Note: this DPA is currently in template form pending external solicitor review (target: post-launch).
This Data Processing Agreement ("DPA") forms part of the service agreement between PatchPilot Ltd ("Processor") and the Customer ("Controller") and governs processing of personal data by the Processor on behalf of the Controller under UK GDPR and the Data Protection Act 2018.
1. Definitions
Terms used but not defined take the meaning assigned in UK GDPR. "Processing", "Personal Data", "Controller", "Processor", "Data Subject", "Supervisory Authority" have the meanings in Article 4 UK GDPR.
2. Subject Matter and Duration
- Subject matter: provision of the PatchPilot endpoint management and compliance service.
- Duration: for the term of the underlying service agreement plus any retention window mandated by clause 9.
3. Nature and Purpose of Processing
The Processor processes Personal Data solely to:
- Enrol Controller's endpoint devices.
- Collect device inventory, configuration, patch state, and security telemetry.
- Apply patches and configuration changes authorised by the Controller.
- Produce audit, drift, and compliance reports for the Controller.
- Retain encrypted backups of Controller's tenant data for recovery purposes.
4. Categories of Data Subjects
- Employees, contractors, and other authorised end users of the Controller whose devices are enrolled.
- Administrators of the Controller who log into the PatchPilot console.
5. Categories of Personal Data
Processed
- Device inventory: hostname, OS version, hardware identifiers, installed software list.
- Event logs: Windows event log excerpts relevant to patch, Defender, and ASR events.
- User account identifiers: Windows local/AD usernames, SIDs, admin console email addresses.
- Network identifiers: IP addresses, MAC addresses of enrolled devices.
- Authentication metadata: session timestamps, IP of admin login, user agent.
Not processed
- File contents, document bodies, email content.
- Browsing history.
- Biometric, health, or special category data.
6. Processor Obligations
The Processor shall:
- Process Personal Data only on documented instructions from the Controller, including for transfers to a third country, unless required otherwise by UK or EU law (in which case, notify the Controller first, unless prohibited from doing so).
- Ensure authorised personnel are bound by confidentiality.
- Implement appropriate technical and organisational measures under Article 32 UK GDPR.
- Engage Sub-processors only under clause 8 of this DPA.
- Assist the Controller with Data Subject Access Requests (the DSAR flow in PatchPilot provides direct tooling).
- Assist with Article 32-36 obligations (security, breach notification, impact assessments, prior consultation).
- On termination, return or delete all Personal Data at the Controller's choice within 30 days, except where UK law requires retention.
- Make available all information necessary to demonstrate compliance and allow audits per clause 10.
7. Controller Obligations
The Controller:
- Warrants it has a lawful basis under Article 6 UK GDPR to process the Personal Data it provides to the Processor.
- Is responsible for informing Data Subjects of the processing (privacy notice).
- Will provide instructions to the Processor in writing via the PatchPilot console or support channels.
8. Sub-processors
The Controller grants general authorisation for the Sub-processors listed at /sub-processors. The Processor will notify the Controller of any intended change at least 30 days in advance. The Controller may object within 14 days; unresolved objection gives the Controller a right to terminate the affected service.
9. Data Transfers
PatchPilot's primary hosting is in the United Kingdom (OVH UK region). Transfers outside the UK rely on UK adequacy decisions where available, or the UK International Data Transfer Addendum (IDTA) to the EU SCCs. The current transfer map is in the sub-processor list.
10. Audits
The Controller may audit Processor compliance once per 12 months (or more if legally required, or following a breach). The Processor will cooperate and may satisfy audit requirements through third-party attestations (SOC 2, ISO 27001).
11. Breach Notification
The Processor will notify the Controller without undue delay and in any event within 48 hours of becoming aware of a Personal Data Breach affecting Controller data, with information required under Article 33(3) UK GDPR.
12. Liability
Liability for breach of this DPA follows the limitations in the underlying service agreement.
13. Term and Termination
This DPA terminates automatically with the underlying service agreement. Clauses that must survive (confidentiality, return/deletion, audit cooperation for the retention window) survive termination.
14. Governing Law
This DPA is governed by the laws of England and Wales.
15. Signatures
| Party | Name | Role | Date | Signature |
|---|
| Processor | [PatchPilot Ltd officer] | [role] | | |
| Controller | [Customer officer] | [role] | | |
Appendix A — Technical and Organisational Measures
See PatchPilot's security whitepaper, available on request from legal@patchpilot.co.uk.
Appendix B — Approved Sub-processors
See /sub-processors.
Contact
For questions about this DPA, contact legal@patchpilot.co.uk or write to: PatchPilot Ltd, United Kingdom.