
Data Processing Addendum (DPA)

Our GDPR Article 28-compliant DPA governs how IdentityFirst processes personal data on behalf of customers. Download the template or request an e-signature envelope.

What is a Data Processing Addendum?

Why a DPA is required

  • Under UK GDPR Article 28 and EU GDPR Article 28, where a data processor (IdentityFirst) processes personal data on behalf of a controller (the Customer), a written DPA is mandatory.
  • The DPA sets out the subject matter, duration, nature and purpose of the processing, the type of personal data and categories of data subjects.
  • It provides contractual guarantees that IdentityFirst will only process data on documented instructions from the Customer and will implement appropriate technical and organisational security measures.
  • Without a signed DPA, a Customer cannot lawfully use IdentityFirst to process personal data under GDPR. We recommend executing the DPA before going live.

Summary of key DPA terms

The key provisions of our standard DPA are summarised below. The full signed DPA governs in the event of any inconsistency.

  1. Processing scope and nature
    IdentityFirst processes: identity records (user accounts, entitlements, access history), audit logs generated during platform operation, and connector metadata (source system names, connector configuration). Processing is performed solely to deliver the contracted IdentityFirst service. No processing for IdentityFirst’s own commercial purposes is permitted without explicit Customer consent.
  2. Data subjects
    The data subjects are employees, contractors, service accounts and other identities within the Customer’s IT estate whose identity data is sourced through IdentityFirst connectors. IdentityFirst does not collect or process data subjects’ personal data outside of what is provided by the Customer through authorised connectors.
  3. Duration of processing
    Processing continues for the duration of the contract term. Identity records are deleted within 30 days of contract termination or on written request, except where retention is required by law. Audit logs are retained for a minimum of 7 years to satisfy legal obligations; these cannot be deleted during the retention period due to their HMAC-chained immutable structure.
  4. Processing basis
    Processing is performed on the basis of contract performance (Art. 6(1)(b)) and legal obligation (Art. 6(1)(c)) for audit log retention. IdentityFirst acts as data processor; the Customer is the data controller and is responsible for the lawfulness of the original collection of personal data from data subjects.
  5. Technical and organisational security measures
    Security measures include: Cyber Essentials certification; SOC 2 Type II audit in progress (2026); TLS 1.3 for all data in transit with HSTS enforced; AES-256 encryption at rest for PostgreSQL, Redis and blob storage; HMAC-SHA256 immutable audit chain; role-based access control with JWT Bearer authentication; per-tenant isolation enforced at middleware layer; Redis-backed atomic rate limiting; SSRF-guarded outbound connections.
  6. Sub-processors
    IdentityFirst uses the sub-processors listed at /trust-centre/sub-processors. Customers are notified at least 30 days before any sub-processor is added or changed. Customers who have executed a DPA have the right to object to a new sub-processor in writing within the 30-day notice period.
  7. Data subject rights assistance
    IdentityFirst assists the Customer in fulfilling data subject rights requests. Subject access requests (DSARs) are fulfilled within 30 calendar days via the API endpoint /api/tenants/{id}/dsar-request or by contacting dpo@identityfirst.net. Erasure requests are fulfilled within 5 business days (subject to legal retention obligations). Rectification requests are fulfilled within 10 business days. Portability responses are provided in structured JSON format.
  8. Personal data breach notification
    IdentityFirst will notify the Customer without undue delay, and in any event within 48 hours of becoming aware of a personal data breach affecting Customer data. Notification will include: nature of the breach, categories and approximate number of data subjects affected, likely consequences, measures taken or proposed to address the breach. IdentityFirst maintains an incident response plan and the security team is contactable at security@identityfirst.net.
  9. International transfers
    Personal data is processed in the customer-selected cloud region. Where transfers outside the UK or EU/EEA are required (e.g., GitHub for CI/CD build logs containing no customer personal data), Standard Contractual Clauses (SCCs) under UK GDPR Schedule 21 / EU Decision 2021/914 are used. No customer identity data is transferred outside the contracted region.
  10. Governing law and jurisdiction
    The DPA is governed by the laws of England and Wales. The parties submit to the exclusive jurisdiction of the courts of England and Wales for any disputes arising under this DPA, subject to any mandatory provisions of applicable data protection law.

Download or sign

DPA Template (PDF)

Download the full DPA for review by your legal team. The template includes all annexes: processing activities schedule, security measures, standard contractual clauses and sub-processor list.

DocuSign e-Signature

Request a DocuSign envelope pre-populated with your company details. Typical turnaround: 1 business day. Both parties receive a certified copy on completion.

Legal & DPO contacts

Legal / DPA

DPA negotiation, custom contract terms, Standard Contractual Clauses, legal review.

Data Protection Officer

GDPR enquiries, DSAR requests, data subject rights, breach notification.

ICO Registration
ZC031428

IdentityFirst Ltd (Company No. 16387720). Morpeth, Northumberland, UK.