Cookies on Margot

We use cookies and similar technologies for the things below. You can accept all, reject everything except what's essential, or pick what you're OK with.

Preferences
Theme, language, dismissals. Improves the experience but the site works without.
Improvement
Anonymous usage measurement so we can fix bugs and prioritise work.
Marketing
Lets us measure whether ads we run send people who actually use the site. We don't share personal data with advertisers.

Read our cookies policy and the privacy policy.

Loading…

Data processing agreement

Last updated: 2026-07-06

1. Introduction

This Data Processing Agreement ("DPA") forms part of, and is subject to, the Terms & conditions (the "Agreement") between you ("Customer", "you") and Margot, operated by Tamperan Ltd, a company registered in England and Wales (company number [to follow]) whose registered office is at Piccadilly Business Centre, Aldow Enterprise Park, Manchester M12 6AE ("Margot", "we", "us"). It governs our processing of personal data on your behalf in connection with the Services.

Terms such as "controller", "processor", "data subject", "personal data", "processing", and "personal data breach" have the meanings given in the "Data Protection Legislation", meaning the UK GDPR (the retained EU General Data Protection Regulation as it forms part of the law of England and Wales) and the Data Protection Act 2018, together with any other applicable data protection law, in each case as amended or replaced from time to time.

2. Roles of the parties

The Services allow you to publish a website that includes a contact-form component. When a visitor to your website submits that form, Margot processes the visitor's personal data in order to email the enquiry to you and to operate the Services. For that processing:

  • you are the controller; and
  • Margot is the processor, acting on your documented instructions.

This DPA applies to that processor relationship. It does not apply to personal data for which Margot is itself the controller (for example, your account and billing data); that is covered by our Privacy Policy. Where we are a processor, you are responsible for ensuring you have a lawful basis and any necessary notices or consents to collect and process the personal data submitted through your website's contact form, and for providing your website's visitors with your own privacy information.

3. Subject matter, duration, nature, and purpose

The subject matter, duration, nature, and purpose of the processing, the types of personal data, and the categories of data subjects are set out in Schedule 1. In summary, we process the personal data submitted through your website's contact form for the purpose of receiving it, delivering it to you by email, and operating, securing, and supporting the Services, for the duration of the Agreement.

4. Our obligations as processor

We will:

  1. Process only on your instructions - process the personal data only on your documented instructions, including as set out in this DPA and the Agreement and as needed to provide the Services, unless required to do otherwise by law, in which case we will (unless legally prohibited) inform you first. Your configuration and use of the Services, including the contact-form component, constitute your documented instructions. We will inform you if, in our opinion, an instruction infringes the Data Protection Legislation.

  2. Confidentiality - ensure that our personnel authorised to process the personal data are subject to an appropriate duty of confidentiality.

  3. Security (Article 32) - implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing. A summary of our current measures is set out in Schedule 2.

  4. Sub-processors - only engage the sub-processors listed in Schedule 3, or others notified to you under section 5, and impose on each sub-processor data protection obligations that are no less protective than those in this DPA. We remain responsible to you for the performance of each sub-processor's obligations.

  5. Assistance with data subject requests - taking into account the nature of the processing, assist you by appropriate technical and organisational measures, insofar as possible, to respond to requests from data subjects exercising their rights. If we receive such a request directly, we will, where legally permitted, refer the data subject to you and not respond to the request ourselves except on your instructions.

  6. Assistance with compliance - taking into account the nature of processing and the information available to us, assist you in ensuring compliance with your obligations regarding security, personal data breaches, data protection impact assessments, and prior consultation with the ICO.

  7. Breach notification - notify you without undue delay and in any event within 72 hours of becoming aware of a personal data breach affecting the personal data we process on your behalf, and provide you with sufficient information to allow you to meet any obligations to report the breach to the ICO or affected data subjects.

  8. Return or deletion - at your choice, delete or return to you all the personal data we process on your behalf after the end of the provision of the Services, and delete existing copies, unless we are required by law to retain them. On termination of the Agreement, personal data will be deleted within 30 days, subject to any legal retention requirement.

  9. Audit and information - make available to you the information reasonably necessary to demonstrate compliance with this DPA, and allow for and contribute to audits, including inspections, conducted by you or an auditor mandated by you, subject to reasonable notice, confidentiality obligations, and frequency limits, and conducted so as not to disrupt the Services or compromise the security or data of our other customers.

