Data processing agreement

Last updated: 12 June 2026

This Data Processing Agreement (“DPA”) forms part of the agreement between Cadrify Ltd and the Customer for the provision of the Cadrify platform (the “Principal Agreement”). It governs the processing of personal data carried out by Cadrify, as processor, on behalf of the Customer, as controller. It sits alongside our Privacy Policy, Terms of use, Cookies policy and Security overview.

Where this DPA conflicts with the Principal Agreement on the subject of data protection, this DPA prevails. Capitalised terms not defined here have the meaning given in the Principal Agreement.

1. Parties

Processor
Cadrify Ltd (“Cadrify”, “we”, “us”, “our”)
Registered in England & Wales, Company number 17244539
Registered address: 7 Malvern Road, Hornchurch, Essex, RM11 1BG
Data protection contact: privacy@cadrify.org

Controller
The organisation that has subscribed to the Cadrify platform under the Principal Agreement (the “Customer”, “you”, “your”), as identified in that agreement.

2. Definitions

The terms “controller”, “processor”, “data subject”, “personal data”, “special category data”, “processing” and “personal data breach” have the meanings given in the UK GDPR.

3. Roles of the parties

The parties agree that, for Customer Personal Data, the Customer is the controller and Cadrify is the processor. Cadrify processes Customer Personal Data only on the documented instructions of the Customer, including as set out in this DPA, the Principal Agreement, and the Customer’s use and configuration of the Services in accordance with the Principal Agreement.

The Customer represents, and is responsible for ensuring, that it has a valid lawful basis under Article 6 of the UK GDPR, and where applicable a condition under Article 9, for all Customer Personal Data it uploads to or collects through the platform. Where Customer Personal Data includes electoral register data, the Customer is responsible for ensuring it holds that data and instructs its processing only for purposes permitted under the Representation of the People Act 1983 (as amended) and associated regulations. Where it includes door-knock data revealing political opinions, the Customer is responsible for identifying and documenting its Article 9 condition, including, where applicable, Article 9(2)(d).

Cadrify will inform the Customer if, in its opinion, an instruction infringes Data Protection Laws. Cadrify is not obliged to verify the legality of the Customer’s instructions beyond this.

4. Independent controller processing

Separately from its role as processor, Cadrify acts as an independent controller for certain personal data it processes for its own business purposes, including Customer account administration, support communications, abuse and fraud prevention, records kept to meet its own legal and regulatory obligations, and, where billing applies, billing and payment records. This processing is described in the Privacy Policy and is not governed by this DPA.

5. Scope and duration of processing

The subject matter, duration, nature and purpose of the processing, the types of personal data, and the categories of data subject are set out in Annex 1. Processing continues for the duration of the Principal Agreement and any period after termination during which Cadrify retains Customer Personal Data in accordance with section 12.

6. Cadrify’s obligations as processor

Cadrify will:

7. Confidentiality

Cadrify treats all Customer Personal Data as confidential. Access is limited to personnel who need it to deliver, support, or secure the service, each of whom is bound by confidentiality obligations. Cadrify does not sell Customer Personal Data and has no independent right to use, share, or retain it beyond what is needed to deliver the service or as instructed by the Customer.

8. Subprocessors

The Customer grants Cadrify general authorisation to engage the Subprocessors listed in Annex 3. Cadrify imposes on each Subprocessor, by written contract, data protection obligations equivalent to those in this DPA. Cadrify remains fully liable to the Customer for the performance of each Subprocessor’s obligations.

Cadrify will give the Customer reasonable prior notice of any intended addition or replacement of a Subprocessor, giving the Customer the opportunity to object on reasonable data protection grounds. If the Customer objects and the parties cannot agree a resolution, the Customer may terminate the affected part of the service.

Customer-enabled integrations are different from Subprocessors. Where the Customer chooses to connect an external system (for example a CRM) to the platform using the Customer’s own account and credentials, that provider processes data under the Customer’s own relationship with it, not as Cadrify’s Subprocessor. These integrations are off by default and operate only after the Customer enables and configures them. They are described in Annex 4.

