Data Processing Agreement (DPA)
Our commitments for GDPR-compliant data processing
Effective: 17 February 2026
This Data Processing Agreement ("DPA") forms part of the Terms of Service between you ("Data Controller") and Sevenpoynt Ltd, trading as PolicySuite ("Data Processor") and governs our processing of personal data under UK GDPR.
1. Definitions
Personal Data: Any information relating to an identified or identifiable natural person that you submit to the Service.
Processing: Any operation performed on Personal Data, including collection, storage, use, and deletion.
2. Scope and Roles
You are the Data Controller and determine the purposes and means of processing Personal Data. We are the Data Processor and process Personal Data only on your documented instructions.
3. Processing Instructions
We will process Personal Data only:
- As necessary to provide the Service under our Terms of Service
- As instructed by you through the Service interface
- As required by applicable law
4. Security Measures
We implement appropriate technical and organisational measures, including:
- Encryption in transit (TLS 1.3) and at rest (AES-256)
- Access controls and authentication
- Regular security testing and audits
- Incident response procedures
5. Sub-Processors
We may engage sub-processors to assist in providing the Service. Current sub-processors:
- Render — Cloud infrastructure and hosting (Frankfurt, DE / EU) — SOC 2 Type II
- Stripe — Payment processing (US) — PCI-DSS Level 1
- Mailgun (Sinch) — Email delivery (US/EU) — SOC 2 Type II
- Sentry — Error tracking and monitoring (US) — SOC 2 Type II
- Cloudflare — CDN and DDoS protection (Global) — ISO 27001
- Anthropic — AI policy generation / Claude API (US) — SOC 2 Type II
- OpenAI — AI policy generation / GPT API (US) — SOC 2 Type II
- Google Cloud — AI policy generation / Gemini API (US) — ISO 27001, SOC 2 Type II
- PostHog — Product analytics (EU) — SOC 2 Type II
6. Data Subject Rights
We will assist you in responding to data subject requests (access, rectification, erasure, portability) by providing tools and data export capabilities.
7. Data Breach Notification
We will notify you without undue delay (within 72 hours, in alignment with GDPR Article 33) of any personal data breach affecting your data.
8. Data Return and Deletion
Upon termination, we will delete or return all Personal Data within 90 days, unless legally required to retain it.
9. Audits
We implement security controls aligned with industry standards. You may request details of our security practices or conduct audits (with at least 60 days' written notice and at your expense).
Swiss nDSG Addendum
Where the Data Controller is domiciled in Switzerland or where Swiss data subjects' personal data is processed, this DPA is supplemented by the requirements of the Swiss Federal Act on Data Protection (nDSG), including the Ordinance on Data Protection (VDSG). Cross-border transfers comply with nDSG Articles 16-17.
10. Contact
DPA questions: privacy@policy-suite.com
Privacy Contact: privacy@policy-suite.com
Legal entity: Sevenpoynt Ltd, trading as PolicySuite
Address: 28 Chamberlain Drive, Wilmslow, SK9 2SN, United Kingdom