Last Updated: V1 May 2026
This Data Processing Agreement ("DPA") forms part of, and is governed by, the Platform Subscription Agreement (the "Agreement") between you (the "Customer") and SelectionWise Ltd. ("SelectionWise"), a company registered in England and Wales (Company No. 14872048), with registered office at Unit 4, Fairway Court, Amber Close, Tamworth, B77 4RP.
This DPA sets out the terms on which SelectionWise processes Personal Data on behalf of the Customer in connection with the Platform. In the event of any conflict between this DPA and the Agreement in respect of the processing of Personal Data, this DPA prevails.
Capitalised terms used but not defined in this DPA have the meaning given to them in the Agreement.
"Applicable Data Protection Law" means the UK General Data Protection Regulation, the Data Protection Act 2018, and any other data protection or privacy laws applicable to the processing of Personal Data under this DPA.
"Controller", "Processor", "Data Subject", "Personal Data", "Personal Data Breach", and "Process/Processing" have the meanings given in Applicable Data Protection Law.
"Customer Personal Data" means Personal Data within Customer Data that SelectionWise processes on behalf of Customer under the Agreement.
"Subprocessor" means any third party engaged by SelectionWise to process Customer Personal Data on behalf of Customer.
"UK IDTA" means the United Kingdom International Data Transfer Agreement issued by the Information Commissioner's Office under section 119A of the Data Protection Act 2018, as updated from time to time.
"Standard Contractual Clauses" or "SCCs" means the standard contractual clauses approved by the European Commission for the transfer of personal data to third countries.
For Customer Personal Data, Customer is the Controller and SelectionWise is the Processor. Each party will comply with its respective obligations under Applicable Data Protection Law.
Customer:
The subject matter of the processing is the provision of the Platform under the Agreement. The duration of the processing is the term of the Agreement, plus any retention period set out in Section 10 (Return or Deletion).
SelectionWise processes Customer Personal Data for the following purposes:
The Personal Data processed under this DPA typically includes:
The Data Subjects whose Personal Data may be processed under this DPA typically include:
SelectionWise shall process Customer Personal Data only on documented instructions from Customer, including with regard to transfers of Personal Data to a third country, unless required to do so by Applicable Data Protection Law (in which case SelectionWise shall inform Customer of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest).
Customer's documented instructions are set out in this DPA and the Agreement. Customer may issue additional written instructions consistent with the Agreement; SelectionWise will inform Customer if, in its opinion, an instruction infringes Applicable Data Protection Law.
SelectionWise shall ensure that persons authorised to process Customer Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, as well as the risk to the rights and freedoms of natural persons, SelectionWise implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk. These measures include:
SelectionWise shall review and, where appropriate, update these measures from time to time. SelectionWise may modify security measures provided that doing so does not materially reduce the level of protection.
Customer provides general authorisation for SelectionWise to engage Subprocessors to process Customer Personal Data, subject to the following conditions:
Taking into account the nature of the processing, SelectionWise shall assist Customer, by appropriate technical and organisational measures, insofar as this is possible, in fulfilling Customer's obligation to respond to requests for exercising Data Subject rights (access, rectification, erasure, restriction, portability, objection).
If SelectionWise receives a Data Subject request relating to Customer Personal Data, SelectionWise will, where lawful to do so, forward the request to Customer without undue delay and will not respond to the request itself except on Customer's instructions.
SelectionWise shall notify Customer without undue delay, and in any event within 72 hours, after becoming aware of a Personal Data Breach affecting Customer Personal Data. The notification will include, to the extent known at the time:
SelectionWise will provide reasonable further information as it becomes available. SelectionWise's notification is not, and shall not be construed as, an acknowledgement of fault or liability.
SelectionWise shall provide Customer with reasonable assistance, taking into account the nature of the processing and the information available to SelectionWise, with any data protection impact assessments and prior consultations with supervisory authorities that Customer is required to carry out under Applicable Data Protection Law.
