Data Protection Register

Data Processing Agreement

Last updated: 10 June 2026

This Data Processing Agreement ("DPA") forms part of our Terms of Service and applies automatically to every customer: no signature is required. It governs how Data Protection Register ("we", "us", the "processor") processes personal data contained in the records your organisation ("you", the "controller") creates in the service, as required by Article 28 of the UK GDPR and, where it applies, the EU GDPR. If you need a countersigned copy for your own records, email hello@dataprotectionregister.co.uk.

1. Scope and roles

You are the controller of the personal data your team puts into your records. We are your processor for that data. For the data we need to run the service itself (your account, organisation, and billing details) we act as an independent controller, as described in our Privacy Policy; that data is not covered by this DPA.

2. Details of the processing

  • Subject matter and purpose: hosting, storing, and processing the compliance records you create, including generating draft documents (such as ROPAs and DPIAs) from the information you capture.
  • Duration: the life of your subscription, plus the 90-day export window after cancellation.
  • Nature of the processing: storage, retrieval, display, structuring, and AI-assisted drafting performed on your instructions through the service.
  • Types of personal data: whatever your records contain. Typically names, job titles, and contact details of staff and data subjects referenced in your processing descriptions. You control what goes in.
  • Categories of data subjects: the individuals referenced in your records, typically your employees, customers, and suppliers.

3. Our obligations as processor

  • We process your record content only on your documented instructions. Using the service (creating records, generating documents, exporting) constitutes those instructions. We will tell you if we believe an instruction breaks data protection law.
  • Everyone we authorise to access your data is bound by confidentiality obligations.
  • We apply the technical and organisational measures described on our security page: encryption in transit and at rest, tenant isolation enforced at the data layer, MFA-capable authentication, and append-only audit logging. We may improve these measures but will not materially weaken them.
  • We assist you, taking into account the nature of the processing, in responding to data subject requests and in meeting your obligations on security, breach notification, and impact assessments.
  • If we become aware of a personal data breach affecting your data, we will notify your organisation owner by email without undue delay and share what we know as we learn it.
  • At the end of the contract we delete your record content after the 90-day export window described in the Terms of Service, unless UK or EU law requires us to keep it longer. You can export your records yourself at any time before then.

4. Sub-processors

You give us general authorisation to use the sub-processors listed in our Privacy Policy. The current list: Neon (EU database hosting), Vercel (application hosting), Clerk (authentication), Stripe (payments), Anthropic (AI drafting; does not train on your data), and Google (consent-based analytics; not used for record content). Each sub-processor is bound by data protection obligations no less protective than this DPA. If we add or replace a sub-processor that handles record content, we will notify organisation owners by email at least 30 days in advance, and you may object on reasonable data protection grounds; if we cannot resolve the objection, you may cancel and export your data.

5. International transfers

Record content is stored in the European Union. Where a sub-processor processes personal data outside the UK or EU (for example, Anthropic in the United States), the transfer is protected by the UK Extension to the EU-US Data Privacy Framework, the EU-US Data Privacy Framework, or Standard Contractual Clauses, as applicable.

6. Audits

We will make available the information reasonably necessary to demonstrate our compliance with this DPA, starting with our security page and documentation we can share on request. Where that is not sufficient, you may audit us (directly or through an independent auditor) no more than once in any 12-month period, on at least 30 days' notice, during business hours, at your cost, and subject to confidentiality. Audits may not access other customers' data.

7. Your obligations as controller

You confirm that you have a lawful basis for the personal data you put into your records, that your instructions to us comply with data protection law, and that you will not put data into the service that it is plainly unsuited to hold, such as special category data in volume or anything restricted by the Acceptable Use Policy.

8. Liability and order of precedence

Liability under this DPA is subject to the limitations in the Terms of Service. If this DPA conflicts with the Terms on a data protection matter, this DPA wins. This DPA is governed by the laws of England and Wales.

Contact

Data Protection Register
Email: hello@dataprotectionregister.co.uk

© 2026, Data Protection Register. Not a substitute for professional data-protection or legal advice.