Data Processing Agreement (DPA) for Star Feedback Limited

Last updated: 28.3.2025

This Data Processing Agreement (“DPA”) is part of the Terms of Service (“Agreement”) between you (“Customer,” “you,” “your”) and Star Feedback Limited (“the Software,” “Processor,” “we,” “our,” “us”). This DPA governs the processing of personal data that we perform on your behalf in connection with the provision of the Star Feedback Software and Services, in compliance with applicable data protection laws, including the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

  1. Definitions
  • Data Controller: The entity that determines the purposes and means of processing personal data.
  • Data Processor: The entity that processes personal data on behalf of the Data Controller.
  • Data Subject: Any identified or identifiable individual whose personal data is processed.
  • Personal Data: Any information relating to an identified or identifiable individual.
  • Processing: Any operation performed on personal data (e.g., collection, storage, use, sharing).
  • Sub-Processor: Any third party appointed by the Processor to process personal data on behalf of the Customer.
  1. Roles and Responsibilities
  • Customer as Data Controller: You are the Data Controller for all personal data processed via the Software. You are responsible for determining the lawful basis for processing and for fulfilling obligations to data subjects.
  • Star Feedback Limited as Data Processor: We act as the Data Processor and will process personal data solely on your documented instructions and in accordance with this DPA.
  1. Types of Personal Data Processed

We may process the following categories of personal data on your behalf:

  • End-user data: Names, email addresses, reviews, ratings, private feedback, video testimonials, and responses submitted via review widgets, forms, or landing pages.
  • Customer data: Contact names, email addresses, company name, phone numbers, account data, login credentials, and preferences.
  • Usage data: IP addresses, device/browser information, platform usage analytics, and cookie tracking data (where applicable).

The scope of data may evolve depending on the services provided. We will notify you of any material changes.

  1. Purpose of Processing

We process personal data for the purpose of delivering and improving the Star Feedback Software, which includes:

  • Aggregating reviews from platforms like Google and Facebook
  • Responding to reviews using AI tools (if enabled by Customer)
  • Sending review request emails and collecting feedback
  • Sharing reviews via website widgets and social media
  • Providing analytics on campaign performance and reputation
  • Automating workflows and integrations (e.g., via Zapier)
  1. Duration of Processing

We will process personal data for the duration of your subscription to the Software, or until this Agreement is terminated, unless otherwise required by law or requested by you.

  1. Processor Obligations

Star Feedback Limited agrees to:

  • Process only on your instructions
  • Maintain confidentiality: All employees and contractors handling data are bound by confidentiality agreements
  • Implement appropriate security measures (see Section 10)
  • Assist in compliance: We will help you fulfil data subject rights requests and conduct Data Protection Impact Assessments (DPIAs) if applicable
  • Notify of data breaches without undue delay and provide timely assistance to mitigate impact
  1. Customer Obligations

As Data Controller, you agree to:

  • Provide lawful, documented processing instructions
  • Ensure the legal basis for processing personal data
  • Inform data subjects as required by law and obtain necessary consents
  • Respond to data subject access, correction, or deletion requests
  • Notify us if any data or consent requirements change
  1. Sub-Processors

We may engage Sub-Processors to support service delivery. These may include:

  • SuiteDash – CRM, client portal, task management, and secure document delivery (hosted in the United States)
  • Stripe – payment processing
  • MailerLite – email automation and marketing
  • Calendly – meeting scheduling
  • Zapier – process automation and integrations
  • Google Workspace – internal communications and cloud storage
  • Amazon Web Services (AWS) or equivalent – cloud infrastructure

We ensure that all Sub-Processors:

  • Are bound by written agreements with appropriate data protection obligations
  • Implement sufficient technical and organisational measures
  • Are regularly reviewed for security and compliance

You will be notified of any intended changes to Sub-Processors and may object on reasonable grounds.

  1. International Data Transfers

Some Sub-Processors (such as SuiteDash, Stripe, MailerLite, and AWS) may store or process personal data outside of the United Kingdom or European Economic Area (EEA), including in the United States.

Where such transfers occur, we will ensure that appropriate safeguards are in place, such as:

  • UK Standard Contractual Clauses (SCCs)
  • Adequacy decisions issued by the UK government
  • Other lawful transfer mechanisms as recognised under UK GDPR
  1. Security Measures

We implement the following technical and organisational measures to ensure data security:

  • Encrypted transmission of all personal data (TLS/SSL)
  • Secure password storage and access controls
  • Role-based permissions and internal audits
  • Two-factor authentication for internal users
  • Regular software and infrastructure security testing
  • Business continuity and incident response planning
  1. Data Subject Rights

We will support your obligations to fulfil requests from data subjects regarding their rights, including:

  • Access to personal data
  • Rectification of inaccurate data
  • Erasure (right to be forgotten)
  • Restriction or objection to processing
  • Portability of data (if applicable)

We will notify you of any such request received directly and support you in responding.

  1. Data Retention and Deletion

Upon termination of our services, and at your written request, we will either:

  • Return all personal data to you, or
  • Securely delete it from our systems, unless legal obligations require retention

Data backups will be permanently deleted in accordance with our data retention schedule.

  1. Audit Rights

You may request a security audit or inspection, provided that:

  • It is performed with reasonable notice
  • Conducted in a way that does not disrupt our business
  • Costs are covered by the requesting Customer

We may provide existing certifications or summaries in place of a full audit.

  1. Liability

Liability for breaches of this DPA shall be subject to the limitations and exclusions outlined in the main Terms of Service, unless otherwise required by applicable data protection law.

  1. Governing Law

This DPA shall be governed by and construed in accordance with the laws of England and Wales, without regard to its conflict of laws principles.

  1. Termination

This DPA shall remain in effect as long as Star Feedback Limited processes personal data on your behalf. Upon termination of the Agreement, the terms of this DPA will continue to apply to any retained data until securely returned or deleted.

  1. Contact Information

If you have questions or concerns regarding this DPA or our data processing practices, please contact:

Data Protection Officer
📧 info@starfeedback.io
🏢 Star Feedback Limited
Ground Floor, Rear Barn, The Brookdale Centre, Knutsford, WA16 0SR
📌 Company Number: 15275178
📌 VAT Number: 464 3026 08