Skip to main content

Data Processing Agreement

Last updated: March 13, 2026

This Data Processing Agreement ("DPA") forms part of the Terms of Service, order form, subscription agreement, or other written or electronic agreement governing the customer's use of SquirrelStack (the "Customer Agreement") between Future Mill Limited ("Processor", "we", "us") and the customer identified in the Customer Agreement ("Controller", "you").

This DPA applies where the Processor processes Personal Data on behalf of the Controller in connection with the Service. In the event of a conflict between this DPA and the Customer Agreement, this DPA prevails with respect to data protection matters.

1. Definitions

  • "Data Protection Laws" means the UK GDPR, the EU GDPR, the Data Protection Act 2018, the Privacy and Electronic Communications Regulations 2003, and any other applicable data protection or privacy legislation
  • "Personal Data" means any data relating to an identified or identifiable natural person that is processed by the Processor on behalf of the Controller through the Service
  • "Processing" means any operation performed on Personal Data, including collection, storage, retrieval, use, disclosure, and deletion
  • "Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller
  • "Data Subject" means the identified or identifiable natural person to whom the Personal Data relates
  • "Security Incident" means any accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data
  • "Restricted Transfer" means a transfer of Personal Data to a country or recipient that requires an approved transfer mechanism under Data Protection Laws

2. Scope and Roles

The Controller determines the purposes and means of processing Personal Data through the Service. The Processor processes Personal Data only on behalf of and on the documented instructions of the Controller.

The Controller warrants that it is authorised to provide instructions to the Processor and that it has complied, and will continue to comply, with Data Protection Laws in relation to the Personal Data processed under this DPA.

The details of the processing are described in Annex 1 below.

3. Controller Obligations

The Controller shall:

  1. Ensure there is a lawful basis for the processing of Personal Data through the Service
  2. Provide any required notices to, and obtain any required consents from, Data Subjects
  3. Ensure that its instructions to the Processor comply with Data Protection Laws
  4. Be responsible for the accuracy, quality, and legality of Personal Data provided to the Service
  5. Not instruct the Processor to process special categories of Personal Data or criminal offence data unless the parties have agreed appropriate safeguards in writing

4. Processor Obligations

The Processor shall:

  1. Process Personal Data only on the documented instructions of the Controller, unless required to do so by applicable law
  2. Inform the Controller if, in the Processor's opinion, an instruction infringes Data Protection Laws, unless prohibited from doing so by law
  3. Ensure that persons authorised to process Personal Data are subject to obligations of confidentiality
  4. Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as described in Annex 2
  5. Not engage a Sub-processor without meeting the requirements of Section 6
  6. Assist the Controller in responding to Data Subject requests, taking into account the nature of the processing
  7. Assist the Controller in meeting its obligations regarding security, breach notification, data protection impact assessments, and prior consultation, taking into account the nature of the processing and the information available to the Processor
  8. At the Controller's choice, delete or return all Personal Data on termination of the Service, and delete existing copies unless storage is required by law
  9. Make available to the Controller all information reasonably necessary to demonstrate compliance with this DPA

5. Data Subject Requests

The Processor shall notify the Controller without undue delay if it receives a request from a Data Subject to exercise rights under Data Protection Laws in relation to Personal Data processed under this DPA. The Processor shall not respond to such requests directly unless authorised or legally required to do so.

The Processor shall provide reasonable assistance to enable the Controller to respond to Data Subject requests, including by providing export or deletion functionality within the Service where practicable.

6. Sub-processors

The Controller provides general authorisation for the Processor to engage Sub-processors in accordance with this Section. The current list of Sub-processors is set out in Annex 3.

