Data Processing Agreement (DPA)

Our commitments for GDPR-compliant data processing

Effective: 17 February 2026

This Data Processing Agreement ("DPA") forms part of the Terms of Service between you ("Data Controller") and Sevenpoynt Ltd, trading as PolicySuite ("Data Processor") and governs our processing of personal data under UK GDPR.

1. Definitions

Personal Data: Any information relating to an identified or identifiable natural person that you submit to the Service.
Processing: Any operation performed on Personal Data, including collection, storage, use, and deletion.

2. Scope and Roles

You are the Data Controller and determine the purposes and means of processing Personal Data. We are the Data Processor and process Personal Data only on your documented instructions.

3. Processing Instructions

We will process Personal Data only:

  • As necessary to provide the Service under our Terms of Service
  • As instructed by you through the Service interface
  • As required by applicable law

4. Security Measures

We implement appropriate technical and organisational measures, including:

  • Encryption in transit (TLS 1.3) and at rest (AES-256)
  • Access controls and authentication
  • Regular security testing and audits
  • Incident response procedures

5. Sub-Processors

We may engage sub-processors (hosting, email delivery) to assist in providing the Service. Current sub-processors:

  • Render.com - Hosting infrastructure (USA, Standard Contractual Clauses)
  • Amazon Web Services - Database hosting (UK/EU regions)

6. Data Subject Rights

We will assist you in responding to data subject requests (access, rectification, erasure, portability) by providing tools and data export capabilities.

7. Data Breach Notification

We will notify you without undue delay (within 48 hours) of any personal data breach affecting your data.

8. Data Return and Deletion

Upon termination, we will delete or return all Personal Data within 90 days, unless legally required to retain it.

9. Audits

We maintain SOC 2 Type II certification. You may request audit reports or conduct audits (with reasonable notice and at your expense).

Swiss nDSG Addendum

Where the Data Controller is domiciled in Switzerland or where Swiss data subjects' personal data is processed, this DPA is supplemented by the requirements of the Swiss Federal Act on Data Protection (nDSG), including the Ordinance on Data Protection (VDSG). Cross-border transfers comply with nDSG Articles 16-17.

10. Contact

DPA questions: dpa@policy-suite.com
Data Protection Officer: dpo@policy-suite.com

Legal entity: Sevenpoynt Ltd, trading as PolicySuite