Data Processing Agreement

Last Updated: 7 March 2026

Version: 1.1

This DPA is accepted automatically when you agree to the SCORE Subscription Agreement. If you need a countersigned copy, contact compliance@scorehq.io.

Schedule 1 to the SCORE Subscription Agreement

Parties

This Data Processing Agreement ("DPA") is entered into between:

SCORE (the trading name of 220 Yards Limited, a company incorporated in England and Wales), whose registered office is at 15 Victoria Mews, Mill Field Road, Cottingley Business Park, Bingley, England, BD16 1PY ("Processor", "SCORE", "we", "us"); and

The Customer who has agreed to the Subscription Agreement ("Controller", "Customer", "you").

Together referred to as the "Parties".

Background

A. The Controller has engaged SCORE to provide the SCORE survey management platform and associated services (the "Services") pursuant to the Subscription Agreement between the Parties (the "Agreement").

B. In providing the Services, SCORE will process Personal Data on behalf of the Controller. The Parties therefore enter into this DPA to document the terms on which that processing will take place, as required by Article 28 of the UK General Data Protection Regulation ("UK GDPR").

C. This DPA forms part of and is incorporated into the Agreement. In the event of any conflict between this DPA and the Agreement, the terms of this DPA shall prevail in respect of the processing of Personal Data.

1. Definitions

In this DPA, the following terms have the following meanings. Terms not defined here have the meaning given in the Agreement or in the UK GDPR.

  • "Applicable Data Protection Law" means the UK GDPR, the Data Protection Act 2018, and any other applicable data protection or privacy legislation in force from time to time in the United Kingdom.
  • "Controller" means the Customer, who determines the purposes and means of the processing of Personal Data pursuant to this DPA.
  • "Data Subject" means an identified or identifiable natural person to whom Personal Data relates.
  • "Personal Data" means any information relating to an identified or identifiable natural person, as defined in Article 4(1) UK GDPR.
  • "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.
  • "Processing" (and "Process", "Processed") means any operation or set of operations performed on Personal Data, as defined in Article 4(2) UK GDPR.
  • "Processor" means SCORE (220 Yards Limited), who processes Personal Data on behalf of the Controller pursuant to this DPA.
  • "Sub-Processor" means any third party engaged by SCORE to carry out processing activities in respect of the Personal Data on behalf of the Controller.
  • "Supervisory Authority" means the Information Commissioner's Office ("ICO"), or such other supervisory authority as may be applicable.

2. Roles of the Parties

2.1 The Parties acknowledge that, in respect of Personal Data processed under this DPA:

  • The Controller is the data controller and determines the purposes and means of processing; and
  • SCORE is the data processor and processes Personal Data only on the documented instructions of the Controller.

2.2 The Controller acknowledges that it is responsible for:

  • (a) ensuring it has a valid lawful basis for the processing of Personal Data and for instructing SCORE to process Personal Data on its behalf;
  • (b) ensuring that Data Subjects have been informed of the processing of their Personal Data, including SCORE's role as a processor, to the extent required by Applicable Data Protection Law; and
  • (c) the accuracy and legality of the Personal Data it uploads to or otherwise provides to SCORE.

3. Details of Processing

3.1 The subject matter, nature, purpose, and duration of the processing, the types of Personal Data processed, and the categories of Data Subjects are set out in Appendix A to this DPA.

3.2 The specific processing activities that apply to a particular Customer will depend on the Services subscribed to under the Agreement. Where the Controller does not subscribe to a particular Service (for example, AI-assisted quality control), the corresponding processing activities in Appendix A will not apply.

4. Controller Instructions

4.1 SCORE shall process Personal Data only on the documented instructions of the Controller, including with regard to transfers of Personal Data to any country or international organisation, unless required to do so by applicable law. In such a case, SCORE shall inform the Controller of that legal requirement before processing, unless that law prohibits such notification on important grounds of public interest.

4.2 The Controller's instructions are set out in this DPA, the Agreement, and any written instructions given by the Controller from time to time. The Controller's use of the Services constitutes an instruction to SCORE to process Personal Data to the extent necessary to provide the Services.

4.3 If SCORE considers that any instruction infringes Applicable Data Protection Law, it shall promptly notify the Controller.

5. SCORE's Obligations as Processor

5.1 Confidentiality

SCORE shall ensure that persons authorised to process Personal Data under this DPA are subject to appropriate obligations of confidentiality (whether by contract or professional duty) and process Personal Data only to the extent necessary for their job functions.

5.2 Security

SCORE shall implement and maintain appropriate technical and organisational measures to protect Personal Data against unauthorised or unlawful processing and against accidental loss, destruction, damage, alteration, or disclosure, as required by Article 32 UK GDPR and as further described in Appendix C.

5.3 Sub-Processors

5.3.1 The Controller grants SCORE general written authorisation to engage Sub-Processors. The Sub-Processors approved as at the date of this DPA are listed in Appendix B.

5.3.2 SCORE shall provide the Controller with at least 30 days' advance written notice of any intended changes to the Sub-Processor list (whether additions or replacements), giving the Controller the opportunity to object.

5.3.3 If the Controller objects to a proposed new or replacement Sub-Processor on reasonable data protection grounds, SCORE shall use reasonable efforts to make available a change to the Services that avoids the use of that Sub-Processor. If SCORE is unable to do so within a reasonable time, either Party may terminate the relevant part of the Services on written notice, without prejudice to any fees owed by the Controller.

5.3.4 SCORE shall ensure that each Sub-Processor is bound by data protection obligations equivalent to those set out in this DPA, by way of a written agreement. SCORE remains fully liable to the Controller for the performance of any Sub-Processor's obligations under this DPA.

5.4 Data Subject Rights

SCORE shall, taking into account the nature of the processing, assist the Controller by appropriate technical and organisational measures, insofar as this is possible, to fulfil the Controller's obligations to respond to requests from Data Subjects exercising their rights under Applicable Data Protection Law (including rights of access, rectification, erasure, restriction, portability, and objection).

5.5 Assistance with Compliance

SCORE shall assist the Controller in ensuring compliance with the obligations under Articles 32 to 36 UK GDPR (security, breach notification, data protection impact assessments, and prior consultation), taking into account the nature of the processing and the information available to SCORE.

5.6 Audit Rights

5.6.1 SCORE shall make available to the Controller all information reasonably necessary to demonstrate compliance with the obligations under this DPA.

5.6.2 SCORE shall permit, and contribute to, audits and inspections conducted by the Controller or an independent auditor mandated by the Controller, subject to:

  • (a) the Controller giving SCORE at least 30 days' prior written notice of the intended audit;
  • (b) audits taking place during normal business hours and in a manner that minimises disruption to SCORE's operations;
  • (c) the Controller (or its auditor) executing a confidentiality agreement on terms acceptable to SCORE before the audit commences; and
  • (d) no more than one audit per calendar year unless there are reasonable grounds to suspect a Personal Data Breach or material non-compliance.

5.6.3 The Controller may satisfy its audit right by requesting and reviewing SCORE's most recent third-party security certifications or audit reports (such as SOC 2 or ISO 27001 certificates), where available.

5.7 Deletion and Return of Data

5.7.1 Upon termination or expiry of the Agreement (or upon the Controller's written request), SCORE shall, at the Controller's election:

  • (a) securely delete all Personal Data processed under this DPA; or
  • (b) securely return all Personal Data to the Controller in a commonly used electronic format;

and delete existing copies, within 60 days of the termination date, unless applicable law requires storage of the Personal Data.

5.7.2 SCORE shall confirm in writing to the Controller once deletion or return has been completed.

5.7.3 Notwithstanding the above, SCORE may retain anonymised or aggregated data (from which individuals cannot be identified) for product improvement purposes.

6. Personal Data Breaches

6.1 SCORE shall notify the Controller without undue delay, and in any event within 48 hours, of becoming aware of a Personal Data Breach affecting the Personal Data processed under this DPA. Such notification shall include, to the extent available:

  • (a) a description of the nature of the Personal Data Breach, including the categories and approximate number of Data Subjects concerned and the categories and approximate number of personal data records concerned;
  • (b) the name and contact details of SCORE's data protection contact;
  • (c) a description of the likely consequences of the Personal Data Breach; and
  • (d) a description of the measures taken or proposed to address the Personal Data Breach.

6.2 Where SCORE is unable to provide all of the information in clause 6.1 within 48 hours, it shall provide what information is available and the remaining information as soon as possible thereafter.

6.3 SCORE shall cooperate with the Controller and take such reasonable steps as directed by the Controller to assist in the investigation, mitigation, and remediation of each Personal Data Breach.

6.4 Notification of a Personal Data Breach by SCORE does not constitute an admission of fault or liability.

7. International Transfers

7.1 SCORE shall not transfer Personal Data outside the United Kingdom without the Controller's prior written consent, except as permitted under this clause 7.

7.2 The Controller acknowledges and consents to SCORE transferring Personal Data to the Sub-Processors listed in Appendix B, subject to the transfer mechanisms described therein. The current approved international transfers are:

  • (a) Mistral AI (France, EU): covered by the UK-EU adequacy decision;
  • (b) Sinch (Mailgun) (EU, Germany): no international transfer outside EU/UK.

AWS (UK, London) and Heroku (EU, Ireland) do not involve transfers outside the UK or EU. All personal data is processed within the UK and EU.

7.3 In the event that a transfer mechanism relied upon by SCORE or a Sub-Processor is invalidated or suspended, SCORE shall promptly notify the Controller and take all reasonable steps to implement an alternative lawful transfer mechanism.

8. Controller's Obligations

8.1 The Controller shall:

  • (a) comply with its obligations as data controller under Applicable Data Protection Law;
  • (b) ensure it has a valid lawful basis for instructing SCORE to process Personal Data;
  • (c) ensure that any Personal Data uploaded to or otherwise provided to SCORE has been collected lawfully and in accordance with Applicable Data Protection Law;
  • (d) inform Data Subjects about the processing of their Personal Data by SCORE, including as set out in the Controller's privacy notice;
  • (e) not instruct SCORE to process Personal Data in a way that would cause SCORE to breach Applicable Data Protection Law; and
  • (f) ensure that the processing of Personal Data by SCORE on its behalf is within the scope of the Services and consistent with this DPA.

9. Liability

9.1 Each Party's liability under this DPA is subject to any limitation of liability provisions in the Agreement.

9.2 Where both Parties are responsible for damage caused to a Data Subject, each Party shall be liable for the part of the damage it is responsible for.

9.3 SCORE shall not be liable under this DPA for any processing of Personal Data carried out by the Controller outside the scope of the Agreement or in breach of this DPA.

10. Term

10.1 This DPA shall remain in force for the duration of the Agreement and shall automatically terminate upon the expiry or termination of the Agreement, subject to clause 5.7 (Deletion and Return of Data) which shall survive termination.

11. General

11.1 Entire agreement. This DPA constitutes the entire agreement between the Parties in relation to the processing of Personal Data and supersedes all prior agreements, representations, or understandings on that subject.

11.2 Amendments. SCORE may amend this DPA from time to time to reflect changes in Applicable Data Protection Law or regulatory guidance. SCORE shall provide the Controller with at least 30 days' notice of any material changes. Continued use of the Services following that notice period shall constitute acceptance of the amended DPA.

11.3 Governing law and jurisdiction. This DPA is governed by the laws of England and Wales. The Parties irrevocably submit to the exclusive jurisdiction of the courts of England and Wales.

11.4 Severability. If any provision of this DPA is found to be invalid or unenforceable, the remaining provisions shall continue in full force and effect.

Execution

This DPA is accepted by the Customer upon agreeing to the Subscription Agreement, whether by signing, electronic acceptance, or creating an account on the SCORE platform.

Appendix A — Details of Processing

The following table sets out the details of processing as required by Article 28(3) UK GDPR. The processing activities that apply to a particular Customer depend on the Services subscribed to under the Agreement.

A1. All Customers — Survey Report Storage and Management

Subject matter: Storage, retrieval, and management of survey report files and associated data
Duration: For the term of the Agreement and the retention period agreed between the Parties
Nature of processing: Storage, organisation, retrieval, deletion
Purpose: Enabling the Controller to upload, store, access, and manage survey report documents via the SCORE platform
Types of Personal Data: Names and contact details of survey clients (property owners, tenants); property addresses; survey metadata
Categories of Data Subjects: Survey clients of the Controller (individuals whose property is the subject of a survey report); authorised users of the Controller

A2. Customers Using AI-Assisted Quality Control and Field Extraction

This section applies only where the Controller has subscribed to or enabled AI-assisted QC or field extraction features.

