This Data Processing Agreement (“DPA”) forms part of the agreement (the “Principal Agreement”) between Innkept (“we”, “us”, “processor”) and the customer that has agreed to the Principal Agreement (the “Operator”, “you”, “controller”).
1. Definitions
The following terms have the meanings given in the UK GDPR or the Data Protection Act 2018, except as otherwise defined below:
- UK GDPR means the United Kingdom General Data Protection Regulation as it forms part of UK law by virtue of the European Union (Withdrawal) Act 2018 and the Data Protection Act 2018.
- Applicable Data Protection Laws means UK GDPR, the Data Protection Act 2018, the Privacy and Electronic Communications Regulations 2003 (“PECR”), and any other data protection laws applicable to the parties.
- Personal Data, Processing, Controller, Processor, Data Subject and Personal Data Breach have the meanings given in UK GDPR.
- Sub-processor means any third party engaged by Innkept to Process Personal Data on behalf of the Operator.
- Restricted Transfer means a transfer of Personal Data outside the United Kingdom that requires an Article 46 UK GDPR transfer mechanism.
- UK Addendum means the ICO's International Data Transfer Addendum to the European Commission's Standard Contractual Clauses (issued 2 February 2022).
- UK Data Bridge means the UK Extension to the EU-US Data Privacy Framework, as recognised by the UK adequacy regulations made under section 17A of the Data Protection Act 2018 (effective 12 October 2023).
2. Roles and scope
The parties agree that, with respect to the Personal Data processed under the Principal Agreement:
- The Operator is the controller;
- Innkept is the processor; and
- Innkept will Process Personal Data only on the documented instructions of the Operator (including those set out in the Principal Agreement and the Operator's configuration of the platform), unless required to do otherwise by Applicable Data Protection Laws.
The subject matter, duration, nature and purpose of the Processing, the categories of Personal Data, and the categories of Data Subjects are set out in Annex A.
3. Processing of Personal Data
Innkept shall:
- Process Personal Data only on the Operator's documented instructions, including with regard to Restricted Transfers, unless required to do otherwise by Applicable Data Protection Laws (in which case Innkept shall inform the Operator of that legal requirement before Processing, unless the law prohibits doing so on important grounds of public interest);
- Ensure that persons authorised to Process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
- Take all measures required pursuant to Article 32 UK GDPR (security of processing) — see Section 7 and Annex B;
- Respect the conditions referred to in Section 6 for engaging another processor;
- Taking into account the nature of the Processing, assist the Operator by appropriate technical and organisational measures, insofar as this is possible, in fulfilling the Operator's obligation to respond to requests for exercising the Data Subject's rights;
- Assist the Operator in ensuring compliance with the obligations pursuant to Articles 32 to 36 UK GDPR taking into account the nature of Processing and the information available to Innkept;
- At the choice of the Operator, delete or return all Personal Data to the Operator after the end of the provision of services relating to Processing, and delete existing copies unless retention is required by Applicable Data Protection Laws; and
- Make available to the Operator all information necessary to demonstrate compliance with the obligations laid down in Article 28 UK GDPR and allow for and contribute to audits, including inspections, conducted by the Operator or another auditor mandated by the Operator (see Section 9).
4. Data subject rights
Innkept shall, taking into account the nature of the Processing, assist the Operator by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Operator's obligations to respond to requests by Data Subjects exercising their rights under Chapter III of the UK GDPR.
Specifically, Innkept provides:
- Right to be informed — the configuration mechanism by which Operators can supply their own privacy notice URL to be linked from the widget contact step.
- Right of access and portability — the Operator dashboard exposes all Personal Data held about a Data Subject, downloadable on request to legal@innkept.com.
- Right to erasure — the “Anonymize this lead” action on the lead detail page redacts name, email, phone, IP address, user agent, UTM/click identifiers, GA identifiers, and source URL, and nulls associated widget event payloads. The lead row is preserved with a synthetic identifier so historical analytics totals remain accurate.
- Right to restrict / object / rectify — the lead detail page exposes the underlying record for in-place edit; objections to marketing should be honoured by removing the marketing-email opt-in flag and ceasing further communications.
