Data Processing Agreement (DPA)
This Data Processing Agreement outlines how Data Tiles Ltd processes personal data on behalf of customers using the Latttice platform in accordance with applicable data protection laws.
Last Updated: 13 March 2026
Introduction
This Data Processing Agreement ("DPA") forms part of the Software as a Service Agreement or other applicable agreement between Data Tiles Ltd, a company incorporated in England and Wales ("Data Tiles", "Processor"), and the customer using Data Tiles software platforms, including the Latttice platform ("Customer", "Controller").
This DPA governs the processing of Personal Data by Data Tiles on behalf of the Customer in connection with the provision of Data Tiles software platforms and related services.
This DPA is intended to ensure compliance with applicable data protection laws including the UK General Data Protection Regulation (UK GDPR), the EU General Data Protection Regulation (EU GDPR), and other applicable data protection or privacy laws.
1. Definitions
For the purposes of this Data Processing Agreement:
"Personal Data" means any information relating to an identified or identifiable natural person as defined under applicable data protection laws.
"Processing" means any operation performed on Personal Data, whether by automated means or not, including collection, storage, organisation, use, disclosure, or deletion.
"Controller" means the entity that determines the purposes and means of processing Personal Data.
"Processor" means the entity that processes Personal Data on behalf of the Controller.
"Applicable Data Protection Laws" means the UK General Data Protection Regulation (UK GDPR), the EU General Data Protection Regulation (EU GDPR), and any other applicable data protection or privacy legislation governing the processing of Personal Data.
2. Roles of the Parties
For the purposes of applicable data protection laws, the Customer acts as the Controller of any Personal Data processed through Data Tiles software platforms.
Data Tiles acts as the Processor, processing Personal Data only on behalf of and in accordance with the instructions of the Customer.
The Customer is responsible for determining the purposes and legal basis for processing Personal Data and for ensuring that it has the necessary rights and permissions to provide such data to Data Tiles for processing.
3. Scope of Processing
Data Tiles will process Personal Data solely for the purpose of providing Data Tiles software platforms and related services in accordance with the applicable agreement with the Customer.
The nature, scope, and purpose of the processing are determined by the Customer through its use of the Software.
Processing activities may include the storage, analysis, transformation, or retrieval of Customer Data as required to deliver the services.
Data Tiles will not process Personal Data for its own purposes and will only process such data in accordance with the documented instructions of the Customer.
4. Processing Instructions
Data Tiles will process Personal Data only on documented instructions from the Customer, including instructions provided through the Customer’s use of the Software.
If Data Tiles believes that a processing instruction from the Customer infringes applicable data protection laws, Data Tiles will inform the Customer without undue delay.
Data Tiles will not process Personal Data for purposes other than those specified in this DPA or the applicable agreement between the parties.
5. Confidentiality
Data Tiles will ensure that any personnel authorised to process Personal Data are subject to appropriate confidentiality obligations.
Such personnel will only process Personal Data as necessary to perform their responsibilities in connection with the provision of the Software.
Data Tiles will take reasonable steps to ensure that access to Personal Data is limited to individuals who require such access for the performance of their duties.
6. Security Measures
Data Tiles will implement appropriate technical and organisational measures designed to protect Personal Data against unauthorised or unlawful processing and against accidental loss, destruction, or damage.
Such measures may include safeguards such as:
• access controls • encryption where appropriate • infrastructure security protections • monitoring systems • incident response procedures
Data Tiles will take reasonable steps to ensure that its systems and services maintain an appropriate level of security consistent with industry standards.
7. Subprocessors
Data Tiles may engage third-party service providers ("Subprocessors") to assist in the provision and operation of Data Tiles software platforms, including cloud infrastructure providers and related service vendors.
Data Tiles will ensure that any Subprocessors engaged to process Personal Data on behalf of the Customer are subject to contractual obligations that provide a level of data protection consistent with this Data Processing Agreement and applicable data protection laws.
Data Tiles remains responsible for the performance of its Subprocessors in relation to their processing of Personal Data.
A list of Subprocessors may be made available to Customers upon request.
8. International Data Transfers
Where Personal Data is transferred outside the United Kingdom or the European Economic Area, Data Tiles will ensure that appropriate safeguards are in place in accordance with applicable data protection laws.
Such safeguards may include:
• Standard Contractual Clauses approved by relevant authorities • adequacy decisions recognised by applicable regulators • other lawful transfer mechanisms designed to ensure Personal Data remains adequately protected.
9. Data Subject Rights
To the extent legally permitted, Data Tiles will provide reasonable assistance to the Customer in responding to requests from individuals exercising their rights under applicable data protection laws.
Such rights may include:
• the right of access • correction • deletion • restriction of processing • data portability • objection to processing.
Where Data Tiles receives a request directly from a data subject relating to Personal Data processed on behalf of the Customer, Data Tiles will notify the Customer without undue delay and will not respond to the request unless required by law.
10. Data Breach Notification
Data Tiles will notify the Customer without undue delay after becoming aware of a confirmed Personal Data breach affecting Customer Data.
Where possible, Data Tiles will provide information reasonably available regarding:
• the nature of the breach • categories of data affected • the likely consequences of the breach • measures taken or proposed to address the breach.
Data Tiles will provide reasonable assistance to the Customer in investigating and responding to the breach where required under applicable data protection laws.
11. Data Retention and Deletion
Data Tiles will retain Personal Data only for as long as necessary to provide the Software and related services in accordance with the applicable agreement with the Customer.
Upon termination of the applicable agreement, Data Tiles will delete or return Personal Data processed on behalf of the Customer unless retention is required by applicable law.
Customers remain responsible for exporting any data they wish to retain prior to termination of the service.
12. Audit Rights
Where required by applicable data protection laws, Data Tiles will make available to the Customer information reasonably necessary to demonstrate compliance with this Data Processing Agreement.
Any audit or inspection requested by the Customer must:
• be conducted with reasonable notice • occur during normal business hours • not unreasonably disrupt Data Tiles operations • not compromise the security of other customers.
Data Tiles may satisfy audit requirements by providing relevant certifications, security documentation, or other compliance materials where appropriate.
13. Liability
Each party’s liability arising out of or related to this Data Processing Agreement will be subject to the limitations of liability set out in the applicable Software as a Service Agreement or other governing agreement between the parties.
Nothing in this Data Processing Agreement limits or excludes liability where such limitation or exclusion is not permitted under applicable law.
14. Governing Law
This Data Processing Agreement shall be governed by and construed in accordance with the laws of England and Wales.
Any disputes arising out of or in connection with this Data Processing Agreement shall be subject to the jurisdiction provisions set out in the applicable Software as a Service Agreement or other governing agreement between the parties.
Annex 1 – Details of Processing
Nature and Purpose of Processing
Data Tiles processes Personal Data solely for the purpose of providing Data Tiles software platforms and related services, including data storage, processing, analysis, transformation, and retrieval as required to deliver the Software.
Categories of Personal Data
Personal Data processed through the platform may include information uploaded or provided by the Customer, which may include identifiers, business contact information, or other data contained within Customer Data.
Categories of Data Subjects
Data subjects may include the Customer’s:
• employees • contractors • customers • partners • other individuals whose Personal Data is included within Customer Data.
Duration of Processing
Personal Data will be processed for the duration of the applicable agreement between the Customer and Data Tiles and retained only as necessary to provide the services or comply with applicable legal obligations.
Contact Information
If you have questions regarding this Data Processing Agreement, please contact:
Data Tiles Ltd
Website https://www.data-tiles.com
Email letstalkdata@data-tiles.io
Last updated