Data Processing Agreement

Last updated: 19 May 2026

This Data Processing Agreement ("DPA") forms part of the agreement between COMPLIANCEAGENTUK LIMITED (Company No. 17117580) ("Processor", "we", "us") and the customer ("Controller", "you") governing processing of personal data on behalf of the Controller.

Related documents: Sub-processor list (printable) · Privacy Policy

1. Definitions

2. Scope and Purpose of Processing

The Processor processes Personal Data solely for the purpose of providing the ComplianceAgent UK service to the Controller, which includes:

3. Categories of Data Subjects

The categories of data subjects whose Personal Data may be processed include:

4. Types of Personal Data

The types of Personal Data that may be processed during a compliance scan include:

Special category data: Because scans analyse real mailbox and file content, special category data may appear in transient snippets (for example NHS numbers or health references). The Controller is responsible for ensuring an appropriate lawful basis under Article 9 and for informing data subjects. The Processor processes such data only on the Controller's documented instructions to provide the service.

Content minimisation: We do not store, copy, or retain full email bodies or full file contents. Content is processed in memory during a scan run. We retain scan results (scores, finding summaries, sanitised source names).

5. Obligations of the Processor

The Processor shall:

6. Obligations of the Controller

The Controller shall:

7. Security Measures

The Processor implements technical and organisational measures appropriate to the risk, as described in Appendix A (Technical and Organisational Measures) below and summarised here:

We are not ISO 27001 or SOC 2 certified as a company today. Controls are mapped to ISO 27001 and SOC 2 frameworks; certification is on our roadmap. See Security for current posture.

8. Sub-processors

The Controller gives the Processor general written authorisation to engage the sub-processors listed below. The current list is maintained at complianceagent.uk/sub-processors (printable for MSP client packs).

The Processor shall inform the Controller at least 30 days before adding or replacing a sub-processor that processes Controller workspace data, giving the Controller the opportunity to object on reasonable grounds relating to data protection.

| Sub-processor | Purpose | Data shared | Location |
|---|---|---|---|
| Render Services, Inc. | Application hosting, database, cache | All application data (tokens encrypted) | United States (primary) |
| Stripe, Inc. | Payment processing | Billing data, email, subscription metadata | United States / EEA |
| Anthropic, PBC | AI compliance analysis | Content snippets only (see Section 10) | United States |
| Microsoft Corporation | OAuth and M365 scanning (if applicable) | Auth tokens; read-only tenant access | Customer tenant region |
| Google LLC | OAuth and Workspace scanning (if applicable) | Auth tokens; read-only account access | Customer account region |

The Processor remains liable to the Controller for the performance of sub-processor obligations under UK GDPR Article 28(4).

9. International Transfers

Personal Data may be transferred outside the United Kingdom because certain sub-processors are located in the United States or process data there. The United States is not subject to a UK adequacy decision for all transfer scenarios.

The Processor ensures appropriate safeguards under UK GDPR Article 46, including:

| Recipient | Data transferred | Destination | Safeguard |
|---|---|---|---|
| Render | Account, scan results, encrypted tokens, logs | USA | UK International Data Transfer Agreement (IDTA) and/or UK Addendum to EU SCCs under Render's DPA |
| Stripe | Billing and subscription data | USA / EEA | Stripe DPA with SCCs; PCI DSS Level 1 |
| Anthropic | Scan content snippets for AI analysis (may include special category data if present in snippet) | USA | Anthropic Commercial Terms; UK IDTA / SCCs available on written request |

Microsoft and Google processing occurs under the Controller's own tenant or account and their provider terms. Copies of transfer documentation (for example executed IDTA modules) are available on request to karimtaitt@complianceagentuk.com.

10. AI Processing

The Processor uses Anthropic's Claude API to assist with compliance analysis. The following apply:

11. Data Breach Notification

In the event of a Personal Data breach, the Processor shall notify the Controller without undue delay and no later than 72 hours after becoming aware of the breach. The notification shall include:

12. Data Subject Rights

The Processor shall assist the Controller in responding to requests from data subjects exercising their rights under the UK GDPR, including:

13. Data Retention and Deletion

Upon termination of the service agreement, or upon the Controller's request, the Processor shall:

As ComplianceAgent UK does not store the actual content of emails or files, deletion primarily involves removing scan results, posture scores, and account data.

14. Audits

The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations in this DPA and shall allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller.

15. Liability and Indemnity

15.1 Processor liability. Each party's total aggregate liability arising out of or in connection with this DPA and the service agreement (whether in contract, tort, or otherwise) shall not exceed the greater of: (a) the fees paid by the Controller to the Processor in the twelve (12) months preceding the claim; or (b) one hundred pounds (£100), except where liability cannot be limited under applicable law.

15.2 Exclusions. Nothing in this DPA excludes or limits liability for: (a) death or personal injury caused by negligence; (b) fraud or fraudulent misrepresentation; or (c) any other liability that cannot be excluded under English law.

15.3 Processor indemnity. The Processor shall indemnify and hold harmless the Controller against direct losses, fines, and reasonable legal costs finally awarded against the Controller by a court or regulator, to the extent arising from a Personal Data breach caused solely by the Processor's breach of this DPA or UK GDPR processor obligations, provided the Controller: (i) notifies the Processor promptly; (ii) allows the Processor to control the defence (subject to Controller cooperation); and (iii) does not admit liability without the Processor's consent.

15.4 Insurance. The Processor shall use commercially reasonable efforts to maintain appropriate cyber liability and professional indemnity insurance as the business scales. Details available on request.

15.5 Controller responsibility. The Controller indemnifies the Processor against claims arising from the Controller's unlawful instructions, lack of lawful basis, or failure to meet Article 9 obligations for special category data in the Controller's workspace.

16. Governing Law

This DPA shall be governed by the laws of England and Wales. Any disputes shall be subject to the exclusive jurisdiction of the courts of England and Wales.

17. Contact

For questions about this Data Processing Agreement or to exercise any rights under it, please contact us:

Email: karimtaitt@complianceagentuk.com
Website: complianceagent.uk
Appendix A — Technical and Organisational Measures (TOMs)

This appendix describes measures implemented by the Processor as at the date of the DPA.

A.1 Governance and personnel

A.2 Access control

A.3 Encryption and pseudonymisation

A.4 Processing integrity and AI handling

A.5 Availability and resilience

A.6 Incident response

A.7 Retention and deletion

A.8 Sub-processor and transfer management

A.9 Vulnerability and assurance (roadmap)