PolicySuitePolicySuite

Data Processing Agreement (DPA)

Effective: 4 November 2025

This Data Processing Agreement ("DPA") forms part of the Terms of Service between you ("Data Controller") and PolicySuite ("Data Processor") and governs our processing of personal data under UK GDPR.

1. Definitions

Personal Data: Any information relating to an identified or identifiable natural person that you submit to the Service.
Processing: Any operation performed on Personal Data, including collection, storage, use, and deletion.

2. Scope and Roles

You are the Data Controller and determine the purposes and means of processing Personal Data. We are the Data Processor and process Personal Data only on your documented instructions.

3. Processing Instructions

We will process Personal Data only:

4. Security Measures

We implement appropriate technical and organisational measures, including:

5. Sub-Processors

We may engage sub-processors (hosting, email delivery) to assist in providing the Service. Current sub-processors:

6. Data Subject Rights

We will assist you in responding to data subject requests (access, rectification, erasure, portability) by providing tools and data export capabilities.

7. Data Breach Notification

We will notify you without undue delay (within 48 hours) of any personal data breach affecting your data.

8. Data Return and Deletion

Upon termination, we will delete or return all Personal Data within 90 days, unless legally required to retain it.

9. Audits

We maintain SOC 2 Type II certification. You may request audit reports or conduct audits (with reasonable notice and at your expense).

10. Contact

DPA questions: dpa@policy-suite.com
Data Protection Officer: dpo@policy-suite.com