1. Overview and parties
This Data Processing Agreement (the Agreement) forms part of the service arrangements between:
Supplier
- Company name: ParlyReply Ltd
- Company number: 16698397
- Registered address: 167–169 Great Portland Street, London, W1W 5PF
- Email: william.jewers@parlyreply.com
Customer
The parliamentary office or other customer that has entered into a service agreement with ParlyReply. The specific customer details (name, address, and contact email) are set out in the Contract Details or order form agreed between the parties.
ParlyReply Ltd is referred to in this Agreement as the Supplier, and the parliamentary office or other customer is referred to as the Customer. Each may be referred to individually as a Party and together as the Parties.
The background to this Agreement is that the Supplier provides a casework management platform and related services to the Customer, and in doing so processes personal data on the Customer's behalf in accordance with UK data protection laws.
2. Processing details
2.1 Purpose of processing
The Supplier processes personal data for the purpose of providing and supporting the Customer's use of the Supplier's casework management platform. This includes functionality such as:
- email triage and routing
- case creation and management
- constituent record management
- AI search and research features
- SLA tracking and analytics
- related technical support and maintenance
2.2 Scope and nature of the processing
The Supplier processes personal data about the Customer's constituents, staff, and other third parties in digital form. This may include:
- collection and receipt of correspondence and case data
- classification and triage of messages
- association of data with case records
- drafting assistance and AI-supported features
- storage, retrieval, and display within the platform
- deletion in line with agreed retention policies
Processing is carried out solely as necessary to enable the Customer to manage casework and other duties through the platform.
2.3 Categories of data subjects
- Constituents (individuals who live in the constituency and contact the MP or office)
- The Customer's employees and office staff (e.g. MPs, caseworkers, researchers, assistants)
- Third parties referenced in correspondence or casework (e.g. public bodies, companies, other individuals)
2.4 Categories of personal data
- Identification details (such as name, postal address, postcode, date of birth)
- Contact details (such as email address, phone number, preferred contact method)
- Casework-related information (content of correspondence, attachments, case history, notes, categories, tags)
- Metadata (message headers, time of contact, IP address where provided)
- Engagement and case status information (assigned staff, SLA dates, case outcomes)
2.5 Special category data and criminal offence data
In the context of constituency casework, the Customer Personal Data may include special category data and data relating to criminal convictions or offences, for example:
- health data (such as NHS numbers, conditions, GP details)
- racial or ethnic origin
- political opinions and affiliations
- religious or philosophical beliefs
- trade union membership
- sexual orientation
- information relating to criminal convictions or offences where referenced in casework
The Customer, as data controller, determines the lawful basis for processing such data. In a parliamentary context this will typically include:
- Article 6(1)(e) UK GDPR – processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority; and
- Article 9(2)(g) UK GDPR together with Data Protection Act 2018 Schedule 1, Part 2, paragraph 23 – processing necessary for reasons of substantial public interest, namely elected representatives responding to requests from individuals.
The Supplier, acting as processor, processes such data only on the documented instructions of the Customer.
2.6 Duration of processing
The Supplier processes Customer Personal Data for the duration that it provides casework management services to the Customer, and for as long as is necessary to fulfil the Purpose, subject to agreed data retention and deletion policies and any legal requirements.
3. Definitions and interpretation
In this Agreement, the following expressions have the meanings set out below:
- Agreement – this Data Processing Agreement, including the Contract Details and any schedules.
- Customer Personal Data – personal data processed by the Supplier on behalf of the Customer under this Agreement, as described in the Processing Details.
- Data Protection Laws – all applicable data protection and privacy legislation in force in the United Kingdom, including the UK GDPR, Data Protection Act 2018, and the Privacy and Electronic Communications Regulations, in each case as amended or replaced.
- Data controller, data processor, personal data, processing, and appropriate technical and organisational measures – have the meanings given in the UK GDPR.
- DP Regulator – a valid supervisory authority under UK GDPR; in the UK, this is normally the Information Commissioner's Office (ICO).
