This is the Data Processing Agreement that applies to data processing carried out by us for a client. Machine Labs Ltd (“the Processor” or “Us”) is a company registered in Scotland number SC585963 with a registered office at the address shown below. You (“the Controller” or “You”) are a client of Machine Labs Ltd and are the data controller who is using our products or services to process data.

This agreement complies with the requirements of the EU General Data Protection Regulations.

Contact Details and Registered Office

Machine Labs Ltd
2 Rennie Square
Brucefield Industrial Estate
Scotland, UK
EH54 9DF



We will use Amazon Web Services, Inc. as a subprocessor. No other subprocessor will be appointed or have any personal data disclosed to unless authorized by you in writing.

Transfers of Personal Data

Personal data will only be transferred based on your specific instructions such as using the integration with an e-commerce store or by using the export facility to generate a dump of all or part of your database.


Machine Labs Ltd will keep all of the personal data confidential. All of our employees have contracts committing themselves to keeping your data confidential.

Data Subject Rights

We will assist you with responding to requests from your customers or data subjects under any data protection law.

We will promptly notify you of any requests we receive from your data subjects in respect of data we are processing. We will not respond to these requests other than acknowledgement without your written instructions unless we are required to by law.

Deletion of Personal Data

Provision will be made for the deletion of personal data both through a manual method (a web interface) and an automated method (the API).

It may take up to 30 days for the personal data to be removed from all backup systems.


We will assist you with any audit, including inspections by you or another auditor appointed by you. We require four weeks’ notice of any audit (unless an identifiable material issue has arisen) and we may charge a fee based on reasonable time and costs for assisting with the audit.


Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, we shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including as appropriate:

  1. the pseudonymization and encryption of personal data;
  2. the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
  3. the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
  4. a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.

Personal Data Breach

We will notify you as soon as possible if we become aware of a data breach affecting personal data. We will provide sufficient information to allow you to meet any obligations to inform data subjects of the data breach.

Aggregated Data

We will use machine learning and other statistical techniques to produce reports on aggregated data including data from you. This will be used for:

  1. benchmarking results against average performance;
  2. database segmentation;
  3. predicted performance including lifetime values;
  4. advice on email content including subject lines;
  5. public reports on general trends.

Governing Law

This agreement is governed by Scots Law.

This document is also available as a PDF if you need a signed hardcopy: