Last updated: 29th April 2026
Important: This Data Processing Addendum forms part of our Terms of Service where Newt Labs processes personal data on behalf of a customer. It applies automatically where relevant to the services we provide.
This Data Processing Addendum applies where Newt Labs Ltd processes personal data on behalf of a customer in connection with WordPress support, maintenance, hosting, backups, development, troubleshooting, security, performance, migration, monitoring and related website services.
By purchasing, using, renewing, or continuing to use our services, or by instructing Newt Labs to access, support, host, maintain, back up, develop, troubleshoot, secure, migrate, monitor, or otherwise work on your website or related systems, you agree to this Addendum where it applies.
If you are entering into this Addendum on behalf of an organisation, you confirm that you have authority to bind that organisation to this Addendum.
1. Parties
1.1. Newt Labs Ltd, a company registered in England and Wales under company number 11777807, whose registered office is 22 Sheepwash Way, Longstanton, Cambridge, CB24 3GZ, is referred to in this Addendum as Newt Labs, we, us, our, or the Processor.
1.2. The person, business, charity, organisation, or other customer receiving services from Newt Labs is referred to in this Addendum as the Customer, you, your, or the Controller.
1.3. The Controller and Processor are together referred to as the Parties.
2. Purpose of this Addendum
2.1. This Addendum sets out the terms that apply when Newt Labs processes personal data on behalf of the Customer.
2.2. The purpose of this Addendum is to ensure that such processing is carried out in accordance with UK data protection law, including the UK GDPR and the Data Protection Act 2018.
2.3. This Addendum applies only to personal data processed by Newt Labs on behalf of the Customer. It does not apply where Newt Labs processes personal data as an independent controller for its own business administration, billing, payment records, legal compliance, accounting, tax records, marketing, customer relationship management, security, or internal management purposes.
3. Definitions
3.1. In this Addendum:
Controller means the organisation that determines the purposes and means of processing personal data.
Processor means the organisation that processes personal data on behalf of the Controller.
Personal Data means any information relating to an identified or identifiable living individual.
Processing means any operation performed on Personal Data, including accessing, viewing, storing, backing up, restoring, modifying, transferring, deleting, securing, or otherwise using Personal Data.
Personal Data Breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data.
Services means the WordPress support, maintenance, hosting, backups, development, troubleshooting, security, performance, migration, monitoring and related website services provided by Newt Labs to the Customer.
Sub-processor means another processor engaged by Newt Labs to assist with processing Personal Data on behalf of the Customer.
UK data protection law means the UK GDPR, the Data Protection Act 2018, the Privacy and Electronic Communications Regulations 2003, and any other applicable UK laws relating to data protection and privacy.
4. Roles of the Parties
4.1. The Customer is the Controller of Personal Data held within, submitted through, or processed by the Customer’s website, hosting account, database, files, backups, logs, forms, plugins, user accounts, orders, memberships, comments, and related systems, where applicable.
4.2. Newt Labs acts as Processor where it accesses or processes that Personal Data to provide the Services.
4.3. The Customer is responsible for ensuring that it has a lawful basis for collecting, using, retaining, and instructing Newt Labs to process Personal Data.
4.4. Newt Labs will process Personal Data only as necessary to provide the Services and in accordance with this Addendum and the Customer’s documented instructions.
4.5. Newt Labs may act as an independent controller for Personal Data it processes for its own business purposes, including client account management, billing, payment records, legal compliance, accounting, tax records, business administration, security, and customer relationship management.
5. Processing Details
5.1. The subject matter, duration, nature and purpose of Processing, types of Personal Data, and categories of data subjects are set out in Schedule 1.
5.2. The technical and organisational security measures are set out in Schedule 2.
5.3. The authorised Sub-processors and service providers are set out in Schedule 3.
6. Documented Instructions
6.1. Newt Labs will process Personal Data only on the Customer’s documented instructions, unless required to do otherwise by applicable law.
6.2. The Customer’s documented instructions include:
- this Addendum;
- the agreement between the Parties;
- support requests, tickets, emails, or written instructions provided by the Customer;
- instructions reasonably necessary for Newt Labs to provide the Services; and
- instructions given through agreed systems, tools, or support channels.
6.3. If Newt Labs believes that an instruction infringes UK data protection law, Newt Labs will inform the Customer, unless prohibited by law.