- Personal Data Breach – a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
- Purpose – the purpose for processing Customer Personal Data, as described in the Processing Details.
- Sub-Processor – any processor engaged by the Supplier (or another Sub-Processor) to carry out processing activities in respect of the Customer Personal Data.
References to a person include an individual, company, partnership or other legal entity. Headings do not affect interpretation. References to legislation include any amendments or replacements. Words such as "including" do not limit the preceding words. References to writing include email (but not other forms of electronic communication such as instant messaging).
4. Data protection roles and relationship
The Parties acknowledge that, in respect of Customer Personal Data:
- the Customer is the data controller; and
- the Supplier is the data processor.
Each Party will comply with its respective obligations under Data Protection Laws in relation to personal data that is shared or processed under this Agreement. Nothing in this Agreement relieves a Party of its own obligations under those laws.
5. Data processing obligations
5.1 Records of processing
Each Party will maintain records indicating how it processes personal data under its responsibility and will make such records available to a DP Regulator on request, to the extent required by Data Protection Laws.
5.2 Supplier obligations as processor
To the extent the Supplier processes Customer Personal Data on behalf of the Customer, the Supplier shall:
- process Customer Personal Data only on the documented instructions of the Customer, including as necessary for the Purpose, unless required to do otherwise by applicable law (in which case the Supplier will notify the Customer where permitted);
- implement appropriate technical and organisational measures to protect against unauthorised or unlawful processing and against accidental loss, destruction, or damage, including measures relating to confidentiality, integrity, availability, resilience, backup and recovery, and regular testing of controls;
- maintain the confidentiality of Customer Personal Data, ensure that only authorised personnel with appropriate confidentiality obligations have access to it, and not disclose it to third parties except as permitted by this Agreement;
- assist the Customer in responding to data subject rights requests, as described in the section on Data Subject Rights;
- promptly (and in any event within 24 hours) notify the Customer upon becoming aware of a Personal Data Breach affecting Customer Personal Data, and provide information as reasonably required to report the incident to a DP Regulator and to notify affected data subjects where required by law.
6. Sub-processors
The Customer provides its prior general authorisation for the Supplier to appoint Sub-Processors to process Customer Personal Data, provided that the Supplier:
- ensures that any Sub-Processor is subject to obligations that are materially similar to those imposed on the Supplier under this Agreement and complies with applicable Data Protection Laws;
- remains responsible to the Customer for the acts and omissions of its Sub-Processors as if they were its own; and
- maintains an up-to-date list of current Sub-Processors and notifies the Customer in advance of any intended changes, allowing the Customer to object on reasonable and documented data protection grounds, in which case the Parties will discuss a suitable way forward in good faith.
7. Data subject rights and regulator communications
7.1 Referral of requests
If the Supplier receives any request, complaint, or other communication from a data subject relating to Customer Personal Data (including rights of access, rectification, erasure, restriction, portability, or objection), the Supplier shall:
- promptly (and in any event within five days of receipt) forward it to the Customer; and
- not respond directly to the data subject except on the documented instructions of the Customer, unless required to do so by law.
7.2 Assistance
The Supplier will provide all reasonable assistance to enable the Customer to respond to data subject requests in accordance with Data Protection Laws. Routine support that can be delivered as part of ordinary service provision (for example, providing access to records or clarifying how data is processed) will be provided at no additional charge. Where assistance goes beyond routine support (for example, complex or repeated requests), the Supplier may charge reasonable additional costs, agreed in advance.
7.3 Regulator communications
If the Supplier receives any communication from the Information Commissioner's Office or any other supervisory authority that relates to Customer Personal Data, it shall promptly notify the Customer and cooperate as reasonably required.
8. International transfers
The Supplier may transfer Customer Personal Data outside the UK and EEA as required to process the data for the Purpose, provided that all such transfers are made in accordance with Data Protection Laws. This may include the use of appropriate safeguards such as the UK International Data Transfer Agreement (IDTA) or the UK Addendum to EU Standard Contractual Clauses.
The Customer will promptly comply with any reasonable request from the Supplier required to put such safeguards in place.