If a Data Subject contacts Innkept directly, we will, where we can identify the Operator concerned, forward the request to the Operator without undue delay and assist with the response as required by this DPA.
5. Personal Data Breach notification
Innkept shall notify the Operator without undue delay (and in any event within 72 hours) after becoming aware of a Personal Data Breach affecting Operator data. The notification will:
- Describe the nature of the breach including, where possible, the categories and approximate number of Data Subjects and Personal Data records concerned;
- Communicate the name and contact details of our data protection contact (dpo@innkept.com) where more information can be obtained;
- Describe the likely consequences of the breach; and
- Describe the measures taken or proposed to address the breach, including, where appropriate, measures to mitigate its possible adverse effects.
The Operator remains responsible for any notification to the ICO required under Article 33 UK GDPR and to Data Subjects required under Article 34 UK GDPR.
6. Sub-processors
The Operator gives Innkept general written authorisation to engage Sub-processors. The current list of Sub-processors is published at https://innkept.co.uk/legal/sub-processors and forms part of this DPA.
Innkept shall:
- Provide at least 30 days' prior written notice of any intended changes to Sub-processors via the email address subscribed to the change-notification list at the URL above and to the Operator's legal notification email on file. The Operator may object on reasonable grounds within 30 days of notification;
- If the Operator reasonably objects, the parties will work in good faith to resolve the objection. If no resolution is reached, the Operator may terminate the affected portion of the service without penalty by giving 30 days' written notice;
- Impose on each Sub-processor data protection obligations no less protective than those in this DPA, by way of a written contract;
- Remain fully liable to the Operator for the performance of each Sub-processor's obligations.
7. Security of Processing
Innkept implements appropriate technical and organisational measures as required by Article 32 UK GDPR. These measures are described in Annex B and include, at minimum:
- Encryption of Personal Data in transit (TLS 1.2+) and at rest (AES-256 or equivalent);
- Truncation of IP addresses to /24 (IPv4) or /48 (IPv6) at the point of capture, in line with Article 29 Working Party guidance;
- Access controls based on the principle of least privilege; multi-factor authentication on administrator accounts;
- Regular backups with point-in-time recovery; resilience and continuity testing;
- Vulnerability management; logging and monitoring of access to Personal Data;
- Default-deny firewalling; principle of least exposure for any internet-facing service.
8. International transfers
Where Innkept Processes Personal Data outside the United Kingdom, Innkept will ensure that the transfer is made under an Article 46 UK GDPR transfer mechanism, including (as applicable):
- The UK Data Bridge for Sub-processors that have self-certified to the EU-US Data Privacy Framework and the UK Extension thereof;
- The UK Addendum in conjunction with the European Commission's Standard Contractual Clauses; or
- The IDTA as a stand-alone instrument.
The transfer mechanism applicable to each Sub-processor is identified in the Sub-processor list. The Operator authorises Innkept to enter into the applicable transfer mechanism with each Sub-processor on behalf of the Operator where required by the structure of the transfer.
For Restricted Transfers in respect of which Innkept itself is the data exporter, the parties agree that the UK Addendum (Module 2: Controller-to-Processor) is hereby incorporated by reference, with this DPA acting as the “Tables” required by Part 1 of the Addendum.
9. Audits
Innkept will make available to the Operator on reasonable request the information necessary to demonstrate compliance with this DPA. In lieu of an on-site audit, Innkept may provide:
- Up-to-date third-party attestations or certifications (such as ISO 27001 or SOC 2);
- A summary of recent penetration test results;
- A description of technical and organisational measures.
Where the Operator can demonstrate that the foregoing is insufficient to evidence compliance with a specific obligation, Innkept will permit an on-site audit by the Operator or an independent auditor mutually agreed in writing, conducted during normal business hours, no more than once per calendar year unless required by an authority.
To assist Operators who carry out a Data Protection Impact Assessment covering the service, a pre-filled DPIA template is available.
