Data Processing Agreement

Last Updated: May 29, 2026

Background

  1. This Personal Data Processing DPA (“DPA”) forms part of the supply of services agreement entered into between MCP and the Client to which this Data Processing DPA is attached.
  2. This DPA sets out the additional terms, requirements and conditions on which the Provider will process Personal Data when providing services under the Agreement. This DPA contains the mandatory clauses required by Article 28(3) of the retained EU law version of the General Data Protection Regulation ((EU) 2016/679) (UK GDPR) for contracts between controllers and processors and the General Data Protection Regulation ((EU) 2016/679)

1. Definitions and Interpretation  

The following definitions and rules of interpretation apply in this DPA. 

1.1. Definitions:  

Business Purposes:  the services to be provided by the Provider to the Client as described in the Agreement and any other purpose specifically identified in Annex A. 

Commissioner: the Information Commissioner (see Article 4(A3), UK GDPR and section 114, DPA 2018). 

Data Subject:  the identified or identifiable living individual to whom the Personal Data relates. 

EEA:  the European Economic Area. 

Personal Data:  means any information relating to an identified or identifiable living individual that is processed by the Provider on behalf of the Client as a result of, or in connection with, the provision of the services under the Agreement; an identifiable living individual is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the individual. 

Processing, processes, processed, process:  any activity that involves the use of the Personal Data. It includes, but is not limited to, any operation or set of operations which is performed on the Personal Data or on sets of the Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. Processing also includes transferring the Personal Data to third parties. 

Personal Data Breach:  a breach of security leading to the accidental, unauthorised or unlawful destruction, loss, alteration, disclosure of, or access to, the Personal Data.  

Processor: a natural or legal person, public authority, agency or other body which processes personal data on behalf of the Controller. 

Records: has the meaning in Clause 14. 

Standard Contractual Clauses (SCCs):  the ICO’s International Data Transfer DPA for the transfer of personal data from the UK and/or the ICO’s International Data Transfer Addendum to EU Commission Standard Contractual Clauses and/or the European Commission’s Standard Contractual Clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 as set out in the Annex to Commission Implementing Decision (EU) 2021/914, or such alternative clauses as may be approved by the European Commission or by the UK from time to time. 

Term: this DPA’s term as defined in Clause 15. 

1.2. This DPA is subject to the terms of the Agreement and is incorporated into the Agreement. Interpretations and defined terms set forth in the Agreement apply to the interpretation of this DPA. 

1.3. The Annexes form part of this DPA and will have effect as if set out in full in the body of this DPA. Any reference to this DPA includes the Annexes. 

A reference to writing or written excludes fax but not email. 

In the case of conflict or ambiguity between: 

  (a) any provision contained in the body of this DPA and any provision contained in the Annexes (excluding any applicable UK Addendum and SCC), the provision in the body of this DPA will prevail;
  (b) any of the provisions of this DPA and the provisions of the Agreement, the provisions of this DPA will prevail; and
  (c) any of the provisions of this DPA (or any other provision contained in the Annexes or any of the documents referred to in (b) and (c) above) and any applicable UK Addendum and SCC, the provisions of the executed UK Addendum and SCC will prevail.

2. Scope and Application  

2.1. Subject always to Clause 3, the Client and the Provider agree and acknowledge that for the purpose of the Data Protection Legislation: 

  1. the Client is the Controller and the Provider is the Processor. 
  2. the Client retains control of the Personal Data and remains responsible for its compliance obligations under the Data Protection Legislation, including but not limited to, providing any required notices and obtaining any required consents, and for the written processing instructions it gives to the Provider. 
  3. Annex A describes the subject matter, duration, nature and purpose of the processing and the Personal Data categories and Data Subject types in respect of which the Provider may process the Personal Data to fulfil the Business Purposes. 

2.2. This DPA applies only to MCP’s processing of Personal Data in its capacity as a Data Processor. Processing carried out by MCP as an independent Data Controller falls outside the scope of this DPA. When MCP acts as Data Controller, it processes Personal Data in accordance with its Privacy Notice which can be viewed here: https://mcpinsight.com/mcp-insight-client-data-privacy-policy/. Further, where the Client accesses or uses MCP’s website, MCP shall act as a Data Controller in respect of any Personal Data collected as a result of such use and such processing will be governed by the MCP website privacy policy available here: https://mcpinsight.com/privacy-policy/.

