Data processing terms
Last updated
These Data Processing Terms (“DPT”) form part of the agreement between Studio Sixty-One Limited (“Rampt”, “Processor”) and the workshop that subscribes to the Rampt platform (“Customer”, “Controller”). They apply whenever Rampt processes personal data on the Customer’s behalf. If there is a conflict between these terms and the General Terms on the subject of data protection, these terms win.
1. Definitions
Terms such as controller, processor, personal data, processing, data subject, personal data breach and supervisory authority have the meanings given in the UK GDPR. Data Protection Law means the UK GDPR, the Data Protection Act 2018, and PECR, each as amended.
2. Roles of the parties
For personal data about the Customer’s own customers (vehicle owners), their vehicles, and related job records processed through Rampt, the Customer is the controller and Rampt is the processor. Each party will comply with its obligations under Data Protection Law. The Customer is responsible for the lawfulness of the data it puts into Rampt, including having a valid basis and any required consent for the personal data it processes and the messages it sends.
3. Rampt’s obligations as processor
Rampt will:
- Process only on instructions. Process the Customer’s personal data only on the Customer’s documented instructions, which include use of the platform’s features and this DPT, unless required otherwise by law (in which case Rampt will tell the Customer first, if lawful to do so).
- Confidentiality. Ensure that people authorised to process the data are under a duty of confidentiality.
- Security. Implement the technical and organisational measures set out in Annex B, appropriate to the risk, in line with Article 32.
- Sub-processors. Only engage the sub-processors listed in Annex C, or others notified under section 4, and impose data protection terms on them equivalent to these.
- Assist with data subject rights. Taking account of the nature of the processing, help the Customer respond to data subject requests, using the platform’s features where possible.
- Assist with compliance. Help the Customer meet its obligations on security, breach notification, data protection impact assessments and prior consultation, given the information available to Rampt.
- Breach. Notify the Customer without undue delay after becoming aware of a personal data breach affecting the Customer’s data, with the information the Customer reasonably needs to meet its own notification duties.
- Deletion or return. On the end of the service, delete or return the Customer’s personal data as set out in section 6, subject to any legal retention requirement.
- Audit. Make available the information reasonably needed to demonstrate compliance with Article 28, and allow for and contribute to audits, subject to reasonable notice, confidentiality, and frequency limits.
4. Sub-processors
The Customer gives general authorisation for Rampt to engage the sub-processors in Annex C. Rampt will give the Customer prior notice of any intended addition or replacement, giving the Customer a fair chance to object on reasonable data protection grounds. If an objection cannot be resolved, the Customer may terminate the affected service.
5. International transfers
Rampt will not transfer the Customer’s personal data outside the UK except where a lawful transfer mechanism is in place, such as an adequacy decision, the UK International Data Transfer Agreement, or the UK Addendum to the EU Standard Contractual Clauses, with supplementary measures where needed. Current transfer positions are noted in Annex C.
6. Deletion and return
On termination or expiry, the Customer may export its data through the platform for [30] days. After that period, Rampt will delete the Customer’s personal data from active systems within [a defined period], and from backups in the ordinary backup cycle, except where retention is required by law.
7. Liability
Liability under this DPT is subject to the limitations and exclusions in the General Terms.
Annex A — Details of the processing
- Subject matter: provision of the Rampt workshop management platform.
- Duration: the term of the Customer’s subscription, plus the deletion period in section 6.
- Nature and purpose: hosting, storing, organising, transmitting and displaying data so the Customer can manage bookings, jobs, vehicle health checks, customer communications, invoicing and related workshop operations.
- Types of personal data: names, contact details (phone, email), addresses, vehicle registration and related vehicle data, MOT and service history, job and repair records, health check media (photos, video, voice), invoices, communication history, and messaging consent status.
- Categories of data subjects: the Customer’s own customers (vehicle owners and contacts) and, where entered by the Customer, other individuals connected to a job.
- Special category data: none intended. The Customer should not enter special category data except where strictly necessary and lawful.
Annex B — Technical and organisational measures
- Encryption of personal data in transit and at rest.
- Multi-tenant isolation: strict per-workshop data separation enforced at the database layer (row-level security).
- Access control: role-based access control, least-privilege internal access, and authentication controls on accounts.
- Resilience and backups: regular backups and measures to restore availability after an incident.
- Logging and monitoring: audit logging of key actions and monitoring for security events.
- Vendor management: data protection terms with all sub-processors.
- Testing and review: periodic review of the effectiveness of these measures.
Annex C — Sub-processors
| Sub-processor | Purpose | Location / transfer basis |
|---|---|---|
| [Vercel] | Hosting | [confirm] |
| [Neon] | Database | [confirm] |
| [Resend] | Email delivery | [confirm] |
| [sent.dm] | SMS / WhatsApp / RCS delivery | [confirm] |
| [Stripe] | Payments | [confirm] |