View on GitHub →

Data Processing Agreement

This Data Processing Agreement (“DPA”) is entered into between Fenn Agritech Ltd (“Processor”), a company registered in England and Wales, and the customer entering into the Agreement (“Controller”), together “the parties.”

This DPA forms part of the subscription agreement between the parties (“the Agreement”) and governs Processor’s processing of personal data on behalf of Controller in connection with the Fenn platform and related services (“the Services”). Where this DPA conflicts with the Agreement, this DPA prevails with respect to the processing of personal data.

Definitions

Controller: The party that determines the purposes and means of processing personal data. In this DPA, Controller refers to the customer using the Services.

Processor: The party that processes personal data on behalf of and under the instructions of the Controller. In this DPA, Processor refers to Fenn Agritech Ltd.

Personal data: Any information relating to an identified or identifiable natural person, as defined under UK GDPR.

Processing: Any operation performed on personal data, whether or not by automated means, including collection, storage, use, and deletion.

Data subject: The identified or identifiable natural person to whom personal data relates.

Sub-processor: A third party engaged by Processor to process personal data on Processor’s behalf in connection with the Services.

Security incident: A confirmed or reasonably suspected breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data.

Services: The Fenn platform and related services provided under the Agreement.

Processing Instructions

Processor processes personal data only on Controller’s documented instructions, unless required to do otherwise by UK law. If an instruction appears to breach UK GDPR or other applicable data protection law, Processor will tell Controller.

The subject matter, duration, nature, and purpose of processing, the types of personal data, and the categories of data subjects are set out in Annex 1.

Security Measures

Processor implements appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access, in accordance with UK GDPR Article 32.

Farm operational data is encrypted on the customer’s device with customer-managed keys before it reaches Processor’s systems. Processor stores only ciphertext and has no technical means to decrypt or access this data without the customer’s explicit authorization.

Account data, including names, login credentials, and contact details, is processed in plaintext as required to operate the Services, including authentication, account recovery, billing, and support.

Processor’s broader security measures are documented in its Information Security Policy and Access Control Policy, and include risk-based access control, multi-factor authentication, encryption, supplier security assessment, and incident management. These measures are reviewed and updated as standards and threats evolve.

Sub-processors

Controller provides general authorization for Processor to engage sub-processors to support the provision of the Services. Processor’s current sub-processors are listed in the Fenn Sub-processor List, which is incorporated by reference into this DPA.

Processor imposes data protection obligations on each sub-processor that are no less protective than those set out in this DPA, through a written agreement, and assesses each sub-processor’s security before engagement.

Processor provides 30 days’ advance notice before engaging a new sub-processor, sent to the data protection contact designated in Controller’s account. Controller may object in writing to a new sub-processor within 30 days of notification. If no objection is received within this period, the new sub-processor is deemed accepted.

If Controller raises a reasonable objection, Processor will take commercially reasonable steps to address it, which may include providing an alternative sub-processor or adjusting how the affected data is processed. If Processor cannot reasonably accommodate the objection, Controller may terminate the affected Services and receive a pro-rata refund of prepaid fees.

Processor remains liable to Controller for the performance of each sub-processor’s obligations under this DPA.

Data Subject Rights Assistance

Processor assists Controller in responding to data subject requests under UK GDPR, including access, rectification, erasure, restriction, portability, and objection.

Where a data subject submits a request directly to Processor concerning data processed on Controller’s behalf, Processor shall promptly notify Controller and shall not respond directly to the data subject unless instructed to do so by Controller or required by law.

Account data is held in plaintext and Processor can directly support access, correction, and deletion requests concerning it. Farm operational data is encrypted with customer-managed keys and is not accessible to Processor; Controller remains responsible for fulfilling data subject requests concerning this data.

Breach Notification

Processor shall notify Controller without undue delay after becoming aware of a security incident affecting personal data processed under this DPA. Processor’s notification shall include, to the extent known at the time, the nature of the incident, the categories and approximate number of data subjects and records affected, the likely consequences, and the measures taken or proposed to address it. Processor shall provide further information as it becomes available.

Controller is solely responsible for assessing whether a security incident is notifiable to the Information Commissioner’s Office or to affected data subjects, and for making any such notification within the timescales required under UK GDPR.

Processor shall cooperate with Controller and provide reasonable assistance as necessary for Controller to comply with its breach notification obligations.

Return and Deletion of Data on Termination

On termination or expiry of the Agreement, Controller’s data remains available for export for 60 days. During this window, Processor uses the data only to support export and account recovery.

At the end of the 60-day window, Processor permanently deletes Controller’s account data and farm operational data from production systems. Deleted data ages out of all backups within 30 days, in line with Processor’s rolling backup cycle. Processor does not selectively restore deleted data from backup once this process is complete.

Processor automatically sends Controller a deletion confirmation when production deletion completes, recording the account, the date of deletion, and the categories of data removed.

Billing and invoice records are retained for 6 years from the date of issue to meet HMRC requirements, notwithstanding termination of the Agreement.

Audit Rights

Controller may request information reasonably necessary to verify Processor’s compliance with this DPA, including evidence of Processor’s security measures and alignment with ISO 27001:2022. Processor will provide such information on reasonable request, no more than once per year unless required following a security incident or by a supervisory authority.

Where Controller requires an on-site audit, Controller will give Processor reasonable advance notice, and the audit will take place during business hours in a manner that does not unreasonably disrupt Processor’s operations. Controller is responsible for its own costs in conducting an audit.

Governing Law and Jurisdiction

This DPA is governed by the laws of England and Wales. The parties submit to the exclusive jurisdiction of the courts of England and Wales.

Annex 1: Details of Processing

Subject matter: Processing personal data to provide the Fenn platform.

Duration: For the term of the customer’s contract, plus the retention periods set out in the Return and Deletion of Data on Termination section above.

Nature and purpose of processing: Account management, authentication, billing, support, and operation of field management, compliance record-keeping, and sustainability reporting features.

Categories of data subjects:

  • Controller’s authorized users (farm staff, account administrators)
  • Individuals identified within farm operational data submitted by Controller

Categories of personal data:

  • Account data: names, email addresses, login credentials, role and contact details
  • Billing data: invoicing and payment contact details
  • Farm operational data: any personal data Controller includes in field, crop, or compliance records, encrypted with customer-managed keys and inaccessible to Processor

Special category data: Personal data within farm operational data is encrypted on Controller’s device with Controller-managed keys before it reaches Processor. Processor has no technical means to access, view, or categorize this data, including any special category data Controller may choose to include. Controller is responsible for ensuring its own use of the Services complies with the additional requirements that apply to special category data under UK GDPR.

Revision History

VersionDateAuthorDescription
1.02026-06-15Jack Lowe, Head of SecurityInitial Data Processing Agreement. Governs processing of personal data by Fenn on behalf of customer controllers. Incorporates client-side encryption architecture, sub-processor disclosure, and UK GDPR Article 28 compliance.