3. MCP as Independent Controller

MCP acts as an independent Controller for the following categories of Personal Data:

  • Client user login credentials, emails, passwords and MFA details;
  • Client contact and billing information;
  • Platform access logs including IP address, device details, timestamps and API usage;
  • Support tickets and communications;
  • MCP’s own threat-detection and security analytics relating to its infrastructure;
  • Personal Data retained to comply with legal obligations.

MCP determines its own lawful bases for this processing, typically Legitimate Interests, Contract, or Legal Obligation.

For the avoidance of doubt, the terms of this DPA do not apply to the above-mentioned information of which MCP acts as an independent Controller. Personal Data processed under MCP’s Controller role is outside the scope of this Addendum A and is governed by MCP’s Privacy Notice which can be viewed here: https://mcpinsight.com/mcp-insight-client-data-privacy-policy/. Further, where the Client accesses or uses MCP’s website, MCP shall act as a Data Controller in respect of any Personal Data collected as a result of such use and such processing will be governed by the MCP website privacy policy available here: https://mcpinsight.com/privacy-policy/.

4. Details of Processor-Role Processing

MCP SHIELD

https://mcpinsight.com/mcp-shield-client-dpa-and-client-b2c-toolkit/

  • Purpose: Fraud detection supporting Client services.
  • Categories: IP address, MSISDN (where applicable), device fingerprinting data, browser/OS details.
  • Role: MCP is Processor.

MCP VerifyTX

MCP Verify Data Processing DPA Overview and client B2C Toolkit.docx

  • Purpose: Consent verification and authentication.
  • Categories: IP address, MSISDN (where applicable), session video, device and browser details.
  • Role: MCP is Processor.

5. Processor Obligations

5.1. The Provider will only process the Personal Data to the extent, and in such a manner, as is necessary for the Business Purposes in accordance with the Client’s written instructions. The Provider will not process the Personal Data for any other purpose or in a way that does not comply with this DPA or the Data Protection Legislation. The Provider must promptly notify the Client if, in its opinion, the Client’s instructions do not comply with the Data Protection Legislation.

5.2. The Provider must comply with any Client written instructions requiring the Provider to amend, transfer, delete or otherwise process the Personal Data, or to stop, mitigate or remedy any unauthorised processing.

5.3. The Provider will maintain the confidentiality of the Personal Data and will not disclose the Personal Data to third-parties unless the Client or this DPA specifically authorises the disclosure, or as required by domestic or EU law, court or regulator (including the Commissioner). If a domestic or EU law, court or regulator (including the Commissioner) requires the Provider to process or disclose the Personal Data to a third-party, the Provider must first inform the Client of such legal or regulatory requirement and give the Client an opportunity to object or challenge the requirement, unless the domestic or EU law prohibits the giving of such notice.

5.4. The Provider will reasonably assist the Client, subject to payment of the Provider’s charges by the Client, with meeting the Client’s compliance obligations under the Data Protection Legislation, taking into account the nature of the Provider’s processing and the information available to the Provider, including in relation to Data Subject rights, data protection impact assessments and reporting to and consulting with the Commissioner under the Data Protection Legislation.

5.5. The Provider must notify the Client of any changes to the Data Protection Legislation that may reasonably be interpreted as adversely affecting the Provider’s performance of the Agreement or this DPA.

5.6. The Provider shall adhere to the conditions for engaging sub-processors as set out in Clause 9.

5.7. The Provider will ensure that all of its employees:

  1. are informed of the confidential nature of the Personal Data and are bound by written confidentiality obligations and use restrictions in respect of the Personal Data;
  2. have undertaken training on the Data Protection Legislation and how it relates to their handling of the Personal Data and how it applies to their particular duties; and
  3. are aware both of the Provider’s duties and their personal duties and obligations under the Data Protection Legislation and this DPA.

6. Personal Data Breach

The Provider will as soon as reasonably practicable notify the Client in writing if it becomes aware of:

  (a) the loss, unintended destruction or damage, corruption, or unusability of part or all of the Personal Data. The Provider will restore such Personal Data at its own expense as soon as possible;
  (b) any accidental, unauthorised or unlawful processing of the Personal Data; or
  (c) any Personal Data Breach.

