Last updated: 11/25/2025
This Data Processing Agreement (“Agreement”) forms part of the Contract for Services under the We Make Stuff Ltd. (trading as and herein named Mutual) Terms and Conditions (the “Principal Agreement”).
The term of this Agreement shall follow the term of the Principal Agreement. Where Mutual provides additional services beyond standard services (such as managed hosting), this Agreement may be supplemented by a project-specific data processing agreement detailing any further Sub Processors relevant to those services.
1.1 This agreement applies to the processing of Personal Data, within the scope of the GDPR, by the Processor on behalf of the Controller.
1.2 For purposes of this agreement, the Client and Mutual agree that the Client is the Controller of the Personal Data and Mutual is the Processor of such data. In the case where the Client acts as a Processor of Personal Data on behalf of a third party, Mutual shall be deemed to be a Sub-Processor.
1.3 The Client appoints Mutual as a Data Processor to perform the Data Processing Services described below in this document.
2.1 For the purpose of this Agreement, the following definitions shall apply:
2.1.1 Agreement - this data processing agreement
2.1.2 GDPR - means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)
2.1.3 Personal Data - means that data, meeting the definition of “personal data” as defined in Article 4 of the GDPR, that is provided by the Client to Mutual in order to perform the processing as set out in this document.
2.1.4 Sub Processor - means a natural or legal person, public authority, agency or body other than the data subject, Controller and Processor who, under the direct authority of the Processor, are authorised to process Personal Data for which the Client is the Controller
2.1.5 Terms used but not defined in this Data Processing Agreement (e.g., “processing”, “controller”, “processor”, “data subject”) shall have the same meaning as in Article 4 of the GDPR.
3.1 The subject matter, duration, nature and purpose of the Processing, and the types of Personal Data and categories of data subjects shall be as set out in this document.
4.1 Taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the Controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that Processing is performed in accordance with the GDPR. Those measures shall be reviewed and updated where necessary.
4.2 Where proportionate in relation to Processing activities, the measures referred to in paragraph 4.1 shall include the implementation of appropriate data protection policies by the Controller.
4.3 The Controller shall implement appropriate technical and organisational measures for ensuring that, by default, only Personal Data which are necessary for each specific purpose of the Processing are processed. That obligation applies to the amount of Personal Data collected, the extent of their Processing, the period of their storage and their accessibility. In particular, such measures shall ensure that by default Personal Data are not made accessible without the individual’s intervention to an indefinite number of natural persons.
5.1 Mutual may only process personal data in accordance with your written instructions (including when making an international transfer of personal data) unless required to do so by law.
5.2 Mutual must obtain a commitment of confidentiality from anyone that it allows to process the personal data, unless they are already under such a duty by law.
5.3 Mutual is subject to the same Article 32 requirements as you to keep the personal data that is being processed secure. These include but are not limited to:
5.3.1 Encryption
5.3.2 Pseudonymisation
5.3.3 Resilience of processing systems
5.3.4 Backing up personal data
6.1 By entering into this Agreement, Controller grants Mutual general written authorisation to engage Sub Processors to process Personal Data on Controller’s behalf, subject to the conditions set out in this Section 6.
6.2 Mutual will notify Controller by email at least 30 calendar days before engaging any new Sub Processor or replacing an existing Sub Processor. Controller will have the opportunity to object to such changes during this period on reasonable grounds relating to data protection. If Mutual does not receive an objection from Controller within the 30-day period, Controller’s consent to the new Sub Processor will be deemed to have been given.
6.3 Mutual will take all measures required pursuant to Article 32 of the GDPR, namely to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk to the rights and freedoms of natural persons.
6.4 If Mutual employs another processor, then we will impose the contract terms that are required by Article 28.3 of the GDPR on the Sub Processor.
6.5 If Mutual employs another processor, then the original Processor will still be liable to you for the compliance of the Sub Processor.
6.6 Mutual is at the time of entering into this Data Processor Agreement using the Sub Processors listed below in this document. If Mutual initiates sub-processing with a new Sub Processor, such new Sub Processor shall be added to the list.
7.1 Taking into account the nature of processing and the information available to us as a Data Processor, Mutual will provide you with full cooperation and assistance in meeting your obligations to data subjects under chapter 3 of the General Data Protection Regulation, including:
7.1.1 Put measures in place to keep personal data secure
7.1.2 Provide notification to you of any personal data breaches that require notification to your Supervisory Authority
7.1.3 Provide notification to you of any personal data breaches that require notification to the Data Subject
7.1.4 Provide assistance in the preparation of any Data Protection Impact Assessment prior to commencing any processing
7.1.5 To inform you immediately if we identify at any point that there is an unmitigated high risk to the processing
8.1 Ordinarily, the data processor will not transfer your data to countries outside the European Economic Area. In some cases, personal data will be saved on storage solutions that have servers outside the European Economic Area (EEA). Only those storage solutions that provide secure services with adequate relevant safeguards will be employed.
