Legal

Data Processing Agreement

Last updated: June 2026

This Data Processing Agreement (“DPA”) forms part of the agreement between Lowkey (“Processor”, “we”) and any client or platform subscriber (“Controller”, “you”) who instructs us to process personal data on their behalf. It satisfies the requirements of GDPR Article 28 and applies where the Controller is subject to applicable data-protection law (including but not limited to GDPR, UK GDPR, and PIPEDA).

If you require a signed copy of this DPA, email contact@lowkeyagency.com with the subject “DPA Request”.

1. Definitions

  • "Personal Data" means any information relating to an identified or identifiable natural person, as defined in applicable data-protection law.
  • "Processing" has the meaning given in applicable data-protection law.
  • "Data Subject" means the individual to whom Personal Data relates.
  • "Sub-processor" means any third party engaged by Lowkey to Process Personal Data under instruction from the Controller.
  • "Applicable Law" means GDPR, UK GDPR, PIPEDA, and any other data-protection law applicable to the Processing.

2. Scope and Nature of Processing

We process Personal Data only as necessary to deliver the Services described in the applicable statement of work or platform subscription, and strictly on your documented instructions. The subject matter, duration, nature, and purposes of Processing are determined by the service agreement and this DPA.

Categories of Data Subjects may include: your end-customers, site visitors, employees, and business contacts, depending on the scope of the engagement.

Categories of Personal Data typically include: name, email address, company, IP address, and usage data, as further specified in the applicable statement of work.

3. Controller Obligations

You, as the Controller, represent and warrant that:

  • You have a lawful basis for processing each category of Personal Data you provide or instruct us to process.
  • Data Subjects have been informed of the Processing as required by Applicable Law.
  • Your instructions to us comply with Applicable Law.
  • You will not instruct us to process Personal Data in a manner that would violate Applicable Law.

4. Processor Obligations

We, as Processor, agree to:

  • Process Personal Data only on your documented instructions, unless required to do so by Applicable Law (in which case we will notify you unless legally prohibited).
  • Ensure that persons authorised to process the Personal Data have committed themselves to confidentiality.
  • Implement appropriate technical and organisational security measures (see Section 7).
  • Not engage Sub-processors without your prior general or specific written authorisation.
  • Assist you, by appropriate technical and organisational measures, in responding to Data Subject rights requests.
  • Assist you in ensuring compliance with your obligations regarding security, breach notification, data protection impact assessments, and prior consultation.
  • Delete or return all Personal Data to you at your choice at the end of the service relationship, and delete existing copies unless Applicable Law requires otherwise.
  • Make available all information necessary to demonstrate compliance with this DPA.

5. Sub-processors

Our current sub-processor list is published on the Trust Center. We will notify you at least 30 days before adding or replacing a Sub-processor. You may object within 14 days; if we cannot accommodate your objection, you may terminate the affected service without penalty.

We impose data-protection obligations on each Sub-processor by contract no less protective than this DPA.

6. International Transfers

Where we transfer Personal Data outside the EEA, UK, or Canada to a country without an adequacy decision, we ensure appropriate safeguards are in place, such as the EU Standard Contractual Clauses (2021) or equivalent mechanisms. Details of transfer mechanisms are available on request.

7. Security Measures

We maintain administrative, technical, and physical safeguards appropriate to the nature and sensitivity of the Personal Data, including:

  • Encryption of data in transit (TLS 1.2+) and at rest (AES-256).
  • Access controls and least-privilege principles for internal systems.
  • Regular dependency and vulnerability scanning.
  • Logical separation of customer data in multi-tenant environments.
  • Incident response procedures and security monitoring.

See our Security page for a full description of our practices.

8. Data Breach Notification

We will notify you without undue delay — and in any case within 72 hours of becoming aware — of any Personal Data breach that is likely to result in a risk to the rights and freedoms of Data Subjects. Notification will include, to the extent known: the nature of the breach, categories and approximate number of Data Subjects and records affected, likely consequences, and measures taken or proposed. Send breach reports to contact@lowkeyagency.com.

9. Audit Rights

We will make available to you all information reasonably necessary to demonstrate compliance with this DPA, and will permit and contribute to audits by you or a qualified third party appointed by you, subject to reasonable notice (at least 30 days), confidentiality obligations, and cost sharing.

10. Term and Termination

This DPA takes effect on the date you first use the Services and remains in force until all Personal Data processed under it has been returned or deleted. On termination of the service relationship, we will delete or return all Personal Data within 30 days unless retention is required by Applicable Law.

11. Governing Law

This DPA is governed by the same law as the principal agreement between us. Where no such agreement exists, the laws of the Province of Ontario, Canada apply.

This DPA is provided for informational purposes. A signed DPA may be required to satisfy certain regulatory obligations. Contact us for a countersigned copy.