Data Processing Agreement
Last Updated: 13/11/2025
This agreement (the “Data Processing Agreement”) forms part of our Platform Terms and Conditions, including our privacy and cookies policies, accessible at https://layer8.io (the “Terms”). Capitalised but undefined terms have the meanings given in the Platform Terms and Conditions.
1. SCOPE OF THIS DATA PROCESSING AGREEMENT
1.1 A User may provide data to Layer 8 under or through the Services (“User Data”). That User Data may include Personal Data (“User Personal Data”).
1.2 This Data Processing Agreement applies to the Processing of User Personal Data that is subject to Data Protection Law under any Customer Contract and/or Terms.
1.3 The following definitions shall apply in this Data Processing Agreement:
(A) Commissioner: the Information Commissioner (see Article 4(A3), UK GDPR and section 114, DPA 2018 (as defined below));
(B) Data Protection Law: all applicable data protection and privacy legislation in force from time to time in the UK including without limitation the UK GDPR; the Data Protection Act 2018 (and regulations made thereunder) (“DPA 2018”); the Privacy and Electronic Communications Regulations 2003 (SI 2003/2426) as amended; the Data (Use and Access) Act 2025; and all other legislation and regulatory requirements in force from time to time which apply to a Party relating to the use of Personal Data (including the privacy of electronic communications); and
(C) UK GDPR: has the meaning given to it in section 3(10) (as supplemented by section 205(4)) of the DPA 2018.
1.4 Terms such as “Process”, “Processing”, “Personal Data”, “Personal Data Breach” “Data Subject”, “Controller” and “Processor” shall have the meaning ascribed to them in the Data Protection Law.
1.5 Layer 8 may act as Controller in respect of certain Personal Data provided by User to Layer 8. This includes, for example, account information (such as usernames, email addresses and billing information) that User provides to Layer 8 in connection with the creation and administration of User’s account. This Data Processing Agreement does not apply where Layer 8 Processes such Personal Data as Controller.
1.6 Schedule 1 describes the subject matter, duration, nature and purpose of the Processing and the Personal Data categories and Data Subject types in respect of which Layer 8 may Process the User Personal Data.
2. ROLES AND RESPONSIBILITIES
2.1 User is the Controller of the User Personal Data covered by this Data Processing Agreement. The User will determine the scope, purposes and manner by which the User Personal Data may be accessed or Processed by Layer 8.
2.2 User will:
(A) comply with its obligations as a Controller under Data Protection Law in how it Processes User Personal Data and when giving instructions to Layer 8;
(B) provide notice and/or obtain all consents and rights necessary for Layer 8 to Process User Personal Data under the Customer Contract and/or Terms and provide the Services, and will ensure it keeps a record of these; and
(C) immediately give notice to Layer 8 of any revocation of consent or similar related to User Personal Data covered by this Data Processing Agreement.
2.3 Layer 8 is the Processor. Layer 8 shall only Process User Personal Data for the Authorised Purposes (as defined below) and on the documented instructions of User, unless Layer 8 is required by applicable laws to otherwise Process that User Personal Data. Where Layer 8 relies on applicable laws as the basis for Processing User Personal Data, Layer 8 shall notify User of this before performing the relevant Processing unless those applicable laws prohibit Layer 8 from so notifying User on important grounds of public interest.
2.4 Layer 8 will Process the User Personal Data only for the following purposes (“Authorised Purposes”):
(A) to perform Services in accordance with the Customer Contract and/or Terms;
(B) to perform any of the steps necessary for the Services; and
(C) to comply with any other lawful and reasonable written instructions from User that are consistent with the Customer Contract and/or Terms.
2.5 Where Layer 8 is unable to Process User Personal Data under clause 2.3 because of a legal obligation (including under Data Protection Law), Layer 8 shall inform User unless the law prohibits this.
3. CONFIDENTIALITY
3.1 Without prejudice to the existing contractual confidentiality arrangements between Layer 8 and User, Layer 8 shall ensure any person authorised by Layer 8 to Process User Personal Data has signed an appropriate confidentiality agreement, are otherwise bound to a duty of confidentiality, or are under an appropriate statutory obligation of confidentiality.
4. SECURITY
4.1 Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, without prejudice to any other security standards agreed upon by Layer 8 and the User, Layer 8 and User shall implement appropriate technical and organisational measures to ensure a level of security of the processing of User Personal Data appropriate to the risk. These measures shall include as appropriate: (a) the measures referred to in Article 32(1) of the UK GDPR; and (b) the measures further detailed in Schedule 2.
