This Data Processing Agreement ("DPA") forms part of the Terms of Use between RegTechPRO Limited and the Client (the "Principal Agreement") and sets out the terms under which RegTechPRO processes personal data on behalf of the Client.
This DPA is entered into pursuant to Article 28 of the UK General Data Protection Regulation ("UK GDPR") and the Data Protection Act 2018. By subscribing to RegTechPRO's services, the Client agrees to be bound by this DPA.
Parties
This DPA is between:
Definitions
In this DPA, unless the context requires otherwise:
Terms not defined in this DPA shall have the meanings given to them in the Principal Agreement or, where applicable, the Data Protection Laws.
Scope and Purpose of Processing
Subject Matter
RegTechPRO processes Personal Data on behalf of the Client solely to provide the compliance workflow management Services described in the Principal Agreement.
Duration
Processing shall continue for the duration of the Principal Agreement, plus any retention period required by law or as specified in Section 12 (Data Deletion).
Nature and Purpose of Processing
The nature and purpose of processing include:
- Storing and organising compliance-related records and documentation
- Facilitating task management and workflow automation
- Generating compliance reports and management information
- Providing AI-assisted compliance guidance
- Enabling audit trails and record-keeping for regulatory purposes
Processor Obligations
RegTechPRO, as the Processor, shall:
Process on Instructions
Process Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to a third country or international organisation, unless required to do so by applicable law. In such case, RegTechPRO shall inform the Controller of that legal requirement before processing, unless prohibited by law.
Confidentiality
Ensure that persons authorised to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
Security Measures
Implement and maintain appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as detailed in Section 8 (Security).
Sub-processing
Only engage Sub-processors in accordance with Section 6 (Sub-processing) and impose data protection obligations on them by way of contract.
Data Subject Rights
Assist the Controller by appropriate technical and organisational measures, insofar as possible, in fulfilling the Controller's obligation to respond to requests for exercising Data Subject rights.
Assistance with Compliance
Assist the Controller in ensuring compliance with obligations under Articles 32-36 of UK GDPR, taking into account the nature of processing and information available to RegTechPRO.
Deletion or Return
At the choice of the Controller, delete or return all Personal Data to the Controller after the end of the provision of Services, and delete existing copies unless applicable law requires storage of the Personal Data.
Audit and Information
Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of UK GDPR and allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller.
Controller Obligations
The Controller warrants and undertakes that:
- It has all necessary rights, consents, and lawful bases to provide Personal Data to RegTechPRO for processing in accordance with this DPA
- It will comply with all applicable Data Protection Laws in relation to its use of the Services and its processing of Personal Data
- It will ensure that its instructions to RegTechPRO comply with applicable Data Protection Laws
- It has provided appropriate privacy notices to Data Subjects regarding the processing of their Personal Data
- It will promptly notify RegTechPRO of any changes to Data Protection Laws that may affect RegTechPRO's processing obligations
- It is responsible for independently determining whether the security measures described in this DPA meet its requirements
Important: The Controller is responsible for the accuracy, quality, and legality of Personal Data and the means by which it was obtained. RegTechPRO has no control over, and shall not be liable for, the contents of the Personal Data processed on the Controller's behalf.
Sub-processing
General Authorisation
The Controller provides general authorisation for RegTechPRO to engage Sub-processors to assist in providing the Services, subject to the requirements of this Section.
Current Sub-processors
A list of RegTechPRO's current Sub-processors is available at regtechpro.co.uk/subprocessors or upon request to info@regtechpro.co.uk.
New Sub-processors
RegTechPRO shall:
- Notify the Controller of any intended changes concerning the addition or replacement of Sub-processors at least 30 days before the change, giving the Controller the opportunity to object
- Where the Controller raises a reasonable objection within 14 days of notification, RegTechPRO shall work with the Controller in good faith to address the concerns. If no resolution can be reached, the Controller may terminate the affected Services
- Impose data protection obligations on Sub-processors by way of contract that are no less protective than those in this DPA
- Remain fully liable to the Controller for the performance of each Sub-processor's obligations
Sub-processor Categories
RegTechPRO uses Sub-processors in the following categories:
- Cloud Infrastructure: Secure UK-based hosting and data storage
- Payment Processing: Subscription billing and payment collection
- Email Services: Transactional email delivery
- Support Tools: Customer support and communication
- Analytics: Platform usage analysis (anonymised where possible)
Data Subject Rights
Assistance
RegTechPRO shall, taking into account the nature of the processing, assist the Controller by appropriate technical and organisational measures to fulfil the Controller's obligations to respond to requests from Data Subjects exercising their rights under Data Protection Laws, including:
- Right of access (Subject Access Requests)
- Right to rectification
- Right to erasure ("right to be forgotten")
- Right to restriction of processing
- Right to data portability
- Right to object
Notification
If RegTechPRO receives a request from a Data Subject in relation to their Personal Data, RegTechPRO shall promptly notify the Controller and shall not respond to the request directly unless authorised to do so by the Controller or required by applicable law.
Self-Service Tools
The Platform provides data export and deletion functionality that the Controller can use to respond to Data Subject requests. Where additional assistance is required, the Controller should contact RegTechPRO at info@regtechpro.co.uk.
