The full text of the agreement is reproduced below for your reference.
Data Processing Agreement
This Data Processing Agreement ("DPA") is made on the date of last signature below between:
Parties
- Taylor Liesnham trading as Mochify of Suite RA01, 195-197 Woodhouse Road, London, E17 3NU, England ("Supplier"); and
- [Company name], a company incorporated in England and Wales under No. [Company number], whose registered office is at [Address line 1], [Address line 2], [County], [Postcode] ("Customer").
(each a "party" and together the "parties")
Background
- The Supplier is a provider of image compression, optimisation, and format conversion services, processing image files in-memory with zero data retention on behalf of the Customer ("Services").
- The parties entered into an agreement for the provision of services on [DATE] ("Agreement").
- The parties have agreed to enter into this DPA in relation to the processing of personal data by the Supplier in the course of providing the Services. The terms of this DPA are intended to apply in addition to and not in substitution of the terms of the Agreement.
Agreement
Meanings
- In this DPA, the following words are defined:
| Term | Definition |
|---|---|
| Affiliate | Any entity that directly or indirectly controls, or is controlled by, or is under common control with the subject entity. "Control" means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity. |
| Data Protection Law | (a) All laws and regulations applicable to the Processing of Personal Data under the Agreement, including EU Directive 95/46/EC, the GDPR and laws implementing or supplementing the GDPR; and (b) to the extent applicable, the data protection or privacy laws of any other country. |
| GDPR | (a) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 ("EU GDPR"); and (b) the EU GDPR as implemented or adopted under the laws of the United Kingdom ("UK GDPR"). |
| Personnel | In relation to a party, those of its employees, workers, agents, consultants, contractors, sub-contractors, representatives or other persons employed or engaged by that party. |
| Sub-processor | Any entity appointed by or on behalf of the Supplier to process Personal Data on behalf of the Customer under this DPA. |
| Working Day | Any day, other than a Saturday, Sunday, or public holiday in England and Wales. |
- Terms such as "Data Subject", "Processing", "Personal Data", "Controller", "Processor", "Supervisory Authority" and "Personal Data Breach" shall have the same meaning as ascribed to them in the Data Protection Law.
- In this DPA unless the context requires a different interpretation: (a) the singular includes the plural and vice versa; (b) "including" is understood to mean "including without limitation"; (c) reference to any statutory provision includes any modification or amendment of it; (d) the headings do not form part of this DPA; and (e) "writing" or "written" will include email unless otherwise stated.
Processing Customer Personal Data
- For the purpose of Data Protection Law, the Customer shall be the Controller and the Supplier shall be the Processor.
- The Supplier and each Supplier Affiliate shall: (a) comply with all applicable Data Protection Law in the Processing of Customer Personal Data; and (b) only Process Personal Data on the Customer's documented instructions, unless Processing is required by applicable law.
- The Supplier shall take reasonable steps to ensure the reliability of Personnel who have access to Personal Data, ensuring such Personnel is subject to a strict duty of confidentiality and Processes Personal Data only for the purpose of delivering the Services.
Security
- The Supplier will establish data security in relation to the Processing of Personal Data under this DPA, guaranteeing a protection level appropriate to the risk. Such measures may include: (a) pseudonymisation and encryption of Personal Data; (b) ongoing confidentiality, integrity, availability and resilience of processing systems; (c) ability to restore availability of Personal Data in a timely manner in the event of an incident; and (d) a process for regularly testing and evaluating the effectiveness of technical and organisational measures.
- In assessing the appropriate level of security, the Supplier shall take into account any risks presented by the Processing, in particular from a Personal Data Breach.
- The Supplier has laid down the technical and organisational measures in Schedule 2 of this DPA. The Supplier may implement alternative adequate measures from time to time and shall notify the Customer in writing where it has done so.
Sub-Processors
- The Customer authorises the Supplier to appoint the Sub-processors listed in Schedule 3 (if any) and any new Sub-processors in accordance with the subsequent provisions.
- With respect to each Sub-processor, the Supplier shall: (a) carry out appropriate due diligence prior to Processing; (b) enter into a written agreement incorporating terms substantially similar to those in this DPA meeting the requirements of Article 28(3) of UK GDPR; and (c) remain fully liable to the Customer for all acts or omissions of such Sub-processor.
- The Supplier shall give the Customer prior written notice of the appointment of any new Sub-processor.
- If within 30 days of receipt of such notice the Customer notifies the Supplier of any objections: (a) the parties will work in good faith to make available a commercially reasonable change; and (b) if such a change cannot be made within 30 days, the Customer may serve written notice to terminate the Agreement to the extent that the provision of the Services is affected.
