Data Processing Addendum (UK)
Plain-English drafts. These pages are written for clarity, not as substitute legal advice. For binding interpretation, the version executed via dpo@qrnfctap.com on letterhead controls.
Data Processing Addendum
Last updated: 2026-05-02 · Version 1.0
This Data Processing Addendum ("DPA") forms part of the Terms of Service between QR NFC Tap Ltd ("Processor", "QR NFC Tap") and the customer ("Controller", "you") that has signed up for a paid subscription. It is incorporated into the Terms of Service by reference. Where the Controller is a B2B customer subject to GDPR, UK GDPR, or any equivalent regime, this DPA describes the parties' obligations regarding personal data that QR NFC Tap processes on the Controller's behalf.
⚠️ This is a draft template based on the EDPB-recommended structure for Article 28 GDPR processor agreements. Have your solicitor review and execute before relying on it as a binding instrument.
1. Definitions
Capitalised terms not defined here have the meanings given in GDPR Article 4 / UK GDPR Article 4.
- "Controller Personal Data" — personal data that the Controller (or its End-Users) provides to or generates within the Service, where QR NFC Tap acts as Processor.
- "End-User Data" — personal data of natural persons whose data the Controller collects via the Service (e.g. scanners of the Controller's QR codes, customers of the Controller's restaurant menu).
- "Sub-processor" — a third party engaged by QR NFC Tap to process Controller Personal Data on its behalf.
- "Personal Data Breach" — has the meaning in GDPR Article 4(12).
2. Roles
- The Controller determines the purposes and means of processing Controller Personal Data and End-User Data.
- QR NFC Tap acts as Processor in respect of Controller Personal Data and End-User Data.
- Where QR NFC Tap processes data for its own purposes (account management, billing, fraud prevention, security), QR NFC Tap acts as independent Controller. The Privacy Policy at /privacy governs that processing.
3. Subject matter, duration, nature, and purpose
- Subject matter: provision of the QR NFC Tap service (QR code generation, hosting of dynamic QR landing pages, scan analytics, wallet pass generation, related services).
- Duration: from the start of the Controller's subscription until termination + the retention periods stated in the Privacy Policy.
- Nature and purpose: hosting, processing, transmitting, and analysing Controller Personal Data and End-User Data as instructed by the Controller via the Service's standard configuration and the Controller's account settings.
- Categories of data subjects: Controller's authorised users, Controller's customers / scanners / leads.
- Categories of personal data: as configured by the Controller (typically: name, email, phone, business profile content, scan analytics — country/device/time, optionally photos).
4. QR NFC Tap's obligations as Processor
QR NFC Tap shall:
- Process Controller Personal Data only on documented instructions from the Controller (the Service configuration as the Controller has set it; this DPA; the Terms; lawful court orders, in which case QR NFC Tap will tell the Controller unless legally prohibited).
- Ensure that personnel authorised to process Controller Personal Data are bound by confidentiality undertakings.
- Implement appropriate technical and organisational measures (TOMs) to ensure security of processing — see Annex 2.
- Engage Sub-processors only with prior general authorisation (section 5).
- Assist the Controller in fulfilling data-subject rights requests (Articles 12-22), and obligations on security, breach notification, DPIAs, and prior consultation (Articles 32-36) — taking into account the nature of processing and information available to QR NFC Tap.
- Delete or return all Controller Personal Data at the end of the provision of services, unless EU/UK/applicable law requires storage.
- Make available to the Controller all information necessary to demonstrate compliance with Article 28; allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller.
5. Sub-processors
The Controller authorises QR NFC Tap to engage Sub-processors. The current list is at /privacy (section 5). QR NFC Tap will:
- Inform the Controller of any intended changes (additions or replacements) at least 30 days in advance via email to the Controller's account-admin address;
- Give the Controller the opportunity to object on reasonable grounds related to data protection;
- If the objection cannot be resolved, the Controller may terminate the affected services without penalty (pro-rata refund of any prepaid fees for the affected period).
6. Personal Data Breach
QR NFC Tap will notify the Controller of any Personal Data Breach affecting Controller Personal Data without undue delay after becoming aware (target: within 24 hours), providing:
- Description of the nature of the breach (categories + approximate number of data subjects + records affected);
- Likely consequences;
- Measures taken or proposed to address the breach and mitigate effects;
- Contact details for the QR NFC Tap data-protection contact.
7. Data subject rights
QR NFC Tap will provide tools (via the Controller's dashboard) for the Controller to fulfil its data-subject rights obligations directly. Where a data subject contacts QR NFC Tap directly, QR NFC Tap will redirect them to the Controller and notify the Controller within 3 business days.
8. International transfers
QR NFC Tap and Sub-processors are located in the EEA, UK, and US. For transfers outside the EEA / UK to a country without adequacy:
- QR NFC Tap relies on the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914, June 2021): Module 2 (controller-to-processor) between the Controller and QR NFC Tap where QR NFC Tap itself processes outside an adequacy area, and Module 3 (processor-to-sub-processor) between QR NFC Tap and its Sub-processors, with the ICO's UK Addendum for UK-origin transfers;
- QR NFC Tap has completed Transfer Impact Assessments for high-volume transfers;
- For US Sub-processors certified under the EU-US Data Privacy Framework, QR NFC Tap relies on that certification (and, for UK-origin transfers, on the UK Extension to the DPF).
The Controller and QR NFC Tap hereby agree to the SCCs as if executed by both parties, with the modules and clauses appropriate to the Controller's jurisdiction (see Annex 1).
9. Liability
The liability provisions in the Terms of Service apply. Liability for personal-data-related claims is not capped below the limit imposed by mandatory law (liability under GDPR / UK GDPR Article 82 cannot be excluded).
10. Term and termination
This DPA is effective from the date the Controller's subscription begins and continues until the Controller's subscription terminates. Provisions that should reasonably survive (confidentiality, return/deletion, audit rights, liability) survive.
11. Conflict
In case of conflict between this DPA and the Terms, this DPA prevails for matters relating to the processing of Controller Personal Data.
Annex 1 — Standard Contractual Clauses
Where the Controller is in the EEA / UK and QR NFC Tap or a Sub-processor processes Controller Personal Data outside an adequacy area, the EU SCCs (June 2021) Module 2 (controller-to-processor) apply between the Controller and QR NFC Tap, and Module 3 (processor-to-sub-processor) applies between QR NFC Tap and Sub-processors. The UK addendum issued by the ICO (effective 21 March 2022) is incorporated by reference for UK-origin transfers.
The parties' details, transfer details, and TOMs are populated as set out in this DPA and the Privacy Policy.
Annex 2 — Technical and organisational measures (TOMs)
QR NFC Tap maintains the following TOMs:
Encryption
- TLS 1.3 for all data in transit
- AES-256 for data at rest in databases and object storage
- HTTPS-only delivery; HSTS preload
Access control
- Role-based access for QR NFC Tap staff
- Multi-factor authentication mandatory
- Production credentials in a secret-management system, rotated quarterly
- Quarterly access review
Pseudonymisation / minimisation
- Scanner IPs truncated to /24 (IPv4) / /48 (IPv6) after country resolution: the host bits are zeroed and only the truncated value is stored
- Logs purged within 14 days
- Backups retained 30 days, encrypted
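The truncation rule above is the one concrete technique in this annex, so here is a worked version of it. This is an added example, not QR NFC Tap's own code: the function names, the scan-record layout, and the sample records are assumptions for illustration. It goes slightly beyond the bullet by unwrapping IPv4-mapped IPv6 addresses before masking (applying /48 to `::ffff:a.b.c.d` would otherwise keep the whole IPv4 address), and it includes the audit check a reviewer would want: a way to confirm that what is already in the analytics store has no host bits left.

```python
"""Scanner-IP truncation to /24 (IPv4) and /48 (IPv6), as listed in Annex 2.

Added example, not QR NFC Tap's own code. The rule is the one the TOMs state:
once the country has been resolved, zero the host bits so the stored value
names a network rather than a device. Record layout, function names and the
sample records are this example's own assumptions.
"""
import ipaddress

IPV4_PREFIX = 24   # keep 24 of 32 bits
IPV6_PREFIX = 48   # keep 48 of 128 bits


def _parse(raw):
    """Parse `raw` into (address, keep_mask), or None if it is not an IP.

    IPv4-mapped IPv6 (::ffff:203.0.113.77) is unwrapped to plain IPv4 first:
    applying the /48 rule to the mapped form would retain every bit of the
    embedded IPv4 address, which defeats the purpose of truncation.
    """
    try:
        addr = ipaddress.ip_address(str(raw).strip())
    except ValueError:
        return None
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    prefix = IPV4_PREFIX if addr.version == 4 else IPV6_PREFIX
    keep_mask = ((1 << prefix) - 1) << (addr.max_prefixlen - prefix)
    return addr, keep_mask


def truncate_ip(raw):
    """Return the address with host bits zeroed, or None for unparseable input.

    Unparseable input is dropped rather than stored verbatim, so a malformed
    header value can never leak into the analytics table unchanged.
    """
    parsed = _parse(raw)
    if parsed is None:
        return None
    addr, keep_mask = parsed
    # Rebuild with the same class so the address family survives even when the
    # masked integer would fit in 32 bits (e.g. ::1 truncates to ::, not 0.0.0.0).
    return str(type(addr)(int(addr) & keep_mask))


def is_truncated(stored):
    """Audit check: True only if `stored` parses and has no host bits set."""
    parsed = _parse(stored)
    if parsed is None:
        return False
    addr, keep_mask = parsed
    return int(addr) & ~keep_mask == 0


def pseudonymise_scan(record):
    """Return a copy of a scan-analytics record with its IP truncated.

    Country must already be resolved upstream; this step never looks the
    address up, it only strips host bits before the record is persisted.
    """
    out = dict(record)
    out["ip"] = truncate_ip(record.get("ip", ""))
    return out


def audit_stored(records):
    """Indices of stored records whose IP is present but not properly truncated."""
    return [i for i, r in enumerate(records)
            if r.get("ip") is not None and not is_truncated(r["ip"])]


# Constructed sample records (not real scan data; documentation addresses only).
SAMPLE_SCANS = [
    {"code_id": "menu-42", "ts": "2026-05-01T09:14:03Z", "country": "GB",
     "device": "mobile", "ip": "203.0.113.77"},
    {"code_id": "menu-42", "ts": "2026-05-01T09:15:51Z", "country": "DE",
     "device": "desktop", "ip": "2001:db8:abcd:1234:5678::9"},
    {"code_id": "card-7", "ts": "2026-05-01T09:16:10Z", "country": "GB",
     "device": "mobile", "ip": "::ffff:198.51.100.23"},
    {"code_id": "card-7", "ts": "2026-05-01T09:17:00Z", "country": "",
     "device": "unknown", "ip": "not-an-ip"},
]

if __name__ == "__main__":
    stored = [pseudonymise_scan(r) for r in SAMPLE_SCANS]
    for r in stored:
        print(r["code_id"], r["country"] or "??", r["ip"])
    print("raw rows failing audit:", audit_stored(SAMPLE_SCANS))
    print("stored rows failing audit:", audit_stored(stored))
```

Run `audit_stored` over a sample of the real analytics table before a DPA audit: it flags any row whose IP still carries host bits or does not parse, which is the evidence a Controller's auditor will ask for under section 4.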
Resilience
- Daily encrypted backups, off-site
- Quarterly disaster-recovery drill
- Multi-region failover (planned 2026 H2)
Audit + monitoring
- Application + access logs centralised
- Real-time alerts on anomalous access patterns
- Annual penetration test by a CREST-certified firm
- Bug-bounty programme: security@qrnfctap.com
Process
- Privacy-by-design review for new features
- Documented incident-response runbook with 24-hour breach-notification SLA
- Subprocessor due-diligence checklist before engagement
- Personnel trained on data-protection annually
To execute this DPA: email dpo@qrnfctap.com with subject "DPA execution request" and your registered company name + contracting party + signatory. We will return a counter-signed PDF within 3 business days.