Data Processing Agreement

Last updated: 13 June 2026

This Data Processing Agreement (“DPA”) forms part of the agreement between Renyu (“Renyu”, “Processor”) and the customer organisation (“Customer”, “Controller”) that has agreed to run a Renyu programme (the “Order”). It governs the processing of personal data carried out by Renyu on the Customer’s behalf, and is designed to meet the requirements of Article 28 of the UK GDPR.

Renyu is a trading name. Our registered company name and number will be added here on incorporation. This DPA is a working framework and should be reviewed by a qualified legal adviser before signature.

1. Definitions

“UK GDPR”, “controller”, “processor”, “data subject”, “personal data”, “processing” and “personal data breach” have the meanings given in the UK GDPR and the Data Protection Act 2018. Where this DPA conflicts with the Order on data protection matters, this DPA prevails.

2. Roles of the parties

For the personal data processed under a programme, the Customer is the controller and Renyu is the processor. Renyu will process that personal data only on the Customer’s documented instructions, including the instructions set out in this DPA and the Order, unless required to do otherwise by law (in which case Renyu will inform the Customer first where legally permitted).

3. Subject matter and details of processing

• Subject matter: delivery of a Renyu team engagement programme.
• Duration: the term of the programme, plus any agreed period for reporting and return or deletion of data.
• Nature and purpose: hosting and administering competitions, calculating points, levels and leaderboards, enabling a participation feed, and administering the guaranteed donation.
• Types of personal data: participant name, work email, team or organisation, logged actions, points, levels, streaks, badges, leaderboard position, and content participants choose to upload.
• Categories of data subject: the Customer’s employees or participants enrolled in the programme.

4. Renyu’s obligations

• Process personal data only on documented instructions from the Customer.
• Ensure that persons authorised to process the personal data are bound by confidentiality.
• Implement appropriate technical and organisational security measures (see section 7).
• Respect the conditions in section 5 for engaging sub-processors.
• Assist the Customer, taking into account the nature of processing, in responding to data subject requests and in meeting its obligations regarding security, breach notification, data protection impact assessments, and prior consultation with the ICO.
• At the Customer’s choice, delete or return all personal data at the end of the programme, and delete existing copies unless retention is required by law.
• Make available to the Customer the information necessary to demonstrate compliance with Article 28, and allow for and contribute to audits on reasonable notice.

5. Sub-processors

The Customer gives general authorisation for Renyu to engage sub-processors (such as hosting, database, and email delivery providers) to deliver the Services. Renyu will impose data protection obligations on each sub-processor that are no less protective than those in this DPA, and remains responsible to the Customer for their performance. Renyu will give the Customer reasonable notice of any intended addition or replacement of a sub-processor, and the Customer may object on reasonable data protection grounds.

6. International transfers

Renyu will not transfer personal data outside the UK except where an adequacy decision applies or appropriate safeguards are in place (such as the UK International Data Transfer Agreement, or the UK Addendum to the EU Standard Contractual Clauses), and will inform the Customer of such transfers.

7. Security

Taking into account the state of the art, costs, and the nature, scope and purposes of processing, Renyu will implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. These include access controls, encryption in transit, secured hosting and database infrastructure, and measures to restore availability after an incident.

8. Personal data breaches

Renyu will notify the Customer without undue delay after becoming aware of a personal data breach affecting the Customer’s data, and will provide the information reasonably available to help the Customer meet its own breach notification obligations.

9. Data subject requests

If Renyu receives a request from a data subject relating to the Customer’s data, it will direct the request to the Customer and will not respond directly except on the Customer’s instructions or as required by law. Renyu will provide reasonable assistance to enable the Customer to respond.

10. Liability

The liability of each party under or in connection with this DPA is subject to the limitations and exclusions of liability set out in the Order and our Terms of Service.

11. Term

This DPA takes effect when the Order is signed and continues for as long as Renyu processes personal data on the Customer’s behalf. Sections intended to survive (including confidentiality and deletion or return of data) continue after it ends.

12. Contact

Questions about this DPA can be sent via the contact form on our website. A dedicated contact email will be added here on incorporation.