4.2 In assessing the appropriate level of security account shall be taken in particular of all the risks that are presented by Processing, for example from accidental or unlawful destruction, loss, or alteration, unauthorised or unlawful storage, Processing, access or disclosure of User Personal Data.
4.3 Layer 8 will maintain records of its security standards and certifications. Upon User’s written request, Layer 8 will provide (on a confidential basis) copies of relevant external certifications, audit report summaries and/or other documentation as reasonably required by User to satisfy it of compliance with this Data Processing Agreement. Layer 8 shall in addition provide responses to User’s reasonable written questions relating to information security as necessary to confirm compliance with this Data Processing Agreement.
4.5 Customer acknowledges that security measures are constantly being improved and Layer 8 may update these measures and the related policies, provided that these do not reduce the overall security of User’s Services.
5. TRANSFER
5.1 Layer 8 will not transfer any User Personal Data outside the European Economic Area without User’s written authorisation.
5.2 Where such consent is granted, Layer 8 may only Process, or permit the Processing, of the User Personal Data outside the European Economic Area under the following conditions:
(A) Layer 8 is Processing the Personal Data in a territory which is subject to adequacy regulations under Data Protection Law that the territory provides adequate protection for the privacy rights of individuals; or
(B) Layer 8 participates in a valid cross-border transfer mechanism under Data Protection Law, so that Layer 8 (and, where appropriate, User) can ensure that appropriate safeguards are in place to ensure an adequate level of protection with respect to the privacy rights of individuals as required by Article 46 of the UK GDPR; or
(C) the transfer otherwise complies with Data Protection Law (for example, where User has consented to it or there is a specific exception which applies under Data Protection Law).
5.3 If any Personal Data transfer between User and Layer 8 requires execution of standard contractual clauses (“SCCs”) in order to comply with Data Protection Law, Layer 8 and User will complete all relevant details in, and execute, the SCCs adopted by the Commissioner (or other relevant supervisory authorities or regulators) from time to time, and take all other actions required to legitimise the transfer.
6. INCIDENT MANAGEMENT
6.1 Layer 8 shall, upon becoming aware of a Personal Data Breach affecting User’s Services:
(A) without undue delay notify User about the Personal Data Breach; and
(B) at all times cooperate with User, and shall follow User’s reasonable instructions relating to the Personal Data Breach, to enable User to perform a thorough investigation into the Personal Data Breach, to formulate a correct response, and to take suitable further steps in respect of the Personal Data Breach.
7. SUB-PROCESSORS
7.1 Customer hereby grants a general authorisation to Layer 8 to engage sub-processors from time to time, including: (a) Layer 8 Affiliates; and (b) the list of sub-processors which Layer 8 maintains under “Layer 8 – Subprocessors” at the following URL: https://security.vorboss.com/resources. Subject to clause 7.2, Layer 8 will not subcontract any of its Service-related activities consisting (partly) of the Processing of Personal Data or requiring User Personal Data to be Processed by any third party without the prior written authorisation of Customer.
7.2 Layer 8 will add the names of new and replacement sub-processors to the list referenced at clause 7.1 above prior to them starting sub-processing Personal Data and shall provide a mechanism at such URL for Customer to obtain notice of such changes including any information necessary for the Customer to exercise its right to object. If Customer has a reasonable objection to any new or replacement sub-processor, it shall notify Layer 8 of such objections in writing within 10 days of the notification, and the parties will seek to resolve the matter in good faith. If Layer 8 requires use of the sub-processor in its discretion and is unable to satisfy Customer as to the suitability of the sub-processor then Customer shall have the right to terminate the relevant portion of the Services affected by the proposed sub-processing, or the affected Services agreement in its entirety, by providing written notice to Layer 8. Such termination shall take effect no earlier than 30 days after the date of Customer’s notice of termination.
7.3 Layer 8 will ensure that any sub-processor is bound by materially the same data protection obligations contained in this Data Processing Agreement and must, in particular, ensure that the sub-processor meets the requirements of Data Protection Law.
7.4 Even if authorised under clause 7.1, Layer 8 shall remain responsible for ensuring that the sub-processor’s Processing of User Personal Data meets this Data Processing Agreement.
8. RETURN OR DESTRUCTION OF PERSONAL DATA
8.1 This clause 8 shall apply where User Personal Data no longer needs to be Processed by Layer 8 because: (a) the Customer Contract and/or Terms has been terminated; and/or (b) all purposes for the Processing of User Personal Data in relation to the Services have been fulfilled.