The Processor shall:

  1. Maintain an up-to-date Sub-processor list in Annex 3
  2. Give the Controller at least 15 days' prior notice of any intended addition or replacement of a Sub-processor, by updating Annex 3 and sending notice to the Controller's primary account owner or billing contact
  3. Impose data protection obligations on each Sub-processor by way of contract that are no less protective than those in this DPA
  4. Remain fully liable to the Controller for the performance of each Sub-processor's obligations

If the Controller objects to a new Sub-processor on reasonable data protection grounds, it must notify the Processor in writing within the 15-day notice period and describe the basis of the objection. The parties shall discuss the concern in good faith. If the Processor cannot reasonably address the objection, either party may terminate the affected feature or the affected portion of the Service on written notice, without penalty for the terminated portion.

7. International Transfers

The Controller instructs the Processor to make Restricted Transfers only where necessary to provide the Service and only where appropriate safeguards are in place.

Where the Processor transfers Personal Data outside the UK or EEA, the Processor shall use one or more of the following transfer mechanisms, as applicable:

  • An adequacy decision or adequacy regulations issued by the UK or EU
  • The European Commission's standard contractual clauses, together with the UK International Data Transfer Addendum or International Data Transfer Agreement where required
  • Another lawful transfer mechanism recognised under Data Protection Laws

The Processor shall make information about the applicable transfer mechanism available to the Controller on request, subject to confidentiality obligations.

8. Security Incidents

The Processor shall notify the Controller without undue delay after becoming aware of a Security Incident affecting Personal Data processed under this DPA, and will aim to provide initial notice within 24 hours where feasible.

The notification shall include, to the extent the information is then available:

  1. A description of the nature of the Security Incident, including the categories and approximate number of Data Subjects and records concerned
  2. The name and contact details of the point of contact for further information
  3. A description of the likely consequences
  4. A description of the measures taken or proposed to address the incident

The Processor may provide information in phases as it becomes available. The Processor shall co-operate with the Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of the Security Incident.

9. Audits

The Processor shall make available to the Controller all information reasonably necessary to demonstrate compliance with this DPA, including by providing relevant security documentation on request.

If the information made available is not sufficient for the Controller to verify compliance, the Controller may, no more than once per year and on at least 30 days' written notice, conduct or commission a reasonable audit of the Processor's relevant processing activities.

Any audit shall:

  1. Be limited to information, systems, and records relevant to the Processor's obligations under this DPA
  2. Be conducted during normal business hours and in a manner that does not unreasonably interfere with the Processor's operations
  3. Be subject to appropriate confidentiality obligations
  4. Not require access to information relating to other customers, the Processor's trade secrets, or systems unrelated to the Service
  5. Be conducted at the Controller's expense, unless the audit identifies a material breach of this DPA
  6. Use an independent third-party auditor who is not a competitor of the Processor, if the audit is performed by a third party

The parties shall use remote review and documentation review first. On-site access will be required only where reasonably necessary and where less intrusive means are insufficient.

10. Data Deletion and Return

On termination of the Service, the Processor shall, at the Controller's election:

  1. Return the relevant Personal Data to the Controller in a commonly used, machine-readable format; or
  2. Delete the relevant Personal Data and confirm deletion in writing on request

The Processor shall complete deletion of live production data within 30 days of termination, except where retention is required by applicable law, in which case the Processor shall continue to protect the retained data in accordance with this DPA.

Backup copies shall be deleted or overwritten in accordance with the Processor's standard backup rotation schedule, which does not exceed 30 days.

11. Liability

Each party's liability under this DPA is subject to the limitations and exclusions of liability set out in the Customer Agreement, except to the extent such limitations are prohibited by Data Protection Laws.

12. Term

This DPA shall remain in effect for the duration of the Processor's processing of Personal Data on behalf of the Controller. Obligations that by their nature should survive termination, including confidentiality, data deletion, international transfer, audit, and liability obligations, shall survive.

Annex 1 - Details of Processing

Subject matter and duration

The processing of Personal Data through the SquirrelStack platform for the duration of the Controller's subscription and any limited post-termination period required to return or delete data.

