Data Processing Agreement
Last updated: 2 April 2026
This Data Processing Agreement ("DPA") forms part of the agreement between ComplianceAgent UK ("Processor") and the customer ("Controller") governing ComplianceAgent UK's processing of personal data on behalf of the customer.
1. Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person, as defined by UK GDPR Article 4(1).
- "Processing" means any operation performed on Personal Data, including collection, recording, organisation, structuring, storage, adaptation, retrieval, consultation, use, disclosure, combination, restriction, erasure, or destruction.
- "Controller" means the customer who determines the purposes and means of processing Personal Data.
- "Processor" means ComplianceAgent UK, which processes Personal Data on behalf of the Controller.
- "Sub-processor" means any third party engaged by the Processor to process Personal Data.
- "UK GDPR" means the retained EU law version of the General Data Protection Regulation (EU) 2016/679, as it forms part of the law of England and Wales, Scotland, and Northern Ireland by virtue of the European Union (Withdrawal) Act 2018.
2. Scope and Purpose of Processing
The Processor processes Personal Data solely for the purpose of providing the ComplianceAgent UK service to the Controller, which includes:
- Scanning the Controller's Microsoft 365 or Google Workspace environment for risk signals
- Generating scan-based posture scores and risk assessments
- Producing scan reports
- Providing automated monitoring and alerts (on paid plans)
3. Categories of Data Subjects
The categories of data subjects whose Personal Data may be processed include:
- The Controller's employees and staff
- The Controller's clients and customers
- Any individuals whose personal data appears in the Controller's emails, files, or documents
4. Types of Personal Data
The types of Personal Data that may be processed during a compliance scan include:
- Names, email addresses, and contact details
- National Insurance numbers
- Financial information (bank account details, payment references)
- Addresses and phone numbers
- Any other personal data present in the Controller's scanned emails and files
Important: ComplianceAgent UK does not store, copy, or retain full email/file content. We process content during a scan run to identify risks and retain only scan results (scores and finding summaries).
5. Obligations of the Processor
The Processor shall:
- Process Personal Data only on documented instructions from the Controller, unless required by law
- Ensure that persons authorised to process Personal Data have committed to confidentiality
- Implement appropriate technical and organisational measures to ensure security of processing (see Section 7)
- Not engage another processor without prior specific or general written authorisation of the Controller
- Assist the Controller in responding to data subject rights requests
- Assist the Controller in ensuring compliance with GDPR Articles 32–36
- Delete or return all Personal Data at the end of the provision of services, at the Controller's choice
- Make available all information necessary to demonstrate compliance, and allow for audits
6. Obligations of the Controller
The Controller shall:
- Ensure that there is a lawful basis for the processing of Personal Data
- Provide documented instructions for Personal Data processing
- Ensure that data subjects have been informed about the processing
- Comply with all applicable data protection laws
7. Security Measures
The Processor implements the following technical and organisational measures:
- Encryption in transit: All data is transmitted using TLS 1.2 or higher
- Encryption at rest: Sensitive stored fields (such as OAuth tokens) are encrypted at rest (Fernet)
- Access control: Read-only OAuth access - we cannot modify, delete, or send data in your workspace
- Infrastructure: Hosted on SOC 2-compliant cloud infrastructure (Render/AWS)
- No data retention: Actual email and file content is never stored - only scan results are retained
- Security headers: HSTS, X-Content-Type-Options, X-Frame-Options, CSP, and referrer policies
- Rate limiting: API rate limiting to prevent abuse
- Monitoring: Server-side logging and error monitoring
8. Sub-processors
The Processor uses the following sub-processors:
| Sub-processor | Purpose | Location |
|---|---|---|
| Render | Application hosting and infrastructure | United States (SOC 2 compliant) |
| Stripe | Payment processing | United States / EU (PCI DSS Level 1) |
| Microsoft Graph API | OAuth authentication and workspace scanning (Microsoft 365) | As per customer's Microsoft tenant |
| Google APIs | OAuth authentication and workspace scanning (Google Workspace) | As per customer's Google account |
The Controller gives the Processor general written authorisation to engage the sub-processors listed above. The Processor shall inform the Controller of any intended changes concerning the addition or replacement of sub-processors, giving the Controller the opportunity to object.
9. International Transfers
Where Personal Data is transferred outside the United Kingdom, the Processor shall ensure that appropriate safeguards are in place in accordance with UK GDPR Article 46, such as:
- Standard Contractual Clauses (SCCs) approved by the ICO
- Adequacy decisions by the UK Government
- Other lawful transfer mechanisms under UK GDPR
10. Data Breach Notification
In the event of a Personal Data breach, the Processor shall notify the Controller without undue delay and no later than 72 hours after becoming aware of the breach. The notification shall include:
- The nature of the breach, including categories and approximate number of data subjects affected
- Contact details for the Processor's data protection point of contact
- The likely consequences of the breach
- Measures taken or proposed to address the breach
11. Data Subject Rights
The Processor shall assist the Controller in responding to requests from data subjects exercising their rights under the UK GDPR, including:
- Right of access (Article 15)
- Right to rectification (Article 16)
- Right to erasure (Article 17)
- Right to restriction of processing (Article 18)
- Right to data portability (Article 20)
- Right to object (Article 21)
12. Data Retention and Deletion
Upon termination of the service agreement, or upon the Controller's request, the Processor shall:
- Delete all Personal Data processed on behalf of the Controller
- Delete all copies of Personal Data, unless retention is required by applicable law
- Provide written confirmation of deletion upon request
As ComplianceAgent UK does not store the actual content of emails or files, deletion primarily involves removing scan results, posture scores, and account data.
13. Audits
The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations in this DPA and shall allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller.
14. Governing Law
This DPA shall be governed by the laws of England and Wales. Any disputes shall be subject to the exclusive jurisdiction of the courts of England and Wales.
15. Contact
For questions about this Data Processing Agreement or to exercise any rights under it, please contact us:
Email: hello@complianceagent.uk
Website: complianceagent.uk