DATA PROCESSING AGREEMENT
This Agreement is entered into by and between:Client Max Limited, a company incorporated in England and Wales with registered office at Lower Ground Floor, 122 Bath Road, Cheltenham, Gloucestershire, United Kingdom, GL53 7JX, company number 15722060 (the “Processor” or “Client Max”)ANDThe customer or user of Client Max’s services who has accepted the Client Max Terms of Service (the “Controller” or “Client”).This Data Processing Agreement (“Agreement”) forms part of the Terms of Service between the parties.
Controller: The party that determines the purposes and means of processing personal data.Processor: The party that processes personal data on behalf of the Controller.Data Subject: An individual whose personal data is processed.Personal Data: Any information relating to an identified or identifiable natural person.Sub-processor: Any third party engaged by the Processor to assist in fulfilling its obligations.Services: The software platform and related services provided by Client Max as described in the Terms of Service.
Client Max will process Personal Data only as necessary to deliver the Services under the Terms of Service. The nature and purpose of the processing include: storage, transmission, automation, analytics, and communications as directed by the Controller.
Client Max agrees to:
Only process personal data on documented instructions from the Controller, unless required by law.Ensure all staff with access to personal data are bound by confidentiality.Implement appropriate technical and organisational security measures (e.g., encryption, access control).Notify the Controller without undue delay upon becoming aware of a personal data breach.Assist the Controller in complying with their obligations (e.g. responding to Data Subject Access Requests).At the end of the agreement, delete or return all personal data unless required to retain it by law.Maintain records of processing activities.
The Controller agrees to:
Ensure that any data shared with Client Max is lawfully obtained and processed.Provide lawful instructions and cooperate with the Processor.Not use the platform to process special category or sensitive data unless lawfully permitted and consented.Remain responsible for Data Subject rights under GDPR.
Client Max may engage sub-processors, including:
GoHighLevel / HighLevel Inc. (CRM platform provider)Twilio & Lead Connector (communication tools)Amazon Web Services (data hosting)Other sub-processors necessary for the provision of the service.
Client Max will ensure sub-processors are subject to the same data protection obligations. The Controller will be notified of any changes to sub-processors and may object on reasonable grounds.A current list of authorised sub-processors is available at: clientmax.com/subprocessorsWe will notify Controllers by email at least 14 days in advance of any intended changes.
Some data may be processed or stored outside the UK. In such cases, Client Max will ensure that appropriate safeguards (e.g. Standard Contractual Clauses or UK Addendum) are in place to protect personal data.
Client Max will promptly notify the Controller if it receives a request from a data subject and will not respond directly without the Controller’s consent, unless legally required. Client Max will assist the Controller in responding to requests related to data access, correction, erasure, portability, and objection.
Client Max has implemented security measures appropriate to the risk, including:
Role-based access controlsData encryption in transitSecure cloud infrastructureActivity logging and auditingRegular data backups
More details available upon request.
The Controller has the right to request information to verify Client Max’s compliance with this DPA. Client Max will make available relevant documentation or cooperate with audits as reasonably required, subject to confidentiality obligations.
Liability is governed by the main Terms of Service. This DPA does not change or expand the parties’ liabilities under those terms.
This DPA remains in force for as long as Client Max processes personal data on behalf of the Controller. Upon termination of the main agreement, Client Max will delete or return personal data unless retention is legally required.
This DPA is governed by the laws of England and Wales. Any disputes shall be subject to the exclusive jurisdiction of the English courts.
By using the Client Max platform and agreeing to the Terms of Service, the Controller is also deemed to have accepted the terms of this Data Processing Agreement.