6.1. Where the Provider becomes aware of (a), (b) and/or (c) above, it will, without undue delay, also provide the Client with the following written information:

  1. a description of the nature of (a), (b) and/or (c), including the categories of in-scope Personal Data and approximate number of both Data Subjects and the Personal Data records concerned;
  2. the likely consequences; and
  3. a description of the measures taken or proposed to be taken to address (a), (b) and/or (c), including measures to mitigate its possible adverse effects.

6.2. As soon as reasonably practicable following any accidental, unauthorised or unlawful Personal Data processing or Personal Data Breach, the parties will co-ordinate with each other to investigate the matter. Further, the Provider will reasonably co-operate with the Client, subject to payment of the Provider’s charges by the Client, in the Client’s handling of the matter, including but not limited to:

  1. assisting with any investigation;
  2. providing the Client with physical access to any facilities and operations affected;
  3. facilitating interviews with the Provider’s employees, former employees and others involved in the matter including, but not limited to, its officers and directors;
  4. making available all relevant records, logs, files, data reporting and other materials required to comply with all Data Protection Legislation or as otherwise reasonably required by the Client; and
  5. taking reasonable and prompt steps to mitigate the effects and to minimise any damage resulting from the Personal Data Breach or accidental, unauthorised or unlawful Personal Data processing.

6.3. The Provider will not inform any third-party of any accidental, unauthorised or unlawful processing of all or part of the Personal Data and/or a Personal Data Breach without first obtaining the Client’s written consent (such consent not to be unreasonably withheld, conditioned or delayed), except when required to do so by domestic or EU law.

6.4. The Provider agrees that the Client has the sole right to determine:

  1. whether to provide notice of the accidental, unauthorised or unlawful processing and/or the Personal Data Breach to any Data Subjects, the Commissioner, other in-scope regulators, law enforcement agencies or others, as required by law or regulation or in the Client’s discretion, including the contents and delivery method of the notice; and
  2. whether to offer any type of remedy to affected Data Subjects, including the nature and extent of such remedy.

6.5. The Client will pay the Provider’s charges associated with the performance of the obligations under Clause 6.1 to Clause 6.6.

7. International Transfers

7.1. The Client authorises MCP and its sub-processors to process Personal Data outside the UK and EEA in connection with the provision of the Services. MCP shall ensure that any such transfers rely on a lawful basis of transfer under the UK GDPR, maintain appropriate safeguards, and provide the Client with information on the mechanisms used upon request.

7.2. Where Personal Data is transferred to a country without an adequacy decision, the parties agree that the UK Addendum to the EU Standard Contractual Clauses shall apply and is hereby incorporated by reference.

7.3. Where the UK Addendum is used, the following provision shall apply: Part 2: Mandatory Clauses of the Approved Addendum, being the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 of those Mandatory Clauses.

8. Sharing of Information and Automated Processing

8.1. MCP may share data that has been anonymised or aggregated so that no Personal Data is identifiable. MCP may share such anonymised or aggregated data with trusted partners.

8.2. The Client acknowledges Shield uses automated processing to issue “Block/Clear” recommendations based on behavioural biometrics.

9. Sub-Processors

9.1. General Authorisation

The Client provides general written authorisation for MCP to engage sub-processors.

The Provider may only authorise a new third-party (sub-processor) to process the Personal Data if:

  (a) the Client is provided with an opportunity to object to the appointment of each sub-processor within 30 days after the Provider supplies the Client with full details in writing regarding such sub-processor; new details will be provided by way of an update to the list provided in Clause 9.2.1;
  (b) the Provider enters into a written contract with the sub-processor that contains terms substantially the same as those set out in this DPA, in particular, in relation to requiring appropriate technical and organisational data security measures, and, upon the Client’s written request, provides the Client with copies of the relevant excerpts from such contracts; and
  (c) the Provider maintains control over all of the Personal Data it entrusts to the sub-processor.

9.2. Sub-Processor Register

9.2.1. The sub-processors used as at the commencement of this DPA are as set out at: https://wtm.monitoringservice.co/subprocessor.php. These sub-processors are hereby approved by the Client.

9.2.2. This register shall identify all sub-processors, and the Provider shall include any sub-processor’s name and location and the contact information regarding privacy and data protection compliance.