8.2 User may make a written request for Layer 8 to delete, destroy or (at User’s request) return all User Personal Data to User and delete, destroy or return any existing copies, unless the law requires storage. Layer 8 shall in such cases notify within 25 Business Days that this clause has been complied with.
8.3 Where User does not make a request under clause 8.2 within 30 days, Layer 8 will delete or destroy all User Data in accordance with applicable law. Layer 8 will complete this as soon as reasonably practicable and within a maximum period of 180 days, unless the law requires storage.
8.4 User shall be responsible for exporting any User Data that it wishes to retain before clause 8.1 applies.
9. ASSISTANCE TO CONTROLLER
9.1 Layer 8 shall, taking into account the nature of processing and the information available, assist User by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of User’s obligation to respond to requests for exercising the data subject’s rights under Data Protection Law.
9.2 Layer 8 shall assist User in meeting User’s compliance obligations under Data Protection Law, taking into account the nature of Layer 8’s Processing and the information available to Layer 8, including in relation to security, breach notifications, impact assessments and consultations with the Commissioner (or other relevant supervisory authorities or regulators) under Data Protection Law.
9.3 Layer 8 shall make available to User all information necessary to demonstrate compliance with User’s obligations under Data Protection Law and allow for reasonable audits by User, or by User’s designated auditor, for this purpose on reasonable written notice.
10. LIABILITY AND INDEMNITY
10.1 Layer 8 indemnifies User and holds User harmless against all claims arising in connection with a breach of this Data Processing Agreement by Layer 8.
10.2 User indemnifies Layer 8 and holds Layer 8 harmless against all claims arising in connection with a breach of this Data Processing Agreement by User.
11. DURATION AND TERMINATION
11.1 This Data Processing Agreement shall come into effect on the effective date of the Terms into which this Data Processing Agreement is incorporated, and shall remain in force for the duration of those Terms.
11.2 Termination or expiry of this Data Processing Agreement shall not discharge Layer 8 from its confidentiality obligations under clause 3.
12. MISCELLANEOUS
12.1 In the event of any inconsistency between this Data Processing Agreement and any other terms in the Customer Contract and/or Terms in relation to those matters covered by clause 1.2, this Data Processing Agreement shall prevail.
12.2 As set out in the Terms, the Terms shall be governed by and interpreted in accordance with the laws of England, the courts of England shall have exclusive jurisdiction to settle any disputes (including non-contractual disputes) arising out of or in connection with the Terms, and Layer 8 and the User hereby submit to the exclusive jurisdiction of the English courts.
13. SCHEDULE 1: SUBJECT MATTER AND DETAILS OF PROCESSING
13.1 Subject matter: Layer 8 to process Personal Data provided by User when using Layer 8’s Platform and Services as detailed in the Customer Contract and/or Terms. Layer 8 is expected to access such Personal Data in order to successfully deliver those Services to the User.
13.2 Duration of Processing: As per clause 11.
13.3 Purpose of Processing: For the Authorised Purposes (as defined above).
13.4 Categories of Personal Data: As per clauses 1.1 and 1.2.
13.5 Data Subjects: Data Subjects include individuals about whom User Personal Data is provided to Layer 8.
14. SCHEDULE 2: SECURITY MEASURES
14.1 Layer 8 takes security extremely seriously and is a wholly owned subsidiary of Vorboss Limited who maintains security policies and procedures that are assessed and regularly audited against ISO 27001 and covering all areas related to Processing User Data. Layer 8 shares a fully integrated business management system with Vorboss.
14.2 Physical Access Control: All User Data storage locations are monitored with CCTV and physical access controlled through a restricted list of named individuals.
14.3 Data and Administrative Access: Authentication, credential management, and privilege control systems restrict administrative access to systems to a limited number of authorised personnel.
14.4 Layer 8 further has specific policies, within scope of its ISO 27001 certification, addressing the following areas:
(A) Removable Devices Policy defining requirements, encryption standards and limitations on use.
(B) Disposal of Media and Equipment Policy detailing the process for securely wiping, degaussing and physically destroying (as applicable) media and equipment after use.
(C) Use of Cryptographic Controls Policy setting out encryption usage, PKI, and transport encryption.
(D) Password Policy governing the generation, strength, storage and rotation of passwords, PINs and cryptographic private keys.
(E) Backup and Antivirus Policy dictating the usage of antivirus and anti-malware protection and detailing backup policy.
(F) Information Security Events, Reporting and Investigation Procedure detailing the process to be followed upon discovery of any actual or perceived system weaknesses or breaches.