Data Processing Addendum
Data processing terms for scoped client work
JNET.support keeps data handling practical and limited. This addendum explains how client personal data is handled when JNET.support processes it on documented instructions during an agreed service engagement.
Applicability summary
- Applies when incorporated into an agreed project
- Client usually acts as controller
- JNET.support may act as processor for scoped work
- Processing is limited to documented instructions
- Sensitive data requires prior written agreement
- No production access without agreed scope
This public addendum applies only when it is incorporated by reference into an agreed proposal, statement of work, order, invoice, written agreement, or service engagement. It does not create a client relationship by itself.
Parties and roles
Apefo Ltd trading as JNET.support provides practical AI workflow, automation, training, assistant, and integration support.
For website inquiries, ordinary business communication, and company administration, JNET.support acts as an independent controller.
For scoped client work, JNET.support may act as a processor where it processes client personal data on documented instructions from the client. The client is usually the controller for client-provided personal data.
If a project requires a different role allocation, the agreed project document should define it.
Subject matter and duration
Processing relates to the agreed service engagement, such as workflow audit, automation scoping, AI assistant setup, training preparation, CRM, email, form workflow review, or integration support.
Duration
Processing lasts for the duration of the agreed engagement and any reasonable follow-up, retention, legal, accounting, security, or dispute period described in the Privacy Policy or project agreement.
Nature and purpose of processing
The purpose is to provide the agreed service and related support.
- reviewing workflow descriptions
- reviewing forms, emails, CRM fields, document structures, or reporting flows
- preparing summaries, maps, recommendations, training materials, prompts, assistant workflows, or integration plans
- testing scoped workflow examples
- communicating with client contacts
- maintaining project notes and deliverables
Categories of personal data
- business contact details
- names, job titles, work email addresses, phone numbers, and company details
- content submitted through the contact form or email
- workflow examples supplied by the client
- CRM, email, document, form metadata, or sample records if shared during a scoped project
- project notes, decisions, approvals, and communications
- optional documents or screenshots if later added by scope
Clients should avoid sending special category data, HR records, payroll data, medical data, financial account data, private client lists, credentials, API keys, or legally sensitive material unless explicitly agreed in writing.
Categories of data subjects
- client employees and contractors
- client representatives and business contacts
- client customers or leads only if the client supplies such data for scoped work
- suppliers or partners if included in workflow examples
- website and contact form users
Documented instructions
JNET.support will process client personal data only on documented instructions from the client, unless legally required otherwise.
If an instruction appears unsafe, unclear, unlawful, or outside scope, JNET.support may pause work and ask for clarification.
Instructions may include
- signed proposal
- statement of work
- written email approval
- project brief
- agreed workflow scope
- approved implementation task
- support request
Confidentiality
People authorized to work on client data must handle it confidentially. JNET.support will not intentionally disclose non-public client information except as needed to provide the agreed service, use approved sub-processors, comply with law, protect rights, or as otherwise agreed.
Practical security measures
- access limited to project need
- no credentials in first contact message
- scoped access before implementation
- human review checkpoints
- data minimisation
- use of client-approved tools where needed
- separation of public website forms from project delivery
- Turnstile bot protection on contact page when configured
- deletion or return after engagement where appropriate
- no analytics or tracking scripts on the current site
Security measures may be updated over time and may be supplemented by project-specific requirements.
Sub-processors
JNET.support may update the sub-processor list when tools change. For material changes affecting scoped client data, JNET.support should provide notice where reasonably possible through the website, written communication, or project documentation.
| Sub-processor | Purpose | Data involved | Notes |
|---|---|---|---|
| Web3Forms | Contact form delivery | Form fields submitted through /contact/ | Used for inbound requests unless replaced by another agreed intake method. |
| Cloudflare Turnstile | Bot protection for contact form when configured | Technical verification data | Rendered only on /contact/ when a public site key is configured. |
| Website hosting/infrastructure provider | Serving the public website and logs/security operation where applicable | Technical data such as IP address and request metadata | Name should be confirmed and added if/when the hosting provider is intentionally disclosed. |
| Client-selected tools | CRM, email, automation, AI, cloud, document, or project tools selected or approved by the client | Depends on project scope | Client approval and access rules should be defined before use. |
Provider details may be updated when tools or hosting arrangements change.
Assistance to the controller
Taking into account the nature of the service and available information, JNET.support will provide reasonable and proportionate assistance with:
- data subject requests
- security questions
- breach investigation
- DPIA-related information where relevant
- deletion or return requests
- audit or information requests
Personal data breach
If JNET.support becomes aware of a personal data breach affecting client personal data processed under a scoped engagement, it will notify the client without undue delay after becoming aware, provide available information, and cooperate reasonably.
Return and deletion
At the end of the engagement, client personal data will be returned, deleted, or retained only as reasonably required for legal, accounting, security, dispute, backup, or legitimate business record purposes, unless the agreed project document says otherwise.
Audits and information
JNET.support will make reasonable information available to help demonstrate compliance with this DPA. Formal audits or security reviews must be scoped in advance, limited to relevant systems, respect confidentiality, and avoid exposing data of other clients.
International transfers
JNET.support is based in the United Kingdom and may provide services to clients in the EU/EEA, UK, and other markets. Where personal data is transferred internationally, the parties should use a lawful transfer mechanism where required, such as an adequacy decision, standard contractual clauses, UK transfer mechanism, or another applicable safeguard.
Client responsibilities
- Lawful instructions: Provide instructions that are lawful, clear, and within scope.
- Authority to share: Confirm authority to share any client data supplied for the project.
- Minimise data: Share only what is needed for the agreed work.
- Sensitive data: Avoid sensitive data unless it is specifically agreed in writing.
- Review outputs: Review AI-assisted or automation-supported outputs before use.
- Approve tools: Approve tools, access levels, and project workspaces before use.
- Secure credentials: Keep passwords, API keys, and credentials secure.
- Lawful basis: Decide the lawful basis where the client is the controller.
- Rights requests: Respond to data subject requests where the client is the controller.
AI-assisted work and client data
JNET.support may help design or use AI-assisted workflows only where scoped and appropriate. Client data should not be entered into AI tools unless the tool, purpose, data type, access rules, and review process are approved for the project.
- no sensitive data in AI tools by default
- use anonymized or sample data where possible
- human review before client-facing use
- client approval before connecting AI to live workflows
- no guarantee of model accuracy
- no autonomous high-risk decisions without explicit scope and safeguards
What this DPA does not cover
- unscoped free advice
- data the client sends without request
- client systems outside JNET.support access
- client-selected tools used outside JNET.support control
- regulated legal, financial, medical, HR, or security advice
- production automation without a separate implementation scope
- large-scale or special category processing without specific written agreement
Conflict and order of documents
If there is a conflict, the signed agreement, proposal, SOW, or project-specific written terms control for that specific engagement. This public DPA is a baseline unless replaced or supplemented.
This DPA is not a substitute for a lawyer-reviewed enterprise agreement where high-risk, regulated, sensitive, or large-scale processing is involved.
Questions about data processing?
Apefo Ltd trading as JNET.support
Office 1, Izabella House 24-26 Regent Place, City Centre, Birmingham, United Kingdom, B1 3NJ
Company number: 16610465
Email: info@jnet.support