Data Processing Agreement

Last Updated: 02 December 2025

This Data Processing Agreement ("DPA") forms part of the agreement between Fortyx Technologies Ltd ("Processor," "Fortyx," "we," or "us") and the customer ("Controller," "you," or "your") for the provision of Fortyx's products and services (the "Services").

Processor: Fortyx Technologies Ltd, Company Number: 16036977, 37 Harebell Road, Emersons Green, Bristol BS16 7LY, United Kingdom. Email: contact@fortyx.co.

Controller: The customer who has entered into a service agreement with Fortyx Technologies Ltd.

1. Definitions

  • Controller: The entity that determines the purposes and means of processing personal data — the customer using Fortyx's Services.
  • Processor: The entity that processes personal data on behalf of the Controller — Fortyx Technologies Ltd.
  • Personal Data: Any information relating to an identified or identifiable natural person, as defined under applicable data protection law.
  • Processing: Any operation or set of operations performed on personal data, including collection, recording, organisation, structuring, storage, adaptation, retrieval, consultation, use, disclosure, dissemination, restriction, erasure, or destruction.
  • Subprocessor: A third party engaged by Fortyx to process personal data on behalf of the Controller.
  • Data Protection Law: All applicable legislation relating to the processing of personal data, including the UK GDPR, the Data Protection Act 2018, and any successor legislation.
  • Data Subject: An identified or identifiable natural person whose personal data is processed.

2. Roles of the Parties

The Customer acts as the Controller and Fortyx acts as the Processor in respect of the personal data processed under this DPA. Fortyx will only process personal data on behalf of and in accordance with the documented instructions of the Controller, unless required by applicable law.

3. Scope, Nature, and Purpose of Processing

Purpose of Processing

Fortyx processes personal data in connection with the provision of its email security, data loss prevention (DLP), and related cybersecurity services, including:

  • Email threat detection and analysis (phishing, impersonation, malware)
  • AI-generated content detection
  • Data loss prevention policy enforcement
  • Security event logging and alerting
  • Risk scoring and reporting
  • Technical support and troubleshooting

Nature of Processing

Processing operations include:

  • Collection, storage, and retrieval of data
  • Automated analysis and classification
  • Logging, monitoring, and alerting
  • Encryption and pseudonymisation
  • Deletion and anonymisation upon termination or request

Types of Personal Data

  • Email metadata (sender, recipient, subject line, timestamps)
  • Email content processed for security analysis and DLP policy enforcement
  • Employee and end-user identifiers (names, email addresses, user IDs)
  • Device and network information associated with endpoint DLP
  • Activity logs and audit trails generated through use of the Services

Categories of Data Subjects

  • Employees and staff of the Controller
  • Contractors and third-party users of the Controller's email systems
  • External senders and recipients of emails processed by the Services

4. Customer Instructions

Fortyx shall process personal data only on documented instructions from the Controller, unless required to do so by applicable law. If Fortyx is required by law to process personal data other than on the Controller's instructions, Fortyx will inform the Controller of that legal requirement before processing, unless prohibited from doing so.

The Controller's instructions are defined by the service agreement and this DPA. Any additional instructions must be agreed in writing.

5. Confidentiality

Fortyx shall ensure that all personnel authorised to process personal data have committed to confidentiality or are under an appropriate statutory obligation of confidentiality. Access to personal data is restricted to personnel who need it to perform their duties.

6. Security Measures

Fortyx shall implement appropriate technical and organisational measures ("TOMs") to ensure a level of security appropriate to the risk, including:

  • Encryption of personal data in transit and at rest
  • Measures to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems
  • The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident
  • A process for regularly testing, assessing, and evaluating the effectiveness of security measures
  • Access controls and role-based permissions
  • Regular vulnerability scanning and penetration testing
  • Monitoring, audit logging, and alerting
  • Secure development lifecycle practices

Further details are provided in Schedule 1 below.

7. Subprocessors

Fortyx relies on only one subprocessor:

  • Amazon Web Services (AWS): Cloud infrastructure provider used for hosting, storage, and compute. AWS processes data in accordance with its own data processing addendum and maintains certifications including ISO 27001, SOC 2, and others. Data is hosted in the AWS EU (London) region (eu-west-2) unless otherwise agreed.

