GDPR

Data Processing Agreement

This DPA is designed for customer organisations that need a processor agreement for TapTick under GDPR-style data protection obligations.

Last updated: 10 March 2026

1. Parties and purpose

This Data Processing Agreement forms part of the TapTick contract between Fit2Trade Ltd and the customer organisation using TapTick. It applies where TapTick processes personal data on behalf of that customer.

2. Roles of the parties

For customer data processed through TapTick, the customer organisation acts as the controller and Fit2Trade Ltd acts as the processor, except where Fit2Trade Ltd separately acts as a controller for its own business administration, security, billing, or legal compliance purposes.

3. Subject matter, duration and nature of processing

The subject matter of the processing is the provision of the TapTick SaaS platform. The duration of processing lasts for the period during which TapTick processes customer personal data to provide the service and any agreed post-termination retention period.

Processing activities may include collection, storage, organisation, retrieval, consultation, transmission, backup, deletion, and other operations required to provide the service.

4. Categories of data and data subjects

Data subjects

  • customer employees, managers, contractors, and authorised users;
  • individuals who may appear in uploaded operational images or comments.

Types of personal data

  • names, email addresses, user roles, initials, identifiers, timestamps, and activity records;
  • comments, uploaded images, and other operational content entered by customer users.

5. Processor obligations

Fit2Trade Ltd will:

  • process personal data only on documented instructions from the customer, unless required by law to do otherwise;
  • ensure persons authorised to process personal data are subject to confidentiality obligations;
  • implement appropriate technical and organisational measures;
  • assist the customer, taking into account the nature of the processing, with appropriate requests relating to data subjects, security, breach response, impact assessments, and supervisory authority engagement;
  • delete or return personal data at the end of the provision of services, unless law requires retention.

6. Customer obligations

The customer is responsible for determining the lawful basis for processing, providing notices to individuals where required, setting retention requirements, and ensuring that use of TapTick complies with applicable data protection law.

7. Security measures

Measures may include encrypted transport, authentication controls, role-based permissions, logging, and use of reputable managed infrastructure providers. Security measures may evolve over time provided they do not materially reduce overall protection for customer data.

8. Subprocessors

The customer authorises Fit2Trade Ltd to use subprocessors to deliver the service. Current subprocessors are listed on the Subprocessor List. Fit2Trade Ltd will remain responsible for the performance of its subprocessor obligations to the extent required by law and contract.

9. International transfers

Where personal data is transferred outside the EEA or UK, Fit2Trade Ltd will seek to ensure an appropriate transfer mechanism is in place, such as Standard Contractual Clauses or another recognised safeguard.

10. Personal data breaches

Fit2Trade Ltd will notify the customer without undue delay after becoming aware of a personal data breach affecting customer personal data and will provide reasonable cooperation to support the customer's own assessment and reporting obligations.

11. Audit and information rights

On reasonable written request, Fit2Trade Ltd will make available information reasonably necessary to demonstrate compliance with this DPA. Any audit rights must be exercised in a proportionate way that avoids undue disruption, protects other customers, and respects confidentiality and security obligations.

12. Return and deletion

On termination, customer data may be exported by the customer during any available access window. After that, Fit2Trade Ltd may delete the data after a reasonable retention period unless law requires otherwise.

13. Liability and order of precedence

Unless expressly stated otherwise in this DPA, liability is governed by the main TapTick contract. If this DPA conflicts with the main TapTick terms on data protection matters, this DPA will take precedence for those matters.

14. Governing law

This DPA is governed by the laws of Ireland.