Data Processing Agreement

Version: 1.0  |  Effective date: 22 May 2026

---

Contents

1. Definitions
2. Scope and roles
3. Processor obligations
4. Controller obligations
5. Sub-processors
6. Data subject rights
7. Security
8. Personal data breach notification
9. Data protection impact assessments
10. International transfers
11. Termination and return/deletion of data
12. Audit and information
13. Liability
14. Governing law
15. Schedule A — Details of processing
16. Schedule B — Sub-processors
17. Schedule C — Technical and organisational security measures

---

1. Definitions

Terms defined in the Terms of Service have the same meaning here. In addition:

• "Controller" has the meaning in UK GDPR Article 4(7): the person who determines the purposes and means of processing.
• "Processor" has the meaning in UK GDPR Article 4(8): the person who processes personal data on behalf of the controller.
• "Data Subject" means an identified or identifiable natural person whose personal data is processed.
• "Personal Data" has the meaning in UK GDPR Article 4(1).
• "Special Category Data" means data falling within UK GDPR Article 9(1) (health data, criminal convictions and offences data, etc.).
• "UK GDPR" means the UK General Data Protection Regulation as it forms part of UK domestic law by virtue of the European Union (Withdrawal) Act 2018.
• "DPA 2018" means the Data Protection Act 2018.
• "PECR" means the Privacy and Electronic Communications (EC Directive) Regulations 2003 as amended.
• "Sub-Processor" means any processor engaged by TheatreStack to assist in carrying out processing on behalf of the Customer.
• "Supervisory Authority" means the Information Commissioner's Office (ICO).

2. Scope and roles

This DPA applies to all personal data that the Customer (as Controller) submits to, stores in, or processes through the TheatreStack Service.

TheatreStack (as Processor) processes such personal data solely on the documented instructions of the Customer, except where required to do so by applicable UK law. TheatreStack will inform the Customer if, in its opinion, an instruction infringes UK GDPR or DPA 2018, unless prohibited from doing so by law.

The details of the processing activities are set out in Schedule A.

3. Processor obligations

TheatreStack will:

1. Process personal data only on the documented instructions of the Customer, including with regard to transfers of personal data to a third country, unless required to do so by applicable UK law;
2. Ensure that all persons authorised to process the personal data are subject to confidentiality obligations (whether contractual or statutory);
3. Implement the technical and organisational security measures described in Schedule C;
4. Respect the conditions for engaging Sub-Processors as set out in Section 5;
5. Take appropriate steps to assist the Customer in responding to data subject rights requests, taking into account the nature of the processing, as further described in Section 6;
6. Assist the Customer in ensuring compliance with Articles 32 to 36 UK GDPR (security, breach notification, DPIA), taking into account the nature of the processing and the information available to TheatreStack;
7. At the Customer's election, delete or return all personal data to the Customer after the end of the provision of services, and delete existing copies unless UK law requires retention;
8. Make available all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits, as described in Section 12.

4. Controller obligations

The Customer (Controller) represents and warrants that:

1. It has all necessary authority (including lawful bases) to instruct TheatreStack to process the personal data described in Schedule A;
2. Where it processes Special Category Data (including children's data, health data, safeguarding records, and DBS information), it has identified and documented an appropriate UK GDPR Article 9 condition and DPA 2018 Schedule 1 condition;
3. It has provided, and will maintain, appropriate privacy notices to data subjects whose personal data it records in TheatreStack;
4. It will not instruct TheatreStack to process personal data in a way that would breach applicable law;
5. It will ensure appropriate role-based access controls are configured within its TheatreStack organisation so that sensitive data (including safeguarding records, children's profiles, and medical notes) is accessible only to those with a legitimate need.

5. Sub-processors

The Customer provides a general written authorisation for TheatreStack to engage the Sub-Processors listed in Schedule B and any replacements or additions in accordance with this section.

TheatreStack will notify the Customer of any intended changes to the Sub-Processor list (additions or replacements) by updating Schedule B and providing notice via the platform or email at least 30 days before the change takes effect. The Customer may object to a new Sub-Processor by contacting TheatreStack within that period. If the Customer objects and TheatreStack cannot address the objection, either party may terminate the Service on reasonable notice.

