Articles on: Privacy Centre

Data Processing Agreement (DPA) & GDPR Compliance

Quick Answer: You can view, download, and countersign the DPA from the Customer Portal under Settings → Business → Business Documents → GDPR Compliance.



Accessing the DPA


  1. Log in to the Customer Portal
  2. Go to SettingsBusinessBusiness Documents
  3. Navigate to GDPR Compliance – Data Processing Agreement
  4. From here you can view, download the PDF, or upload a countersigned copy for your records


💡 Tip: The version in the portal is the current and authoritative version of the agreement.



Signing the DPA


We provide a pre-executed DPA, already signed by The Hoxton Mix Ltd.


If you need a countersigned copy for internal records:


  1. Download the DPA from the portal
  2. Review Schedule 1 (nature of processing, mail handling, identity verification)
  3. Go to Page 7 and complete: “Signed for and on behalf of THE CUSTOMER (Controller)”
  4. Save for your compliance files


You do not need to return the signed document unless you have a specific objection to a sub-processor or are requested to by a regulator.


⚠️ Important: Continued use of the service constitutes acceptance of the DPA.



Roles Under the DPA


Role

Scope

Processor

Customer content: physical and digital mail handling, scanning, forwarding, destruction

Controller

Service data: account management, billing, identity verification, AML compliance


Third-party postal carriers (Royal Mail, DHL, FedEx) act as independent Data Controllers once mail enters their networks.



Sub-Processors


We use a limited number of trusted sub-processors (e.g., AWS, Crisp) under a general authorisation model in line with UK GDPR. A live list is maintained in our Privacy Policy.



International Data Transfers


Where data is transferred outside the UK, we rely on:


  • The UK Extension to the EU–US Data Privacy Framework (UK Data Bridge)
  • The UK International Data Transfer Agreement (IDTA) or approved Standard Contractual Clauses



Security & Certifications


  • Encryption in transit: TLS 1.2+
  • Encryption at rest: AES-256
  • Physical security: Controlled access, CCTV, secure mail handling
  • Certification: Valid Cyber Essentials Plusverify here



Common Questions


Do I need to sign and return the DPA?

No. It’s pre-executed. You only need to countersign if required for your internal records.


Where can I find the sub-processor list?

In our Privacy Policy.


Who do I contact about data protection?

Email dpo@hoxtonmix.com.



Log in to your portal →

Updated on: 28/03/2026