Data Protection & DUAA 2025 Statement

Embracing the DUAA 2025 – Continuing Our Commitment to Simplicity and Trust 

We’re pleased to see the Data Use and Access Act 2025 (DUAA) receive Royal Assent on 19 June 2025. It’s a welcome step forward, introducing greater clarity and flexibility in data protection — and it aligns perfectly with our core promise: we make it simple. 

The DUAA doesn’t replace UK GDPR or the DPA 2018, but it does evolve them. It introduces targeted reforms to better reflect modern digital practices — and we’re already on board. 

This updated statement outlines how Forfront Ltd, through the e-shot™ platform, continues to uphold the highest standards in data protection for our UK public sector clients and beyond. 

 

e-shot™ Product Privacy Statement 

Updated in line with the Data Use and Access Act 2025 (DUAA) 

Our Commitment to You 

At Forfront Ltd, privacy isn’t just a box-ticking exercise — it’s part of our DNA. Whether you use e-shot™ basic, pro, omni, engage, or integrate via API, Zapier or Microsoft Teams, we’re committed to protecting your data with integrity, clarity, and innovation. 

 

1. Roles and Responsibilities 

• You (our Client) act as the Data Controller: you decide how and why data is processed within e-shot™. 

• We act as the Data Processor: we only act on your instructions, in line with our Terms and Conditions and this policy. 

We comply with: 

• UK GDPR 

• DPA 2018 

• DUAA 2025 

 

2. What You Can Do with e-shot™ 

Our platform helps you: 

• Send email and SMS campaigns at scale. 

• Manage and organise contact data securely. 

• Track engagement and improve communications. 

Important note: As the Data Controller, it’s your responsibility to ensure that your processing activities (e.g. sending campaigns) have a lawful basis, such as consent or legitimate interest. 

 

3. Security Measures You Can Count On 

We're genuinely passionate about data security — and we’ve baked it into every part of our platform: 

• Secure UK-based hosting with tight physical and digital safeguards. 

• Encryption in transit and at rest. 

• Strict access controls for authorised personnel only. 

• Regular security assessments, including penetration testing. 

• Certifications & standards: ISO 27001:2022, Cyber Essentials Plus, and alignment with NCSC guidance. 

That said, no system is invincible. Strong passwords, enforced security with MFA/SSO and responsible user practices are crucial — and we’re here to help you get them right. 

 

4. Tools to Help You Stay Compliant 

e-shot™ includes built-in features that support your compliance: 

• Unsubscribe and opt-out management 

• Preference centres for contact-driven control 

• Double opt-in workflows 

• Compliant email footers 

• Spam and deliverability monitoring 

Everything is designed to simplify your compliance journey — without compromising effectiveness. 

 

5. Integrations & Sub-processors 

We integrate with tools like Zapier, Microsoft Teams, and others to support your workflows. You're responsible for how you use those integrations — but we ensure: 

• Any sub-processors we use meet our high standards. 

• All sub-processors are contractually bound to GDPR- and DUAA-compliant practices. 

 

6. International Data Transfers 

All data is hosted and processed in the UK by default. If transfers outside the UK ever occur, we apply appropriate safeguards — including updated DUAA-compliant assessments. 

 

7. Retention and Data Subject Rights 

• Data is retained only for the duration of your contract or as instructed. 

• Post-contract, data is encrypted and retained temporarily (usually 30–90 days) before secure deletion. 

• We support your responses to DSARs (Data Subject Access Requests) Under the New UK Data (Use and Access) Act 2025, access, rectification, and erasure requests. 

DUAA update: The new “reasonable and proportionate” search standard helps streamline Subject Access Request responses. 

 

8. Breach Notification 

Should a personal data breach occur, we’ll notify affected clients without undue delay and provide everything you need to fulfil your regulatory obligations. 

 

9. Policy Updates 

We’re open and transparent. This policy may change as services, laws, or technologies evolve. You’ll always find the latest version at: e-shot.net/privacy 

Your continued use of e-shot™ indicates your acceptance of any updates. 

 

10. Need to Talk Data? 

We’re here to help. If you’ve got a question, concern, or challenge around data protection, don’t hesitate to contact us. 

 

Further Reading 

• ICO Guide to UK GDPR 

• ICO Data (Use and Access) Act 2025 

 

 

Last updated: 29 June 2025