TheatreStack will ensure each Sub-Processor is bound by data processing obligations no less protective than those set out in this DPA.

6. Data subject rights

TheatreStack will promptly notify the Customer of any data subject request received directly (which we will forward without responding to the data subject, unless the Customer has authorised otherwise).

TheatreStack provides built-in tools within the Service to assist Customers in handling data subject access, portability, and erasure requests, including:

• A data requests administration panel;
• Automated data export generation;
• Deletion request management;
• User anonymisation functionality.

Taking into account the nature of the processing, TheatreStack will provide reasonable additional assistance to the Customer in responding to data subject requests where the built-in tools are insufficient.

7. Security

TheatreStack implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as set out in Schedule C. These measures are designed to protect against accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data.

TheatreStack will regularly test, assess, and evaluate the effectiveness of these measures. The Customer acknowledges that no security system is completely secure and TheatreStack cannot guarantee absolute security.

8. Personal data breach notification

TheatreStack will notify the Customer without undue delay — and in any event within 72 hours of becoming aware — of a personal data breach affecting the Customer's personal data. The notification will include, to the extent then known:

• A description of the nature of the breach, including (where possible) the categories and approximate numbers of data subjects and records affected;
• Contact details of the data protection point of contact at TheatreStack;
• A description of the likely consequences of the breach;
• A description of the measures taken or proposed to address the breach and, where appropriate, to mitigate its effects.

The Customer is responsible for notifying the ICO and data subjects where required. TheatreStack will provide reasonable cooperation and assistance.

9. Data protection impact assessments

Where the Customer is required to carry out a Data Protection Impact Assessment (DPIA) in relation to its use of the Service (for example, in connection with processing children's data or Special Category Data at scale), TheatreStack will provide reasonable assistance and information to help the Customer complete the DPIA.

10. International transfers

The core Service (application hosting, database, and file storage) is hosted in the United Kingdom, and Customer personal data is stored there. TheatreStack will not transfer personal data outside the UK without ensuring that an appropriate transfer mechanism is in place as required by UK GDPR Chapter V. Where a Sub-Processor is located outside the UK, or otherwise processes personal data outside the UK, TheatreStack will rely on the UK International Data Transfer Agreement (IDTA), the UK Addendum to the EU Standard Contractual Clauses, transfers to countries covered by UK adequacy regulations, or equivalent appropriate safeguards.

11. Termination and return/deletion of data

Upon termination of the Customer's subscription, TheatreStack will retain the Customer's personal data for a period of 90 days to allow the Customer to export it using the Service's export tools. After that period, TheatreStack will delete or anonymise the personal data unless retention is required by applicable UK law.

TheatreStack may retain aggregated, anonymised data derived from Customer Content after termination for service improvement purposes; such data will not identify individual data subjects.

12. Audit and information

TheatreStack will, upon reasonable written request (no more than once per year unless there are reasonable grounds to suspect a material breach), make available to the Customer information reasonably necessary to demonstrate compliance with this DPA. This may include summary security documentation, certifications, or responses to a standardised questionnaire.

Where the Customer (or its appointed auditor) requires an on-site audit or inspection, the parties will agree the scope, timing, and cost in advance. TheatreStack may object to an auditor that is a competitor.

13. Liability

Each party's liability under this DPA is subject to the limitations and exclusions in the Terms of Service. In the event of a conflict between the DPA and the Terms of Service regarding liability, the Terms of Service will prevail.

14. Governing law

This DPA is governed by the laws of England and Wales and is subject to the exclusive jurisdiction of the courts of England and Wales.

---

Schedule A — Details of processing

A.1 Subject matter and duration

The processing covers all personal data submitted to or stored in the TheatreStack Service by the Customer. The duration of processing is the term of the Customer's subscription, plus any post-termination retention period described in Section 11.

A.2 Nature and purpose of processing

Providing and operating the core Service, including:

• User account and membership management;
• Production planning and collaboration;
• Safeguarding case and incident record management;
• Chaperone and DBS compliance management;
• Child performance licence and 4-day rule tracking;
• Rehearsal and session attendance management;
• Financial and ticketing management;
• Communications and notification delivery;
• Audit logging and compliance reporting.

A.3 Categories of data subjects

• Members and committee members of the Customer's society;
• Child performers and participants (and their parents/guardians as emergency contacts);
• Chaperones, volunteers, and production team members;
• Individuals named in safeguarding incidents or cases;
• Audience members and customers (box office, ticketing);
• External professionals (e.g. LADO contacts, social care contacts recorded in safeguarding records).

A.4 Types of personal data

• Identity and contact data: names, email addresses, telephone numbers, addresses;
• Date of birth and age information;
• Role, membership, and permission information;
• School and education details (children);
• Emergency contact details;
• Medical notes, health conditions, allergies, and medications;
• Safeguarding incident and case records (including information about alleged abuse, disclosures, referrals, and case outcomes);
• DBS check reference numbers and check dates;
• Chaperone licence details and expiry dates;
• Performance licence applications, approvals, and expiry dates;
• Session, rehearsal, and performance attendance records;
• Financial data (subscription and ticketing, not payment card numbers);
• Communications and messages within the platform.

A.5 Special category and criminal records data

Processing of Special Category Data arises specifically in connection with:

• Health data: medical conditions, allergies, and medication recorded in member and child profiles;
• Safeguarding records: incident and case records that may contain information about physical, emotional, or sexual abuse, disclosures, or allegations — which may reveal data about health, sexual life, or other sensitive matters;
• Criminal records data: DBS check reference numbers and check dates (Article 10 UK GDPR / DPA 2018 Schedule 1).

---

Schedule B — Sub-processors

The following Sub-Processors are authorised as of the effective date. TheatreStack will update this Schedule in accordance with Section 5.

Sub-processor	Service provided	Data types shared	Location
DigitalOcean	Infrastructure, application hosting, and storage	All Customer personal data stored in the Service	United Kingdom (London)
Postmark	Transactional email delivery	Name, email address, message content for notifications/alerts	United Kingdom (London)
Stripe	Payment processing and subscription billing	Billing name, email, payment token (not full card data)	United Kingdom (London)
DigitalOcean Managed Databases	Managed database hosting	All Customer personal data	United Kingdom (London)
DigitalOcean Spaces	File storage (documents, exports, profile images)	Uploaded files and generated exports	United Kingdom (London)
Sentry (if applicable)	Error monitoring and application performance	Technical log data (may incidentally contain personal data); PII scrubbed where possible	United Kingdom (London)

---

Schedule C — Technical and organisational security measures

TheatreStack implements the following technical and organisational measures (TOMs) to protect Customer personal data:

Access control

• Passkeys-first multi-factor authentication (MFA) for all platform accounts, with TOTP fallback;
• Role-based access control with principle of least privilege across all platform modules;
• Scoped permissions for sensitive data: safeguarding records, children's profiles, DBS data, medical notes, and financial information are accessible only to users with the relevant role;
• Separate safeguarding module permissions enforced independently of general committee access;
• Staff access to production systems is restricted to named individuals with a legitimate need.

Encryption and transmission security

• All data in transit is encrypted using TLS 1.2 or higher;
• Data at rest is encrypted using AES-256 (or equivalent) at the storage layer;
• Particularly sensitive free-text fields (such as medical and accessibility notes) are additionally encrypted at the application layer using authenticated encryption, so they are not readable directly from the database;
• Passwords are hashed using a modern, salted algorithm (PBKDF2-SHA256, with bcrypt and scrypt also configured); plaintext passwords are never stored;
• Passkey credentials (WebAuthn) are stored as public keys only.

Audit logging

• Comprehensive audit log of user actions within the platform, including record creation, modification, and deletion;
• Specific audit events for access to and export of safeguarding records, children's profiles, DBS data, and medical notes;
• Audit logs are append-only in normal operation and retained in line with our data retention policy;
• Platform staff access to audit logs is restricted.

Incident response and availability

• Automated monitoring and alerting for security events and anomalies;
• Documented incident response procedure, including breach notification processes;
• Regular automated backups with tested restore procedures;
• Change management process for production deployments.

Organisational measures

• Data protection obligations included in employment contracts and contractor agreements;
• Staff training on data protection and security;
• A named point of contact for data protection queries;
• Vendor due diligence for Sub-Processors, including review of their security and privacy practices.