9.3. Right to Object

If the Client exercises its right to object to a new sub-processor in accordance with Clause 9.1(a), MCP and the Client shall work together in good faith to resolve the objection.

9.4. Liability

9.4.1. Where the sub-processor fails to fulfil its obligations under the written agreement with the Provider which contains terms substantially the same as those set out in this DPA, the Provider remains fully liable to the Client for the sub-processor’s performance of its agreement obligations.

10. Data Retention and Deletion

10.1. At the Client’s request, subject to payment of the Provider’s charges by the Client, the Provider will give the Client, or a third-party nominated in writing by the Client, a copy of or access to all or part of the Personal Data in its possession or control in the format and on the media reasonably specified by the Client.

10.2. Without prejudice to Clause 16 of the Agreement and Clause 10.4 below, on termination of the Agreement for any reason or expiry of its term, the Provider will securely delete or destroy or, if directed in writing by the Client, return and not retain, all or any of the Personal Data related to this DPA in its possession or control, except for one copy that it may retain and use for the period set out below in connection with the Provider’s Services only:

  1. Transaction Decisions: 7 years for financial and audit compliance.
  2. Consumer MSISDN: 3–5 years for historical billing disputes.
  3. Behavioural & Device Metadata: 12–24 months to minimise data footprint once dispute windows close.

10.3. Notwithstanding any other provision of this DPA, the Provider may retain anonymised or aggregated data and shall own all Intellectual Property Rights in the same in accordance with Clause 16 of the Agreement.

10.4. If any law, regulation, or government or regulatory body requires the Provider to retain any documents, materials or Personal Data that the Provider would otherwise be required to return or destroy, the Provider may retain the required information, documents and data in order to meet that requirement and all such items so retained will remain subject to the terms of this DPA.

11. Automated Decision-Making and Profiling

11.1. Automated Processing in Shield

11.1.1. The Client acknowledges that the Shield Service includes automated decision-making within the meaning of Article 22 UK GDPR. Shield evaluates device, network, behavioural and environmental signals to determine whether to permit or block a Premium Rate or Direct Carrier Billing Service subscription or transaction.

11.1.2. As a result of these checks, we may advise the Client to block transactions based on technical indicators such as IP addresses and device fingerprints. These automated decisions are limited to preventing potentially fraudulent transactions and do not involve profiling individuals or making decisions that produce legal effects or similarly significantly affect users. Legitimate customers who are inadvertently blocked can contact support for manual review.

11.1.3. There are no profiling activities performed on any Personal Data.

11.2. Purpose and Legal Basis

11.2.1. Such automated processing is performed for fraud detection, service protection, and prevention of unauthorised or non-genuine transactions. The Client, as Controller, is responsible for identifying the appropriate lawful basis (typically Legitimate Interests) and for informing Data Subjects of the use of automated decision-making.

11.3. Human Intervention

MCP shall assist the Client in enabling Data Subjects to obtain human review of a decision, express their views, or contest an automated decision, where required by Article 22 UK GDPR.

11.4. Logic Description

11.4.1. MCP shall provide the Client with a meaningful explanation of the general logic applied by Shield, including key factors assessed, without disclosing proprietary algorithms or security-sensitive information.

11.5. Client Responsibilities

11.5.1. The Client remains responsible for ensuring compliance with Articles 13–22 UK GDPR, including transparency obligations and the requirement to conduct a DPIA where necessary.