10. Return or deletion of Personal Data
On termination of the Principal Agreement, the Operator may export Personal Data via the dashboard. Innkept will delete Personal Data in its possession within 90 days of termination, save for:
- Backup data, which will be deleted in line with our backup retention schedule (currently 35 days); and
- Data we are required to retain by Applicable Data Protection Laws, in which case Innkept will continue to protect that data in accordance with this DPA.
11. Liability
Each party's liability under or in connection with this DPA is governed by the limitation of liability clause in the Principal Agreement.
12. Governing law
This DPA is governed by the laws of England and Wales. The courts of England and Wales have exclusive jurisdiction over any dispute arising out of or in connection with this DPA.
Annex A — Description of Processing
Subject matter and duration
Provision of the Innkept embeddable quote configurator and associated dashboard for the duration of the Operator's subscription.
Nature and purpose of Processing
Collection of enquiry data from visitors to the Operator's website via an embedded JavaScript widget; storage and presentation of that enquiry data to the Operator's authorised users; conversion of enquiry data into a quote and proposal; transmission of enquiry data to integrations the Operator has configured; and aggregation into operator-facing analytics.
Categories of Personal Data
- Always: name, email address, optional phone number, event date, guest count, event type, selected items, GDPR consent flag, pseudonymous session identifier, truncated IP address (last octet zeroed for IPv4 / last 80 bits zeroed for IPv6), user-agent string.
- When marketing consent is granted: Google Analytics client and session identifiers from the host page's
_ga/_ga_*cookies, Meta browser identifier from the_fbpcookie, Google Ads click identifier (gclid) and Meta click identifier (fbclid) from URL parameters, full referrer URL and full landing-page URL. - When the Operator enables marketing-email opt-in: a flag indicating the Data Subject consented to receive marketing communications from the Operator.
Categories of Data Subjects
Members of the public who visit a website on which the Operator has embedded the Innkept widget and engage with it. Typically prospective customers of the Operator's venue or catering services.
Sensitive data
The platform is not designed to collect special category data (Article 9 UK GDPR) or criminal offence data (Article 10 UK GDPR). Free-text fields (such as internal notes) are not pre-populated and the Operator is responsible for ensuring such categories of data are not entered into them without an appropriate lawful basis and additional condition.
Frequency and duration
Continuous, for the duration of the Principal Agreement. Raw widget event records are retained for the period configured by the Operator (default 365 days, range 30 days to 3 years); lead and quote records are retained for the duration of the subscription unless erased earlier on Operator instruction.
Annex B — Technical and organisational measures
Innkept implements the following measures, in line with Article 32 UK GDPR. We review and update these measures periodically.
- Pseudonymisation and encryption. TLS 1.2+ for data in transit; provider-level AES-256 encryption for data at rest in databases, object storage, and backups. IP addresses are truncated at the point of capture before storage. Email addresses on anonymised lead records are replaced with a synthetic, non-routable address.
- Confidentiality, integrity, availability, resilience. Multi-tenant database with row-level access scoped by company; logical isolation between operators. Daily backups with 35-day retention and tested restore procedures. Multi-AZ database deployment with automatic failover.
- Restoration of availability and access. Documented incident response runbook. Recovery time objective (RTO) of 4 hours; recovery point objective (RPO) of 24 hours.
- Regular testing and evaluation. Automated dependency vulnerability scanning; quarterly review of access controls; periodic third-party penetration testing.
- Access control and identification. Multi-factor authentication mandatory on production-environment access; principle of least privilege; access logging with immutable retention; quarterly access review.
- Disposal. Personal Data is logically deleted on operator request and physically purged from backups within the backup retention window (currently 35 days).
- Staff training. Personnel with access to Personal Data receive data protection training on engagement and at least annually thereafter, and are bound by written confidentiality obligations.
- Sub-processor governance. Each Sub-processor is contracted under terms no less protective than this DPA. The list is publicly maintained at https://innkept.co.uk/legal/sub-processors.
Questions about this DPA: legal@innkept.com. Data protection contact: dpo@innkept.com.
See also: Sub-processor list · DPIA template · Privacy notice.