6.4. The Customer is responsible for ensuring that its instructions are lawful. Newt Labs is not responsible for determining whether the Customer’s instructions are lawful, except where Newt Labs is required to notify the Customer of an instruction that Newt Labs believes infringes UK data protection law.
7. Confidentiality
7.1. Newt Labs will ensure that anyone authorised to process Personal Data on behalf of the Customer is subject to appropriate confidentiality obligations.
7.2. Newt Labs will restrict access to Personal Data to those employees, contractors, freelancers, suppliers, Sub-processors, and authorised support team members who need access to provide the Services.
7.3. Newt Labs will ensure that persons authorised to process Personal Data are aware of the confidential nature of the Personal Data and their obligations in relation to it.
8. Security Measures
8.1. Newt Labs will implement appropriate technical and organisational measures to protect Personal Data against unauthorised or unlawful Processing and against accidental loss, destruction, damage, alteration, or disclosure.
8.2. These measures may include, where appropriate:
- access controls and least privilege access;
- secure password and credential management, including the use of a password manager where appropriate;
- two-factor authentication where available and appropriate;
- secure handling of client credentials, including secure submission methods where available;
- use of encrypted connections where available;
- secure backup, restoration and migration processes;
- restricted access to support systems, hosting systems, password management systems, backup systems and internal tools;
- reasonable malware, security and vulnerability precautions;
- internal procedures for handling support requests, website access and client credentials;
- deletion, removal or restriction of client credentials when no longer required; and
- use of reputable hosting, infrastructure, backup, support, password management, monitoring, security, communication and payment providers.
8.3. The specific measures used may vary depending on the Services purchased by the Customer, the systems involved, the tools available, and the access provided to Newt Labs.
9. Sub-processors
9.1. The Customer gives Newt Labs general written authorisation to use Sub-processors and service providers, including hosting providers, infrastructure providers, backup providers, support systems, security tools, monitoring tools, payment providers, email providers, password management systems, and other providers where reasonably necessary to provide the Services.
9.2. Newt Labs may also use authorised employees, contractors, freelancers and support team members to provide the Services. Such personnel may be based in the United Kingdom or internationally and will be subject to appropriate confidentiality obligations and access controls.
9.3. Newt Labs will ensure that Sub-processors are subject to written terms that provide an appropriate level of protection for Personal Data.
9.4. Newt Labs remains responsible to the Customer for the performance of its Sub-processors in relation to the Processing of Personal Data.
9.5. Newt Labs will maintain a list of authorised Sub-processors and service providers in Schedule 3 or otherwise make such list available to the Customer on request.
9.6. Newt Labs may update its Sub-processors from time to time. Where required by UK data protection law, Newt Labs will provide reasonable notice of material changes to Sub-processors and give the Customer a reasonable opportunity to object.
9.7. If the Customer objects to a new Sub-processor on reasonable data protection grounds, the Parties will work together in good faith to resolve the concern. If the concern cannot reasonably be resolved, either Party may terminate the affected Services in accordance with the main agreement.
10. International Transfers
10.1. Newt Labs will not transfer Personal Data outside the United Kingdom unless appropriate safeguards are in place or the transfer is otherwise permitted under UK data protection law.
10.2. Where Sub-processors, service providers, contractors, freelancers, or support team members process Personal Data outside the United Kingdom, Newt Labs will take reasonable steps to ensure that appropriate safeguards are in place, such as adequacy regulations, the UK International Data Transfer Agreement, the UK Addendum to the EU Standard Contractual Clauses, or another lawful transfer mechanism.
11. Assistance with Data Subject Rights
11.1. Taking into account the nature of the Processing and the information available to Newt Labs, Newt Labs will provide reasonable assistance to the Customer in responding to requests from individuals exercising their data protection rights.
11.2. This may include reasonable assistance with locating, exporting, correcting, restricting, or deleting Personal Data held within the Customer’s website, database, files, backups, user accounts, forms, plugins, or related systems.
11.3. If Newt Labs receives a request directly from an individual relating to Personal Data processed on behalf of the Customer, Newt Labs will, where appropriate, refer the request to the Customer and will not respond to the request unless instructed by the Customer or required by law.
12. Personal Data Breaches
12.1. Newt Labs will notify the Customer without undue delay after becoming aware of a Personal Data Breach affecting Personal Data processed by Newt Labs on behalf of the Customer.
12.2. Newt Labs will provide reasonable information available to it to assist the Customer in assessing the Personal Data Breach, including where reasonably available:
- the nature of the Personal Data Breach;
- the categories and approximate number of affected data subjects;
- the categories and approximate number of affected Personal Data records;
- the likely consequences of the Personal Data Breach; and
- measures taken or proposed to address the Personal Data Breach.
