Data Processing Agreement

This Data Processing Agreement ("DPA") is entered into between:

• Data Processor: TekSpert Ltd (Company No. 16711813), 110 Pall Mall, Chorley, PR7 2LB ("Processor")
• Data Controller: The agency subscribing to Agency Chat ("Controller")

This DPA supplements and forms part of the Agency Chat Terms of Service.

The Processor processes personal data on behalf of the Controller for the purpose of providing the Agency Chat messaging platform. Processing includes:

• Storage and transmission of messages between agency users and creators.
• Authentication of creators via TikTok OAuth, including storage of TikTok profile data.
• Generation and storage of audit logs.
• Delivery of push notifications and transactional emails.

• Agency staff (owners, admins, managers)
• TikTok creators onboarded by the agency

• Names, email addresses, and professional roles
• TikTok usernames, display names, avatar URLs, open_id identifiers
• Message content (text, attachments)
• IP addresses and device information
• Authentication tokens and session data

The Processor shall:

• Process personal data only on documented instructions from the Controller.
• Ensure that persons authorised to process the data are bound by confidentiality obligations.
• Implement appropriate technical and organisational security measures (see §8).
• Not engage sub-processors without prior written consent of the Controller.
• Assist the Controller in responding to data subject rights requests.
• Delete or return all personal data upon termination of the agreement, within 30 days.
• Notify the Controller without undue delay (and in any event within 72 hours) upon becoming aware of a personal data breach.

The Controller shall:

• Ensure a lawful basis exists for all processing instructed.
• Provide clear and transparent privacy notices to data subjects.
• Respond to data subject requests within statutory timeframes.

All data is processed and stored on servers located in the United Kingdom. The Processor shall not transfer personal data outside the UK without prior written consent.

The Processor implements the following measures:

• TLS 1.2+ encryption for data in transit.
• Encrypted storage volumes for data at rest.
• Argon2id password hashing with OWASP-recommended parameters.
• Four-layer tenant isolation (database, middleware, API, socket).
• Redis-backed rate limiting and session management.
• ClamAV file scanning for uploaded attachments.
• Two-factor authentication for privileged accounts.

This DPA remains in effect for the duration of the Controller's subscription to Agency Chat. Upon termination, the Processor will delete all Controller data within 14 days (with a further 30-day period for hard deletion of message content upon creator erasure requests).

For DPA-related enquiries, contact dpa@tekspert.co.uk.