Data processing
Our role
When Imageplus processes personal data in the course of delivering services to a client, it acts as a data processor under GDPR Article 28. The client is the data controller. Imageplus processes personal data only on the documented instructions of the controller and for no other purpose.
Our commitments
Imageplus commits to the following in every engagement involving personal data processing:
- Processing personal data only on documented instructions from the client, except where access is necessary for the legitimate purpose of technical support, troubleshooting or operational maintenance of the services
- Confidentiality obligations on all persons authorised to process personal data
- Appropriate technical and organisational security measures
- Sub-processor controls in line with Article 28 GDPR
- Assistance to the client in responding to data subject rights requests
- Notification of personal data breaches without undue delay
- Return or deletion of personal data at engagement end
- Cooperation with audits and information requests
Standard DPA
These commitments are formalised in the Imageplus Standard Data Processing Agreement. The Standard DPA applies by default to all engagements. Where a mutually agreed DPA is in place, that document prevails.
Engagement-specific arrangements
For larger or more complex engagements, data processing terms are documented in the applicable SLA, statement of work or bespoke DPA. Engagement-specific arrangements are agreed before work starts.