This Data Processing Agreement (DPA) forms part of your main agreement with Ingenious Pixies Ltd. It explains exactly how we, Pixie (the “Processor”), handle the personal data you (the “Controller” or “Customer”) provide to us when using the Pixie platform and related services.
Our goal is to meet the strict requirements of data protection laws including UK GDPR and EU GDPR. If there is any conflict between this DPA and your main Services agreement, this DPA will generally take priority.
1. Key definitions
| Term | Meaning |
|---|---|
| Controller / Customer / You | Your company - the entity that decides why and how personal data is processed. |
| Processor / Pixie / We | Ingenious Pixies Ltd - processes personal data on your behalf as part of providing the Services. |
| Personal data | Any information relating to an identified or identifiable person that we process for you. |
| Processing | Any operation performed on personal data (collecting, storing, using, disclosing, etc.). |
| Applicable data protection law | All relevant laws including UK GDPR, Data Protection Act 2018, and EU GDPR. |
| Personal data breach | A security incident leading to accidental or unlawful destruction, loss, alteration, or unauthorised access to personal data. |
| Sub-processor | Any third party (e.g. a cloud hosting provider) that Pixie uses to help process personal data for you. |
2. Scope and purpose
This DPA governs how Pixie handles personal data solely for the purpose of delivering the Services. Pixie processes personal data only to:
- Provide, secure, maintain, and support the Services.
- Generate diagnostic reports and benchmark comparisons (including the Scaleup Score).
- Prevent fraud and ensure platform security.
- Follow your documented instructions as set out in your agreements.
Processing continues for the term of your main Services agreement until the data is deleted or returned.
3. Types of data we process
We only process personal data necessary to provide the Services. This may include:
- Account / identity data - Names, business emails, job titles, and user preferences.
- Business contact data - Company name, address, and billing contacts.
- Connected service data - Business metrics or identifiers from integrations (e.g. CRM systems) that may be linked to an individual.
- Questionnaire responses - Information provided directly by a founder or user that may include professional background.
- Usage and technical data - IP addresses, logs, and analytics.
- Support data - Communications when you contact Pixie support.
Important: The Services are not designed to process sensitive data (health information, political opinions, criminal offence data, etc.). You must not submit this type of data unless agreed specifically and in writing.
4. Your responsibilities as Controller
As Controller, you are responsible for:
- Determining the purpose of data processing.
- Ensuring you have a legal basis for providing personal data to Pixie.
- Maintaining the accuracy and legality of the personal data you provide.
- Ensuring your instructions to Pixie comply with data protection laws.
5. Pixie’s responsibilities as Processor
Pixie will:
- Process personal data only on your documented instructions.
- Keep all personal data confidential.
- Maintain appropriate technical and organisational security measures (see Annex 1).
- Only use sub-processors in compliance with Section 7.
- Assist you in responding to data subject requests.
- Help you comply with your security, breach notification, and impact assessment obligations.
- Delete or return all personal data when the agreement ends.
6. Personal data breach notification
If a personal data breach occurs, Pixie will:
- Notify you without undue delay, and in any event within 48 hours of becoming aware.
- Provide details including the nature of the breach, the records affected, likely consequences, and the measures being taken.
- Cooperate with you to investigate and remediate the breach.
7. Using sub-processors
- You give Pixie general authorisation to use third-party sub-processors (such as cloud hosting providers) to help deliver the Services.
- Pixie maintains a list of all current sub-processors.
- We will provide at least 30 days’ notice of any new or replacement sub-processor that will handle personal data.
- You have the right to object to a new sub-processor on reasonable data protection grounds. If we cannot resolve your objection, you may terminate the affected Services without penalty.
- Pixie remains responsible for the actions of its sub-processors.
8. International data transfers
Pixie will not transfer personal data outside the UK or EEA unless a lawful transfer mechanism is in place, such as:
- Adequacy decisions from the UK Government or European Commission.
- UK International Data Transfer Agreement (IDTA) or UK Addendum.
- EU Standard Contractual Clauses (SCCs).
9. Assistance with data subject requests
- You are primarily responsible for responding to data subject rights requests (access, deletion, portability, etc.).
- Pixie will assist you as far as reasonably possible within 5 business days of your request.
- If a data subject contacts Pixie directly, we will direct them to you as the Controller.
10. Audit rights and compliance
- Pixie will provide information to demonstrate compliance with this DPA, including third-party audit reports where available.
- You may conduct an audit no more than once per year with 30 days’ prior written notice.
- Audits must be limited in scope and conducted to minimise disruption to our operations.
11. End of agreement - data return and deletion
- When your agreement ends, Pixie will, at your choice, return all personal data to you or delete it within 30 days.
- Residual copies in encrypted backups may be retained for a limited period until overwritten, but will be isolated and protected.
Annex 1: Technical and organisational security measures
A. Access control
- Multi-Factor Authentication (MFA) required for administrative access to production systems.
- Role-based access control (RBAC) and the principle of least privilege applied throughout.
- Access and administrative actions are logged and reviewed periodically.
B. Data protection
- Data in transit protected using TLS 1.2 or higher.
- Personal data at rest encrypted using AES-256 or equivalent.
- Customer data logically separated from other customers’ data (tenant isolation).
- Backups are encrypted and stored securely.
C. Infrastructure security
- We use Google Cloud Platform as our primary cloud hosting provider.
- Network security controls (firewalls, segmentation) and threat detection monitoring are in place.
- Vulnerability scanning and security patch management are applied regularly.
- Penetration testing is conducted at least annually.
D. Operational security
- Personnel with data access undergo appropriate screening and regular security and privacy training.
- Secure software development lifecycle including code reviews and environment separation.
- Defined incident response process for tracking, triaging, and resolving security incidents.
- Business continuity and disaster recovery plans are maintained.
Last updated: March 2026