Articles on: Privacy Centre

Data Processing Agreement (DPA) & GDPR Compliance

At The Hoxton Mix, we are committed to protecting the security and privacy of your data. To ensure compliance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and related UK data protection legislation, we provide a standard Data Processing Agreement (DPA) to all business customers.

Do I need to sign a DPA?

No additional signature is required for the DPA to be legally valid.

Our DPA is incorporated into our Terms of Service and is accepted electronically when you:

Create an account, and/or
Continue to use our services

This constitutes a binding electronic agreement. A record of acceptance (including account details and timestamps) is retained by The Hoxton Mix in accordance with our compliance obligations.

However, we understand that many organisations require a physically signed copy of the DPA for:

Internal compliance records
Vendor onboarding or procurement
Audit and regulatory purposes

How to access your DPA

Your DPA is available securely within the Hoxton Mix customer portal.

You must be logged in to access it.

Steps

👉 https://account.hoxtonmix.com/

From the left-hand menu, select Business Settings
Navigate to GDPR Compliance – Data Processing Agreement
From this section, you can:

View the current DPA
Download the PDF version
Upload / replace a countersigned copy for your own records (optional)

The version displayed in the customer portal is the current and authoritative version of the agreement.

Signing the DPA for your records

We provide a pre-executed DPA, already signed by The Hoxton Mix Ltd.

If you require a countersigned copy for your internal records:

Download the DPA from the customer portal
Review Schedule 1, which sets out:

The nature and purpose of processing
Mail handling and scanning
Identity verification and compliance data

Navigate to Page 7 of the document
Complete the section:

“Signed for and on behalf of THE CUSTOMER (Controller)”

Save the completed document in your internal compliance files

You do not need to return the signed document to us unless you:

Have a specific objection to a sub-processor, or
Are requested to do so by a regulator or auditor

Continued use of the service constitutes acceptance of the DPA.

Roles under the DPA (Summary)

Depending on the data involved, The Hoxton Mix acts in different roles:

Processor

For Customer Content, including physical and digital mail handling, scanning, forwarding, and destruction.

Controller

For Service Data, including account management, billing, identity verification, and compliance with Anti-Money Laundering (AML) obligations.

Third-party postal carriers (e.g. Royal Mail, DHL, FedEx) act as independent Data Controllers once mail enters their delivery networks.

Sub-processors

We use a limited number of trusted sub-processors to deliver our services (for example, AWS and Crisp).

We operate under a general authorisation model in line with UK GDPR
A live list of sub-processors, including their functions and locations, is maintained in our Privacy Policy

👉 View Sub-processor List

https://help.hoxtonmix.com/en/article/privacy-policy-4bp798/

International data transfers

Where data is transferred outside the UK, we rely on appropriate safeguards, including:

The UK Extension to the EU–US Data Privacy Framework (UK Data Bridge)
The UK International Data Transfer Agreement (IDTA) or approved Standard Contractual Clauses

Security & certifications

To support vendor due-diligence and audit requirements:

Encryption in transit: TLS 1.2+
Encryption at rest: AES-256
Physical security: Controlled access, CCTV, and secure mail handling facilities
Certification:

The Hoxton Mix holds a valid Cyber Essentials Plus certification

Certification status can be independently verified here:

https://registry.blockmarktech.com/certificates/af0f0105-1863-4e02-a5d5-f2548d77bc2a1

Updated on: 08/01/2026