Security Measures
Technical and Organisational Measures
RegTechPRO implements and maintains appropriate technical and organisational measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. These measures include:
| Category | Measures |
|---|---|
| Encryption | TLS 1.2+ encryption for data in transit; AES-256 encryption for data at rest |
| Access Control | Role-based access controls; multi-factor authentication available; principle of least privilege; unique user credentials |
| Infrastructure Security | UK-based data centres; firewall protection; intrusion detection; DDoS protection; regular security patching |
| Data Segregation | Logical separation of client data; unique client identifiers; secure multi-tenant architecture |
| Backup & Recovery | Regular automated backups; encrypted backup storage; documented disaster recovery procedures |
| Personnel | Staff confidentiality agreements; security awareness training; background checks for staff with data access |
| Monitoring & Logging | Security event logging; access logs; anomaly detection; audit trails |
| Vendor Management | Due diligence on Sub-processors; contractual security requirements; periodic reviews |
Ongoing Security
RegTechPRO shall regularly test, assess, and evaluate the effectiveness of these measures and implement improvements as appropriate, taking into account the state of the art, costs of implementation, and the nature, scope, context, and purposes of processing.
Personal Data Breaches
Notification
RegTechPRO shall notify the Controller without undue delay after becoming aware of a Personal Data Breach affecting the Controller's data, and in any event within 48 hours where feasible.
Information to be Provided
The notification shall include, to the extent known:
- A description of the nature of the Personal Data Breach, including the categories and approximate number of Data Subjects and records concerned
- The name and contact details of the point of contact for further information
- A description of the likely consequences of the breach
- A description of the measures taken or proposed to address the breach, including measures to mitigate possible adverse effects
Assistance
RegTechPRO shall cooperate with the Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of the breach. RegTechPRO shall not inform any third party of a breach without the Controller's prior consent, unless required by applicable law.
Note: The Controller remains responsible for determining whether notification to the ICO or affected Data Subjects is required under Data Protection Laws and for making such notifications.
International Data Transfers
Data Location
Personal Data processed under this DPA is primarily stored and processed within the United Kingdom.
Transfer Safeguards
RegTechPRO shall not transfer Personal Data to a country outside the UK or EEA unless:
- The transfer is to a country that has been determined to provide an adequate level of protection by the UK Government or European Commission
- Appropriate safeguards are in place, such as the UK International Data Transfer Agreement (IDTA), EU Standard Contractual Clauses, or Binding Corporate Rules
- A derogation under Article 49 of UK GDPR applies
Sub-processor Transfers
Where Sub-processors process Personal Data outside the UK/EEA, RegTechPRO ensures appropriate transfer mechanisms are in place with such Sub-processors before any transfer occurs.
Audit Rights
Information Requests
Upon reasonable request, RegTechPRO shall make available to the Controller all information reasonably necessary to demonstrate compliance with the obligations set out in this DPA and Article 28 of UK GDPR.
Audit Procedures
RegTechPRO shall allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller, subject to the following conditions:
- The Controller shall provide at least 30 days' prior written notice of any audit, unless a shorter period is required by a regulatory authority
- Audits shall be conducted during normal business hours and shall not unreasonably interfere with RegTechPRO's operations
- The Controller and any auditor shall comply with RegTechPRO's reasonable security and confidentiality requirements
- Audits shall be limited to once per year, unless required more frequently by a regulatory authority or following a Personal Data Breach
- The Controller shall bear its own costs in conducting audits
Third-Party Certifications
Where available, RegTechPRO may satisfy audit requests by providing the Controller with copies of relevant third-party certifications, audit reports, or compliance documentation.
Data Deletion and Return
Upon Termination
Upon termination or expiry of the Principal Agreement, RegTechPRO shall, at the Controller's election:
- Provide the Controller with a copy of all Personal Data in a commonly used, machine-readable format; and/or
- Delete all Personal Data from its systems
Retention Period
The Controller shall have 30 days from termination (the "Grace Period") to export its data using the Platform's data export tools or by requesting a data export from RegTechPRO.
After the Grace Period, RegTechPRO shall delete the Controller's Personal Data within 30 days, except where retention is required by applicable law.
Certification
Upon request, RegTechPRO shall provide written certification of deletion of Personal Data.
Backup Retention: Personal Data may persist in backup systems for a limited period after deletion from primary systems, but such backups are encrypted and access-restricted. Backups are overwritten in the normal course of business.
Liability
Liability Cap
The total liability of each party under or in connection with this DPA shall be subject to the limitations and exclusions of liability set out in the Principal Agreement.
Indemnification
Each party shall indemnify the other against all claims, damages, losses, costs, and expenses (including reasonable legal fees) arising from any breach of this DPA by the indemnifying party, except to the extent that the other party contributed to such breach.
Regulatory Fines
Neither party excludes liability for regulatory fines or penalties imposed on it by a supervisory authority for its own breach of Data Protection Laws. Each party shall be responsible for any fines issued to it by a supervisory authority.
Term and Termination
Duration
This DPA shall come into effect upon the Client's acceptance of the Principal Agreement and shall continue in force until the Principal Agreement terminates or expires, or until all Personal Data has been deleted or returned in accordance with Section 12.
Survival
The provisions of this DPA that by their nature should survive termination (including confidentiality, liability, and data deletion obligations) shall survive any termination or expiry of this DPA.
General Provisions
Conflicts
In the event of any conflict between this DPA and the Principal Agreement, this DPA shall prevail with respect to the processing of Personal Data.
Amendments
RegTechPRO may update this DPA from time to time to reflect changes in Data Protection Laws or our processing practices. Material changes will be notified to the Controller at least 30 days before taking effect. Continued use of the Services after such changes constitutes acceptance of the updated DPA.
Severability
If any provision of this DPA is found to be invalid or unenforceable, the remaining provisions shall remain in full force and effect.
Governing Law
This DPA shall be governed by and construed in accordance with the laws of England and Wales, and the parties submit to the exclusive jurisdiction of the courts of England and Wales.
Entire Agreement
This DPA, together with the Principal Agreement, constitutes the entire agreement between the parties regarding the subject matter hereof and supersedes all prior agreements, representations, and understandings.
Questions about this DPA?
For queries regarding data processing, Sub-processors, or this agreement, please contact us at info@regtechpro.co.uk.