9. Assistance with data subject rights

Taking into account the nature of the processing, Cadrify will assist the Customer by appropriate technical and organisational measures, insofar as possible, to respond to requests from data subjects exercising their rights under Chapter III of the UK GDPR (including access, rectification, erasure, restriction, portability, and objection).

Where a data subject contacts Cadrify directly about Customer Personal Data, Cadrify will not respond substantively but will, without undue delay, refer the request to the relevant Customer.

10. Assistance with security, breaches, and impact assessments

Taking into account the nature of the processing and the information available to Cadrify, Cadrify will assist the Customer in ensuring compliance with its obligations under Articles 32 to 36 of the UK GDPR, including security of processing, personal data breach notification, data protection impact assessments, and prior consultation with the ICO.

Breach notification. Cadrify will notify the Customer without undue delay after becoming aware of a personal data breach affecting Customer Personal Data, in time to allow the Customer to meet its own notification obligations under Articles 33 and 34 of the UK GDPR (including the 72-hour deadline that applies to the Customer as controller). The notification will describe, to the extent known, the nature of the breach, the categories and approximate number of data subjects and records affected, the likely consequences, and the measures taken or proposed to address it. Cadrify will cooperate with the Customer and take reasonable steps to mitigate the breach. Cadrify will not notify data subjects or the ICO on the Customer’s behalf unless instructed to do so in writing.

Cadrify provides reasonable assistance under this section and section 9 at no additional charge. Where the assistance the Customer requests is materially excessive, in particular extensive or repeated data protection impact assessment, audit, or data subject request support, Cadrify may charge for it at reasonable rates, having first notified the Customer.

11. Audits and information

Cadrify will make available to the Customer all information reasonably necessary to demonstrate compliance with Article 28 of the UK GDPR, including the Security Whitepaper and the audit log records described in the Security overview.

Cadrify will allow for and contribute to audits, including inspections, conducted by the Customer or an auditor mandated by the Customer, on reasonable prior written notice and no more than once per twelve-month period (unless required by the ICO or following a personal data breach). Audits will be conducted during business hours, will not unreasonably disrupt Cadrify’s operations, and will respect the confidentiality and security of other customers’ data. The Customer bears its own costs in connection with any audit.

12. Return and deletion of data

On termination or expiry of the Principal Agreement, and at the Customer’s choice, Cadrify will return Customer Personal Data to the Customer in a structured, commonly used, machine-readable format, or delete it. Unless the Customer requests return or earlier deletion, Cadrify will delete Customer Personal Data from production systems within 30 days of account closure, and encrypted backups are removed on their normal retention cycle.

Cadrify may retain Customer Personal Data to the extent, and for as long as, required by law. Where retention is required, Cadrify will continue to protect it under this DPA and will process it only as necessary for the purpose of that legal requirement.

13. International transfers

Customer Personal Data at rest is stored within the European Economic Area (Frankfurt, Germany), which is covered by UK adequacy regulations. Cadrify will not transfer Customer Personal Data outside the UK or EEA except where an appropriate safeguard under Chapter V of the UK GDPR is in place, such as UK adequacy regulations, the UK Extension to the EU–US Data Privacy Framework (UK–US Data Bridge), or the UK International Data Transfer Agreement (IDTA) / Standard Contractual Clauses. The transfer basis for each Subprocessor is set out in Annex 3. Where the Customer enables an integration with an external system located outside the UK or EEA (see Annex 4), the resulting transfer is made on the Customer’s instruction and under the Customer’s own relationship with that provider, and the Customer is responsible for the transfer safeguards that apply to it.

14. Liability

Each party’s liability arising out of or in connection with this DPA is subject to the limitations and exclusions of liability set out in the Principal Agreement. Nothing in this DPA limits either party’s liability where it cannot lawfully be limited.

