This Data Processing Agreement (DPA) is an important legal document that forms part of your main agreement with Ingenious Pixies Ltd. It explains exactly how we, Pixie (the "Processor"), handle the personal data you (the "Controller" or "Customer") provide to us when using the Pixie platform and related services (the "Services").
Our goal is to ensure we meet the strict requirements of data protection laws like the UK GDPR and EU GDPR.
If there is any conflict between this DPA and your main Services agreement, this DPA will generally take priority.
1. Key Definitions
| Legal Term | Simple Meaning |
|---|---|
| Controller / Customer / You | Your company, the entity that decides why and how personal data is processed. |
| Processor / Pixie / We | Ingenious Pixies Ltd, the entity that processes personal data on your behalf as part of providing the Services. |
| Personal Data | Any information that relates to an identified or identifiable person that we process for you (e.g., an employee's name and email). |
| Processing | Any operation we perform on Personal Data (e.g., collecting, storing, using, disclosing). |
| Applicable Data Protection Law | All relevant data privacy laws, including UK GDPR, Data Protection Act 2018, and EU GDPR. |
| Personal Data Breach | A security incident leading to accidental or unlawful destruction, loss, alteration, or unauthorised access to Personal Data. |
| Sub-processor | Any third party (like a cloud hosting provider) that Pixie uses to help process Personal Data for you. |
Scaleup Score, Domains, and Benchmarks are terms specific to the Pixie Services (diagnostic scoring and comparison metrics).
2. Scope and Purpose of Processing
What this DPA covers: It governs how Pixie handles Personal Data only for the purpose of delivering the Services to you.
What Personal Data is used for: Pixie processes Personal Data only to:
Provide, secure, maintain, and support the Services.
Generate diagnostic reports and benchmark comparisons (like the Scaleup Score).
Prevent fraud and ensure platform security.
Follow your documented instructions, as set out in your agreements.
Duration: Processing continues for the term of your main Services agreement until the data is deleted or returned to you.
3. Types of Data We Process
We only process the types of Personal Data necessary for you to use the Services. This may include:
Account/Identity Data: Names, business emails, job titles, and user preferences for your authorized users.
Business Contact Data: Your company's name, address, and billing contacts.
Connected Service Data: Business metrics or transaction identifiers connected through integrations (e.g., from a CRM system) that may be linked to an individual.
Questionnaire Responses: Information provided directly by a founder/user that may include professional background.
Usage and Technical Data: IP addresses, logs, and analytics related to platform use.
Support Data: Communications when you contact Pixie support.
Important Note: The Services are not designed to process sensitive data (like health information, political opinions, or criminal offence data). You must not submit this type of data unless we have agreed to it specifically and in writing.
4. Your Responsibilities as Controller
As the Controller, you are responsible for:
Determining the purpose of the data processing.
Making sure you have a legal basis (like consent or legitimate interest) for giving Personal Data to Pixie.
Maintaining the accuracy and legality of the Personal Data you provide.
Ensuring your instructions to Pixie comply with data protection laws.
5. Pixie's Responsibilities as Processor
Pixie will:
Process Personal Data only on your documented instructions.
Keep all Personal Data confidential.
Maintain appropriate technical and organisational security measures (detailed in Annex 1).
Only use other companies (Sub-processors) in compliance with Section 8.
Assist you in responding to data subject requests (Section 10).
Help you comply with your security, breach notification, and impact assessment obligations.
Delete or return all Personal Data when the agreement ends (Section 12).
7. Personal Data Breach Notification
If a Personal Data Breach occurs (an incident leading to accidental or unlawful loss or access to Personal Data):
We will notify you without undue delay, and in any event, within 48 hours of becoming aware of the breach.
The notification will include details about the nature of the breach, the number of people/records affected, the likely consequences, and the measures we are taking.
We will cooperate with you to investigate and remediate the breach.
8. Using Sub-processors
You give Pixie a general authorization to use third parties (Sub-processors) to help provide the Services (like cloud hosting).
Pixie will maintain a list of all Sub-processors.
Notice of Changes: We will provide you with at least 30 days' notice of any new or replacement Sub-processor that will handle Personal Data.
Right to Object: You have the right to object to a new Sub-processor on reasonable data protection grounds. If we can't resolve your objection, you may terminate the affected Services without penalty.
Our Liability: Pixie remains responsible for the actions of our Sub-processors.
9. International Data Transfers
Pixie will not transfer Personal Data outside the UK or EEA unless a lawful transfer mechanism is in place, such as:
Adequacy Decisions (from the UK Government or European Commission).
UK International Data Transfer Agreement (IDTA) or UK Addendum.
EU Standard Contractual Clauses (SCCs).
We will conduct Transfer Impact Assessments (TIAs) and implement extra measures as needed to ensure data protection.
10. Assistance with Data Subject Requests
You are primarily responsible for responding to requests from individuals (data subjects) to exercise their rights (e.g., access, deletion).
Pixie will assist you with these requests as reasonably possible, for example, by helping you locate or export the data.
We will respond to your requests for assistance within 5 business days.
If a data subject contacts Pixie directly, we will inform them to contact you, the Controller.
11. Audit Rights and Compliance
Pixie will provide information to demonstrate our compliance with this DPA. This may include third-party audit reports (like SOC 2 or ISO 27001) if available.
Your Right to Audit: You can conduct an audit no more than once per year with 30 days' prior written notice, unless there is a confirmed data breach or supervisory authority requirement.
Audits must be limited in scope and conducted to minimize disruption to our operations.
12. End of Agreement: Data Return and Deletion
When your agreement ends, Pixie will, at your choice, either return all Personal Data to you or delete it.
This process will be completed within 30 days of termination/expiry.
We may keep residual copies in encrypted backups for a limited period until they are overwritten, but they will be isolated and protected.
Annex 1: Technical and Organisational Security Measures
This Annex outlines the security controls Pixie has in place.
A. Access Control
Authentication: We support Multi-Factor Authentication (MFA) for user accounts and require it for administrative access to production systems.
Access Management: We use role-based access control (RBAC) and the principle of least privilege, meaning personnel only have access to the data they absolutely need for their job.
Monitoring: Access and administrative actions are logged and reviewed periodically.
B. Data Protection
Encryption in Transit: Data is protected using secure protocols (TLS 1.2 or higher) when moving between your device and our services.
Encryption at Rest: Personal Data is encrypted when stored using industry-standard methods like AES-256.
Data Segregation: Your data is logically separated from other customers' data (tenant isolation).
Backup: Backups are encrypted and stored securely.
C. Infrastructure Security
We use a reputable cloud hosting provider (e.g., AWS/GCP).
We rely on the cloud provider's certifications (like SOC 2 Type II) for the physical security of the data centers.
We use network security controls (firewalls, segmentation) and monitoring for threat detection.
We perform vulnerability scanning and apply security patches.
We conduct penetration testing regularly (typically at least annually).
D. Operational Security
Personnel: Employees and contractors with data access undergo appropriate screening and receive regular security and privacy awareness training.
Secure Development: We follow a secure software development lifecycle, including code reviews and separation of development and production environments.
Incident Response: We have a defined process for tracking, triaging, and resolving security incidents.
Business Continuity: We maintain plans for disaster recovery to ensure service availability and data recovery.
Last updated: March 2026