1. Definitions
1.1 "Personal Data", "Processing", "Controller", "Processor", and "Sub-processor" have the meanings given in the UK General Data Protection Regulation (UK GDPR) as supplemented by the Data Protection Act 2018.
1.2 "Customer Data" means Personal Data processed by the Supplier on behalf of the Customer under the Services.
1.3 "ICO" means the Information Commissioner's Office, the UK's supervisory authority for data protection.
2. Role Allocation and Scope
2.1 For Customer Data, the Customer is the Controller and the Supplier is the Processor. The Customer determines the purposes and means of processing; the Supplier processes Customer Data solely on the Customer's documented instructions.
2.2 The Supplier processes Customer Data only to provide the Services and only in accordance with the Customer's documented instructions. If the Supplier considers that an instruction infringes UK GDPR or any other UK data protection law, the Supplier will promptly inform the Customer.
2.3 The Supplier may separately act as an independent Controller for its own legitimate business administration (e.g. billing contacts, supplier CRM records, compliance records). This DPA applies only to the Supplier's processing of Customer Data on the Customer's behalf.
3. Processing Details
3.1 The processing details required by UK GDPR Article 28(3) are set out in Schedule 1 (Processing Details) below. The parties agree those details are complete and accurate for the Services as at the Effective Date.
3.2 Any material change to the processing scope (e.g. additional data categories or data subjects) requires written agreement between the parties and an update to Schedule 1.
4. Customer Instructions
4.1 The Supplier will process Customer Data only on the Customer's documented instructions, including with respect to any international transfers of Customer Data.
4.2 Documented instructions include: (a) the Engagement Terms; (b) this DPA; and (c) any instruction given in writing (including email) by the Customer's authorised contact.
4.3 The Supplier will promptly inform the Customer if, in the Supplier's reasonable opinion, an instruction would lead to a breach of UK GDPR or applicable UK data protection law.
5. Confidentiality
5.1 The Supplier will ensure that any person authorised to process Customer Data is subject to a binding duty of confidentiality (whether contractual or statutory).
5.2 The Supplier will limit access to Customer Data to those personnel who require access to perform the Services.
6. Security Measures
6.1 The Supplier will implement and maintain appropriate technical and organisational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, as required by UK GDPR Article 32.
6.2 The specific measures implemented by the Supplier are described in Schedule 2 (Security Measures) below.
6.3 The Supplier will review and update these measures as appropriate, taking account of the nature of the Services and risks to data subjects.
7. Sub-processors
7.1 The Customer grants the Supplier general written authorisation to engage the Sub-processors listed in Schedule 3 (Sub-processor List) for the Services.
7.2 The Supplier will give the Customer not less than 14 days' prior written notice of any intended changes to Schedule 3 (addition or replacement of Sub-processors) and provide the Customer an opportunity to object on reasonable data protection grounds within that period.
7.3 Where the Supplier engages a Sub-processor, the Supplier will: (a) carry out appropriate due diligence on the Sub-processor's data protection practices; (b) impose equivalent data protection obligations on the Sub-processor by way of a written contract; and (c) remain fully liable to the Customer for the Sub-processor's performance of those obligations.
7.4 If the Customer objects on reasonable data protection grounds and the parties cannot resolve the matter within 14 days, the Customer may terminate the affected Services on written notice and receive a pro-rata refund of prepaid fees for unperformed Services.
8. Data Subject Rights
8.1 Taking into account the nature of the processing, the Supplier will implement appropriate technical and organisational measures to assist the Customer in fulfilling its obligation to respond to requests from data subjects exercising their rights under Chapter III of UK GDPR (including access, rectification, erasure, restriction, portability, and objection).
8.2 The Supplier will notify the Customer without undue delay if it receives a request from a data subject in relation to Customer Data, and will not respond to any such request except on the Customer's documented instruction (unless required by UK law).
9. Personal Data Breaches
The Supplier will notify the Customer without undue delay after becoming aware of a personal data breach affecting Customer Data, with an operational target of notification within 24 hours.
Such notification will include, to the extent reasonably known at the time:
- The nature of the breach, including the categories and approximate number of data subjects and records concerned.
- The likely consequences of the breach.
- The measures taken or proposed to address the breach and mitigate its effects.
The Supplier will co-operate with the Customer and take reasonable steps to assist in the investigation, mitigation, and remediation of any such breach.
Compliance Assistance
The Supplier will assist the Customer in ensuring compliance with the Customer's obligations under UK GDPR Articles 32–36, including obligations relating to security of processing, notification of breaches to the ICO, communication of breaches to data subjects, data protection impact assessments, and prior consultation with the ICO.
10. International Transfers
10.1 The Supplier's primary application hosting and data storage infrastructure is located in the United Kingdom.
10.2 Certain Sub-processors listed in Schedule 3 may process Customer Data outside the United Kingdom. Where such processing constitutes a "restricted transfer" under UK GDPR, the Supplier will ensure that an appropriate safeguard is in place before the transfer occurs, including (as applicable):
- The UK International Data Transfer Agreement (UK IDTA); or
- The UK Addendum to the EU Standard Contractual Clauses; or
- An adequacy decision by the Secretary of State under Section 17A of the Data Protection Act 2018.
10.3 Where required, the Supplier will conduct and document a transfer risk assessment (TRA) to verify that the level of protection in the receiving country is not materially undermined.
11. Return and Deletion
11.1 At the end of the Services (or upon earlier termination), the Supplier will, at the Customer's written election: (a) return all Customer Data in a commonly used, machine-readable format; or (b) securely delete all Customer Data and confirm deletion in writing.
11.2 Deletion or return will be completed within 30 days of the end of the Services, unless UK law requires continued storage.