Data Subject Rights
- The Supplier shall assist the Customer in implementing appropriate technical and organisational measures for the fulfilment of the Customer's obligation to respond to Data Subject requests under Data Protection Law.
- The Supplier shall: (a) promptly (and within 24 hours) notify the Customer if it receives a request from a Data Subject; and (b) fully cooperate with and assist the Customer in relation to any such request.
Personal Data Breaches
- The Supplier shall: (a) notify the Customer without undue delay (no later than 72 hours) upon becoming aware of any Personal Data Breach; (b) provide sufficient information to enable the Customer to evaluate the impact; (c) provide the Customer with such assistance as reasonably requested; and (d) cooperate with the Customer to assist in the evaluation, investigation, mitigation and remediation of each Personal Data Breach.
Data Protection Impact Assessment and Prior Consultation
- The Supplier shall provide reasonable assistance to the Customer with any data protection impact assessments and prior consultations with Supervisory Authorities pursuant to Articles 35 and 36 of the UK GDPR, limited to the Processing of Personal Data under this DPA.
Return and Deletion of Personal Data
- The Supplier shall, within 30 days of the expiry or termination of the Agreement, delete or return all copies of Personal Data Processed on behalf of the Customer.
- The Supplier may retain Personal Data to the extent required by applicable law, notifying the Customer of any such requirement and ensuring the confidentiality of such data.
- The Customer may require the Supplier to provide written certification confirming compliance with this section.
Audits
- The Supplier shall make available to the Customer on request all information necessary to demonstrate compliance with this DPA.
- The Supplier shall allow for and contribute to audits, including inspections, by the Customer (or any auditor mandated by the Customer), provided the Customer gives reasonable notice and makes all reasonable endeavours to avoid disruption.
- Such audit rights may be exercised only once in any calendar year during the term of the Agreement and for a period of 3 years following expiry or termination.
Liability
- Nothing in this DPA limits or excludes either party's liability for death or personal injury caused by its negligence, or fraud or fraudulent misrepresentation.
- Subject to the preceding clause, the total liability of either party for any non-compliance with this DPA shall be subject to any limitation regarding monetary damages set forth in the Agreement.
General Terms
- This DPA shall be coterminous with the Agreement.
- No party may assign, transfer or sub-contract to any third party the benefit and/or burden of this DPA without the prior written consent of the other party.
- No variation of this DPA will be valid or binding unless recorded in writing and signed by or on behalf of both parties.
- The Contracts (Rights of Third Parties) Act 1999 does not apply to this DPA.
- Any notice to be delivered under this DPA must be in writing and delivered by pre-paid first class post or hand delivery to the other party's registered address or place of business, or sent by email.
Governing Law and Jurisdiction
- This DPA will be governed by and interpreted according to the law of England and Wales and all disputes shall be subject to the exclusive jurisdiction of the English and Welsh courts.
Signatures
| Supplier (Data Processor) | Customer (Data Controller) |
|---|---|
| Taylor Liesnham | Owner | Mochify | [Name] | [Title] | [Company] |
| Signature: ___________________________ | Signature: ___________________________ |
| Date: ___________________________ | Date: ___________________________ |
Schedule 1 — Processing Activities
Nature and purpose of Processing: The Supplier will Process Personal Data as necessary to provide the Services pursuant to the Agreement, and as further instructed by the Customer.
Types of Personal Data:
- Image file metadata, which may incidentally include EXIF data such as geolocation, device identifiers, and photographer information embedded within uploaded image files.
Categories of Data Subject:
- Customers of the Customer (including their staff)
- Other people that the Customer deals with
Obligations and rights of the Customer: Set out in the Agreement and this DPA.
Schedule 2 — Technical and Organisational Measures
The Supplier will conduct the activities covered by this DPA in compliance with its Information Security Policy and data protection policies, available online at: https://mochify.app/privacy
The Supplier also has the following technical and organisational measures in place:
- Uploaded image files are processed entirely in-memory and are not retained after processing is complete, ensuring zero data persistence — with the sole exception of the Model Context Protocol (MCP) integration, where the processed result (never the original upload) is stored by a Sub-processor (see Schedule 3) for no more than approximately five minutes to enable delivery via a short-lived download link, after which it is automatically and permanently deleted.
- All data in transit is encrypted using HTTPS/TLS. Server access is restricted to authorised personnel only, with access controls and secure authentication in place.
Schedule 3 — Sub-Processors
The Customer agrees that the Supplier may sub-contract certain obligations under this DPA to the following Sub-processors:
- Cloudflare, Inc. — temporary storage of processed image outputs (for no more than approximately five minutes, after which they are automatically deleted) to enable delivery via short-lived download links. Applies only to images processed through the Supplier's Model Context Protocol (MCP) integration; the standard web, API and CLI services use no Sub-processor for image data.