Our commitments for GDPR-compliant data processing
Effective: 17 February 2026
This Data Processing Agreement ("DPA") forms part of the Terms of Service between you ("Data Controller") and PolicySuite ("Data Processor") and governs our processing of personal data under UK GDPR.
Personal Data: Any information relating to an identified or identifiable natural person that you submit to the Service.
Processing: Any operation performed on Personal Data, including collection, storage, use, and deletion.
You are the Data Controller and determine the purposes and means of processing Personal Data. We are the Data Processor and process Personal Data only on your documented instructions.
We will process Personal Data only:
We implement appropriate technical and organisational measures, including:
We may engage sub-processors (hosting, email delivery) to assist in providing the Service. Current sub-processors:
We will assist you in responding to data subject requests (access, rectification, erasure, portability) by providing tools and data export capabilities.
We will notify you without undue delay (within 48 hours) of any personal data breach affecting your data.
Upon termination, we will delete or return all Personal Data within 90 days, unless legally required to retain it.
We maintain SOC 2 Type II certification. You may request audit reports or conduct audits (with reasonable notice and at your expense).
Where the Data Controller is domiciled in Switzerland or where Swiss data subjects' personal data is processed, this DPA is supplemented by the requirements of the Swiss Federal Act on Data Protection (nDSG), including the Ordinance on Data Protection (VDSG). Cross-border transfers comply with nDSG Articles 16-17.
DPA questions: dpa@policy-suite.com
Data Protection Officer: dpo@policy-suite.com