11.3 The Customer acknowledges that certain backup and archive systems may not permit immediate deletion. Where that is the case, the Supplier will put the data beyond use, apply appropriate protective measures, and delete it as soon as reasonably practicable.
12. Audits and Information Rights
12.1 The Supplier will make available to the Customer all information reasonably necessary to demonstrate compliance with this DPA and UK GDPR Article 28 obligations.
12.2 The Supplier will allow for and contribute to audits and inspections conducted by the Customer or a qualified auditor appointed by the Customer, subject to reasonable prior written notice (not less than 14 days), confidentiality obligations on the auditor, and reasonable scope limitations.
12.3 To keep audits proportionate, the parties agree that audit requirements will be satisfied primarily by: (a) written responses to the Customer's questions; (b) provision of security policies and procedures; (c) provision of relevant third-party audit reports or certifications; and (d) a remote review meeting.
13. Anonymised-First Approach
The Supplier advocates an anonymised-first approach. Where feasible, the Customer is encouraged to provide data that has been effectively anonymised such that no living individual can be identified from it.
Effectively anonymised data falls outside the scope of UK GDPR and this DPA. Pseudonymised data (i.e. data that can be re-identified using a separately held key) remains Personal Data and is fully within scope.
If the Customer later instructs the Supplier to process non-anonymised Customer Data (e.g. during a Pilot or Retainer phase), such processing is governed by this DPA and the parties will update Schedule 1 as necessary.
Precedence and Term
If there is any conflict between this DPA and the Engagement Terms, this DPA prevails in respect of data protection matters. This DPA remains in effect for the duration of the Services and will automatically terminate when the Supplier ceases all processing of Customer Data on the Customer's behalf.
Schedules
Schedule 1 — Processing Details
Required by UK GDPR Article 28(3)
Subject Matter
Preparation of approval-first workflow drafts (e.g. client chasing emails, document request checklists, engagement summaries) and workflow analytics for the Customer's professional services operations.
Duration
Diagnostic: 5 business days. Pilot (if applicable): 30 calendar days. Retainer (if applicable): Monthly rolling, as per Engagement Terms. Processing ceases upon completion or termination of the applicable Service phase.
Nature and Purpose
Workflow mapping and analysis; document classification; text summarisation; draft generation for client-facing communications; task creation and tracking; audit log generation; time-saved reporting. All outputs are approval-first drafts — no communication is sent, no document is filed, and no action is taken on Customer systems without the Customer's explicit prior approval.
Categories of Data Subjects
Customer staff (employees and contractors); Customer end-clients (individuals and businesses to whom the Customer provides services); prospective clients of the Customer.
Types of Personal Data
Contact details (name, email address, telephone number); business identifiers (client reference numbers, UTR where applicable); communications content (email threads, messages, notes); financial and administrative context only insofar as required for the specific workflow. Special category data (Article 9) and criminal offence data (Article 10) are excluded unless explicitly agreed in writing.
Schedule 2 — Security Measures
Implemented in accordance with UK GDPR Article 32
| Measure | Implementation |
|---|---|
| Access Control | Least-privilege, role-based access. Only authorised personnel with a documented need-to-know may access Customer Data. |
| Authentication | Multi-factor authentication (MFA) enforced on all administrative accounts, hosting dashboards, and systems that process Customer Data. |
| Encryption | Data encrypted in transit using TLS 1.2 or higher. Data encrypted at rest where supported (AES-256 or equivalent). |
| Secrets Management | API keys, tokens, and credentials stored in dedicated environment variables or secrets management services. No credentials stored in source code. |
| Audit Logging | All agent workflow actions are logged with timestamp, actor, and action taken. Logs retained for the duration of the engagement. |
| Data Minimisation | Only the minimum Customer Data necessary for each specific workflow is processed. Anonymised-first approach adopted wherever practical. |
| Customer Segregation | Customer Data is logically segregated. No co-mingling of Customer Data between different clients. |
| Hosting | Primary application hosting and data storage located in the United Kingdom (AWS eu-west-2, London). |
| Incident Response | Documented incident response process. Breach notification within 24 hours of confirmed breach. Post-incident review and remediation. |
| Payment Processing | All payment processing handled via Stripe, a PCI DSS Level 1 service provider. The Supplier does not handle or store raw card data. |
Schedule 3 — Authorised Sub-processors
| Sub-processor | Purpose | Location |
|---|---|---|
| AWS | Application hosting, compute, and data storage | UK (eu-west-2) |
| Anthropic (Claude API) | AI model inference for workflow drafting, classification, and summarisation. API data is not used for model training. Inputs and outputs auto-deleted within 7 days. | EU / US * |
| Stripe | Payment processing and invoicing. Business contact and billing data only — no Customer end-client data. | IE / US * |
| Resend | Transactional email delivery (system notifications only). No bulk client communications. | US * |
* Restricted transfer. Safeguards in place via UK IDTA / SCCs. See Security for details.
Note on AI Model Processing
- Customer Data submitted for AI inference is processed ephemerally. Anthropic automatically deletes API inputs and outputs within 7 days.
- Anthropic's commercial API terms confirm that API customer data is not used for model training.
- The Supplier sends only the minimum data required for each workflow task. Where feasible, personally identifiable fields are redacted or pseudonymised before submission.
- The Supplier will notify the Customer if Anthropic materially changes its data processing location, retention period, or training policy.
Accepted via tick-box at checkout and/or payment under the Engagement Terms.
Agentised Ltd
Company No: 16884307
This document is a template and does not constitute legal advice. Both parties are advised to obtain independent legal advice.
Email: support@agentised.ai