data processing

The contract that governs how Pumpd processes personal data on behalf of its marina customers under UK GDPR.

Last updated: May 2026  ·  Berth Living Ltd, trading as Pumpd

This page is the public version of our Data Processing Agreement. The same terms are attached as Schedule 1 of every Master Service Agreement signed with a marina customer. Where this page and a signed MSA conflict, the signed MSA wins.

1. Who's who

In this agreement:

  • Pumpd means Berth Living Ltd (trading as Pumpd.uk), a company registered in England and Wales. Pumpd is the data processor.
  • Customer means the marina (or marina group) that has signed up for a Pumpd subscription. The Customer is the data controller for personal data about its residents and visiting boaters.
  • UK GDPR means the UK General Data Protection Regulation, as supplemented by the Data Protection Act 2018.
  • Personal Data, Processing, Sub-processor, Data Subject, Personal Data Breach have the meanings given in UK GDPR.

2. Scope & subject matter

This agreement applies whenever Pumpd processes Personal Data on behalf of the Customer in connection with the Pumpd platform. It governs the relationship between the parties under Article 28 of UK GDPR.

Subject matter: processing of Personal Data to operate the Pumpd pump-out booking service.
Duration: for the term of the Customer's subscription, plus any retention period required by law.
Nature of processing: storage, organisation, retrieval, transmission, deletion, and analysis necessary to deliver the service.
Purpose: to allow residents and visitors to book marina pump-out services and for the Customer to manage those bookings.

3. Categories of data & data subjects

Categories of Personal Data:

  • Identification data: name, email address, telephone number
  • Mooring data: vessel name, berth number, marina assignment
  • Authentication data: bcrypt-hashed password, optional two-factor authentication secret and recovery codes
  • Booking history: dates, times, status, free-text notes
  • Communication logs: emails sent, push-notification subscriptions
  • Technical data: IP addresses, browser user-agent strings, error logs

Categories of Data Subject:

  • Berth holders (residents) at the Customer's marinas
  • Visiting boaters who book pump-outs at the Customer's marinas
  • Customer staff who use the Pumpd dashboard

Pumpd does not process special-category data (health, religion, biometrics, political views, etc.). Card payment data is processed by Stripe, not Pumpd, and is outside the scope of this agreement.

4. Pumpd's obligations as processor

Pumpd will:

  • Only process Personal Data on the Customer's documented instructions. These instructions are set out in the MSA, this DPA, and the operational configuration the Customer makes via the Pumpd dashboard. Pumpd will tell the Customer if it believes an instruction infringes UK GDPR.
  • Keep Personal Data confidential. Everyone with access (employees, contractors) is bound by confidentiality obligations.
  • Apply appropriate technical and organisational security measures as required by Article 32. The full security posture is published at pumpd.uk/security; the core measures are:
    • TLS 1.2+ encryption in transit; AES-256 encryption at rest
    • Bcrypt-hashed passwords; mandatory two-factor authentication for platform administrators
    • Role-based access control with tenant scoping; comprehensive audit logging of privileged actions
    • Daily encrypted backups with point-in-time recovery; EU/UK data residency
  • Assist the Customer in responding to data-subject requests (access, rectification, erasure, restriction, portability, objection) without undue delay.
  • Assist the Customer in meeting its obligations under Articles 32 to 36 of UK GDPR, including security of processing (Art. 32), breach notification to the Customer and to data subjects where required (Arts. 33-34), Data Protection Impact Assessments (Art. 35), and prior consultation with the Information Commissioner's Office where required (Art. 36). Pumpd will provide reasonable cooperation, taking into account the nature of the processing and the information available to Pumpd.
  • Notify the Customer of any Personal Data Breach without undue delay and in any event within 72 hours of becoming aware. The notification will describe the nature of the breach, the categories and approximate numbers of data subjects and records affected, the likely consequences, and the measures taken or proposed.
  • Make available all information necessary for the Customer to demonstrate compliance with Article 28, including by allowing and contributing to audits.

5. Sub-processors

The Customer authorises Pumpd to engage the following Sub-processors:

  • Vercel Inc. for application hosting (EU/US, GDPR-compliant)
  • Neon (or equivalent Postgres host) for the primary database (EU region)
  • Stripe Payments UK Ltd for visitor payment processing and the Customer's subscription billing
  • Resend Inc. for transactional email delivery

The up-to-date list is maintained at pumpd.uk/privacy. Pumpd will give the Customer at least 30 days' notice of any intended addition or replacement of Sub-processors, by email to the Customer's billing contact. If the Customer reasonably objects on data-protection grounds, the parties will work together in good faith to find a solution; if no solution can be reached, the Customer may terminate the subscription without penalty for the period the objected-to Sub-processor would be processing the Customer's data.

