Data Processing Agreement

Last updated: 1 April 2026

About this agreement

This Data Processing Agreement (“DPA”) forms part of the contract between Garage Desk Ltd and each subscribing garage, and sets out the obligations of each party in relation to the processing of personal data under Article 28 of the UK General Data Protection Regulation (UK GDPR). By accepting the GarageDesk Terms & Conditions, you also accept this DPA.

1. Parties

Data Controller

The Subscribing Garage

The independent garage or garage business that has subscribed to the GarageDesk service, as identified in the account registration.

Data Processor

Garage Desk Ltd

A company registered in England and Wales, operating the GarageDesk platform at garagedesk.co.uk.

2. Subject Matter and Duration

This DPA governs the processing of personal data by Garage Desk Ltd (as processor) on behalf of the subscribing garage (as controller) for the purpose of providing the GarageDesk service.

This DPA runs for the duration of the subscription and terminates when the subscription ends, subject to the data deletion obligations set out in Section 12.

3. Nature and Purpose of Processing

The processing carried out by Garage Desk Ltd under this DPA includes:

  • Receiving and storing inbound WhatsApp messages from members of the public contacting the garage
  • Using AI (Claude by Anthropic) to engage in automated conversation to collect enquiry details
  • Performing automated vehicle registration lookups via the DVLA Vehicle Enquiry Service API
  • Generating indicative AI diagnoses based on described symptoms
  • Storing enquiry data in a secure database for display in the garage’s dashboard
  • Enabling garage staff to view, respond to, and manage enquiries via the dashboard
  • Sending outbound WhatsApp messages to customers on the garage’s behalf

4. Types of Personal Data

The personal data processed under this DPA comprises:

  • Full name of the customer
  • WhatsApp phone number
  • Vehicle registration plate
  • Vehicle details (make, model, year, fuel type — as returned by the DVLA)
  • Description of vehicle problem or service required
  • Full WhatsApp conversation history (including AI responses)
  • AI-generated diagnosis notes
  • Date and time of the enquiry

No special category data (as defined in Article 9 UK GDPR) is intended to be processed. Subscribers must not use the service to collect health, financial, or other special category data from their customers.

5. Data Subjects

The data subjects are members of the public who contact the subscribing garage via WhatsApp, including:

  • Individuals who message the garage’s WhatsApp number directly
  • Individuals who submit their phone number via the garage’s website enquiry widget
  • Individuals who called the garage and were contacted by GarageDesk as a follow-up to a missed call

6. Processor Obligations (Article 28 UK GDPR)

Garage Desk Ltd, as the data processor, shall:

6.1 Documented instructions

Process personal data only on documented instructions from the controller (i.e. to provide the GarageDesk service as described in these Terms and this DPA), unless required to do so by applicable law.

6.2 Confidentiality

Ensure that all personnel authorised to process the personal data are subject to a contractual or statutory duty of confidentiality.

6.3 Security

Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including encryption of data in transit and at rest, access controls, and regular security reviews.

6.4 Sub-processors

Not engage any sub-processor without prior written authorisation from the controller (provided as general consent under Section 7 of the Terms). We will impose equivalent data protection obligations on any sub-processor via a written agreement.

6.5 Data subject rights

Assist the controller in responding to data subject rights requests (access, rectification, erasure, portability, restriction, objection) within 15 calendar days of receiving such a request from the controller. We will not respond directly to data subjects whose requests relate to the controller's data without the controller's instruction.

6.6 Privacy impact assessments

Assist the controller, taking into account the nature of the processing and the information available to us, in ensuring compliance with obligations under Articles 32–36 UK GDPR (security, breach notification, DPIA, prior consultation).

6.7 Audit rights

Make available to the controller all information necessary to demonstrate compliance with this DPA, and allow for and contribute to audits and inspections conducted by the controller or a mandated auditor. Audits shall be conducted at the controller's cost, with at least 30 days' notice, and no more than once per 12-month period unless a breach has occurred.

6.8 Notification of unlawful instructions

Immediately inform the controller if, in our opinion, an instruction from the controller would infringe UK GDPR or other applicable data protection law.

7. Sub-Processors

The controller provides general written authorisation for Garage Desk Ltd to engage the following sub-processors. Garage Desk Ltd will ensure each sub-processor is bound by a written agreement containing equivalent data protection obligations:

Twilio Inc.