9.1 Upon termination of the contract, if requested by you we will:
9.1.1 Return to you all the personal data that has been processed for you and then delete our copies
9.1.1.1 Except where we are required to retain the personal data by law
10.1 If requested, Mutual must provide you with all the information that is required to demonstrate both parties have met the obligations of Article 28.
10.2 If requested, Mutual must submit and contribute to audits and inspections that you conduct or that another auditor appointed by you carries out.
10.3 Mutual must inform you immediately if we think we have been given an instruction which doesn’t comply with the General Data Protection Regulation.
11.1 This Agreement shall be governed by the laws of England and Wales and subject to the exclusive jurisdiction of the courts of England and Wales.
If you require a signed copy of this agreement, please contact hello@mutual.agency.
Subject Matter of Processing: Web development, design, consulting, and related digital services as specified in the Principal Agreement.
Duration of Processing: For the duration of the Principal Agreement and as required for service delivery.
Nature and Purpose of Processing: Processing of Personal Data necessary to provide web development services, including but not limited to:
Types of Personal Data:
Categories of Data Subjects:
Important Note: The Sub Processors listed below are those that Mutual uses at an agency level to provide our standard development and consulting services. These are services Mutual directly contracts with on behalf of all our clients.
It is Mutual’s company policy that the Controller maintains direct relationships with service providers such as hosting companies, cookie consent platforms, and analytics providers. These are not included in this list as they are contracted directly by you (the Controller).
However, in instances where Mutual provides additional services beyond our standard agency services (such as managed hosting or analytics implementation), this list may be supplemented by an additional site-specific data processing agreement detailing any further Sub Processors relevant to those services.
Name: Anthropic, PBC
Services Provided: Claude AI models
Purpose: Generate alt text for images uploaded in content management systems, translate content, and enforce tone of voice guidelines
Data Processed: Text content, image data submitted for analysis, user-generated content
Location: United States
Additional Information: https://www.anthropic.com/legal/privacy
Name: Hetzner Online GmbH
Services Provided: Cloud hosting infrastructure
Purpose: Hosts Mutual APIs including image transformation services and AI integration tools
Data Processed: API request data, image files for transformation, temporary data processed through Mutual’s APIs
Location: Germany (EU)
Additional Information: https://www.hetzner.com/legal/privacy-policy
Name: Cloudflare, Inc.
Services Provided: Content delivery network (CDN), DDoS protection, API security
Purpose: Protects Mutual APIs from malicious traffic and improves performance
Data Processed: IP addresses, request headers, user agent strings, cookies, request/response data passing through protected services
Location: United States with global network
Additional Information: https://www.cloudflare.com/privacypolicy/
Subprocessors: https://www.cloudflare.com/en-gb/gdpr/subprocessors/
Name: Pixel & Tonic, Inc.
Services Provided: Craft CMS licensing and management
Purpose: Handles Craft CMS software licensing, license validation, and associated billing for Craft CMS installations
Data Processed: Licence information, billing details, domain names where Craft CMS is installed
Location: United States
Additional Information: https://craftcms.com/privacy
Name: Google LLC
Services Provided: Google Analytics 4, Google Tag Manager, Google Search Console, Google Workspace
Purpose: Web analytics and tracking (Analytics 4), tag management (Tag Manager), search performance monitoring (Search Console), email and document collaboration (Workspace)
Data Processed:
Location: United States
Additional Information: https://policies.google.com/privacy
Name: Front App Inc.
Services Provided: Email management and team inbox
Purpose: Manages client communications, shared email inbox, and team collaboration on email correspondence
Data Processed: Email addresses, email content, attachments, contact information, communication history
Location: United States
Additional Information: https://front.com/privacy-policy
Name: Basecamp, LLC (37signals)
Services Provided: Project management and team collaboration
Purpose: Internal project planning, team coordination, and client communications
Data Processed: Project documentation, task descriptions, file attachments, messages which may incidentally contain client names, email addresses, user data examples, or other personal information shared during project discussions
Location: United States
Additional Information: https://basecamp.com/about/policies/privacy
Name: Linear Orbit, Inc.
Services Provided: Issue tracking and project management
Purpose: Internal tracking of bugs, feature requests, and development workflows
Data Processed: Issue descriptions, comments, attachments which may incidentally contain client names, email addresses, user data examples, error logs, or other personal information included in bug reports and technical discussions
Location: United States
Additional Information: https://linear.app/privacy
Name: Slack Technologies, LLC (Salesforce)
Services Provided: Team communication and collaboration platform
Purpose: Internal team communications, support ticket notifications, bug discussions, and project coordination
Data Processed: Messages, file attachments, support ticket information, bug reports which may incidentally contain client names, email addresses, user data examples, or other personal information shared in correspondence
Location: United States
Additional Information: https://slack.com/trust/privacy/privacy-policy
Mutual will notify you by email at least 30 calendar days before adding any new Sub Processor that will process your personal data, as set out in Section 6 of this Agreement.
For information about which Sub Processors are currently processing your personal data, please contact hello@mutual.agency.