15. Changes to this DPA

Cadrify may update this DPA from time to time to reflect changes in law, regulatory guidance, or its processing operations. The current version is always available at cadrify.org/dpa, with the date of the latest revision shown at the top. Where a change materially reduces the protections that apply to Customer Personal Data, Cadrify will give the Customer reasonable prior notice. Continued use of the platform after a change takes effect constitutes acceptance of the updated DPA.

16. Term and governing law

This DPA takes effect on the start date of the Principal Agreement and remains in force for as long as Cadrify processes Customer Personal Data. It is governed by the laws of England and Wales, and the parties submit to the exclusive jurisdiction of the courts of England and Wales.

Annex 1: Details of processing

Subject matter Provision of the Cadrify electoral campaign management platform to the Customer.
Duration For the term of the Principal Agreement, plus the retention period in section 12.
Nature and purpose Storage, organisation, retrieval, and processing of voter and supporter data to support lawful political campaigning, including managing the electoral register, door-knocking rounds, get-out-the-vote activity, activist coordination, nominations, and leaflet drops.
Categories of data subject Electors and members on the register; supporters and contacts recorded by the Customer; the Customer’s own staff, organisers, and activists who hold platform accounts.
Types of personal data Names, postal addresses, electoral register entries (including GSS-coded geography), contact details, door-knock responses and voting intentions, support levels, activity and assignment records, and platform account data (names, email addresses, roles, group memberships).
Special category data Door-knock data may reveal political opinions (Article 9 UK GDPR). The Customer is responsible for its Article 9 condition. No other special category data is intended to be processed.

Annex 2: Technical and organisational measures

Cadrify maintains the following measures. Further detail is in the Security overview and Security Whitepaper.

Annex 3: Authorised subprocessors

Provider Purpose Data location Transfer basis
Render Platform hosting and database Frankfurt, Germany (EEA) UK adequacy regulations (EEA)
Resend Transactional email delivery (password resets, invitations, notifications) Dublin, Ireland (eu-west-1, EEA) UK adequacy regulations (EEA)

Render and Resend do not process electoral register data or door-knock records. Cadrify does not currently use a payment processor, as self-service billing is not yet enabled; this annex will be updated to add the relevant Subprocessor when it is.

Annex 4: Customer-enabled integrations

The platform offers optional integrations with external CRM and organising systems. These are off by default. An integration operates only where the Customer chooses to enable and configure it, using the Customer’s own account and credentials with that provider. For these integrations the provider processes data under the Customer’s own relationship with it: the provider is the Customer’s processor or independent controller, not Cadrify’s Subprocessor, and the Customer is responsible for its own agreement (including any data processing agreement) and lawful basis with that provider.

When the Customer enables an integration, Cadrify, on the Customer’s instruction, exchanges supporter and volunteer contact records (such as name, email address, postcode, phone number where applicable, and tags or subscription status) with the connected system. Electoral register records and door-knock data are never included in any integration.

Integration Operator Data location Provider terms
Action Network Action Squared, Inc. United States Privacy · Data Processing Terms · Terms
NationBuilder 3dna Corp. United States (EU–US Data Privacy Framework, UK Extension) Privacy · DPA · Subprocessors · Terms
Salesforce Salesforce, Inc. The Customer’s own Salesforce instance Privacy · Agreements (MSA / DPA) · Trust & compliance
Movement Movement Industries Ltd (England & Wales) EEA (Frankfurt, Germany) Privacy · Trust Vault. DPA and terms provided by Movement on request

Because some of these providers are located outside the UK and EEA (for example in the United States), enabling an integration may involve a transfer of contact data outside the UK or EEA. That transfer is made on the Customer’s instruction and under the Customer’s own relationship with the provider, and the Customer is responsible for the transfer safeguards that apply to it. The links above are provided so the Customer can review each provider’s terms before enabling an integration.

Contact

For questions about this DPA or to exercise rights under it:

Email: privacy@cadrify.org
Security: security@cadrify.org
Post: Cadrify Ltd, 7 Malvern Road, Hornchurch, Essex, RM11 1BG