Data Processing Agreement (DPA)
Effective: 4 November 2025
This Data Processing Agreement ("DPA") forms part of the Terms of Service between you ("Data Controller") and PolicySuite ("Data Processor") and governs our processing of personal data under UK GDPR.
1. Definitions
Personal Data: Any information relating to an identified or identifiable natural person that you submit to the Service.
Processing: Any operation performed on Personal Data, including collection, storage, use, and deletion.
2. Scope and Roles
You are the Data Controller and determine the purposes and means of processing Personal Data. We are the Data Processor and process Personal Data only on your documented instructions.
3. Processing Instructions
We will process Personal Data only:
- As necessary to provide the Service under our Terms of Service
- As instructed by you through the Service interface
- As required by applicable law
4. Security Measures
We implement appropriate technical and organisational measures, including:
- Encryption in transit (TLS 1.3) and at rest (AES-256)
- Access controls and authentication
- Regular security testing and audits
- Incident response procedures
5. Sub-Processors
We may engage sub-processors (hosting, email delivery) to assist in providing the Service. Current sub-processors:
- Render.com - Hosting infrastructure (USA, Standard Contractual Clauses)
- Amazon Web Services - Database hosting (UK/EU regions)
6. Data Subject Rights
We will assist you in responding to data subject requests (access, rectification, erasure, portability) by providing tools and data export capabilities.
7. Data Breach Notification
We will notify you without undue delay (within 48 hours) of any personal data breach affecting your data.
8. Data Return and Deletion
Upon termination, we will delete or return all Personal Data within 90 days, unless legally required to retain it.
9. Audits
We maintain SOC 2 Type II certification. You may request audit reports or conduct audits (with reasonable notice and at your expense).
10. Contact
DPA questions: dpa@policy-suite.com
Data Protection Officer: dpo@policy-suite.com