| Legal entity | UNIVERSALHOMEANDTECH LTD |
|---|---|
| Company number | 16534780 |
| Place of registration | England and Wales |
| Registered office | 15a Shrubbery Road, London, SW16 2AS, United Kingdom |
| ICO registration reference | ZC044007 |
| VAT position | Not VAT registered |
| Brand | TorScript |
| Website | https://torscript.com/ |
This Data Processing Agreement applies where UNIVERSALHOMEANDTECH LTD processes personal data on behalf of a business customer in connection with custom software, implementation, migration, commissioned release and support services. It does not apply where the Company is acting only as an independent controller for its own account, billing, tax, security, support or sales records.
The customer is the controller for personal data it controls. UNIVERSALHOMEANDTECH LTD is the processor only for the processing it performs on the customer's documented instructions. The Company is an independent controller for its own business administration, sales, billing, fraud prevention, tax, legal and security records.
The subject matter is the technical service, support, migration, installation, audit or software-related work described in the order or statement of work. Processing lasts for the term of the engagement and any wind-down, deletion, return, legal hold or recordkeeping period described in the contract.
Data may include names, email addresses, account identifiers, order records, customer records, website content, support tickets, log entries, IP addresses, configuration data, database fields and other data exposed by the customer for the agreed work. The customer should not provide special-category or criminal-offence data unless the contract specifically authorises it and appropriate safeguards are agreed.
The Company will process personal data only on documented instructions, keep authorised personnel under confidentiality duties, apply appropriate technical and organisational measures, help the customer with data subject requests where reasonably possible, assist with personal data breach information, and delete or return personal data at the end of services subject to legal retention.
Measures include access control, least privilege, secure credential handling, device security, backups where under Company control, incident escalation, confidentiality, logging where appropriate, and separation of customer records. Customers remain responsible for their own infrastructure, backups, administrator access and production environment security unless the written scope says otherwise.
The Company may use hosting, infrastructure, email, storage, payment, communication, professional adviser and security providers where needed for the service. The Company remains responsible for processor obligations that must flow down to sub-processors and will use appropriate contractual protections.
Where restricted transfers occur, the Company will use a recognised transfer route such as adequacy, the UK International Data Transfer Agreement, the UK Addendum to EU Standard Contractual Clauses, or an applicable data privacy framework certification.
The Company will notify the customer without undue delay after becoming aware of a personal data breach affecting customer-controlled personal data processed under this addendum. The customer remains responsible for regulator and data-subject notifications where the customer is controller, unless the law requires the Company to notify directly.
The Company will make available reasonable information needed to show compliance, subject to confidentiality, security, protection of other customers, and reasonable limits on disruption.