Fortyx shall not engage additional subprocessors without the prior written authorisation of the Controller. Fortyx will notify the Controller of any intended changes to subprocessors, giving the Controller the opportunity to object. If the Controller objects on reasonable grounds, the parties shall work together in good faith to find a resolution.

Fortyx shall impose the same data protection obligations as set out in this DPA on any subprocessor by way of a written contract and shall remain fully liable to the Controller for the performance of each subprocessor's obligations.

8. International Data Transfers

Fortyx shall not transfer personal data outside the United Kingdom unless appropriate safeguards are in place in accordance with applicable data protection law. Where transfers are necessary, Fortyx shall ensure they are protected by:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • UK International Data Transfer Agreement (UK IDTA) or UK Addendum to the EU SCCs
  • Adequacy decisions, where applicable

Details of any international transfers will be provided to the Controller upon request.

9. Data Subject Rights

Fortyx shall assist the Controller in fulfilling its obligations to respond to requests from data subjects exercising their rights under applicable data protection law, including rights of access, rectification, erasure, restriction, portability, and objection. Fortyx shall promptly notify the Controller if it receives a request from a data subject and shall not respond to such requests directly unless authorised by the Controller.

10. Breach Notification

Fortyx shall notify the Controller without undue delay (and in any event within 48 hours) upon becoming aware of a personal data breach. The notification shall include, to the extent available:

  • A description of the nature of the breach
  • The categories and approximate number of data subjects and records concerned
  • The likely consequences of the breach
  • The measures taken or proposed to address and mitigate the breach

Fortyx shall cooperate with the Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of the breach.

11. Audit Rights

Fortyx shall make available to the Controller all information necessary to demonstrate compliance with this DPA and applicable data protection law. Fortyx shall allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller, subject to the following conditions:

  • The Controller shall provide at least 30 days' written notice.
  • Audits shall be conducted no more than once annually, unless required by a supervisory authority.
  • The auditor must agree to appropriate confidentiality obligations.
  • Audits shall be conducted during normal business hours and shall not unreasonably disrupt Fortyx's operations.

12. Return and Deletion of Data

Upon termination or expiry of the service agreement, Fortyx shall, at the choice of the Controller, delete or return all personal data processed on behalf of the Controller, and delete existing copies unless applicable law requires retention.

Fortyx operates a 90-day backup cycle. Data held in backups will be securely deleted in accordance with this cycle after termination, unless a shorter period is agreed in writing. Fortyx shall certify deletion upon the Controller's request.

13. Liability

Each party's liability under this DPA shall be subject to the limitations and exclusions of liability set out in the service agreement. Nothing in this DPA excludes or limits either party's liability for death or personal injury caused by negligence, fraud or fraudulent misrepresentation, or any other liability that cannot be excluded or limited by law.

14. Duration

This DPA shall remain in effect for the duration of the service agreement between the Controller and Fortyx. Obligations that by their nature should survive termination (including confidentiality, data deletion, and liability provisions) shall continue in force after termination.

Schedule 1: Technical and Organisational Measures

The following measures are implemented by Fortyx Technologies Ltd to protect personal data:

Organisational Measures

  • Information security policies and procedures
  • Staff training on data protection and security awareness
  • Confidentiality agreements with all personnel
  • Defined roles and responsibilities for data protection
  • Incident response plan and breach notification procedures
  • Vendor and subprocessor due diligence and management
  • Regular review and update of security policies

Technical Measures

  • Encryption of data in transit (TLS 1.2+) and at rest (AES-256)
  • Role-based access controls (RBAC) and least-privilege principles
  • Multi-factor authentication (MFA) for administrative access
  • Network segmentation and firewall protections
  • Regular vulnerability scanning and penetration testing
  • Continuous monitoring, logging, and alerting (SIEM)
  • Automated backup and disaster recovery procedures
  • Secure development lifecycle (SDLC) practices
  • Endpoint protection and device management

Contact Us

For questions about this Data Processing Agreement or to exercise any rights under it, please contact us:

Fortyx Technologies Ltd
Email: contact@fortyx.co
37 Harebell Road, Emersons Green, Bristol BS16 7LY, United Kingdom
Company Number: 16036977