Clear data roles
The client normally controls the purpose; WebCOSS processes documented instructions.

Controller/processor terms for client personal data and UK–India delivery
Use the contents panel to move between clauses or search this document.
Read the policyThe client normally controls the purpose; WebCOSS processes documented instructions.
Confidentiality, safeguards and breach-notification duties are defined.
The DPA supports authorised delivery across the UK, India and approved providers.
This Addendum applies where WebCOSS processes client personal data as part of development, hosting, maintenance, support, migration or operation of a client service.
Try a different word or clear the search to show the complete policy.
This Data Processing Addendum ('DPA') forms part of the contract between WebCOSS and the Client where WebCOSS processes personal data on the Client's behalf. It applies to the extent required by applicable data-protection law. Defined terms have the meaning in the Terms or applicable law.
The Client is the controller or Data Fiduciary and WebCOSS is the processor or Data Processor for Client Personal Data, except where WebCOSS independently determines purposes and means for its own account management, security, billing, legal compliance, or service improvement using appropriately aggregated or de-identified data.
WebCOSS will process Client Personal Data only on the Client's documented instructions, including the contract, configuration, support requests, and authorised user actions, unless law requires otherwise. If lawful, WebCOSS will notify the Client before processing required by law. WebCOSS will promptly inform the Client if an instruction appears to violate applicable data-protection law.
WebCOSS will ensure that personnel authorised to process Client Personal Data are subject to confidentiality obligations and receive appropriate privacy and security guidance. Access will be limited to personnel who need it for the Services.
WebCOSS will implement reasonable technical and organisational measures appropriate to the risk and the Service, which may include access control, least privilege, authentication, encryption in transit, secure development, logging, malware protection, patching, backups, vulnerability handling, incident response, and supplier controls. Specific measures or certifications apply only if stated in the Order.
The Client remains responsible for its configuration, authorised users, endpoints, lawful data collection, retention settings, and security controls outside WebCOSS's management.
The Client gives general authorisation for WebCOSS to use sub-processors needed to provide the Services, including hosting, cloud, backup, content-delivery, communications, support, monitoring, analytics, development, and security providers and specialist contractors.
WebCOSS will impose data-protection obligations appropriate to the processing. On request, WebCOSS will provide available information about material sub-processors. For a Subscription Service where ongoing processor access is material, WebCOSS will provide reasonable notice of a new sub-processor and consider a substantiated objection based on data-protection risk. If the parties cannot resolve the objection, the Client may terminate the affected Service as its exclusive remedy.
The Client authorises processing in the UK, India, and other locations used by approved sub-processors. Each party will comply with transfer restrictions applicable to it. Where WebCOSS initiates a restricted transfer of UK personal data and no adequacy regulation applies, the parties will use an appropriate UK transfer mechanism, which may include the International Data Transfer Agreement or the UK Addendum, together with a transfer risk assessment and supplementary measures where required.
The parties will cooperate with requirements applicable to transfers of Indian personal data as relevant provisions and government directions take effect.
Taking account of the nature of processing, WebCOSS will provide reasonable assistance through appropriate technical and organisational measures for the Client to respond to requests to access, correct, erase, restrict, port, object, withdraw consent, or exercise other applicable rights. WebCOSS may refer a requester to the Client unless instructed otherwise. Assistance beyond standard functionality may be charged where lawful.
WebCOSS will notify the Client without undue delay after becoming aware of a personal-data breach affecting Client Personal Data. As information becomes available, the notice will describe the nature of the incident, likely consequences, affected data and individuals where known, mitigation taken or proposed, and a contact for follow-up.
WebCOSS's notification is not an admission of fault. The Client is responsible for determining and making notices to regulators, affected individuals, and others, unless the parties agree otherwise or law directly requires WebCOSS to notify.
Taking account of the nature of processing and information available, WebCOSS will provide reasonable assistance with security, breach response, data-protection impact assessments, prior consultations, records, and regulatory enquiries relating to the Services. Additional or unusual assistance may be charged at agreed rates where permitted.
At the end of the Service, WebCOSS will, at the Client's choice and subject to payment, return or delete Client Personal Data within a reasonable period, except data retained in backups until normal overwrite or data that law requires WebCOSS to keep. During retention, the DPA continues to apply and processing is limited to storage, security, legal compliance, and deletion.
WebCOSS will make available information reasonably necessary to demonstrate compliance with this DPA. No more than once each year, unless a breach or regulator reasonably requires more, the Client may request a remote audit based on questionnaires, policies, reports, and evidence. An on-site audit requires at least 30 days' notice, must avoid disruption and exposure of other clients' data, and is at the Client's cost unless a material breach by WebCOSS is found.
Audit rights do not require WebCOSS to disclose trade secrets, vulnerability details that would create security risk, privileged information, or another client's confidential data.
The contract's liability limits apply to this DPA to the maximum extent permitted by law. If this DPA conflicts with the Terms about processing Client Personal Data, this DPA prevails. A signed DPA or mandatory transfer clause prevails over this standard DPA.