Skip to content

This is the reference copy of the Terrain Apps Data Processing Agreement ("DPA"). For Terrain Apps customers the operative data-processing terms are set out in the signed Master Software Services Agreement; this standalone version restates them and is available countersigned on request from terraincafm@gmail.com.

1. Parties and roles

This DPA is between Terrain Systems Ltd, a company registered in England & Wales (company number 17234123) with its registered office at Broad Street, Great Cambourne, Cambridge, England, CB23 6HE (the "Processor", "we"), and the customer identified in the applicable agreement (the "Controller", "you"). It applies where we process personal data on your behalf in providing your Terrain Apps deployment (the "Service") and forms part of the agreement between us (the "Agreement"). Terms defined in the UK GDPR have the same meaning here.

2. Scope and duration

This DPA applies to all personal data within Customer Data that we process on your behalf in providing the Service, and lasts for the duration of the Agreement plus any period until deletion or return of that data under clause 9. The subject matter, nature, purpose and details of processing are set out in Annex A.

3. Our obligations as processor

We will:

  • process personal data only on your documented instructions (including as set out in the Agreement and this DPA), unless required by law to do otherwise, in which case we will inform you before processing unless the law prohibits it;
  • inform you if, in our opinion, an instruction infringes UK data protection law;
  • ensure that persons authorised to process the personal data are bound by confidentiality obligations;
  • implement and maintain the technical and organisational measures in Annex B, appropriate to the risk, as required by Article 32 UK GDPR;
  • assist you, taking into account the nature of the processing, in responding to data-subject rights requests, by appropriate technical and organisational measures insofar as this is possible;
  • assist you in meeting your obligations under Articles 32 to 36 UK GDPR (security, breach notification, data protection impact assessments and prior consultation), taking into account the nature of the processing and the information available to us;
  • notify you without undue delay after becoming aware of a personal data breach affecting your personal data, providing the information described in clause 7;
  • delete or return personal data at the end of the Agreement in accordance with clause 9; and
  • make available the information reasonably necessary to demonstrate compliance with this DPA, and allow for and contribute to audits as described in clause 8.

4. Subprocessors

You give general written authorisation for us to engage the subprocessors listed at /legal/subprocessors (Annex C). We will give you at least 30 days' written notice of any intended addition or replacement, during which you may object on reasonable data-protection grounds; if we cannot resolve a reasonable objection, you may terminate the affected Service. We impose data protection obligations on each subprocessor materially equivalent to those in this DPA, and we remain fully liable to you for their performance.

5. International transfers

We will not transfer personal data outside the United Kingdom unless an appropriate safeguard is in place: UK adequacy regulations, the UK International Data Transfer Agreement, or the UK Addendum to the EU Standard Contractual Clauses. Current transfer destinations are shown on the subprocessor list.

6. Data-subject requests

If we receive a request from a data subject relating to personal data we process on your behalf, we will not respond directly (except to direct the individual to you) and will pass the request to you without undue delay.

7. Personal data breaches

Our breach notification under clause 3 will, so far as the information is reasonably available, describe the nature of the breach, the categories and approximate numbers of data subjects and records concerned, the likely consequences, the measures taken or proposed, and recommended actions for you. We will cooperate with you in investigating and mitigating the breach. Notification is not an admission of fault.

8. Audits

No more than once in any 12-month period, and on at least 30 days' written notice, you may audit our compliance with this DPA. We will first satisfy audit requests through written responses, documentation and completed security questionnaires; where these are insufficient, we will permit a remote or on-site audit during business hours, at your cost, subject to confidentiality and without access to other customers' data.

9. Deletion and return

At the end of the Agreement, and on request made within 30 days, we will make Customer Data available for export in a commonly used format. After that period, we will delete personal data processed on your behalf within 90 days, including from backups in the ordinary course of the backup cycle, unless retention is required by law. Because each deployment runs on its own isolated database, authentication application and storage, deletion covers the whole deployment.

10. Liability and order of precedence

Liability under this DPA is subject to the limitations and exclusions in the Agreement. If this DPA conflicts with the Agreement on data-protection matters, this DPA prevails. This DPA is governed by the laws of England & Wales.

Annex A: Details of processing

Subject matterProvision of your Terrain Apps deployment, a bespoke internal software tool, including hosting, support, maintenance, backup and incident management.
DurationThe term of the Agreement, plus the deletion period in clause 9.
Nature and purposeHosting, storage, display, transmission, report generation, user authentication, optional AI-assisted text enhancement via a third-party LLM subprocessor, support and system administration, as necessary to provide the Service.
Categories of data subjectsYour staff and other authorised users; reviewers; contractors and building or site contacts; individuals appearing incidentally in photographs or documents you upload.
Categories of personal dataNames, work contact details, job titles and organisations; authentication identifiers; content entered into the Service (audit records, findings, observations, comments, scores, recommendations, building and asset records); photographs; digital signatures; workflow and audit-trail records; technical usage data.
Special category dataNone intended. You must not enter special category data without establishing a lawful basis and informing us in writing.

Annex B: Technical and organisational measures

  • Encryption in transit (TLS) for all connections; encryption at rest through our database and storage providers.
  • Per-deployment isolation: each customer's Service runs on its own dedicated database, authentication application and file storage, with no pooling of data across deployments.
  • Role-based access control and multi-factor authentication through a managed identity provider.
  • Private file storage served only via short-lived signed links.
  • Centrally managed, encrypted secrets; credentials never committed to code.
  • Audit logging of actions on records; staff access on a need-to-know basis, authenticated and logged.
  • Routine backups of production systems and documented recovery procedures.
  • Continuous error, performance and uptime monitoring with personal data excluded by default; security patching and vulnerability management.

Further detail is published in our Security & Trust Centre. We may update these measures provided the overall level of protection is not materially reduced.

Annex C: Authorised subprocessors

The authorised subprocessors, their services and locations are listed at /legal/subprocessors, which forms part of this DPA.