SelectionWise shall maintain records of processing activities carried out on behalf of Customer in accordance with Article 30(2) of the UK GDPR. SelectionWise will make such records available to Customer on reasonable request to demonstrate compliance with this DPA.
SelectionWise shall make available to Customer information reasonably necessary to demonstrate compliance with this DPA, including by providing copies of independent third-party audit reports or certifications where available.
Where Customer reasonably considers that the information made available is insufficient, Customer may, on giving at least 30 days' prior written notice and not more than once in any 12-month period (except where required by a supervisory authority or following a Personal Data Breach), conduct an audit of SelectionWise's compliance with this DPA. Audits shall be carried out during normal business hours, shall not unreasonably interfere with SelectionWise's operations, and shall be subject to reasonable confidentiality obligations. The cost of any such audit shall be borne by Customer.
To the extent that SelectionWise transfers Customer Personal Data outside the United Kingdom or the European Economic Area, SelectionWise shall ensure that such transfers are subject to appropriate safeguards under Applicable Data Protection Law, which may include:
Customer authorises SelectionWise to enter into such transfer mechanisms on Customer's behalf where necessary to give effect to this Section 5.
SelectionWise engages the following Subprocessors to process Customer Personal Data in connection with the Platform. The location indicates where the Subprocessor's services are primarily provided from; some Subprocessors may store or process Personal Data in additional jurisdictions in the course of providing their services.
| Subprocessor | Purpose | Location | Transfer Mechanism |
|---|---|---|---|
| Supabase Inc. | Database, authentication, file storage, and serverless functions. Hosts the majority of Customer Personal Data. | USA (Supabase Inc., contracting entity); data hosted in Amazon Web Services, West Europe / London region (eu-west-2). | UK IDTA / SCCs with UK Addendum |
| Netlify, Inc. | Hosting of the Platform web application (frontend). Processes IP addresses and request metadata in the course of serving the application. | USA | UK IDTA / SCCs with UK Addendum |
| Stripe Payments Europe Ltd. / Stripe, Inc. | Payment processing. Stripe acts as an independent controller for card data; SelectionWise does not store cardholder data. | Ireland (EU customers) / USA | Stripe is a controller in its own right for payment data; UK IDTA / SCCs apply to any incidental processor activities. |
SelectionWise will update this list and notify Customer of changes in accordance with Section 4.3.
On termination or expiry of the Agreement, and at Customer's choice expressed in writing within 30 days of termination, SelectionWise shall:
The discontinuation provisions of Section 8.4 of the Agreement apply additionally in respect of a SelectionWise-initiated discontinuation of the Platform.
Each party's liability under or in connection with this DPA is subject to the limitations and exclusions of liability set out in the Agreement (including Section 5.6 of the Agreement). For the avoidance of doubt, fines imposed by a supervisory authority directly on a party shall be borne by that party except to the extent caused by the other party's breach of this DPA.
This DPA takes effect from the date of acceptance of the Agreement and continues for the duration of the Agreement. Provisions which by their nature should survive (including Sections 7, 8 and 10) shall survive termination of this DPA.
In the event of any conflict between this DPA and the Agreement in respect of the processing of Personal Data, this DPA prevails.
SelectionWise may update this DPA from time to time, including to reflect changes in Applicable Data Protection Law, in the Subprocessor List, or in the Platform. SelectionWise will give at least 30 days' notice of material changes by email to account administrators. Continued use of the Platform after the effective date of changes constitutes acceptance.
This DPA is governed by the laws of England and Wales. The courts of England and Wales have exclusive jurisdiction over any dispute arising from this DPA, subject to the dispute resolution procedures in the Agreement.
If any provision of this DPA is held to be unenforceable, the remainder shall continue in effect.
No third party has any rights under this DPA.
Questions about this DPA, requests to exercise Data Subject rights via SelectionWise, or notifications about Personal Data Breaches should be addressed to:
SelectionWise Ltd.
Unit 4, Fairway Court
Amber Close
Tamworth
B77 4RP
Email: info@selectionwise.com
Company Registration: 14872048
This DPA should be read in conjunction with: