Data Processing Agreement.
Standard UK GDPR Article 28 Data Processing Agreement between Hangar.Media and its customers.
Last updated: April 2026
Introduction
This Data Processing Agreement ("DPA") forms part of the Terms of Service between Hangar.Media Ltd, a company registered in England and Wales ("Hangar.Media", "Processor"), and the customer identified in the applicable Hangar.Media account ("Customer", "Controller").
It sets out the terms on which Hangar.Media processes personal data on behalf of the Customer in connection with the Hangar.Media digital signage platform (the "Service"), in accordance with Article 28 of the UK General Data Protection Regulation ("UK GDPR") and the Data Protection Act 2018.
This DPA applies automatically to all Customers of the Service. No separate signature is required; the DPA takes effect when the Customer accepts the Terms of Service. A countersigned version is available on request via the contact form for Customers whose internal processes require one.
Definitions
Terms used but not defined in this DPA have the meanings given to them in the Terms of Service or in the UK GDPR. For clarity:
- "Controller", "Processor", "Data Subject", "Personal Data", "Processing" and "Personal Data Breach" have the meanings given to them in the UK GDPR.
- "Customer Personal Data" means Personal Data that Hangar.Media processes on behalf of the Customer in the course of providing the Service.
- "Sub-processor" means any third party engaged by Hangar.Media to process Customer Personal Data.
- "Supervisory Authority" means the Information Commissioner's Office (ICO) in the United Kingdom.
Roles of the Parties
In relation to Customer Personal Data processed under this DPA:
- The Customer is the Controller.
- Hangar.Media is the Processor, acting only on the documented instructions of the Customer.
The Customer's use of the Service, including its configuration of Content, screens, users, and optional audience measurement features, constitutes documented instructions to Hangar.Media for the purposes of Article 28(3)(a) UK GDPR.
For clarity, in relation to Hangar.Media's own account and billing data (including the Customer's registration details, payment details, and communications with support), Hangar.Media acts as Controller, and that processing is governed by the Privacy Policy, not by this DPA.
Subject Matter, Duration, Nature and Purpose
| Item | Description |
|---|---|
| Subject matter | Provision of the Hangar.Media digital signage platform to the Customer. |
| Duration | For the term of the Customer's subscription, plus the post-termination data retention window specified in the Terms of Service (30 days). |
| Nature and purpose | Storing, transmitting, displaying and managing digital signage Content; managing user accounts and access; delivering content to devices; monitoring device health; and, where enabled by the Customer, generating aggregate audience measurement statistics. |
| Categories of Data Subjects | |
| Categories of Personal Data | |
| Special category data | Hangar.Media does not require, request, or intentionally process any special category data under Article 9 UK GDPR. The Customer must not upload Content containing special category data unless it has established an appropriate lawful basis under Article 9(2). |
Processor Obligations
Hangar.Media shall:
- Process Customer Personal Data only on the documented instructions of the Customer, including with regard to transfers of Personal Data outside the United Kingdom, unless required to do otherwise by law (in which case Hangar.Media will inform the Customer of that legal requirement before processing, unless the law prohibits such notification on important grounds of public interest).
- Ensure that persons authorised to process Customer Personal Data are bound by appropriate contractual confidentiality obligations or statutory obligations of confidentiality.
- Take all measures required pursuant to Article 32 UK GDPR, as described in the Security section below.
- Assist the Customer, taking into account the nature of the processing, by appropriate technical and organisational measures, in fulfilling the Customer's obligation to respond to requests from Data Subjects exercising their rights under the UK GDPR.
- Assist the Customer in ensuring compliance with its obligations under Articles 32 to 36 UK GDPR (security, breach notification, DPIA and prior consultation), taking into account the nature of the processing and the information available to Hangar.Media.
- At the Customer's choice, delete or return all Customer Personal Data after the end of the provision of the Service, and delete existing copies unless retention is required by law, as further described in the Deletion and Return of Data section below.
- Make available to the Customer all information necessary to demonstrate compliance with the obligations set out in this DPA and Article 28 UK GDPR.
Sub-processors
The Customer grants Hangar.Media general authorisation to engage Sub-processors to assist in providing the Service, subject to the conditions set out in this section.
Current Sub-processors
| Sub-processor | Purpose | Location |
|---|---|---|
| DigitalOcean, LLC | Infrastructure hosting (servers, databases, object storage) | United Kingdom (London) |
| Stripe Payments Europe, Ltd | Payment processing | European Union (Ireland) |
Changes to Sub-processors
Hangar.Media will notify the Customer in advance of any intended changes to the list of Sub-processors (for example, by adding a new Sub-processor or replacing an existing one), giving the Customer the opportunity to object to such changes. Notification will be given by updating this DPA and, where a notification email address has been provided, by email to the Customer's registered contact, at least 30 days before the change takes effect.
If the Customer has a reasonable objection to a proposed new Sub-processor on data protection grounds, the Customer must notify Hangar.Media in writing within 14 days of receiving notification. The parties will work in good faith to address the objection. If no acceptable resolution can be reached, either party may terminate the Customer's subscription without penalty, and Hangar.Media will refund any unused prepaid fees on a pro-rata basis.
Sub-processor obligations
Where Hangar.Media engages a Sub-processor, it shall impose on that Sub-processor, by way of a written contract, data protection obligations that are no less protective than those set out in this DPA. Hangar.Media remains fully liable to the Customer for the performance of any Sub-processor's obligations.
Data Subject Rights
Taking into account the nature of the processing, Hangar.Media shall assist the Customer by appropriate technical and organisational measures, insofar as this is possible, in fulfilling the Customer's obligation to respond to requests for the exercise of Data Subject rights under Chapter III of the UK GDPR, including:
- The right of access (Article 15)
- The right to rectification (Article 16)
- The right to erasure (Article 17)
- The right to restriction of processing (Article 18)
- The right to data portability (Article 20)
- The right to object (Article 21)
If Hangar.Media receives a request directly from a Data Subject relating to Customer Personal Data, Hangar.Media will not respond to that request directly (except to acknowledge receipt) and will forward the request to the Customer without undue delay.
The Service provides the Customer with self-service tools through the dashboard and API to respond to most Data Subject requests (for example, exporting, correcting or deleting user accounts and Content).
Security
Hangar.Media shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as required by Article 32 UK GDPR. These measures include, as a minimum:
- Encryption in transit: All data transmitted between end-user devices and Hangar.Media servers is encrypted using TLS 1.3 or equivalent.
- Encryption at rest: Customer Personal Data stored in databases and object storage is encrypted using AES-256.
- Access control: Access to Customer Personal Data is restricted to authorised personnel on a need-to-know basis, using role-based access controls and strong authentication. Administrative access is logged.
- Network security: Production infrastructure is protected by firewalls, intrusion detection, and automated vulnerability scanning.
- Backups: Encrypted backups are maintained on a 30-day rolling cycle and stored in a geographically separate UK location.
- Vulnerability management: Security patches are applied to production systems according to a documented patch management policy, with critical patches applied without undue delay.
- Incident response: Hangar.Media maintains a documented incident response process covering detection, containment, notification and remediation.
- Staff training: Personnel with access to Customer Personal Data receive data protection and information security training.
- Secure development: Changes to the Service are reviewed, tested, and deployed through a controlled release process.
Hangar.Media reserves the right to update these measures over time to maintain an appropriate level of security, provided that the updated measures are no less protective than those described here.
Personal Data Breach Notification
Hangar.Media shall notify the Customer without undue delay, and in any event within 72 hours of becoming aware of a Personal Data Breach affecting Customer Personal Data. The notification will include, to the extent known at the time:
- The nature of the Personal Data Breach, including the categories and approximate number of Data Subjects and records concerned
- The likely consequences of the Personal Data Breach
- The measures taken or proposed to address the Personal Data Breach and mitigate its possible adverse effects
- The contact details of a point of contact where further information can be obtained
Where it is not possible to provide all of this information at once, it will be provided in phases without further undue delay. Hangar.Media will also cooperate reasonably with the Customer in the Customer's investigation and notification obligations to the Supervisory Authority and affected Data Subjects.
International Transfers
Customer Personal Data is stored and processed within the United Kingdom. Where a Sub-processor is located within the European Union (for example, Stripe in Ireland), Hangar.Media relies on the UK adequacy regulation for the EU, under which EU data protection standards are recognised as adequate for the purposes of UK GDPR.
Hangar.Media will not transfer Customer Personal Data to a third country outside the United Kingdom or the European Economic Area without ensuring that an appropriate transfer mechanism is in place, such as the UK International Data Transfer Agreement, Standard Contractual Clauses with the UK Addendum, or reliance on an adequacy regulation.
Audit Rights
Hangar.Media shall make available to the Customer, on reasonable written request and no more than once per twelve-month period, information reasonably necessary to demonstrate compliance with this DPA and Article 28 UK GDPR. This may take the form of:
- Written responses to a reasonable data protection questionnaire
- Copies of relevant policies, procedures, or certifications
- Summary reports of security assessments conducted on the Service
Where the Customer has a regulatory obligation or reasonable basis to require an on-site audit, the parties shall agree in advance on the timing, scope, and confidentiality terms of such an audit, which shall be conducted at the Customer's expense and in a manner that does not disrupt the operation of the Service.
Deletion and Return of Data
On termination or expiry of the Customer's subscription:
- The Customer will have a 30-day window following termination to export Customer Content and account data through the Service dashboard or API.
- After the 30-day window, Hangar.Media will delete all Customer Personal Data from active production systems. Deleted data will be purged from backups within the 30-day backup rotation window.
- Billing and invoice records will be retained for 7 years in accordance with HMRC legal requirements, as described in the Privacy Policy.
- Hangar.Media will, on request, provide written confirmation that deletion has taken place.
Liability
The liability of each party under or in connection with this DPA is subject to the limitations and exclusions of liability set out in the Terms of Service. Nothing in this DPA excludes or limits any liability that cannot be excluded or limited under applicable law.
Precedence
In the event of any conflict between this DPA and the Terms of Service, this DPA shall prevail in relation to the processing of Customer Personal Data. All other matters are governed by the Terms of Service.
Governing Law
This DPA is governed by and construed in accordance with the laws of England and Wales. Any disputes arising from this DPA shall be subject to the exclusive jurisdiction of the courts of England and Wales.
Changes to this DPA
Hangar.Media may update this DPA from time to time to reflect changes in legal requirements, sub-processors, or the Service. Material changes will be notified to the Customer at least 30 days in advance, in the same manner as changes to the Terms of Service.
Contact
If you have any questions about this DPA, or need to contact Hangar.Media in connection with any matter covered by it, please use the contact form on our website.