure that all personnel authorised to process personal data are subject to a duty of confidentiality.
3.3 Security — implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including:
- Access controls and authentication requirements, including enforced multi-factor authentication
- Encryption of data in transit and of stored credentials at rest
- Regular security awareness for staff with access to client systems
- Secure remote access via Atera RMM with audit logging
3.4 Sub-processors — not engage any sub-processor without your prior authorisation. Current approved sub-processors are listed in Schedule 1.
3.5 Data subject rights — assist you in responding to data subject requests (access, erasure, rectification, portability) insofar as this is possible given the nature of the processing.
3.6 Data breach notification — notify you without undue delay (and in any event within 24 hours of becoming aware) of any personal data breach affecting your data, to enable you to meet your 72-hour ICO reporting obligation.
3.7 Deletion or return — on termination of the Main Agreement, delete or return all personal data to you as directed, within 30 days.
3.8 Audit — make available to you all information necessary to demonstrate compliance with this Agreement and allow for audits conducted by you or an appointed auditor (with reasonable notice).
4. Your Obligations
As the data controller, you agree to:
4.1 Ensure you have a lawful basis for processing and for sharing personal data with Midgard IT.
4.2 Provide clear, documented processing instructions.
4.3 Notify Midgard IT promptly of any changes to processing requirements.
5. Sub-processors
5.1 You grant general authorisation for Midgard IT to use the sub-processors listed in Schedule 1.
5.2 Midgard IT will notify you of any intended changes to sub-processors (additions or replacements) with at least 14 days’ notice, giving you the opportunity to object.
5.3 Midgard IT remains fully liable to you for the performance of sub-processors’ obligations.
6. International Transfers
6.1 Midgard IT will not transfer personal data outside the UK without your prior consent, except to countries with an adequacy decision or where appropriate safeguards (such as Standard Contractual Clauses) are in place.
6.2 Current international transfers are documented in Schedule 1.
7. Duration and Termination
7.1 This Agreement remains in force for the duration of the Main Agreement.
7.2 On termination, clause 3.7 (deletion/return) applies.
8. Liability
8.1 Each party’s liability under this Agreement is subject to the limitations set out in the Main Agreement.
8.2 Midgard IT will not be liable for processing carried out in accordance with your instructions that are later found to be unlawful.
Schedule 1 — Approved Sub-processors
| Sub-processor | Purpose | Country | Transfer Basis |
|---|---|---|---|
| Atera Networks Ltd | Remote monitoring, management, and remote access to client systems | Israel | UK Adequacy Decision |
| Microsoft Corporation (M365) | Email communications, file storage related to service delivery | Ireland/EU | EU-US Data Privacy Framework |
| Hetzner Online GmbH | Hosting of MyMidgard Portal (where client ticket and asset data is stored) | Germany (EU) | No transfer — EU data centre |
| Gradwell Communications | VoIP/telephony services, including call logs and call recordings (where Midgard IT provides the client’s phone system) | United Kingdom | No transfer — UK-based |
Schedule 2 — Categories of Personal Data Processed
| Category | Examples | Data Subjects |
|---|---|---|
| Staff identity data | Names, usernames, email addresses | Client employees |
| Device and system data | Device names, IP addresses, installed software, system logs | Client employees |
| Business communications | Emails, documents (accessed only as required for support) | Client employees, client’s customers |
| IT asset information | Hardware serials, licence keys, configuration | N/A (asset data, not always personal) |
| Support ticket content | Issue descriptions, error messages, screenshots | Client employees |
| Telephony data | Call logs, call recordings, voicemail (where VoIP services are provided) | Client employees, callers, and call recipients |
Questions
If you have any questions about this Agreement, or would like a separately signed copy for your records, contact us at info@midgard.co.uk or 01792 477800.
