Data Processing Agreement (DPA)
Mixmetric Ltd trading as Design Metric (“Controller”, “we”, “us”, “our”) and each listed supplier acting as a Processor (and their sub-processors) agree to this DPA, which forms part of the services we provide to our customers and prospects. This DPA is intended to satisfy UK GDPR and the Data Protection Act 2018 requirements for controller–processor relationships.
Last updated: September 2025
1) Parties & Contacts
Controller: Mixmetric Ltd (Company No. 14210352) t/a Design Metric
Registered Office: 3 Barton Clough, Billinge, Wigan, Lancashire, WN5 7NT, United Kingdom
Office / Showroom: Central Tech, 31 Russell St, Liverpool, L3 5LJ, United Kingdom
Contact (privacy): info@designmetric.co.uk •
0151 792 6163
2) Purpose & Duration
Processors will handle Personal Data solely to provide their contracted services to us (e.g., email, hosting, analytics, payments, communications, scheduling) and only for as long as those services are active or as legally required.
3) Categories of Data & Data Subjects
- Data subjects: website visitors, prospects, customers/clients, supplier contacts, subscribers, and business contacts.
- Personal data: identity (name), contact (email, phone, company, role), communications, preferences, technical (IP, device, browser), usage (site/app interactions), transaction metadata (order/quote IDs). We do not intentionally collect special category data.
4) Controller Instructions
Processors shall process Personal Data only on our documented instructions, including this DPA and the main services agreement. If an instruction appears unlawful, the Processor will notify us.
5) Security & Confidentiality
Processors must implement appropriate technical and organisational measures (encryption in transit where applicable, access controls, least-privilege, logging, backups and resilience) and ensure personnel are bound by confidentiality obligations.
6) Sub-processors
Processors may use sub-processors to deliver their services. They must flow down equivalent data protection obligations and remain fully liable for those sub-processors’ acts and omissions. We receive reasonable notice of material changes to sub-processors through the supplier’s usual channels.
7) International Transfers
Where Personal Data is transferred outside the UK/EEA, the Processor must ensure a valid transfer mechanism (e.g., UK IDTA, EU SCCs with UK Addendum, adequacy decision) and appropriate safeguards.
8) Assistance, Breach & Requests
- Data Subject Requests: Processors will assist us in responding to requests (access, correction, deletion, objection, portability).
- Incidents: Processors will notify us without undue delay after becoming aware of a personal data breach and provide information and reasonable cooperation.
- Impact Assessments & Audits: Processors will provide information reasonably necessary to demonstrate compliance, including audit reports/certifications where available.
9) Return & Deletion
Upon termination of services (or on our instruction), Processors will delete or return Personal Data, unless retention is required by law. Deletion shall cover backups within feasible cycles.
Annex A — Our Current Processors
We use (or may use) the following processors to operate our business. We review and update this list as our stack evolves.
| Processor | Role / Purpose | Typical Data | Primary Location | Transfer Safeguards |
|---|---|---|---|---|
| Squarespace | Website hosting/CMS | Usage, form submissions (site) | EU/US | SCCs / UK Addendum |
| Google Workspace (incl. Gmail) | Email, docs, file storage; contact/forms processing via Apps Script | Identity, contact, comms metadata, attachments | EU/Global | SCCs / UK Addendum |
| Microsoft 365 | Productivity, email (where used) | Identity, contact, comms metadata | EU/UK | SCCs / UK Addendum |
| Mailchimp | Email marketing & subscriber management | Name, email, preferences, activity | EU/US | SCCs / UK Addendum |
| Elfsight | Embedded widgets (forms, social feeds, etc.) | Form inputs, usage | EU/US | SCCs / UK Addendum |
| Meta Platforms (Facebook, Instagram, WhatsApp) | Advertising, social engagement, messaging (WhatsApp Business) | Contact, messaging metadata, campaign/engagement data | EU/US | SCCs / UK Addendum |
| X (Twitter) | Social media & advertising (where used) | Engagement, handle, campaign data | US | SCCs |
| Social media & advertising (where used) | Engagement, campaign data | EU/US | SCCs / UK Addendum | |
| YouTube (Google) | Embedded video hosting & playback analytics | Usage, device, IP (via player) | EU/Global | SCCs / UK Addendum |
| Matterport | 3D tours hosting & playback analytics | Usage, device, IP (via viewer) | US/EU | SCCs / UK Addendum |
| Autodesk AutoCAD, Trimble SketchUp, McNeel Rhino | Design/visualisation tooling (accounts & collaboration) | User account details, project meta (no client special data) | EU/US (vendor dependent) | SCCs / UK Addendum |
| Xero | Accounting & invoicing | Billing contacts, invoice metadata, payments info (non-card) | EU/Global | SCCs / UK Addendum |
| PayPal / Teya (payments) | Payment processing (we receive tokenised/summary data only) | Payer name, email, transaction IDs, value, timestamps | EU/US/UK | PCI DSS; SCCs / UK Addendum |
| monday.com (CRM) | Project & workflow management | Contact, task/project metadata (business context) | EU/US/IL (vendor cloud) | SCCs / UK Addendum |
Note: We may add or replace processors as our services evolve. We will ensure any new processors are bound by equivalent data protection terms and valid transfer safeguards.
Annex B — Lawful Basis
We generally act as Controller and rely on: Contract (service delivery), Legitimate Interests (business operations, security, service improvement) and Consent (where required, e.g., email marketing). Processors act on our documented instructions.
Annex C — Requests & Contact
To exercise your UK GDPR rights or raise a concern, contact: info@designmetric.co.uk. You can also contact the UK ICO: ico.org.uk/make-a-complaint.