Data Processing Agreement
Last updated: 19 May 2026
This Data Processing Agreement ("DPA") forms part of the agreement between COMPLIANCEAGENTUK LIMITED (Company No. 17117580) ("Processor", "we", "us") and the customer ("Controller", "you") governing processing of personal data on behalf of the Controller.
Related documents: Sub-processor list (printable) · Privacy Policy
1. Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person, as defined by UK GDPR Article 4(1).
- "Processing" means any operation performed on Personal Data, including collection, recording, organisation, structuring, storage, adaptation, retrieval, consultation, use, disclosure, combination, restriction, erasure, or destruction.
- "Controller" means the customer who determines the purposes and means of processing Personal Data.
- "Processor" means ComplianceAgent UK, which processes Personal Data on behalf of the Controller.
- "Sub-processor" means any third party engaged by the Processor to process Personal Data.
- "UK GDPR" means the retained EU law version of the General Data Protection Regulation (EU) 2016/679, as it forms part of the law of England and Wales, Scotland, and Northern Ireland by virtue of the European Union (Withdrawal) Act 2018.
2. Scope and Purpose of Processing
The Processor processes Personal Data solely for the purpose of providing the ComplianceAgent UK service to the Controller, which includes:
- Scanning the Controller's Microsoft 365 or Google Workspace environment for risk signals
- Generating scan-based posture scores and risk assessments
- Producing scan reports
- Providing automated monitoring and alerts (on paid plans)
3. Categories of Data Subjects
The categories of data subjects whose Personal Data may be processed include:
- The Controller's employees and staff
- The Controller's clients and customers
- Any individuals whose personal data appears in the Controller's emails, files, or documents
4. Types of Personal Data
The types of Personal Data that may be processed during a compliance scan include:
- Names, email addresses, and contact details
- National Insurance numbers
- Financial information (bank account details, payment references)
- Addresses and phone numbers
- Health or other special category data (UK GDPR Article 9) if present in the Controller's workspace content
- Any other personal data present in the Controller's scanned emails, attachments, or files
Special category data: Because scans analyse real mailbox and file content, special category data may appear in transient snippets (for example NHS numbers or health references). The Controller is responsible for ensuring an appropriate lawful basis under Article 9 and for informing data subjects. The Processor processes such data only on the Controller's documented instructions to provide the service.
Content minimisation: We do not store, copy, or retain full email bodies or full file contents. Content is processed in memory during a scan run. We retain scan results (scores, finding summaries, sanitised source names).
5. Obligations of the Processor
The Processor shall:
- Process Personal Data only on documented instructions from the Controller, unless required by law
- Ensure that persons authorised to process Personal Data have committed to confidentiality
- Implement appropriate technical and organisational measures to ensure security of processing (see Section 7)
- Not engage another processor without prior specific or general written authorisation of the Controller
- Assist the Controller in responding to data subject rights requests
- Assist the Controller in ensuring compliance with GDPR Articles 32–36
- Delete or return all Personal Data at the end of the provision of services, at the Controller's choice
- Make available all information necessary to demonstrate compliance, and allow for audits
6. Obligations of the Controller
The Controller shall:
- Ensure that there is a lawful basis for the processing of Personal Data
- Provide documented instructions for Personal Data processing
- Ensure that data subjects have been informed about the processing
- Comply with all applicable data protection laws
7. Security Measures
The Processor implements technical and organisational measures appropriate to the risk, as described in Appendix A (Technical and Organisational Measures) below and summarised here:
- Encryption in transit: TLS 1.2 or higher for all client and API traffic
- Encryption at rest: OAuth tokens and other sensitive fields encrypted with Fernet; database encrypted at rest by the hosting provider
- Access control: Read-only OAuth scopes; production access restricted to authorised personnel; role-based application access
- Content handling: Workspace content not persisted after scan analysis; only findings metadata retained
- Infrastructure: Hosted on Render (AWS-backed infrastructure with SOC 2 Type II reporting)
- Application security: Security headers (HSTS, CSP, X-Frame-Options), CSRF protection on OAuth, API rate limiting
- Logging and monitoring: Structured audit and security event logging; error monitoring
- Backups: Encrypted database backups with rolling retention for disaster recovery
- Sub-processor management: Written agreements and transfer tools for material sub-processors (see Section 8)
We are not ISO 27001 or SOC 2 certified as a company today. Controls are mapped to ISO 27001 and SOC 2 frameworks; certification is on our roadmap. See Security for current posture.