12.3. Newt Labs will provide reasonable assistance to the Customer in relation to the Customer’s obligations to notify the ICO or affected individuals, where required by law.
12.4. Newt Labs’ notification of a Personal Data Breach is not an admission of fault or liability.
13. Assistance with Compliance
13.1. Taking into account the nature of the Processing and the information available to Newt Labs, Newt Labs will provide reasonable assistance to the Customer with its obligations relating to:
- security of Processing;
- Personal Data Breach notifications;
- data protection impact assessments; and
- consultation with the ICO, where required.
13.2. Newt Labs may charge a reasonable fee for assistance that goes beyond the normal scope of the Services, unless the assistance is required due to Newt Labs’ breach of this Addendum.
14. Return or Deletion of Personal Data
14.1. At the end of the Services, the Customer may request that Newt Labs return or delete Personal Data processed on behalf of the Customer, unless Newt Labs is required or permitted by law to retain it.
14.2. Newt Labs will take reasonable steps to return or delete Personal Data within a reasonable period after the end of the Services or after receiving the Customer’s written request.
14.3. The Customer acknowledges that some Personal Data may remain in backups, logs, archives, support records, or business records for a limited period until deleted in accordance with Newt Labs’ normal retention processes, unless earlier deletion is technically possible and reasonably requested.
14.4. Newt Labs may retain Personal Data where necessary for legal, accounting, tax, dispute resolution, security, fraud prevention, or legitimate business record purposes, provided that Newt Labs acts as an independent controller for such retained records where applicable.
15. Audits and Information
15.1. Newt Labs will make available to the Customer information reasonably necessary to demonstrate compliance with this Addendum.
15.2. The Customer may request reasonable information about Newt Labs’ Processing activities, security measures, and use of Sub-processors.
15.3. Any audit or inspection must be:
- limited to what is reasonably necessary to verify compliance with this Addendum;
- subject to reasonable prior written notice;
- carried out during normal business hours;
- conducted in a way that does not disrupt Newt Labs’ business, systems, security, or other clients;
- subject to confidentiality obligations; and
- limited so that it does not require Newt Labs to disclose confidential information, security-sensitive information, or information relating to other clients.
15.4. Newt Labs may charge a reasonable fee for supporting audits, unless the audit is required due to Newt Labs’ breach of this Addendum.
16. Customer Responsibilities
16.1. The Customer is responsible for:
- complying with UK data protection law in relation to its own collection and use of Personal Data;
- ensuring that it has a lawful basis for Processing Personal Data;
- providing appropriate privacy notices to data subjects;
- ensuring that Personal Data provided to Newt Labs is accurate, lawful, relevant and limited to what is necessary;
- ensuring that its instructions to Newt Labs are lawful;
- managing its own users, customers, members, staff, subscribers, donors, website visitors and other data subjects; and
- deciding what Personal Data should be collected, retained, deleted, or otherwise processed through its website and related systems.
16.2. The Customer must not provide Newt Labs with access to Personal Data that is unnecessary for the Services.
16.3. The Customer must not intentionally provide Newt Labs with special category data or criminal offence data unless this is necessary for the Services and the Customer has confirmed the lawful basis, condition for processing, and safeguards that apply.
17. Liability
17.1. The liability of each Party under this Addendum is subject to the exclusions and limitations of liability set out in the main agreement between the Parties, unless otherwise required by law.
17.2. Nothing in this Addendum excludes or limits liability where it would be unlawful to do so.
18. Conflict
18.1. If there is a conflict between this Addendum and the main agreement, this Addendum will take precedence to the extent that the conflict relates to the Processing of Personal Data on behalf of the Customer.
18.2. All other terms of the main agreement remain unchanged.
19. Governing Law
19.1. This Addendum is governed by the laws of England and Wales.
19.2. The courts of England and Wales have exclusive jurisdiction over any dispute arising from or in connection with this Addendum.
Schedule 1: Processing Details
1. Subject matter of Processing
The provision of WordPress support, maintenance, hosting, backups, development, troubleshooting, migration, security, performance, monitoring and related website services by Newt Labs to the Customer.
2. Duration of Processing
For the duration of the Customer’s agreement with Newt Labs, plus any additional period during which Personal Data is retained in backups, support records, logs, archives, legal records, accounting records, or other systems in accordance with Newt Labs’ retention practices or legal obligations.
