
Data Processing Agreement

ThirdSectorIntel.ai  ·  Template version 1.0  ·  Last updated: 27 May 2026

This Data Processing Agreement (“DPA”) forms part of the agreement between ThirdSectorIntel.ai Limited, a company registered in England and Wales (company number 17146515) with registered office at Unit A5284, 6 Greatorex Street, London, E1 5NF (“Processor”, “we”, “us”) and the customer identified on the relevant order form or service agreement (“Controller”, “you”), together the “Parties”.

This template is published for review during procurement. A version with executed signatures, effective date, and any negotiated amendments is provided on contract. To request a Word copy: [email protected].

1. Definitions

Terms used in this DPA have the meaning given in the UK General Data Protection Regulation (“UK GDPR”) and the Data Protection Act 2018 (together, “UK Data Protection Law”). “Service” means the ThirdSectorIntel.ai platform as defined in the underlying agreement. “Customer Personal Data” means personal data processed by us on your behalf in providing the Service.

2. Scope and roles

For Customer Personal Data, you are the Controller and we are the Processor. We will process Customer Personal Data only on your documented instructions, as set out in the underlying agreement, this DPA, and Schedule 1.

Where we process personal data for our own purposes — including the public sector-intelligence dataset that powers the Service — we act as an independent Controller. That processing is described in our Privacy Policy and is out of scope of this DPA.

3. Our obligations as Processor (UK GDPR Art. 28)

We will:

  1. process Customer Personal Data only on your documented instructions, including with regard to transfers outside the UK, unless we are required to do so by law (in which case we will inform you of that legal requirement before processing, unless the law prohibits us from doing so);
  2. ensure that personnel authorised to process Customer Personal Data are under appropriate confidentiality obligations;
  3. implement the technical and organisational measures set out in Schedule 2;
  4. engage subprocessors only on the terms of Section 5;
  5. taking into account the nature of the processing, assist you, by appropriate technical and organisational measures, in fulfilling your obligation to respond to requests from data subjects exercising their rights under UK Data Protection Law;
  6. assist you in ensuring compliance with your obligations under Articles 32 to 36 UK GDPR (security, breach notification, data protection impact assessments, prior consultation);
  7. at your choice, delete or return all Customer Personal Data to you at the end of the provision of the Service, and delete existing copies, unless retention is required by law;
  8. make available to you all information necessary to demonstrate compliance with this DPA and Article 28 UK GDPR, and allow for and contribute to audits, including inspections, as set out in Section 7.

4. Security

We will implement and maintain the technical and organisational measures set out in Schedule 2 to ensure a level of security appropriate to the risk, including against accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Customer Personal Data.

5. Subprocessors

You give us general written authorisation to engage subprocessors. Our current subprocessors are listed at /data-residency. We will notify you of any intended addition or replacement of a subprocessor at least 30 days before that subprocessor begins processing Customer Personal Data, and you may object on reasonable data-protection grounds; if we cannot accommodate your objection, you may terminate the affected part of the Service on notice.

We will impose on each subprocessor data-protection obligations equivalent in substance to those set out in this DPA, and we remain liable to you for each subprocessor's performance.

6. International transfers

Where we transfer Customer Personal Data outside the UK, we will do so only:

  • to a country that benefits from UK adequacy regulations; or
  • under the International Data Transfer Agreement (IDTA) issued by the Information Commissioner; or
  • under EU Standard Contractual Clauses together with the UK Addendum,

and, in each case, with any supplementary measures required following the Schrems II decision. Current transfer destinations and the safeguards relied on are documented at /data-residency.

7. Audit

We will make available to you all information reasonably necessary to demonstrate compliance with this DPA. On reasonable prior written notice (not less than 30 days) and no more than once per 12 months, you may audit our processing of Customer Personal Data, conducted by you or by an independent auditor mutually agreed in writing, during business hours, in a manner that does not interfere with our operations or compromise the confidentiality of our other customers' data. The Parties will bear their own costs unless the audit reveals a material breach of this DPA.

We may satisfy this obligation by providing existing third-party certifications, audit reports, or attestations where available.

8. Personal data breach

We will notify you without undue delay, and in any event within 48 hours, of becoming aware of a personal data breach affecting Customer Personal Data. The notification will include the information required by Article 33(3) UK GDPR to the extent then known and will be updated as more information becomes available.

9. Return or deletion

On termination or expiry of the underlying agreement, we will, at your choice, return or delete all Customer Personal Data within 30 days, including from backups within their normal rotation cycle (and in any event within 90 days), unless retention is required by law. We will certify deletion on request.

10. Liability

Each Party's liability under this DPA is subject to the limitations of liability set out in the underlying agreement. Nothing in this DPA excludes or limits a Party's liability where it cannot lawfully be excluded.

11. Order of precedence and governing law

In the event of any conflict between this DPA and the underlying agreement, this DPA prevails to the extent of the conflict in relation to the processing of Customer Personal Data. This DPA is governed by the laws of England and Wales and the courts of England and Wales have exclusive jurisdiction.


Schedule 1 — Details of processing

Subject matter: Provision of the ThirdSectorIntel.ai charity-sector intelligence platform.
Duration: The term of the underlying agreement, plus any period of permitted retention.
Nature and purpose: Hosting customer accounts and sessions; storing customer-authored data (shortlists, notes, saved searches, exports); ingesting customer-authorised CRM and mailbox data; surfacing sector intelligence; running AI-assisted enrichment and natural-language search against the user's query text and the public dataset (see /data-residency for what is and is not sent to AI providers).
Categories of data subject: The Controller's employees, contractors, and authorised users of the Service.
Categories of personal data: Name, work email, job title, employer, authentication metadata, IP address, usage logs, and any personal data the Controller chooses to import (e.g. from Loxo or Google Workspace).
Special category data: Not requested or required by the Service. The Controller is responsible for not importing special-category data without a lawful basis.

Schedule 2 — Technical and organisational measures

  • Hosting — UK region (AWS Lightsail, eu-west-2 London) for all customer data at rest.
  • Encryption — TLS 1.2+ in transit; AES-256 at rest via the underlying block-storage layer.
  • Access control — SSO via Google OAuth 2.0; named-user authorisation with allow-list enforcement at sign-in; least-privilege role separation for administrative access.
  • Secrets management — API keys and credentials stored as environment variables on the production host, never committed to source control; rotation on personnel change.
  • Logging and monitoring — application and access logs retained 90 days; security-relevant events alerted to the founder team.
  • Backups — daily snapshots of the primary database and object storage retained 30 days in the same UK region.
  • Vulnerability management — dependency scanning on every deploy; security patches applied within 14 days of disclosure for high-severity issues, 7 days for critical.
  • Personnel — all personnel under written confidentiality obligations; security and data-protection training on engagement and annually thereafter.
  • Subprocessor governance — documented at /data-residency; written data-protection terms in place with each subprocessor.
  • AI processing controls — AI model providers used only under no-training API terms; customer CRM data and identity data excluded from AI-bound payloads; processing can be pinned to a single named provider by contract.
  • Incident response — documented runbook; breach notification to the Controller without undue delay and in any event within 48 hours of becoming aware of a personal data breach, as set out in Section 8.
  • Business continuity — documented recovery objectives (RPO 24h, RTO 4h); tested at least annually.
  • Compliance roadmap — UK ICO registered; Cyber Essentials in progress.

For an executable copy, security questionnaire response, or architecture review under NDA: [email protected].