5. Sub-processors and change notice

You provide a general authorisation for us to engage the sub-processors listed in Schedule 3. If we intend to add or replace a sub-processor, we will give you at least 30 days' prior notice, by email or via this page, and you may object on reasonable data protection grounds within that notice period. If you object and we cannot reasonably accommodate the objection, you may terminate the affected part of the Services as your sole remedy.

6. International transfers

Where processing under this DPA involves a transfer of personal data outside the United Kingdom, we will ensure that an appropriate transfer mechanism recognised under the Data Protection Legislation is in place, such as the UK International Data Transfer Agreement (IDTA), or the UK Addendum to the EU Standard Contractual Clauses, and/or reliance on a relevant UK adequacy regulation. In practice, our hosting and the delivery of enquiry emails take place in the UK; where a Schedule 3 sub-processor that provides global edge and ingress processes data outside the UK, it does so under such a mechanism set out in its own data processing terms. We aim to keep this personal data within the UK or the European Economic Area wherever possible.

7. Liability and general

Each party's liability under or in connection with this DPA is subject to the limitations and exclusions of liability set out in the Agreement. This DPA forms part of the Agreement; in the event of a conflict between this DPA and the rest of the Agreement in relation to the processing of personal data as a processor, this DPA prevails. This DPA is governed by the law of England and Wales and subject to the jurisdiction provisions of the Agreement.


Schedule 1 - Details of the processing

Item Detail
Controller The Customer (the account holder operating a website built with Margot).
Processor Margot (Tamperan Ltd, company number [to follow]).
Subject matter Processing of personal data submitted by visitors through the contact-form component of the Customer's Margot-hosted website.
Duration For the term of the Agreement, plus any short retention period needed to deliver enquiries and provide support, after which data is deleted per Schedule 2 and section 4.8.
Nature and purpose Receiving, transmitting (by email to the Customer), temporarily storing, securing, backing up, and supporting the delivery of website contact-form enquiries as part of providing the Services.
Types of personal data Data provided by the website visitor in the contact form, typically: name, email address, and the free-text content of their message (which may contain further personal data the visitor chooses to include, such as a phone number). Associated technical metadata such as IP address and timestamp may be processed for security and anti-abuse purposes.
Special category data Not intended or required. The Customer must not configure the contact form to solicit special category data. Any special category data a visitor volunteers in free text is processed only incidentally as part of the message.
Categories of data subjects Visitors to the Customer's website who submit an enquiry through the contact form (for example, the Customer's prospective or existing customers).

Schedule 2 - Technical and organisational security measures (Article 32)

This is a summary of the measures we maintain; they may be updated as the Services evolve, provided the level of protection is not reduced.

  • Encryption of personal data in transit (using TLS) and at rest.
  • Physical and network security of the self-hosted United Kingdom infrastructure.
  • Access controls and authentication for systems processing personal data, on a least-privilege basis.
  • Segregation between customers' data within the Services.
  • Logging and monitoring, and anti-abuse/bot protection on published websites and forms.
  • Regular backups and a documented restore process.
  • Patching and maintenance of the infrastructure we operate.
  • Confidentiality obligations for personnel with access to personal data.
  • A process for detecting, investigating, and notifying personal data breaches.

Schedule 3 - Authorised sub-processors

The following sub-processors are authorised to process personal data under this DPA.

Sub-processor Purpose Processing location
Stripe Billing merchant of record (seller of record) for your subscription (active when paid plans go live). Stripe does not process the contact-form / site-visitor personal data covered by this DPA; it handles the billing relationship with you as an independent controller, not as a processor of visitor data Global
Amazon Web Services / Amazon SES Transactional email and delivery of contact-form enquiries UK (London, eu-west-2)
Cloudflare DNS, CDN, TLS, custom-hostname routing, reverse-proxy ingress, bot/abuse protection Global edge
PostHog Product analytics (consent-gated) EU (PostHog Cloud EU, eu.i.posthog.com)
Google Sign-in (OAuth/OIDC authentication) Google

Website hosting and application infrastructure are operated by us on our own self-hosted infrastructure (a self-hosted Proxmox host), with public ingress via a Cloudflare tunnel; data at rest is held on-premises and is not provided by a third-party cloud host. Physical location: the United Kingdom.

Contact

For any question about this DPA, or to exercise your rights or ours under it, contact us at [email protected] or via our contact form.