Nature and purpose of processing

The Processor provides a suite of business tools. Personal Data is processed as necessary to deliver the features activated by the Controller, including:

  • Collecting and aggregating website visitor analytics
  • Storing and managing help desk conversations and support tickets
  • Storing and managing CRM contacts, companies, deals, and activities
  • Managing project tasks, stories, and assignments
  • Monitoring website uptime and tracking application errors
  • Syncing data from third-party platforms connected by the Controller
  • Scheduling bookings and sending associated notifications

Categories of Data Subjects

  • The Controller's employees and authorised users
  • The Controller's website visitors
  • The Controller's customers and contacts
  • The Controller's support correspondents

Types of Personal Data

  • Name, email address, phone number, and job title
  • Company name and domain
  • Device information, browser type, and country derived from IP address
  • IP addresses masked to subnet level for analytics
  • Support conversation content
  • CRM activity records and deal information
  • Project and task descriptions, comments, and assignments
  • Booking details, including name, email, and scheduled time
  • Application error reports, request context, and stack traces

Special categories of data

The Service is not intended for the routine processing of special categories of Personal Data or criminal offence data. The Controller must not submit such data unless the parties have agreed in writing on the nature of the data, the purpose of the processing, and the additional safeguards that will apply.

If the Processor becomes aware that such data has been submitted without prior agreement, the Processor may take reasonable steps to restrict access to, delete, or securely isolate the data, and will notify the Controller where appropriate.

Annex 2 - Technical and Organisational Measures

The Processor implements the following measures to protect Personal Data:

Encryption

  • All data in transit is encrypted using TLS 1.2 or higher
  • Sensitive data at rest, including API keys, OAuth tokens, and SMTP credentials, is encrypted using Rails application-level encryption
  • Database backups are encrypted

Access control

  • Authentication via OAuth 2.0 with optional password-based access
  • Account-level data isolation enforced at the application layer through policy-based authorisation
  • Administrative access to infrastructure is restricted to authorised personnel

Data minimisation

  • Analytics data is collected without cookies and with IP addresses masked to the subnet level
  • Visitor tokens are generated server-side with daily-rotating salts to reduce cross-day linkability
  • Bot traffic is excluded from analytics data where detected

Monitoring and incident response

  • Application error monitoring and alerting
  • Audit logging of significant account actions
  • Uptime monitoring of Service availability
  • Incident investigation and remediation procedures

Business continuity

  • Automated database backups with point-in-time recovery
  • Backup retention period of up to 30 days
  • Infrastructure deployed across multiple availability zones where supported by the hosting environment

Annex 3 - Sub-processors

The following Sub-processors are engaged by the Processor:

Sub-processor Purpose Location Transfer safeguard
Cloudflare, Inc. CDN, DDoS protection, DNS, and file storage (R2) United States / Global Adequacy regulations where available, or SCCs with UK Addendum / IDTA as applicable
Scaleway SAS Transactional email delivery France No restricted transfer for EEA-hosted processing
Stripe, Inc. Payment processing and billing United States Adequacy regulations where available, or SCCs with UK Addendum / IDTA as applicable
Google LLC OAuth authentication United States Adequacy regulations where available, or SCCs with UK Addendum / IDTA as applicable
MailerSend (Mailgun Technologies, Inc.) Transactional email delivery United States / EU Adequacy regulations where available, or SCCs with UK Addendum / IDTA as applicable
OpenAI, LLC AI-powered conversation summarisation United States Adequacy regulations where available, or SCCs with UK Addendum / IDTA as applicable

Where the Controller connects optional third-party integrations such as Google Ads, Google Search Console, LinkedIn Ads, HubSpot, Help Scout, Xero, Slack, or Zoom, data is shared with those platforms on the Controller's instructions and under the Controller's own agreements with those providers. These platforms act as independent controllers or separate processors to the Controller, and are not Sub-processors of the Processor for the purposes of this DPA.

Contact

For questions about this DPA, please contact us at:

Future Mill Limited
Email: [email protected]