8. Sub-processors
The Controller gives the Processor general written authorisation to engage the sub-processors listed below. The current list is maintained at complianceagent.uk/sub-processors (printable for MSP client packs).
The Processor shall inform the Controller at least 30 days before adding or replacing a sub-processor that processes Controller workspace data, giving the Controller the opportunity to object on reasonable grounds relating to data protection.
| Sub-processor | Purpose | Data shared | Location |
|---|---|---|---|
| Render Services, Inc. | Application hosting, database, cache | All application data (tokens encrypted) | United States (primary) |
| Stripe, Inc. | Payment processing | Billing data, email, subscription metadata | United States / EEA |
| Anthropic, PBC | AI compliance analysis | Content snippets only (see Section 10) | United States |
| Microsoft Corporation | OAuth and M365 scanning (if applicable) | Auth tokens; read-only tenant access | Customer tenant region |
| Google LLC | OAuth and Workspace scanning (if applicable) | Auth tokens; read-only account access | Customer account region |
The Processor remains liable to the Controller for the performance of sub-processor obligations under UK GDPR Article 28(4).
9. International Transfers
Personal Data may be transferred outside the United Kingdom because certain sub-processors are located in the United States or process data there. The United States is not subject to a UK adequacy decision for all transfer scenarios.
The Processor ensures appropriate safeguards under UK GDPR Article 46, including:
| Recipient | Data transferred | Destination | Safeguard |
|---|---|---|---|
| Render | Account, scan results, encrypted tokens, logs | USA | UK International Data Transfer Agreement (IDTA) and/or UK Addendum to EU SCCs under Render's DPA |
| Stripe | Billing and subscription data | USA / EEA | Stripe DPA with SCCs; PCI DSS Level 1 |
| Anthropic | Scan content snippets for AI analysis (may include special category data if present in snippet) | USA | Anthropic Commercial Terms; UK IDTA / SCCs available on written request |
Microsoft and Google processing occurs under the Controller's own tenant or account and their provider terms. Copies of transfer documentation (for example executed IDTA modules) are available on request to karimtaitt@complianceagentuk.com.
10. AI Processing
The Processor uses Anthropic's Claude API to assist with compliance analysis. The following apply:
- What is sent: Only the minimum text snippets required for analysis (typically regex-flagged passages or truncated content), not entire mailboxes or full documents.
- What is not sent: Full mailbox exports, bulk archives, or unnecessary attachments beyond scan limits.
- Retention: Raw snippets are held in memory during processing only and are not stored in the Processor's database after the scan completes.
- Training: Under Anthropic's standard API commercial terms, customer API data is not used to train foundation models.
- Human review: AI outputs are informational; the Controller remains responsible for compliance decisions.
- Fallback: If the AI service is unavailable, deterministic scanning (pattern matching and rules engine) continues without AI.
11. Data Breach Notification
In the event of a Personal Data breach, the Processor shall notify the Controller without undue delay and no later than 72 hours after becoming aware of the breach. The notification shall include:
- The nature of the breach, including categories and approximate number of data subjects affected
- Contact details for the Processor's data protection point of contact
- The likely consequences of the breach
- Measures taken or proposed to address the breach
12. Data Subject Rights
The Processor shall assist the Controller in responding to requests from data subjects exercising their rights under the UK GDPR, including:
- Right of access (Article 15)
- Right to rectification (Article 16)
- Right to erasure (Article 17)
- Right to restriction of processing (Article 18)
- Right to data portability (Article 20)
- Right to object (Article 21)
13. Data Retention and Deletion
Upon termination of the service agreement, or upon the Controller's request, the Processor shall:
- Delete all Personal Data processed on behalf of the Controller
- Delete all copies of Personal Data, unless retention is required by applicable law
- Provide written confirmation of deletion upon request
As ComplianceAgent UK does not store the actual content of emails or files, deletion primarily involves removing scan results, posture scores, and account data.
14. Audits
The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations in this DPA and shall allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller.