3. Nature and purpose of Processing
Newt Labs may process Personal Data for the purpose of providing the Services, including:
- accessing the Customer’s WordPress website;
- accessing the Customer’s hosting account, server, database, files, logs, backups, staging site, plugins, themes, forms, users, settings and related systems;
- providing website support and troubleshooting;
- applying WordPress core, plugin and theme updates;
- investigating and fixing website issues;
- performing malware scans, security checks and cleanups;
- creating, storing, restoring and managing backups;
- migrating websites between servers or hosting providers;
- creating and using staging environments;
- improving website performance;
- installing, configuring or testing plugins, themes or integrations;
- monitoring uptime, performance, security or website health;
- communicating with the Customer through support systems, email or other agreed channels; and
- performing other related activities reasonably necessary to provide the Services.
4. Types of Personal Data
The Personal Data processed may include:
- names;
- email addresses;
- phone numbers;
- postal addresses;
- usernames;
- user IDs;
- account details;
- passwords or credentials where provided for support purposes;
- IP addresses;
- device, browser and log data;
- website form submissions;
- comments;
- order, booking, donation, subscription, membership or customer records;
- support communications;
- website content containing Personal Data;
- database records;
- analytics or monitoring data;
- any Personal Data contained in backups, staging copies, files, media, plugins, themes, logs or integrations; and
- any other Personal Data stored in, submitted through, or processed by the Customer’s website or related systems.
5. Categories of data subjects
The Personal Data may relate to:
- the Customer’s staff;
- the Customer’s website administrators and users;
- the Customer’s customers;
- the Customer’s members;
- the Customer’s subscribers;
- the Customer’s donors;
- the Customer’s students, parents, teachers or service users, where applicable;
- the Customer’s suppliers, partners or contacts;
- website visitors;
- people who submit forms through the Customer’s website;
- people who place orders, bookings, donations or enquiries through the Customer’s website; and
- any other individuals whose Personal Data is stored in or processed through the Customer’s website or related systems.
6. Special category data
The Services are not intended to require the Processing of special category data.
However, depending on the Customer’s website and the data stored within it, Newt Labs may incidentally access special category data if the Customer stores such data on its website, in its database, in backups, in forms, in user accounts, or in support communications.
The Customer is responsible for ensuring that any special category data stored within its website or provided to Newt Labs is processed lawfully and protected appropriately.
Schedule 2: Technical and Organisational Measures
Newt Labs may use the following technical and organisational measures where appropriate to the Services:
1. Access control
- Access to client systems is restricted to authorised personnel.
- Access is granted only where needed to provide the Services.
- Access is managed on a least privilege basis where possible.
- Access may be removed when no longer required.
- Client credentials are handled through approved internal processes.
2. Credential management
- Passwords and credentials are stored using a secure password management system where appropriate.
- Credentials should not be shared by normal email where avoidable.
- Secure submission methods may be used to collect client access details.
- Access details are removed, restricted, or archived when no longer required, depending on the nature of the client relationship.
3. Authentication
- Two-factor authentication is used where available and appropriate.
- Strong passwords are encouraged or used where Newt Labs creates credentials.
- Shared access is avoided where individual access can reasonably be used.
4. Backups and restoration
- Backups may be created or managed as part of the Services.
- Backups are used for restoration, migration, troubleshooting, security and continuity purposes.
- Backup retention depends on the Service, hosting provider, backup system and client setup.
5. Website security
- WordPress core, plugin and theme updates may be applied as part of the Services.
- Malware scans, security checks, firewall configuration, login protection and other hardening steps may be used where included in the Services.
- Security issues identified during support may be reported to the Customer where appropriate.
6. Hosting and infrastructure
- Hosting environments are managed using reputable infrastructure, hosting and server management providers.
- Access to hosting systems is limited to authorised personnel.
- Server-level access is restricted where possible.
7. Support systems
- Support requests are handled through approved support channels.
- Support tickets may contain client contact details, website information, access instructions and issue details.
- Support records may be retained for business continuity, legal, quality, training, dispute resolution and service history purposes.
8. Internal procedures
- Team members and contractors are expected to follow internal support, access and security procedures.
- Access to client data is limited to what is needed for the relevant task.
- Client data is not intentionally accessed outside the scope of the Services.
9. Data minimisation
- Newt Labs aims to access and process only the Personal Data needed to provide the Services.