9. Audit
The Supplier will make available to the Customer such information as is reasonably required to demonstrate compliance with this Agreement and Data Protection Laws, and will allow for:
- one audit or inspection in each twelve-month period at the Customer's cost; and
- an additional audit at no extra cost where an actual or suspected Personal Data Breach has occurred.
Audits must be notified with at least 30 days' written notice (except in the case of a suspected breach) and conducted so as to minimise disruption. The Supplier shall also ensure that relevant Sub-Processors provide information reasonably required to demonstrate compliance.
10. Termination and effect of termination
This Agreement remains in effect for the duration of processing and until all obligations in respect of Customer Personal Data have been discharged.
Where the Supplier no longer requires Customer Personal Data for the Purpose, it shall, at the written direction of the Customer and within 30 days of termination:
- return all Customer Personal Data to the Customer as a secure, encrypted archive; or
- delete all Customer Personal Data from its systems, except where retention is required by law.
Following completion of return or deletion, the Supplier shall provide written confirmation of the steps taken. Customer Personal Data is considered deleted where it can no longer be used or reasonably reconstructed.
Where the Supplier is required by law to retain any Customer Personal Data, it will notify the Customer of that requirement and ensure that such data is kept securely and used only for the required purpose.
11. Liability and indemnity
11.1 Customer indemnity (controller)
The Customer shall indemnify and keep indemnified the Supplier against all claims, costs, damages, expenses, and liabilities (including reasonable legal fees) arising out of or in connection with:
- any breach by the Customer of Data Protection Laws; or
- the Supplier's processing of Customer Personal Data in accordance with the Customer's documented instructions, where such instructions infringe Data Protection Laws.
11.2 Supplier indemnity (processor)
The Supplier shall indemnify and keep indemnified the Customer against all claims, costs, damages, expenses, and liabilities (including reasonable legal fees) arising out of or in connection with any breach by the Supplier (or its authorised Sub-Processors) of this Agreement or of its direct obligations under Data Protection Laws applicable to processors.
11.3 Limitations of liability
The indemnities in this Agreement are subject to the following limitations:
- neither Party excludes or limits its liability for fraud, fraudulent misrepresentation, or any other liability which cannot lawfully be excluded; and
- subject to the above, each Party's total aggregate liability under this Agreement (including under the indemnities) shall not exceed the total fees paid or payable by the Customer to the Supplier under the principal service agreement in the twelve months preceding the event giving rise to the claim.
12. General terms
- Costs: each Party is responsible for its own legal and other costs in relation to the preparation and performance of this Agreement.
- Survival: clauses relating to international transfers, audit, termination, liability, and other provisions intended to survive termination will continue to apply after this Agreement ends.
- Relationship of the Parties: the Parties are independent businesses and nothing in this Agreement creates a partnership, agency, or employment relationship.
- Third party rights: this Agreement is not intended to give rights to anyone other than the Parties, except as permitted by law.
- Assignment and other dealings: no Party may assign or encumber rights or obligations under this Agreement without the other Party's written consent, except as expressly permitted.
- Entire Agreement: this Agreement, together with documents referred to in it, constitutes the entire agreement between the Parties regarding its subject matter.
- Variation: any amendment must be in writing and signed by authorised signatories of both Parties.
- Severability: if any provision is found to be invalid or unenforceable, it will be modified or deleted to the extent necessary, and the remaining provisions will continue in full force.
- Waiver: a delay or omission in exercising a right or remedy is not a waiver of that right or remedy.
- Notices: notices must be in writing and sent to the addresses set out in the Contract Details or as otherwise notified. Letters are deemed delivered three business days after posting within the UK; emails on the same day (or next business day if sent after 5pm or on a non-business day).
- Governing law: this Agreement is governed by the law of England and Wales, and the courts of England and Wales have exclusive jurisdiction over any disputes.
Schedule 1 – Current sub-processors
The following organisations are authorised to act as sub-processors for the ParlyReply service:
This list may be updated from time to time in accordance with the “Sub-processors” section of this Agreement.