Sub-processor flow-down obligations. Pumpd imposes data-protection obligations on each Sub-processor by written contract that are no less onerous than those Pumpd owes the Customer under this DPA, including the obligations to (i) process only on documented instructions, (ii) maintain confidentiality, (iii) implement Article 32 security measures, and (iv) assist with data-subject rights and breach notification. This satisfies Article 28(4) of UK GDPR.

Pumpd remains fully liable to the Customer for the acts and omissions of its Sub-processors as if they were its own.

6. International transfers

Pumpd hosts application and database infrastructure in the UK/EEA by default. Where a Sub-processor is based outside the UK/EEA (for example certain Stripe and Resend operations in the United States), transfers are made under appropriate safeguards: UK International Data Transfer Agreement, UK Addendum to the EU Standard Contractual Clauses, or an applicable adequacy decision. No Personal Data is transferred outside the UK/EEA without one of these safeguards in place.

7. Data-subject requests

If Pumpd receives a request directly from a Data Subject relating to data Pumpd processes for the Customer (for example, a resident emailing Pumpd asking to be deleted), Pumpd will not respond substantively itself. Instead Pumpd will, where reasonably possible, forward the request to the Customer within 5 working days so the Customer can respond.

Pumpd has built dedicated tooling to help the Customer action these requests at low cost:

  • Data export (Article 20 portability): self-service CSV download of all records Pumpd holds for the Customer's marina(s), available from the Settings page.
  • Erasure (Article 17): anonymisation flow that nulls personal identifiers (name, email, phone, boat, berth, password, 2FA secrets) while preserving anonymised booking records so the Customer can retain its compliance audit trail. Where legitimate retention bases do not apply, a hard delete option is available.
  • Access & rectification (Articles 15, 16): residents and staff can view and edit their own data from their account dashboard.

8. Audit rights

The Customer may audit Pumpd's compliance with this agreement once per twelve-month period (more frequently if reasonably required following a confirmed Personal Data Breach or material change in the service). Audits will:

  • Be conducted on reasonable prior notice (no less than 30 working days for routine audits)
  • Be conducted during normal business hours and in a manner that does not unreasonably disrupt Pumpd's operations
  • Be limited to information and systems strictly necessary to verify compliance
  • Not give the auditor access to other customers' data or to confidential commercial information

In most cases, Pumpd will satisfy the audit obligation by providing a current SOC 2 report, ISO 27001 certificate, Cyber Essentials certificate, or equivalent independent attestation. The Customer bears its own audit costs unless a material breach is identified.

9. Return & deletion on termination

On termination of the Customer's subscription, the Customer may export all Personal Data within 30 days using the self-service CSV export. After that 30-day window:

  • Active Personal Data will be deleted from production systems within a further 30 days.
  • Backup copies will be deleted within 90 days as backup-rotation cycles complete.
  • Anonymised statistical data and audit-log entries (which do not contain Personal Data after anonymisation) may be retained indefinitely.
  • Personal Data Pumpd is legally required to retain (for example, financial records under UK tax law) will be retained for the statutory period and then deleted.

On the Customer's written request, Pumpd will provide written confirmation that deletion has been completed.

10. Liability & indemnity

Each party's liability under this DPA is subject to the limitation-of-liability provisions in the Master Service Agreement. Nothing in this DPA limits liability where it cannot lawfully be limited (for example, liability for personal injury, fraud, or fraudulent misrepresentation). The parties acknowledge that each is responsible for the consequences of its own infringement of UK GDPR.

11. Order of precedence

If there is any conflict between this DPA and the Master Service Agreement, this DPA prevails on data-protection matters. On all other matters the MSA prevails.

12. Changes to this DPA

Pumpd may update this DPA to reflect changes in law, regulator guidance, or the service. Material changes will be notified to the Customer's billing contact by email at least 30 days before they take effect. Where Pumpd updates this DPA, the version attached as Schedule 1 to an existing signed MSA continues to apply to that MSA unless the Customer accepts the update.

13. Contact

For data-protection questions, breach reports, or to request a signed copy of this DPA on letterhead, contact hello@pumpd.uk. Berth Living Ltd is registered with the UK Information Commissioner's Office as a data controller.