Data Processing Agreement

Last updated: 18 May 2026

Parties

Between:

(1) Redactr Platforms Ltd, a company incorporated in England and Wales (company number 17022943) whose registered office is at 167–169 Great Portland Street, London, W1W 5PF, England (the "Processor"); and

(2) The entity identified as the customer under the Principal Agreement (the "Controller").

(each a "Party" and together the "Parties")

Background

(A) The Processor provides an API-based document redaction service that reads file contents, uses large language models to identify sensitive data, and applies redactions using coordinates supplied or confirmed by the Controller (the "Service").

(B) In the course of providing the Service, the Processor will Process Personal Data on behalf of the Controller.

(C) The Parties wish to ensure that such Processing is carried out in compliance with Data Protection Laws and that the rights of Data Subjects are protected.

It is agreed as follows.

1. Definitions and Interpretation

1.1 Defined Terms

In this DPA, unless the context otherwise requires, the following terms have the meanings set out below. Capitalised terms not defined in this DPA have the meanings given to them in the Principal Agreement.

"Authorised Sub-processor" means a Sub-processor listed in Annex III or subsequently approved in accordance with Clause 5.

"Business Day" means a day other than a Saturday, Sunday, or public holiday in England and Wales.

"Controller" has the meaning given in the UK GDPR and, for the purposes of this DPA, refers to the Customer as identified in the Principal Agreement.

"Data Protection Contact" means the Processor's point of contact for data protection matters under this DPA, reachable at inbox@redactr.io.

"Data Protection Laws" means all applicable laws and regulations relating to the processing of personal data, including (a) the UK GDPR; (b) the Data Protection Act 2018; (c) the EU GDPR to the extent applicable; and (d) any laws or regulations implementing or supplementing any of the foregoing, in each case as amended, re-enacted, or replaced from time to time.

"Data Subject" has the meaning given in the UK GDPR.

"EU GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.

"Idempotency Reference" means a unique operation-reference identifier generated by the Processor to prevent duplicate processing of the same API request, cached temporarily and containing no Tier 1 Data.

"Personal Data" has the meaning given in the UK GDPR.

"Personal Data Breach" has the meaning given in the UK GDPR.

"Principal Agreement" means the agreement between the Processor and the Controller under which the Processor provides the Service.

"Processing" has the meaning given in the UK GDPR (and "Process" and "Processed" shall be construed accordingly).

"Processing Window" means the period during which the Processor actively Processes Tier 1 Data or Tier 2 Data for the purpose of fulfilling a specific API request from the Controller, commencing when the data is received and ending when the API response is returned.

"Processor" has the meaning given in the UK GDPR and, for the purposes of this DPA, refers to Redactr Platforms Ltd.

"Service" means the API-based document redaction service provided by the Processor under the Principal Agreement, as further described in Annex I.

"Special Category Data" has the meaning given in Article 9(1) of the UK GDPR.

"Sub-processor" means any third party appointed by the Processor or on behalf of the Processor to Process Personal Data in connection with the Service.

"Supervisory Authority" means an independent public authority with responsibility for monitoring the application of Data Protection Laws, including the UK Information Commissioner's Office (ICO).

"Technical and Organisational Measures" or "TOMs" means the security measures described in Annex II.

"Tier 1 Data" means Personal Data contained within files uploaded by the Controller for processing via the Service, including document text, embedded metadata, and any personal data identifiable within such file contents. Tier 1 Data is processed ephemerally and is never persisted, logged, cached, or used for model training by the Processor.

"Tier 2 Data" means derived output generated by the Service, including redacted files, suggestion lists, and model reasoning. Tier 2 Data is returned to the Controller as an API response and is not retained by the Processor, subject only to the Idempotency Reference exception described in Clause 4.3.

"Tier 3 Data" means operational metadata generated in the course of providing the Service, including account identifiers, usage metrics, API call logs (excluding any Tier 1 Data or Tier 2 Data), and configuration preferences.

"Tier 4 Data" means billing data, invoicing records, account administration data, and (where the relevant account holder has opted in) marketing-contact data (name and email address) processed in connection with the Controller's subscription to the Service.

"UK GDPR" means the retained EU law version of the EU GDPR as it forms part of the law of England and Wales, Scotland, and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018, as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019.

1.2 Interpretation

In this DPA:

  1. a reference to a statute or statutory provision is a reference to it as amended, extended, or re-enacted from time to time;
  2. a reference to a "Clause" or "Annex" is a reference to a clause of, or annex to, this DPA;
  3. headings are for convenience only and do not affect interpretation;
  4. words importing the singular include the plural and vice versa;
  5. a reference to "writing" or "written" includes email but excludes fax;
  6. in the event of any conflict between this DPA and the Principal Agreement, this DPA shall prevail in respect of the Processing of Personal Data; and
  7. where the UK GDPR and the EU GDPR define the same term differently, the UK GDPR definition shall take precedence for the purposes of this DPA, except where the EU GDPR applies directly to the Processing in question.

2. Scope and Roles

2.1 This DPA applies to the Processing of Personal Data by the Processor on behalf of the Controller in connection with the Service.

2.2 For the purposes of Data Protection Laws:

  1. the Controller is the controller of the Personal Data;
  2. the Processor is the processor of the Personal Data; and
  3. Annex I sets out the subject matter, duration, nature, and purpose of the Processing, the types of Personal Data, and the categories of Data Subjects.

2.3 The Controller warrants that it has all necessary consents, legal bases, and authority to provide the Personal Data to the Processor for Processing in accordance with this DPA and the Principal Agreement.

2.4 Each Party shall comply with its respective obligations under Data Protection Laws.

3. Nature of Processing

3.1 The Processor provides the Service as described in the Background and Annex I. The Processing consists of receiving files submitted by the Controller via API, using large language models (hosted on AWS Bedrock) to identify potentially sensitive data, and applying redactions based on coordinates supplied or confirmed by the Controller.

3.2 Personal Data Processed under this DPA is classified into four tiers as defined in Clause 1.1 and further described in Annex I:

  1. Tier 1 Data (file content) is processed ephemerally within a Processing Window of seconds to minutes. It is never persisted to disk, never written to application logs, never cached beyond the Processing Window, and never used for model training;
  2. Tier 2 Data (derived output) is generated during Processing and returned to the Controller as part of the API response. It is not retained by the Processor beyond the API response delivery, subject solely to the Idempotency Reference described in Clause 4.3;
  3. Tier 3 Data (operational metadata) is retained for the duration of the Controller's account plus thirty (30) days; and
  4. Tier 4 Data (billing and account data) is retained in accordance with the applicable Sub-processor's data processing terms as set out in Annex III.

3.3 Personal Data Processed under this DPA may include Special Category Data within the meaning of Article 9 of the UK GDPR (notably health data processed as part of medical document redaction workflows) and data relating to criminal convictions and offences within the meaning of Article 10 of the UK GDPR (which may be encountered in data subject access request workflows). The Controller is responsible for establishing the lawful basis for the processing of such data under Articles 9(2) and 10 of the UK GDPR (and the equivalent provisions of the EU GDPR where applicable). The Processor shall provide the technical safeguards described in Annex II to support such Processing.

3.4 Details of the Processing, including the subject matter, duration, nature, purpose, types of Personal Data, and categories of Data Subjects, are set out in Annex I.

4. Processor Obligations

4.1 General Obligations

The Processor shall:

  1. Process Personal Data only on the Controller's documented instructions, unless required to do so by applicable law, in which case the Processor shall (to the extent permitted by law) inform the Controller of that legal requirement before Processing;
  2. ensure that persons authorised to Process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
  3. implement and maintain the technical and organisational measures set out in Annex II;
  4. not engage another processor without complying with Clause 5;
  5. taking into account the nature of the Processing, assist the Controller by implementing appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Controller's obligation to respond to requests for exercising Data Subject rights as set out in Clause 7;
  6. assist the Controller in ensuring compliance with its obligations under Articles 32 to 36 of the UK GDPR, taking into account the nature of the Processing and the information available to the Processor;
  7. at the choice of the Controller, delete or return all Personal Data to the Controller after the end of the provision of the Service, and delete existing copies unless applicable law requires storage of the Personal Data; and
  8. make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in this Clause 4 and allow for and contribute to audits, including inspections, in accordance with Clause 9.

4.2 Non-Retention Commitment

The Processor does not retain Tier 1 Data beyond the Processing Window. The Processor does not retain Tier 2 Data beyond the delivery of the API response to the Controller. These commitments are contractually binding obligations and not statements of best-efforts intent.

For the avoidance of doubt:

  1. Tier 1 Data is held in volatile memory only for the duration of the API request-response cycle and is purged automatically upon completion;
  2. Tier 2 Data is transmitted to the Controller as part of the API response payload and is not stored, cached, or persisted by the Processor after transmission, subject only to the Idempotency Reference described in Clause 4.3; and
  3. the Processor does not use Tier 1 Data or Tier 2 Data for model training, analytics, product improvement, or any purpose other than performing the Service as instructed by the Controller.

4.3 Idempotency Reference Exception

The Processor maintains an idempotency operation-reference cache to prevent duplicate processing of the same API request. This cache:

  1. stores only a unique operation-reference identifier (the Idempotency Reference) and does not contain any Tier 1 Data;
  2. has a limited cache time-to-live and is purged automatically upon expiry; and
  3. is stored on an Authorised Sub-processor listed in Annex III.

4.4 Controller Instructions

The Processor shall immediately inform the Controller if, in the Processor's opinion, an instruction from the Controller infringes Data Protection Laws.

5. Sub-processor Management

5.1 General Authorisation

The Controller provides general authorisation for the Processor to engage the Authorised Sub-processors listed in Annex III as at the Effective Date.

5.2 Notice of Changes

The Processor shall give the Controller at least thirty (30) days' prior written notice of any intended addition to or replacement of Authorised Sub-processors, providing the Controller with sufficient information (including the proposed Sub-processor's name, location, and the nature of Processing) to enable the Controller to exercise its right to object.

5.3 Right to Object

The Controller may object in writing to the appointment of a new or replacement Sub-processor within the thirty (30) day notice period referred to in Clause 5.2. If the Controller raises a reasonable objection and the Processor cannot reasonably accommodate the objection (including by offering an alternative Sub-processor or configuration), the Controller may terminate the Principal Agreement and this DPA without penalty, with effect from the date on which the proposed Sub-processor would have commenced Processing.

5.4 Sub-processor Obligations

Where the Processor engages an Authorised Sub-processor, the Processor shall:

  1. carry out adequate due diligence to ensure that the Sub-processor is capable of providing the level of protection for Personal Data required by this DPA and Data Protection Laws;
  2. ensure that the arrangement between the Processor and the Sub-processor is governed by a written contract that imposes on the Sub-processor data protection obligations no less onerous than those imposed on the Processor under this DPA; and
  3. remain fully liable to the Controller for the performance of the Sub-processor's obligations.

5.5 Current Sub-processors

The current list of Authorised Sub-processors, including the categories of Personal Data each Sub-processor may access, the applicable retention periods, and the relevant data processing agreement references, is set out in Annex III.

6. International Transfers

6.1 The Processor processes all Tier 1 Data and Tier 2 Data exclusively within the European Union. Persistent infrastructure operated by the Processor is hosted in AWS region eu-west-1 (Ireland). Large language model inference is routed via an AWS Bedrock Geographic cross-Region inference profile scoped to the EU geography (system-defined inference profiles prefixed eu.); the Processor does not guarantee inference in any specific EU region but does guarantee that inference takes place exclusively within the European Union. AWS confirms that data transmitted between regions under a Geographic profile remains on the AWS private network, does not traverse the public internet, and is encrypted in transit. No routing of Tier 1 Data or Tier 2 Data outside the European Economic Area takes place.

6.2 Tier 3 Data and Tier 4 Data are processed by the Sub-processors identified in Annex III. As at the Effective Date, all such Sub-processors process data within the European Economic Area or in jurisdictions recognised as providing an adequate level of data protection, save where a Sub-processor identified in Annex III has been engaged on the basis of Standard Contractual Clauses or an equivalent transfer mechanism, in which case Annex III identifies the mechanism relied upon.

6.3 The Processor shall not transfer Personal Data to a country outside the United Kingdom or the European Economic Area unless:

  1. the Controller has provided prior written consent;
  2. appropriate safeguards are in place in accordance with Chapter V of the UK GDPR (or Chapter V of the EU GDPR, as applicable); and
  3. the Processor complies with its obligations under Data Protection Laws with respect to such transfer.

6.4 In the event that a change in the Processor's infrastructure or Sub-processor arrangements would result in a transfer of Personal Data outside the European Economic Area, the Processor shall notify the Controller in advance in accordance with Clause 5.2 and the Parties shall cooperate to put in place the appropriate transfer mechanism before the transfer takes place, which may include the UK International Data Transfer Agreement, EU Standard Contractual Clauses, or an alternative lawful transfer mechanism.

7. Data Subject Rights

7.1 The Processor shall, taking into account the nature of the Processing, assist the Controller by implementing appropriate technical and organisational measures, insofar as this is possible, to enable the Controller to fulfil its obligations to respond to requests from Data Subjects exercising their rights under Chapter III of the UK GDPR (and Chapter III of the EU GDPR where applicable).

7.2 The Processor shall:

  1. promptly notify the Controller if it receives a request from a Data Subject in respect of Personal Data Processed under this DPA, and shall not respond to such request except on the Controller's documented instructions or as required by applicable law;
  2. provide reasonable assistance to the Controller in responding to Data Subject requests within ten (10) Business Days of the Controller's written request for assistance; and
  3. maintain appropriate records and technical capabilities to support the Controller in fulfilling Data Subject requests.

7.3 The Controller acknowledges that, given the ephemeral nature of Tier 1 Data and Tier 2 Data Processing, the Processor's ability to assist with Data Subject requests relating to such data is limited to confirming the non-retention of that data.

7.4 The Processor may charge the Controller a reasonable fee for assistance provided under this Clause 7 where such assistance is disproportionate in scope, complexity, or frequency, provided the Processor notifies the Controller in advance of the estimated cost.

8. Personal Data Breach Notification

8.1 The Processor shall notify the Controller of any Personal Data Breach without undue delay and in any event within seventy-two (72) hours of becoming aware of the breach.

8.2 The notification under Clause 8.1 shall include, to the extent reasonably available at the time of notification:

  1. a description of the nature of the Personal Data Breach, including where possible the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned;
  2. the name and contact details of the Data Protection Contact, from whom further information may be obtained;
  3. a description of the likely consequences of the Personal Data Breach; and
  4. a description of the measures taken or proposed to be taken by the Processor to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects.

8.3 Where it is not possible to provide the information specified in Clause 8.2 at the time of initial notification, the Processor shall provide the information in phases without further undue delay as such information becomes available.

8.4 The Processor shall cooperate with the Controller and take such commercially reasonable steps as the Controller may direct to investigate, mitigate, and remediate the Personal Data Breach.

8.5 The Processor shall document any Personal Data Breach, including the facts relating to the breach, its effects, and the remedial action taken, and make such documentation available to the Controller and the Supervisory Authority upon request.

8.6 The Processor's obligation to notify the Controller under this Clause 8 shall not be construed as an acknowledgement of fault or liability by the Processor.

9. Audit Rights

9.1 The Processor shall make available to the Controller all information reasonably necessary to demonstrate compliance with this DPA and Data Protection Laws.

9.2 The Controller (or its appointed third-party auditor) may conduct one (1) audit per calendar year of the Processor's Processing activities and compliance with this DPA, subject to the following conditions:

  1. the Controller shall give the Processor at least thirty (30) days' prior written notice of any proposed audit;
  2. the audit shall be conducted by a mutually agreed independent third-party auditor, who shall enter into appropriate confidentiality obligations with the Processor;
  3. the audit shall be conducted during the Processor's normal business hours and shall not unreasonably interfere with the Processor's business operations;
  4. the scope of the audit shall be limited to the Processor's Processing of Personal Data under this DPA; and
  5. the Controller shall bear the costs of the audit, including the third-party auditor's fees, unless the audit reveals material non-compliance by the Processor with this DPA, in which case the Processor shall bear such costs.

9.3 To the extent that the Processor obtains ISO/IEC 27001 certification or an equivalent industry-standard security certification, the Processor may offer the relevant certification report as supplementary evidence of its technical and organisational measures. Such certification shall supplement, but shall not replace, the Controller's audit rights under this Clause 9.

9.4 The Processor shall promptly remediate any material non-compliance identified through an audit conducted under this Clause 9 and shall provide the Controller with written confirmation of the remedial steps taken.

10. Liability

10.1 Each Party's liability arising under or in connection with this DPA shall be subject to the limitations and exclusions of liability set out in the Principal Agreement.

10.2 Nothing in this DPA shall limit or exclude either Party's liability for:

  1. fraud or fraudulent misrepresentation;
  2. any liability that cannot be limited or excluded by applicable law; or
  3. any indemnity expressly given under the Principal Agreement.

10.3 The Processor shall indemnify the Controller against all claims, liabilities, costs, expenses, and damages (including reasonable legal fees) arising from the Processor's breach of this DPA or Data Protection Laws to the extent caused by the Processor's negligence or wilful default, subject to the limitations on liability in the Principal Agreement.

11. Term and Termination

11.1 This DPA shall come into effect on the date the Principal Agreement is executed and shall remain in force for the duration of the Principal Agreement.

11.2 This DPA shall automatically terminate upon the termination or expiry of the Principal Agreement, save that the provisions of this DPA that relate to the Processing of Personal Data shall continue to apply for so long as the Processor retains any Personal Data Processed under this DPA.

11.3 Upon termination of the Principal Agreement or this DPA:

  1. the Processor shall, at the Controller's written election, either return all Personal Data to the Controller in a commonly used machine-readable format or securely delete all Personal Data in the Processor's possession, and shall confirm such deletion in writing within thirty (30) days;
  2. the obligation to delete under paragraph 1 of this Clause 11.3 shall not apply to the extent that the Processor is required by applicable law to retain any Personal Data, provided the Processor shall (i) notify the Controller of such requirement, (ii) restrict its Processing of such Personal Data to that required by law, and (iii) ensure the continued protection of such Personal Data in accordance with this DPA;
  3. Tier 1 Data and Tier 2 Data will, by virtue of the non-retention commitment in Clause 4.2, already have been purged at the time of termination;
  4. Tier 3 Data shall be deleted within thirty (30) days following the termination date; and
  5. Tier 4 Data shall be deleted in accordance with the applicable Sub-processor's data processing terms and the Processor's legal retention obligations.

11.4 Clauses 1 (Definitions and Interpretation), 4.2 (Non-Retention Commitment), 8 (Personal Data Breach Notification), 10 (Liability), 11 (Term and Termination), and 12 (General Provisions) shall survive the termination or expiry of this DPA.

12. General Provisions

12.1 Entire Agreement

This DPA, together with the Principal Agreement and the Annexes hereto, constitutes the entire agreement between the Parties in relation to the Processing of Personal Data and supersedes all prior agreements, understandings, and arrangements (whether oral or written) relating to such Processing.

12.2 Amendments

This DPA may be amended only by a written instrument signed by both Parties, save that the Processor may update Annex II (Technical and Organisational Measures) from time to time to reflect improvements to its security posture, provided that such updates do not materially diminish the level of protection afforded to Personal Data.

12.3 Governing Law

This DPA and any dispute or claim arising out of or in connection with it or its subject matter or formation (including non-contractual disputes or claims) shall be governed by and construed in accordance with the laws of England and Wales.

12.4 Jurisdiction

Each Party irrevocably agrees that the courts of England and Wales shall have exclusive jurisdiction to settle any dispute or claim arising out of or in connection with this DPA or its subject matter or formation (including non-contractual disputes or claims).

12.5 Severability

If any provision of this DPA is found by any court or administrative body of competent jurisdiction to be invalid or unenforceable, the invalidity or unenforceability of that provision shall not affect the other provisions of this DPA, and all provisions not affected by such invalidity or unenforceability shall remain in full force and effect.

12.6 Notices

All notices under this DPA shall be in writing and shall be delivered to the addresses specified in the Principal Agreement, or, in the case of notices to the Processor concerning data protection matters, to the Data Protection Contact at inbox@redactr.io, or to such other address as may be notified by one Party to the other from time to time.

12.7 Third Party Rights

No person other than a Party to this DPA shall have any right under the Contracts (Rights of Third Parties) Act 1999 to enforce any term of this DPA.

12.8 Waiver

No failure or delay by a Party to exercise any right or remedy provided under this DPA or by law shall constitute a waiver of that or any other right or remedy, nor shall it prevent or restrict the further exercise of that or any other right or remedy.

12.9 Assignment

The Processor may not assign or transfer this DPA or any rights or obligations under it without the prior written consent of the Controller.

Annex I: Description of Processing

Schedule 1: Subject Matter and Duration

Subject matter of Processing: Processing of Personal Data contained in files submitted by the Controller for the purpose of automated sensitive data identification and redaction via the Service.

Duration of Processing: For the term of the Principal Agreement. Tier 1 Data is processed ephemerally (seconds to minutes). Tier 2 Data is not retained. Tier 3 Data is retained for account lifetime plus 30 days. Tier 4 Data is retained per Sub-processor DPA terms.

Nature of Processing: Automated analysis of file contents using large language models to identify potentially sensitive data, generation of redaction suggestions, and application of redactions based on coordinates supplied or confirmed by the Controller. Ingestion follows one of two modes — direct upload via the API request body, or connector-mediated ingestion from Controller-operated storage (see Schedule 4). Tier 2 derived output is returned to the Controller as a synchronous API response and, where the Controller configures a webhook URL on the job, additionally delivered by HTTPS POST to that Controller-controlled endpoint upon job completion. The Processor is responsible for the security and integrity of the webhook payload up to the point of delivery; the Controller is responsible for the security of the webhook endpoint and any onward Processing of the delivered payload.

Purpose of Processing: To enable the Controller to identify and redact sensitive personal data within documents, supporting the Controller's compliance obligations under Data Protection Laws.

Schedule 2: Types of Personal Data by Tier

For each Data Tier, the categories of Personal Data, the retention period, and the storage location are as follows.

Tier 1 — File Content
  Categories of Personal Data: Any personal data contained in files submitted by the Controller, which may include names, addresses, national insurance numbers, health data (Article 9 UK GDPR), criminal offence data (Article 10 UK GDPR), financial data, and any other personal data present in the submitted documents.
  Retention: Ephemeral only: seconds to minutes Processing Window. Never persisted, logged, cached, or used for training.
  Storage: Volatile memory only; large language model inference via the AWS Bedrock Geographic cross-Region inference profile scoped to the EU geography (eu.* system-defined profiles).

Tier 2 — Derived Output
  Categories of Personal Data: Redacted files, redaction suggestion lists, model reasoning outputs.
  Retention: Not retained by Processor. Returned to Controller as API response, and/or delivered by HTTPS POST to a Controller-configured webhook endpoint upon job completion. Exception: Idempotency Reference (operation-reference identifier only; no Tier 1 content).
  Storage: API response payload; webhook POST to Controller endpoint where configured. Idempotency cache in AWS ElastiCache (eu-west-1).

Tier 3 — Operational Metadata
  Categories of Personal Data: Account identifiers, API call logs (excluding file content), usage metrics, configuration preferences, user email addresses.
  Retention: Account lifetime plus 30 days.
  Storage: AWS RDS (eu-west-1).

Tier 4 — Billing and Account Data
  Categories of Personal Data: Invoice records, payment method tokens, subscription details, billing contact information, and (for account holders who have opted in) marketing-contact data limited to name and email address.
  Retention: Per Sub-processor DPA terms. Marketing-contact data is retained until the account holder withdraws consent or the account is terminated, whichever is sooner.
  Storage: Stripe (billing); Brevo (marketing-opt-in contact data only); AWS RDS (eu-west-1).

Schedule 3: Categories of Data Subjects

Data Subjects may include:

  1. Employees, contractors, and agents of the Controller whose personal data appears in documents submitted for redaction;
  2. Customers, clients, and patients of the Controller whose personal data appears in submitted documents;
  3. Third parties whose personal data appears in documents submitted by the Controller;
  4. The Controller's own personnel who interact with the Service (Tier 3 and Tier 4 Data); and
  5. Any other individual whose personal data is contained in files submitted to the Service by the Controller.

Schedule 4: Connector-Mediated Processing

The Service supports two modes of Personal Data ingestion. The Controller chooses the mode on a per-request basis.

Mode 1 — Direct upload. The Controller transmits the file to the Service as part of the API request body. The Processor receives the file, Processes it within the Processing Window, and the file content is released from volatile memory at the end of that window, in accordance with Clause 4.2 and Schedule 2.

Mode 2 — Connector-mediated. The Controller configures a connector that authorises the Processor to read source files from, and (optionally) write redacted outputs to, storage that the Controller continues to operate (currently supported drivers include AWS S3, DigitalOcean Spaces, MinIO, and Backblaze B2; the supported list is published in the Service documentation and may be extended without amending this DPA). On each Processing call:

  1. The Processor fetches a transient working copy of the source file from the Controller's storage into Tier 1 (volatile memory) for the Processing Window. The transient working copy is governed by the same non-retention commitment in Clause 4.2 as Tier 1 Data ingested by direct upload.
  2. If an output connector is configured on the call, the Processor writes the redacted output back to the Controller's storage and discards its working copy. The Processor retains no persistent copy of the result.
  3. The source file and any output written back remain in the Controller's storage at all times. The Controller is the data controller for files at rest in their connected storage, and is responsible for their retention, access control, encryption, and deletion in accordance with the Controller's own obligations under Data Protection Laws. The Processor's data-protection obligations under this DPA extend to the transient working copy and the output the Processor writes back; they do not extend to files at rest in the Controller's storage.
  4. Connector configurations (credentials, endpoints, bucket names, and equivalent) are treated as Controller credentials, not as Personal Data. The Processor stores connector configurations encrypted at rest on the Processor's infrastructure, excludes them from the audit trail, and never writes them to application logs, exception messages, or queue payloads in plaintext.
  5. Connector paths (object keys, file paths, or equivalent) follow the same gating as upload filenames described in Annex II — in default configuration they do not appear in application logs, exception messages, or error tracker payloads; the Controller may opt in to obfuscated path logging on a per-team basis if path context is needed for debugging.

Annex II: Technical and Organisational Measures

The Processor implements and maintains the following technical and organisational measures in accordance with Article 32 of the UK GDPR, structured in alignment with ISO/IEC 27001:2022 Annex A control domains. The Processor maintains an information security management system (ISMS) aligned to ISO/IEC 27001 principles.

A.5 — Information Security Policies

  • Documented information security policies cover data classification, access control, incident response, and acceptable use.
  • Policies are reviewed at least annually and updated to reflect changes in the threat landscape, technology, or regulatory requirements.

A.6 — Organisation of Information Security

  • Responsibility for information security is assigned at senior management level.
  • Separation of duties is implemented to reduce opportunities for unauthorised or unintentional modification or misuse of Personal Data.

A.7 — Human Resource Security

  • All personnel with access to Personal Data are subject to appropriate background checks (to the extent permitted by law) and are bound by enforceable confidentiality obligations.
  • Security awareness training is provided to all personnel upon onboarding and at regular intervals thereafter.
  • Confidentiality obligations survive termination of engagement.

A.8 — Asset Management

  • An inventory of information assets involved in the Processing of Personal Data is maintained.
  • The four-tier data classification model defined in Clause 1.1 governs the handling, storage, and disposal of Personal Data throughout its lifecycle.

A.9 — Access Control

  • Access to systems Processing Personal Data is restricted to authorised personnel on a need-to-know basis, enforced through role-based access controls (RBAC).
  • Multi-factor authentication (MFA) is required for all administrative access to production systems.
  • Access rights are reviewed quarterly and promptly revoked upon personnel change or departure.
  • Privileged access to production infrastructure is logged and subject to periodic review.

A.10 — Cryptography

  • All Personal Data is encrypted in transit using TLS 1.2 or higher.
  • Tier 3 Data and Tier 4 Data at rest are encrypted using AES-256 or equivalent industry-standard encryption.
  • Encryption keys are managed through AWS Key Management Service (KMS) with automated key rotation.
  • Tier 1 Data, processed in volatile memory only, is not written to persistent storage; the ephemeral processing architecture eliminates the need for at-rest encryption of file contents.

A.12 — Operations Security

  • Application and infrastructure logs are maintained and monitored. Logging explicitly excludes Tier 1 Data and Tier 2 Data content.
  • Filenames are excluded from operational logs and exception contexts by default; Controllers may opt in to obfuscated filename logging via account settings.
  • Change management procedures govern all changes to production systems, including peer review and staged deployment.
  • Development, testing, and production environments are separated. No Personal Data is used in development or testing environments.
  • Automated vulnerability scanning is performed regularly against production infrastructure.
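The credential handling in Schedule 4(4), the path gating in Schedule 4(5) and the log-exclusion measures in A.12 above all describe the same control from the Processor's side: connector configurations never reach log lines, and connector paths are withheld by default and only ever logged in obfuscated form on a per-team opt-in. The following Python illustration is added here as an example and is not code from Redactr Platforms or the Service. The record attribute name `object_key`, the per-team hashing key and the choice of a truncated HMAC-SHA-256 digest as the obfuscation scheme are assumptions made for the example, and every credential value is constructed.

```python
import hashlib
import hmac
import logging
from dataclasses import dataclass

REDACTED = "[redacted]"
PATH_WITHHELD = "[path withheld]"


@dataclass
class ConnectorConfig:
    """Stored connector configuration (constructed S3-style example values)."""
    endpoint: str
    bucket: str
    access_key_id: str
    secret_access_key: str

    def secrets(self) -> list[str]:
        # Every field is a Controller credential under Schedule 4(4): none may reach a log line.
        return [self.secret_access_key, self.access_key_id, self.bucket, self.endpoint]


@dataclass
class TeamLogSettings:
    """Per-team opt-in described in Schedule 4(5); the keyed-hash scheme is an assumption."""
    team_id: str
    obfuscated_path_logging: bool = False
    path_hash_key: bytes = b""  # assumed server-side per-team key, never logged itself


def scrub_secrets(text: str, secrets: list[str]) -> str:
    """Replace every literal credential value in text, longest first so no substring survives."""
    for value in sorted((s for s in secrets if s), key=len, reverse=True):
        text = text.replace(value, REDACTED)
    return text


def render_path(object_key: str, settings: TeamLogSettings) -> str:
    """Default: withhold the path entirely. Opt-in: a stable keyed digest, correlatable but not reversible."""
    if not settings.obfuscated_path_logging:
        return PATH_WITHHELD
    digest = hmac.new(settings.path_hash_key, object_key.encode("utf-8"), hashlib.sha256).hexdigest()
    return f"path#{digest[:16]}"


class ConnectorLogFilter(logging.Filter):
    """Rewrites each record before any handler (file, error tracker, queue) formats it."""

    def __init__(self, config: ConnectorConfig, settings: TeamLogSettings) -> None:
        super().__init__()
        self.config = config
        self.settings = settings

    def filter(self, record: logging.LogRecord) -> bool:
        secrets = self.config.secrets()
        message = record.getMessage()  # fold %-args in first so they are scrubbed too
        object_key = getattr(record, "object_key", None)  # assumed to be passed via extra=, not in the text
        if object_key:
            # If a developer still interpolated the key into the text, rewrite that occurrence as well.
            message = message.replace(object_key, render_path(object_key, self.settings))
        record.msg = scrub_secrets(message, secrets)
        record.args = ()
        # Exception messages raised by storage SDKs often echo the endpoint or key; scrub those too.
        if record.exc_info and record.exc_info[1] is not None:
            exc = record.exc_info[1]
            exc.args = tuple(scrub_secrets(a, secrets) if isinstance(a, str) else a for a in exc.args)
        return True


def filtered_message(config, settings, msg, *args, object_key=None, exc=None) -> str:
    """Run one record through the filter and return the text a handler would see."""
    record = logging.LogRecord("redactr.connector", logging.ERROR, __file__, 0, msg, args,
                               (type(exc), exc, None) if exc is not None else None)
    if object_key is not None:
        record.object_key = object_key
    ConnectorLogFilter(config, settings).filter(record)
    text = record.getMessage()
    if exc is not None:
        text += " | " + str(exc)
    return text


if __name__ == "__main__":
    cfg = ConnectorConfig("https://s3.eu-west-1.amazonaws.com", "acme-hr-docs",
                          "AKIAIOSFODNN7EXAMPLE", "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY")
    print(filtered_message(cfg, TeamLogSettings("team-1"),
                           "fetch failed for %s/%s with key %s", cfg.bucket, "hr/payroll.pdf",
                           cfg.access_key_id, object_key="hr/payroll.pdf"))
    print(filtered_message(cfg, TeamLogSettings("team-1", True, b"team-1-key"),
                           "fetch failed for %s", "hr/payroll.pdf", object_key="hr/payroll.pdf"))
```

The filter is attached to the logger that connector code uses, so it runs before any handler, including an error-tracker handler, sees the record. Scrubbing is by literal value, which is deliberate: a pattern-based scrubber misses credentials whose shape it does not know, whereas the stored connector configuration is the authoritative list of what must never appear. Keyed hashing keeps a stable token per path so an operator can correlate repeated failures on the same object without the log revealing the object name.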

A.13 — Communications Security

  • All API communications between the Controller and the Service are encrypted using TLS 1.2 or higher.
  • Network segmentation is implemented to isolate systems Processing Personal Data from other infrastructure.
  • AWS Virtual Private Cloud (VPC) configurations restrict inbound and outbound network traffic to authorised endpoints.

A.14 — System Acquisition, Development and Maintenance

  • Security requirements are incorporated into the development lifecycle for the Service.
  • Code is subject to peer review prior to deployment to production.
  • Dependency management processes ensure timely patching of third-party libraries and frameworks.

A.16 — Information Security Incident Management

  • A documented incident response plan covers detection, containment, eradication, recovery, and post-incident review.
  • Personal Data Breaches are escalated in accordance with Clause 8 (72-hour notification).
  • Post-incident reviews are conducted following any security incident affecting Personal Data, and lessons learned are incorporated into security policies and procedures.

A.17 — Business Continuity

  • Tier 3 Data and Tier 4 Data are backed up using automated, encrypted backup procedures with backups stored within the EU (eu-west-1 region).
  • Backup integrity is tested periodically through restoration exercises.
  • The non-retention architecture for Tier 1 Data and Tier 2 Data means that business continuity measures for those tiers are inherently satisfied by the stateless API design.

A.18 — Compliance

  • The Processor's technical and organisational measures are reviewed and tested at regular intervals, including through internal audits and penetration testing.
  • Lock-in tests are performed to verify that Tier 1 Data is not persisted beyond the Processing Window and that Tier 2 Data is not retained beyond API response delivery.
  • Results of security testing and compliance reviews are available to the Controller upon request as part of the audit rights described in Clause 9.

Retention and Deletion Controls

  • Tier 1 Data: Automatically purged from volatile memory upon completion of the API request-response cycle. No manual deletion is required as no persistent storage occurs.
  • Tier 2 Data: Not stored by the Processor. Idempotency Reference cache entries are purged automatically upon cache TTL expiry.
  • Tier 3 Data: Deleted within thirty (30) days following account termination through automated data lifecycle management processes.
  • Tier 4 Data: Deleted in accordance with the applicable Sub-processor's data processing agreement and the Processor's statutory retention obligations.

Sub-processor Security Governance

  • All Authorised Sub-processors are subject to due diligence prior to engagement, including review of their security certifications, data processing practices, and incident response capabilities.
  • Sub-processor agreements include data protection obligations no less onerous than those contained in this DPA.
  • Sub-processor compliance is reviewed on an ongoing basis.

Annex III: Authorised Sub-processors

The following Sub-processors are authorised by the Controller as at the Effective Date:

Amazon Web Services — Bedrock
  Processing Activity: Large language model inference for sensitive data identification
  Data Tier Accessed: Tier 1 (in-flight only)
  Data Location: EU geography only, via the AWS Bedrock Geographic cross-Region inference profile (eu.* system-defined profiles)
  Retention: None — zero data retention; model inference operates under AWS zero-retention configuration
  DPA Reference: AWS Data Processing Addendum

Amazon Web Services — RDS
  Processing Activity: Persistent storage of operational and billing metadata
  Data Tier Accessed: Tier 3, Tier 4
  Data Location: EU (eu-west-1, Ireland)
  Retention: Account lifetime plus 30 days (Tier 3); per subscription terms (Tier 4)
  DPA Reference: AWS Data Processing Addendum

Amazon Web Services — ElastiCache
  Processing Activity: Idempotency reference caching and operational metadata caching
  Data Tier Accessed: Tier 3 (and Tier 2 Idempotency Reference only)
  Data Location: EU (eu-west-1, Ireland)
  Retention: Cache TTL (automatically purged upon expiry)
  DPA Reference: AWS Data Processing Addendum

Stripe Payments Europe, Ltd.
  Processing Activity: Payment processing and billing management
  Data Tier Accessed: Tier 4 (billing)
  Data Location: Per Stripe DPA (EU/EEA controller-to-processor SCCs apply for any onward transfer outside the EEA)
  Retention: Per Stripe DPA terms
  DPA Reference: Stripe Data Processing Addendum

Sendinblue SAS (trading as Brevo)
  Processing Activity: Marketing email delivery to account holders who have opted in to receive marketing communications
  Data Tier Accessed: Tier 4 (marketing-opt-in contact data only — name and email address)
  Data Location: EU (Brevo hosts customer data within the EU)
  Retention: Retained until the account holder withdraws consent or the account is terminated, whichever is sooner
  DPA Reference: Brevo Data Processing Agreement

WorkOS, Inc.
  Processing Activity: Identity, authentication, and multi-factor authentication management for account holders
  Data Tier Accessed: Tier 4 (authentication identity — name, email, MFA enrolment state, and session state)
  Data Location: USA, under the UK International Data Transfer Agreement and EU Standard Contractual Clauses (per the WorkOS DPA)
  Retention: Retained until the account holder closes the account or their membership ends; deletion propagates via the WorkOS User Management API at T+0
  DPA Reference: WorkOS Data Processing Addendum

Chatwoot Inc.
  Processing Activity: Customer support chat for the marketing site and the in-app help widget
  Data Tier Accessed: Tier 4 (account holder identity and conversation content shared during support chat — name, email, message content)
  Data Location: EU (Chatwoot Cloud, app.chatwoot.com)
  Retention: Retained during the account lifetime; conversation history is deleted with the account
  DPA Reference: Chatwoot Data Processing Agreement