12. Security Measures

  • The Provider must at all times implement appropriate technical and organisational measures against accidental, unauthorised or unlawful processing, access, copying, modification, reproduction, display or distribution of the Personal Data, and against accidental or unlawful loss, destruction, alteration, disclosure or damage of Personal Data in accordance with Data Protection Legislation.
  • The Provider must implement such measures to ensure a level of security appropriate to the risk involved, including as appropriate:
  • The Processor implements appropriate technical and organisational measures designed to ensure a level of security appropriate to the risk, including encryption of Personal Data in transit using industry-standard protocols, role-based access controls, authentication controls, logging and monitoring, network security measures, and backup and recovery controls.
  • Certain data elements, including IP addresses, may be processed and stored in intelligible form within production search and analytics systems where strictly necessary to provide fraud detection, risk analysis, querying, correlation, investigation, reporting, and related service functionality. Access to such data is restricted to authorised personnel on a least-privilege basis and is subject to audit and monitoring.
  • The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
  • The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and
  • A process for regularly testing, assessing and evaluating the effectiveness of the security measures.
  • Restoration of availability and access to Personal Data in a timely manner following a physical or technical incident.
  • Immediately inform the Client if, in MCP’s opinion, an instruction infringes the UK GDPR or other applicable data protection laws.
  • Administrative and production system access is restricted to authorised personnel using SSH key-based authentication, multi-factor authentication, and role-based access controls.
  • Network & Infrastructure: Systems are hosted on secure cloud environments with recognised security certifications; access is restricted and object storage controlled.
  • Logging & Monitoring: System and application logs are rotated/truncated; authentication events and access are monitored with alerts for unauthorised activity.
  • Data Minimisation & Retention: Only necessary Personal Data (IP, MSISDN, geolocation, browser metadata) is collected and retained according to defined schedules.
  • Backup & Recovery: Redundant servers, regular backups, and disaster recovery procedures ensure continuity.
  • Secure Development & Change Control: Development follows secure coding and authorised change management practices.
  • Sub-Processors: Cloud providers act as sub-processors and maintain their own security certifications; contractual and technical obligations are enforced.
  • Policies & Training: Policies cover access, incident response, secure configuration, data handling, and staff training on security and data protection.

12.1. The Provider may update and modify its security measures from time to time, provided that such modifications do not materially reduce the overall level of security.

13. Audits and Inspections

  • The Provider will, subject to payment of the Provider’s charges by the Client, permit the Client and its third-party representatives to audit the Provider’s compliance with its DPA obligations, on at least 30 days’ notice, during the Term. The Provider will give the Client and its third-party representatives reasonable assistance to conduct such audits. The assistance may include, but is not limited to, the following as is reasonable in the circumstances and reasonably required:
    1. physical access to, remote electronic access to, and copies of the Records and any other information held at the Provider’s premises or on systems storing the Personal Data;
    2. access to and meetings with any of the Provider’s personnel reasonably necessary to perform the audit effectively; and
    3. inspection of Records and the infrastructure, electronic data or systems, facilities, equipment or application software used to store or process the Personal Data.

13.1. The notice requirements in Clause 13.1 will not apply if the Client reasonably believes that a Personal Data Breach occurred or is occurring, or the Provider is in breach of any of its obligations under this DPA or any Data Protection Legislation.

14. Records

14.1. The Provider will keep detailed, accurate and up-to-date written records regarding any processing of the Personal Data, including but not limited to, the access, control and security of the Personal Data, approved sub-processors, the processing purposes, categories of processing, and a general description of the technical and organisational security measures referred to in Clause 12 (“Records”).

14.2. The Provider will ensure that the Records are sufficient to enable the Client to verify the Provider’s compliance with its obligations under this DPA and the Data Protection Legislation and the Provider will provide the Client with copies of the Records upon request.

15. Term and Termination

15.1. This DPA will remain in full force and effect so long as:

  1. the Agreement remains in effect; or
  2. the Provider retains any of the Personal Data related to the Agreement in its possession or control (Term).

16. Children’s Data

16.1. MCP does not knowingly process Personal Data relating to children under the age of 13 in connection with the Shield, VerifyTX or Scanner Services. The Client is responsible for ensuring that age verification, parental consent requirements or child-specific safeguards apply to its own end-users where required by law. If MCP becomes aware that it has inadvertently processed Personal Data of a child under 13, MCP shall delete such data unless retention is required by law.

This DPA has been entered into by the Parties on the date stated at the beginning of the MCP Provider Agreement.

Annex A: Formal Specification of Processing

Feature: Description

Subject Matter: The provision of fraud detection (Shield) and consent verification (VerifyTX & Certify) services.

Duration of Processing: For the duration of the Service DPA, plus applicable retention periods (e.g., 7 years for financial data).

Nature of Processing: Collection, recording, storage, automated analysis for fraud detection, and deletion.

Categories of Data Subjects: Client employees/staff and the Client’s end-user consumers.

Types of Personal Data: IP addresses, device fingerprints, MSISDN, and session videos.

Business Purposes: For example processing for HR purposes, recruitment, direct marketing and so on.