Purpose: Sending and receiving WhatsApp messages on the controller's behalf

Location: United States

Transfer mechanism: International Data Transfer Agreement (IDTA) / Standard Contractual Clauses

DPA: https://www.twilio.com/en-us/legal/data-protection-addendum

Anthropic PBC (Claude AI)

Purpose: AI-powered automated conversation handling and indicative diagnosis generation

Location: United States

Transfer mechanism: International Data Transfer Agreement (IDTA) / Standard Contractual Clauses

DPA: https://www.anthropic.com/legal/data-processing-addendum

Supabase Inc.

Purpose: Secure database storage of enquiry and conversation data

Location: EU (database hosted in EU region)

Transfer mechanism: UK adequacy framework for EU transfers

DPA: https://supabase.com/legal/dpa

We will notify the controller of any intended changes to sub-processors (additions or replacements) at least 14 days in advance by email, giving the controller the opportunity to object. If the controller objects in writing within 14 days and we cannot reasonably accommodate the objection, either party may terminate the subscription with immediate effect and we will refund a pro-rata portion of any prepaid fees.

8. Data Breach Notification

In the event of a personal data breach involving data processed under this DPA, Garage Desk Ltd shall notify the controller without undue delay and in any event within 24 hours of becoming aware of the breach.

The notification will include, as far as is possible:

  • A description of the nature of the breach, including where possible the categories and approximate number of data subjects and personal data records affected
  • The name and contact details of our data protection contact
  • A description of the likely consequences of the breach
  • A description of the measures taken or proposed to address the breach

The controller is responsible for determining whether to report the breach to the ICO (within 72 hours of the controller becoming aware) and/or to notify affected data subjects. Garage Desk Ltd will provide all reasonable assistance with the controller’s investigation and response.

9. Data Subject Rights Assistance

Where Garage Desk Ltd receives a request directly from a data subject in relation to data processed on the controller’s behalf, we will:

  • Promptly forward the request to the controller (within 2 business days)
  • Not respond to the data subject without the controller’s instruction
  • Provide the controller with all information and assistance needed to respond within the statutory timeframe

Garage Desk Ltd will provide assistance with data subject rights requests within 15 calendar days of a request from the controller.

10. Security Measures

Garage Desk Ltd implements the following technical and organisational security measures:

  • Encryption of all data in transit using TLS 1.2 or higher
  • Database encryption at rest
  • Role-based access controls — dashboard data is accessible only to the subscribing garage’s authorised users
  • Multi-factor authentication for administrative access
  • Regular security reviews and vulnerability assessments
  • Staff confidentiality obligations and data protection training

11. International Transfers

Where personal data is transferred outside the UK to sub-processors (Twilio, Anthropic), such transfers are governed by International Data Transfer Agreements (IDTAs) or equivalent Standard Contractual Clauses as approved by the ICO, providing appropriate safeguards in accordance with Chapter V UK GDPR.

Supabase stores data within the EU under an EU-hosted configuration and no transfer outside the EU/UK occurs for database storage.

12. Deletion on Termination

On termination of the subscription (for any reason), Garage Desk Ltd shall, at the controller’s election:

  • Delete all personal data processed on the controller’s behalf within 30 days of the termination date; or
  • Return the data to the controller in a structured, machine-readable format (CSV) within 30 days, following which we will delete all copies.

The controller must submit their election (deletion or return) within 14 days of the termination date. If no election is made, we will delete the data. We will provide written confirmation of deletion on request.

We may retain data beyond 30 days where required to do so by applicable law, in which case we will notify the controller and restrict processing of that data to the minimum required.

13. Controller Obligations

The controller (subscribing garage) acknowledges and agrees to:

  • Having a lawful basis under UK GDPR for processing end-customer personal data via GarageDesk
  • Maintaining an accessible privacy policy that informs customers about the use of WhatsApp, AI, and GarageDesk’s sub-processors
  • Ensuring staff who access the GarageDesk dashboard are authorised to do so
  • Not instructing Garage Desk Ltd to process personal data in a manner that would infringe UK GDPR or any applicable law
  • Promptly notifying Garage Desk Ltd of any changes to the controller’s instructions that may affect processing

14. Governing Law

This DPA is governed by the laws of England and Wales. Any disputes arising from this DPA shall be subject to the exclusive jurisdiction of the courts of England and Wales.

15. Contact

For questions about this DPA or to exercise your rights under it, contact:

Garage Desk Ltd — Data Protection

Email: privacy@garagedesk.co.uk

Registered in England and Wales