15. Liability and Indemnity
15.1 Processor liability. Each party's total aggregate liability arising out of or in connection with this DPA and the service agreement (whether in contract, tort, or otherwise) shall not exceed the greater of: (a) the fees paid by the Controller to the Processor in the twelve (12) months preceding the claim; or (b) one hundred pounds (£100), except where liability cannot be limited under applicable law.
15.2 Exclusions. Nothing in this DPA excludes or limits liability for: (a) death or personal injury caused by negligence; (b) fraud or fraudulent misrepresentation; or (c) any other liability that cannot be excluded under English law.
15.3 Processor indemnity. The Processor shall indemnify and hold harmless the Controller against direct losses, fines, and reasonable legal costs finally awarded against the Controller by a court or regulator, to the extent arising from a Personal Data breach caused solely by the Processor's breach of this DPA or UK GDPR processor obligations, provided the Controller: (i) notifies the Processor promptly; (ii) allows the Processor to control the defence (subject to Controller cooperation); and (iii) does not admit liability without the Processor's consent.
15.4 Insurance. The Processor shall use commercially reasonable efforts to maintain appropriate cyber liability and professional indemnity insurance as the business scales. Details are available on request.
15.5 Controller responsibility. The Controller indemnifies the Processor against claims arising from the Controller's unlawful instructions, lack of lawful basis, or failure to meet Article 9 obligations for special category data in the Controller's workspace.
16. Governing Law
This DPA shall be governed by the laws of England and Wales. Any disputes shall be subject to the exclusive jurisdiction of the courts of England and Wales.
17. Contact
For questions about this Data Processing Agreement or to exercise any rights under it, please contact us:
Email: karimtaitt@complianceagentuk.com
Website: complianceagent.uk
Appendix A — Technical and Organisational Measures (TOMs)
This appendix describes measures implemented by the Processor as at the date of the DPA.
A.1 Governance and personnel
- Designated contact for data protection enquiries and breach notification
- Confidentiality obligations for personnel with production access
- Security and privacy considerations in change management
- Controls mapped to ISO 27001:2022 and SOC 2 criteria (self-assessment; formal certification on roadmap)
A.2 Access control
- Unique user accounts; no shared production credentials
- Production database access restricted to application services and authorised administrators
- Customer workspace access via read-only OAuth scopes only (Mail.Read, Files.Read / gmail.readonly, drive.readonly)
- Session authentication via HttpOnly signed JWT cookies; CSRF protection on OAuth flows
- API rate limiting and abuse detection
A.3 Encryption and pseudonymisation
- TLS 1.2+ for data in transit; HSTS enforced
- Fernet (AES-128-CBC + HMAC) for OAuth tokens at rest
- Database encryption at rest via hosting provider
- Encrypted rolling database backups
A.4 Processing integrity and AI handling
- Deterministic pre-scan (pattern matching) before optional AI analysis
- Minimum-necessary snippets transmitted to Anthropic API; no full mailbox storage
- AI circuit breaker: scans continue with non-AI detection if API unavailable
- Findings stored as structured metadata (severity, category, remediation), not raw content
- Attachment processing with size and count limits; password-protected files skipped with logged outcome
A.5 Availability and resilience
- Managed cloud hosting with provider SLA
- Health checks and automated restart on failure
- Database backups and recovery procedures
- Scan job queue with concurrency limits to protect service stability
A.6 Incident response
- Documented breach notification to Controllers within 72 hours of awareness
- Security event logging and investigation procedures
- Cooperation with Controller and supervisory authority as required
A.7 Retention and deletion
- Account deletion removes findings, scores, tokens, and scan history (subject to legal billing retention)
- Technical logs retained up to 90 days unless needed for incident investigation
- Billing records retained up to 7 years where required by UK law
A.8 Sub-processor and transfer management
- Published sub-processor list at /sub-processors
- Written DPAs or equivalent terms with material sub-processors
- UK IDTA / SCCs for US transfers where applicable; copies available on request
- 30-day notice before material sub-processor changes
A.9 Vulnerability and assurance (roadmap)
- Dependency and infrastructure patching via hosting provider and application updates
- Automated test suite including security and scanner accuracy regression tests
- Cyber Essentials certification in progress; independent penetration testing planned as customer base grows
- Formal ISO 27001 / SOC 2 Type II certification planned; not yet held