Skip to content

Data Processing Addendum

Last updated: 24 April 2026

This DPA forms part of the agreement between FreshGeo Ltd (“Processor”) and the Customer (“Controller”) and applies whenever FreshGeo processes Personal Data on behalf of the Controller.

Contact: dpa@freshgeo.com.

1. Subject matter and duration

FreshGeo processes Personal Data the Controller submits through the FreshGeo API and dashboard, for the duration of the subscription plus up to 30 days for deletion.

2. Nature and purpose

To provide the data-API service: receive queries, match against FreshGeo’s dataset, return enriched results, maintain logs for billing and security.

3. Types of Personal Data

Typically: names, business email addresses, business phone numbers, company details, IP addresses, job titles and any other fields the Controller chooses to submit.

4. Categories of data subjects

Typically: the Controller’s prospects, customers, employees and end users. The Controller decides who they query.

5. Processor obligations

FreshGeo will:

  1. Process Personal Data only on documented instructions from the Controller (the Agreement, API calls, dashboard configuration).
  2. Ensure personnel with access are under confidentiality obligations.
  3. Apply the security measures summarised below.
  4. Assist the Controller with data subject requests, DPIAs and regulator enquiries.
  5. Notify the Controller of a personal data breach without undue delay and within 72 hours of becoming aware.
  6. Delete or return Personal Data at the end of the subscription per section 10.
  7. Make available information needed to demonstrate compliance.

6. Sub-processors

The Controller authorises FreshGeo to use sub-processors listed at freshgeo.com/subprocessors. FreshGeo will:

  • Impose equivalent data-protection obligations on each sub-processor.
  • Give 30 days’ notice before adding or changing one.
  • Remain liable for sub-processor acts and omissions.

7. International transfers

Where FreshGeo transfers Personal Data outside the UK/EEA, the parties rely on:

  • The UK International Data Transfer Agreement (IDTA), and
  • The EU Standard Contractual Clauses (Module 2, Controller-to-Processor, 2021),

each incorporated by reference, with FreshGeo as data importer and the Controller as data exporter.

8. Security measures

FreshGeo maintains:

  • Encryption in transit (TLS 1.2+) and at rest (AES-256).
  • Role-based access control with SSO and MFA.
  • Network segmentation and firewalling.
  • Centralised logging and anomaly detection.
  • Annual third-party penetration testing.
  • Quarterly access reviews and vendor reviews.
  • Documented incident response.
  • SOC 2 Type II audit in progress; report available under NDA.
  • ISO 27001 alignment underway for 2026.

The current security overview is at freshgeo.com/security.

9. Audit rights

FreshGeo provides its SOC 2 report (under NDA) annually, which satisfies standard audit requirements. Enterprise Controllers with a documented regulatory obligation may request an on-site audit once per 12 months, at their cost, on 30 days’ notice, during business hours, limited to FreshGeo’s processing of their data.

10. Return and deletion

Within 30 days of termination, FreshGeo will delete Controller Personal Data from live systems. Encrypted backups are purged on a rolling 35-day cycle. On written request, FreshGeo will provide a one-time export in a standard format before deletion.

11. Liability

Liability under this DPA is subject to the limits in the Agreement (Terms of Service, section 9).

12. Order of precedence

If this DPA conflicts with the Agreement, this DPA wins for data protection matters.

Contact

dpa@freshgeo.com