Subject matter: AI-assisted optical character recognition (OCR), quality checking, and structured data extraction from survey report documents
Duration: For the term of the Agreement or until the Controller disables AI features
Nature of processing: Analysis, extraction, structuring, validation
Purpose: Automated quality checking of survey report content; extraction of structured data fields; flagging of potential errors or inconsistencies for human review
Types of Personal Data: Text content of survey reports, which may include: names and addresses of survey clients; property addresses and descriptions; valuation figures; surveyor details
Categories of Data Subjects: Survey clients of the Controller; surveyors authoring reports
Sub-Processor involved: Mistral AI (EU, France) — see Appendix B
Human oversight: All AI outputs are subject to mandatory human review via the SCORE quality control dashboard before any action is taken. SCORE does not make solely automated decisions that produce legal or similarly significant effects

A3. All Customers — Transactional Communications

Subject matter: Delivery of transactional email notifications relating to the Services
Duration: For the term of the Agreement
Nature of processing: Transmission of email communications
Purpose: Sending notifications to authorised users (e.g., survey job updates, report delivery notifications, account administration)
Types of Personal Data: Email addresses; names; notification content (which may reference survey job or report details)
Categories of Data Subjects: Authorised users of the Controller
Sub-Processor involved: Sinch (Mailgun) — EU (Germany) — see Appendix B

Appendix B — Approved Sub-Processors

The following Sub-Processors are approved as at the date of this DPA. SCORE will notify the Controller of any changes in accordance with clause 5.3.2.

Sub-Processor | Service | Data Processed | Location | Transfer Mechanism
Amazon Web Services (AWS) | Cloud storage (S3) | Survey report PDFs; survey metadata; account files | UK (London) | No transfer outside UK
Salesforce / Heroku | Application hosting and database | All data processed by the SCORE platform (application layer) | EU (Ireland) | No transfer outside UK/EU
Sinch (Mailgun) | Transactional email delivery | Email addresses; names; notification content | EU (Germany) | No transfer outside UK/EU
Mistral AI | AI/ML processing (OCR, QC, field extraction) | Survey report text and field content | EU (France) | UK-EU adequacy decision
Sentry (Functional Software) | Error monitoring and performance monitoring | Error context: IP addresses, user agent, request data (cookies stripped, PII filtering applied) | EU | No transfer outside EU/UK

Appendix C — Technical and Organisational Security Measures

SCORE maintains the following technical and organisational measures in accordance with Article 32 UK GDPR. These measures are reviewed at least annually.

Measure | Implementation
Encryption at rest | AES-256 encryption for all stored data (AWS S3 and Heroku PostgreSQL)
Encryption in transit | TLS 1.2 or higher for all data in transit
Access control | Role-based access control (RBAC); principle of least privilege; multi-factor authentication (MFA) required for all production system access
Password security | Passwords hashed using bcrypt; minimum complexity requirements enforced
Data segregation | Tenant-level data isolation; each customer's data is logically separated within the platform
Infrastructure security | Hosted on Heroku (Salesforce) EU infrastructure with ISO 27001 and SOC 2 Type II certification
File storage security | AWS S3 with server-side encryption; S3 versioning enabled for file recovery
Monitoring and logging | Application error monitoring via Sentry; access and security logs retained for 90 days (incident records retained for 24 months)
Vulnerability management | Regular security scanning; critical vulnerabilities patched within 48 hours; Rails security advisories monitored
Backup and recovery | Automated Heroku PostgreSQL backups; S3 versioning; recovery procedures verified after initial setup and tested periodically
Incident response | Documented Incident Response Plan; Personal Data Breaches notified to Controller within 48 hours
Personnel training | All team members with access to Personal Data trained on data protection obligations
Information security policy | SCORE maintains a documented Information Security Policy, reviewed annually
Framework alignment | Aligned with Cyber Essentials framework; controls designed in alignment with ISO 27001 principles

Document Information

  • Version: 1.1
  • Effective Date: 7 March 2026
  • Last Updated: 7 March 2026
  • Next Review: March 2027

Document Reference: SCO-AGR-DPA | 220 Yards Limited (trading as SCORE) — registered in England and Wales.