Data Processing Addendum

Effective date: 16 April 2026.

This Data Processing Addendum ("DPA") is incorporated by reference into the Terms of Service and forms part of the agreement between Crocker Digital Ltd (Company No. 17008789, registered in England and Wales — "Processor") and the customer organisation that has subscribed to AnswerVault ("Controller"). It governs the processing of personal data that Controller uploads to or generates within the AnswerVault service. Controller is deemed to have agreed to this DPA on creating an account; no separate countersignature is required for it to take effect. If Controller's procurement process requires a bilateral signed copy, contact support@answervault.co.uk.

1. Definitions

Terms not defined here have the meaning given in the UK GDPR.

  • Personal Data: information relating to an identified or identifiable natural person, as defined in Article 4(1) UK GDPR, that Controller submits to the Service. This includes Controller's team members' names + email addresses, supplier/contact PII embedded in uploaded ESG documents and questionnaire responses, and audit-log metadata that names individuals.
  • Sub-processor: a third party engaged by Processor to process Personal Data on its behalf. The current list is at /legal/subprocessors.
  • UK GDPR: the United Kingdom General Data Protection Regulation as enacted under the Data Protection Act 2018.

2. Subject matter, duration and nature of processing

  • Subject matter: processing of Personal Data necessary to provide the AnswerVault service.
  • Duration: the term of the underlying subscription, plus a 30-day deletion window after termination.
  • Nature and purpose: storage, retrieval, indexing, search, export, and email-based notifications related to ESG questionnaire response.
  • Categories of data subjects: Controller's employees, contractors, suppliers, and any natural persons named in Controller's uploaded ESG content.
  • Categories of personal data: identifiers (names, email addresses, organisation), contact details, and any personal data Controller chooses to upload as questionnaire content or evidence documents. Special-category data should not be uploaded.

3. Processor obligations

Processor will:

3.1 Process Personal Data only on documented instructions from Controller, including transfers outside the UK, except where required by law.

3.2 Ensure that personnel authorised to process Personal Data are committed to confidentiality.

3.3 Implement appropriate technical and organisational measures (TOMs) per Article 32, including those listed in Annex A.

3.4 Engage Sub-processors only with Controller's general written authorisation. Processor maintains a current Sub-processor list at /legal/subprocessors and will notify Controller via email at least 14 days before adding a new Sub-processor. Controller may object on reasonable grounds.

3.5 Assist Controller in fulfilling data-subject requests under Articles 15-22, breach-notification obligations under Articles 33-34, and DPIA obligations under Article 35.

3.6 Notify Controller without undue delay (and in any event within 48 hours) on becoming aware of a Personal Data Breach affecting Controller's data.

3.7 At Controller's choice, delete or return all Personal Data after the end of the provision of services and delete existing copies, save where storage is required by law (e.g. financial records under the Companies Act).

3.8 Make available to Controller all information necessary to demonstrate compliance with Article 28, and allow for and contribute to audits, including inspections, conducted by Controller or an auditor mandated by Controller. Audits are limited to once per 12 months and require 30 days' notice, except in case of suspected breach.

4. International transfers

Processor relies on the following safeguards for transfers of Personal Data outside the UK:

  • Stripe (US): UK Extension to the EU-US Data Privacy Framework (UK Data Bridge) and SCCs where the Bridge does not apply.
  • Resend (US), Sentry (US, EU region selected), Netlify (US): UK International Data Transfer Addendum (IDTA) to the EU SCCs.
  • Supabase (EU/Frankfurt) and GoatCounter (NL): no third-country transfer.

5. Sub-processors

Current Sub-processors are listed at /legal/subprocessors. Each Sub-processor is bound by data-protection terms substantially the same as those in this DPA. Controller authorises Processor to engage these Sub-processors as of the effective date of this DPA.

6. Security measures (Annex A)

Processor implements at least:

  • Row-level security on the database, scoped per Controller organisation.
  • Encryption in transit (TLS 1.2+) and at rest.
  • HMAC-signed unsubscribe tokens; SHA-256 checksums on document exports.
  • CSRF protection on mutating endpoints; rate-limiting; signed URLs for storage downloads.
  • BEFORE-UPDATE triggers preventing privilege escalation on sensitive columns.
  • Append-only audit-log table.
  • Role-based access for Controller's team members (owner, admin, member, viewer).
  • Sub-processor list maintained transparently and updated before changes.
  • 30-day soft-delete retention with permanent purge thereafter.
  • Tier-based audit-log retention (90/365/730 days) with scheduled hard-delete.
  • Sentry-integrated incident monitoring and Sentry session-replay disabled by default.

7. Liability

Each party's liability under this DPA is subject to the limitations of liability set out in the Terms of Service.

8. Termination and return of data

On termination, Controller may export all Personal Data via the in-product export tools (PDF, XLSX, ZIP). Processor will delete Controller's Personal Data within 30 days of termination unless retention is required by law.

9. Governing law

This DPA is governed by the laws of England and Wales. Disputes are subject to the exclusive jurisdiction of the courts of England and Wales.

Contact for DPA-related queries: support@answervault.co.uk

Crocker Digital Ltd Company No. 17008789 Registered office: [to be added]