Data Processing Agreement
About this page
A Data Processing Agreement (DPA) is a legal contract between you as the data controller and PollSpark as your data processor. It sets out how we handle personal data collected through your sessions on your behalf, in compliance with Article 28 of the UK GDPR and the Data Protection Act 2018.
Who Needs a DPA
A DPA is appropriate for any organisation using PollSpark to collect personal data from staff, students, service users or members of the public. This includes NHS trusts, universities, colleges, local authorities and housing associations.
What Our DPA Covers
Our DPA covers the nature, purpose and duration of processing, the types of personal data processed and categories of data subjects, our obligations as processor covering confidentiality, security, sub-processors, breach notification, data subject rights and end-of-contract deletion, UK data residency confirmation, a full sub-processor list with locations, audit rights, and governing law under England and Wales.
Key Facts
| Item | Detail |
|---|---|
| Data storage location | UK only (Supabase, West London region) |
| Data transfers outside the UK | None in the ordinary course of service |
| Sub-processors | Supabase (UK), Vercel (UK/EU edge), Stripe (UK/EU), Resend (EU) |
| Breach notification | Within 72 hours of becoming aware |
| Data deletion on contract end | Within 90 days |
| Governing law | England and Wales |
Requesting a DPA
Email hello@pollspark.co.uk with your organisation name. We will respond within 5 working days. If your organisation has its own DPA template for review, please include it in your email.