Data Processing Agreement

This agreement governs the processing of personal data by Micro Forge Ltd (Packagewise) on behalf of firms using the Packagewise platform. It forms part of the contract between Packagewise and each subscribing client.

Last updated: April 2026

1. Parties and scope

This Data Processing Agreement ('DPA') is between Micro Forge Ltd, a company incorporated in England and Wales, trading as Packagewise ('Processor'), and the law firm, HR consultancy, trade union, or other organisation that has signed up for a Packagewise subscription ('Controller'). It governs the processing of personal data carried out by the Processor on behalf of the Controller in connection with the Packagewise platform and embedded redundancy calculator service.

2. Nature and purpose of processing

The Processor provides a white-label embed widget and associated dashboard that allows the Controller to offer a UK redundancy package calculator to its own clients. The processing is limited to: (a) storing the Controller's account details (firm name, admin email, branding settings); (b) logging embed load events for usage analytics; and (c) transmitting PDF reports generated in response to calculator inputs. The embedded calculator does not collect or transmit any personally identifiable information about the employees who use it — inputs are limited to non-identifying financial parameters (age band, years of service, weekly pay).

3. Categories of data subjects and personal data

The personal data processed under this DPA relates to the Controller's authorised dashboard users (name, business email address). No personal data relating to the employees of the Controller's clients is processed through the embedded widget. PDF reports are generated locally and may contain information entered by the employee; those reports are never stored on Packagewise servers.

4. Processor obligations

The Processor shall: (a) only process personal data on documented instructions from the Controller, unless required to do so by applicable law; (b) ensure that persons authorised to process personal data are bound by appropriate confidentiality obligations; (c) implement appropriate technical and organisational security measures as set out in clause 7; (d) not engage sub-processors without prior notice to the Controller; (e) assist the Controller in responding to data subject rights requests insofar as this is possible given the nature of the processing; (f) notify the Controller of a personal data breach affecting Controller data within 72 hours of becoming aware of it; (g) at the Controller's choice, delete or return all personal data at the end of the service relationship.

5. Controller obligations

The Controller shall: (a) ensure there is a lawful basis for any personal data transmitted to the Processor; (b) provide any necessary notices and obtain any necessary consents from data subjects; (c) ensure that any personal data provided to the Processor is accurate; (d) not instruct the Processor to process data in a way that would breach applicable data protection law.

6. Sub-processors

The Controller hereby provides general authorisation for the Processor to engage the following sub-processors: Supabase Inc (database and authentication, EU/US); Vercel Inc (application hosting, US); Stripe Inc (payment processing, US/EU); Resend Inc (transactional email, US). The Processor will notify the Controller of any intended changes to sub-processors by updating this page. The Controller may object to any new sub-processor within 14 days of notification. All sub-processors are subject to data transfer safeguards including Standard Contractual Clauses where required under UK GDPR.

7. Security measures

The Processor implements the following technical and organisational measures: encrypted data transmission (HTTPS/TLS); encrypted data storage; access controls ensuring only authorised personnel can access production systems; API key and credential authentication for embed access; no logging of personally identifiable calculator inputs; regular review of security practices. The Processor will update these measures over time as technology and best practices evolve.

8. Data breach notification

In the event of a personal data breach affecting Controller data, the Processor will notify the Controller by email to the registered account address within 72 hours of becoming aware of the breach. The notification will include, to the extent then known: the nature of the breach; the categories and approximate number of data subjects affected; the likely consequences of the breach; and the measures taken or proposed to address the breach.

9. Data subject rights

Where the Controller receives a data subject rights request that requires the Processor's assistance (e.g. access, rectification, or erasure of data held in the Packagewise platform), the Processor will provide reasonable assistance within 30 days of a written request. The Processor will not respond directly to data subjects regarding Controller data without the Controller's prior written authorisation, except where required by law.

10. Return and deletion of data

On termination of the Controller's subscription, the Processor will retain account data for up to 90 days to allow for reactivation, after which it will be securely deleted. The Controller may request immediate deletion at any time by contacting packagewiseuk@gmail.com. The Processor will confirm deletion in writing within 30 days.

11. Audit rights

The Controller may, on reasonable written notice of not less than 30 days and no more than once per year, request information from the Processor to demonstrate compliance with this DPA. The Processor may satisfy such requests by providing relevant certifications, policies, or documentation rather than granting direct access to systems.

12. Governing law

This DPA is governed by the laws of England and Wales. The parties submit to the exclusive jurisdiction of the courts of England and Wales in relation to any dispute arising under or in connection with this DPA. Processing is conducted in compliance with the UK General Data Protection Regulation and the Data Protection Act 2018.