Data Processing Agreement

This Data Processing Agreement forms part of any engagement between Goliath Web Services LTD (“Processor,” “we”) and the Client (“Controller,” “you”) under which we process personal data on your behalf.

This DPA applies when your project involves processing personal data of your end users, customers, or third parties; when you are subject to UK GDPR, EU GDPR, or equivalent data protection law; and when your engagement requires us to handle personal data beyond what’s already covered in our Privacy Policy.

¶ 01 Definitions

Terms used in this DPA have the meaning given to them in UK GDPR and the UK Data Protection Act 2018 (as amended by the Data (Use and Access) Act 2025). Key terms:

  • Personal data: any information relating to an identified or identifiable natural person
  • Processing: any operation performed on personal data (collection, storage, modification, transmission, deletion)
  • Controller: the entity that determines the purposes and means of processing (you)
  • Processor: the entity that processes data on behalf of the Controller (us)
  • Sub-processor: a third party engaged by us to process data on the Controller’s behalf

¶ 02 Scope of processing

We process personal data only:

  • For the purposes documented in the SOW for your engagement
  • In accordance with your written instructions
  • For the duration of the engagement, plus a wind-down period not exceeding 30 days

We do not process personal data for our own purposes, do not sell or share it with third parties (except documented sub-processors), and do not use it for product improvement, AI training, or analytics beyond what’s necessary to deliver the engagement.

¶ 03 Types of data and data subjects

The specific types of personal data processed depend on your engagement and typically include:

  • Names, email addresses, contact details of your end users
  • Authentication credentials (when implementing auth)
  • Submission data (when implementing forms)
  • Behavioural data (when implementing analytics, with your direction)

Categories of data subjects:

  • Your customers, leads, or users
  • Your employees or contractors (when relevant to the project)
  • Other individuals identified in the SOW

We do not process special category data (health, religion, biometric, etc.) unless explicitly specified in the SOW with appropriate additional safeguards.

¶ 04 Our obligations

We commit to:

  1. Process personal data only on your documented instructions
  2. Ensure that any personnel authorised to process the data are bound by confidentiality
  3. Implement appropriate technical and organisational measures to ensure security (see below)
  4. Engage sub-processors only with your prior written consent (general consent for our current sub-processor list, specific consent for any addition)
  5. Assist you in fulfilling your obligations to respond to data subject requests
  6. Notify you without undue delay (and in any case within 48 hours) of any personal data breach affecting your data
  7. Delete or return personal data at the end of the engagement, at your choice
  8. Make available all information necessary to demonstrate compliance with this DPA

¶ 05 Security measures

We implement the following measures to protect personal data:

  • TLS 1.3 encryption in transit
  • AES-256 encryption at rest (Supabase, R2, Fastmail)
  • Principle of least privilege for access (1Password Business with role-based access)
  • Multi-factor authentication on all service provider accounts
  • Regular automated backups (daily, retained 30 days)
  • Documented incident response procedure
  • Secrets never committed to version control
  • Annual security review

These measures are subject to ongoing review and may be enhanced as the threat landscape evolves.

¶ 06 Sub-processors

Current sub-processors used in delivering engagements:

Sub-processor              Service                             Location
Cloudflare, Inc.           Hosting, DNS, CDN                   Global (EU edge)
Supabase, Inc.             Database hosting                    EU (Frankfurt)
Sanity, Inc.               Content management                  EU (Amsterdam)
Stripe Payments UK Ltd     Payment processing                  UK
Resend, Inc.               Transactional email                 US
Clerk, Inc.                Authentication (when applicable)    US, EU regional

The baseline list above is our standard stack. Any project-specific sub-processor your build requires (for example a different host, database, or analytics tool) is named in your SOW and treated as part of this list. We will notify you of any intended addition or replacement of sub-processors. You may object to a proposed sub-processor within 14 days, in which case we will either not engage that sub-processor or work with you to find an alternative arrangement.

¶ 07 International transfers

For sub-processors located outside the UK and EEA (currently: Cloudflare, Resend, and Clerk), we rely on:

  • The UK–US Data Bridge framework (for US-based sub-processors)
  • Standard Contractual Clauses (where applicable)
  • Sub-processor certifications (SOC 2, ISO 27001, GDPR compliance attestations)

A copy of the applicable Standard Contractual Clauses is available on request.

¶ 08 Data subject rights

We will assist you in responding to data subject requests (access, correction, deletion, portability) within reasonable time and at no additional charge for engagements of standard scope.

If responding to a data subject request requires substantial work beyond the scope of normal operations (e.g., bulk export of a large dataset), we will provide a quotation before proceeding.

¶ 09 Audits and inspections

You have the right to audit our compliance with this DPA, on reasonable notice (minimum 14 days) and not more frequently than once per year, except where a personal data breach has occurred.

Audits are conducted at your expense unless they reveal material non-compliance, in which case the cost is borne by us.

¶ 10 Termination

This DPA terminates with the underlying engagement. Upon termination, we will, at your written request:

  • Return all personal data to you in a structured, commonly-used format, OR
  • Delete all personal data (and certify deletion in writing)

We will retain personal data only as required by law, in which case we will continue to protect it under the terms of this DPA.

¶ 11 Liability

Liability under this DPA is governed by the liability provisions of the Terms of Engagement for the underlying engagement.

¶ 12 Contact

Data protection queries: [email protected]. Personal data breaches or urgent matters: same email with subject line including “URGENT — DATA.”