- Customers should avoid sending unnecessary Personal Data to Newt Labs.
10. Incident handling
- Suspected security incidents are reviewed and investigated where appropriate.
- Customers are notified without undue delay where Newt Labs becomes aware of a Personal Data Breach affecting Personal Data processed on behalf of the Customer.
Schedule 3: Authorised Sub-processors and Service Providers
Newt Labs may use the following Sub-processors and service providers to deliver the Services.
The Customer gives Newt Labs general written authorisation to use these Sub-processors and similar replacement providers where reasonably necessary to provide the Services, subject to the terms of this Addendum.
Where a provider acts as an independent controller rather than a processor for a particular activity, such as some payment processing activities, that provider is included here for transparency.
| Provider | Purpose | Possible Personal Data processed | Location / transfer notes |
|---|---|---|---|
| DigitalOcean | Cloud hosting infrastructure, servers, storage, networking and related hosting services where used. | Website files, databases, backups, server logs, IP addresses, user/customer records, website content and other data stored on hosted sites. | Data location depends on selected server/storage region. May involve international transfers depending on provider operations and support access. |
| SpinupWP | Server control panel, server management, site management, deployments, backups and related hosting administration where used. | Website URLs, server details, access tokens/keys, backup configuration, site files, databases, logs and related technical data. | Used to manage WordPress hosting and backups. SpinupWP supports storing site backups using providers such as DigitalOcean Spaces. |
| DigitalOcean Spaces | Object storage for backups, assets and related website storage where used. | Website files, media, database backups, site backups, assets, logs and related website data. | Data location depends on selected Spaces region. |
| ManageWP | WordPress management, updates, backups, security checks, performance checks, uptime monitoring and reporting where used. | Website URLs, WordPress admin access tokens, site metadata, plugin/theme/core update data, backups, database contents, files, logs, security/performance information and reports. | ManageWP backup storage may use selected US or EU data centres. Newt Labs uses the Europe storage region where available. |
| Amazon Web Services / Amazon S3 via ManageWP | Backup storage infrastructure used by ManageWP where ManageWP backups are enabled. | Website files, database backups, media, logs and other backup data. | Newt Labs uses the Europe storage region option where available. |
| Sucuri | Website security scanning, malware detection, firewall/security services and related checks where used. | Website URLs, scan results, security logs, IP addresses, malware/security data, website files or traffic data where firewall, scanning or cleanup services are used. | Data processed depends on the Sucuri service used. May involve international transfers. |
| Cloudflare | DNS, CDN, firewall, caching, performance and security services where enabled for a client site. | DNS records, IP addresses, traffic data, request logs, security events, cached website content and related technical data. | Data processed depends on client configuration. May involve international transfers. |
| Help Scout | Support desk, client communication and ticket management. | Names, email addresses, support messages, website URLs, issue details, attachments, access instructions, client contact information and service history. | Used for support communications. Data location and transfers depend on Help Scout’s services and configuration. |
| 1Password | Secure password and credential management. | Website, hosting, domain, plugin, third-party service and account credentials, URLs, notes, contact names and related access information. | Used to securely store client credentials. Data location and transfers depend on 1Password’s services and configuration. |
| Google Workspace | Email, calendar, documents, internal administration and client communication. | Names, email addresses, message content, attachments, calendar information, documents and related business records. | Used for email and business administration. Data location and transfers depend on Google’s services and configuration. |
| Stripe | Payment processing and billing where used. | Names, email addresses, billing addresses, payment details, transaction records, invoices and payment identifiers. | Stripe may act as an independent controller or processor depending on the activity. Included for transparency. |
| GoCardless | Direct debit payment processing and billing where used. | Names, email addresses, billing details, bank/payment details, mandate information, transaction records and payment identifiers. | GoCardless may act as an independent controller or processor depending on the activity. Included for transparency. |
| PayPal | Payment processing and billing where used. | Names, email addresses, billing details, payment details, transaction records and payment identifiers. | PayPal may act as an independent controller or processor depending on the activity. Included for transparency. |
| Authorised Newt Labs employees, contractors, freelancers and support team members | Delivery of WordPress support, maintenance, hosting, backups, development, troubleshooting, security, performance, migration and related services. | Client website data, support information, access credentials, website files, databases, backups, logs, user/customer records and any Personal Data reasonably necessary for assigned work. | Personnel may be based in the UK or internationally. Access is limited to what is needed for the relevant task and is subject to confidentiality, access control and internal procedures. |