Data Processing Agreement

Last updated: 7 May 2026

This Data Processing Agreement explains how Crocker Digital Ltd processes Customer Personal Data on behalf of business customers using AnswerVault.

This Data Processing Agreement ("DPA") is entered into between:

(1) Crocker Digital Ltd, a company incorporated in England and Wales with company number 17008789, registered office at 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ ("Processor", also "AnswerVault", "we"); and

(2) the legal entity identified in the Customer's AnswerVault account, acting as controller of the personal data it uploads or causes to be processed through the service ("Controller", "Customer", "you").

This DPA forms part of and is incorporated into the AnswerVault Terms of Service at https://answervault.co.uk/legal/terms-of-service/ (the "Agreement"). In the event of conflict between this DPA and the Agreement in relation to the processing of Customer Personal Data, this DPA prevails.

This DPA is offered to any business Customer — typically an SME responding to ESG questionnaires from buyers, investors, or regulators — that processes personal data through the service. It takes effect automatically: this DPA is incorporated into the Agreement as a matter of contract when the Customer creates an account, and applies whenever the Customer uploads or causes to be processed personal data relating to people who are not users of the service (for example, employees named in diversity metrics, supplier contacts, board members, modern-slavery-statement signatories, or correspondents named in uploaded evidence). The Customer does not need to sign or tick a box separately for this DPA to apply — automatic incorporation into the Agreement is how we meet UK GDPR Article 28 for every business Customer. A printable copy is available at /legal/dpa/.


1. Interpretation

1.1 In this DPA, the following expressions have the meanings set out below. Terms not defined here have the meaning given in the Agreement, and capitalised terms not defined in either have the meaning given in UK Data Protection Law.

"Affiliate" — any entity controlling, controlled by, or under common control with a party.

"Applicable Data Protection Law" or "UK Data Protection Law" — the UK General Data Protection Regulation (as retained and amended by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019), the Data Protection Act 2018, the Privacy and Electronic Communications (EC Directive) Regulations 2003, and any successor legislation, together with any guidance or code of practice issued by the Information Commissioner.

"Customer Personal Data" — personal data provided by or on behalf of the Customer to the Processor for processing under the Agreement, namely the ESG and operational content the Customer uploads or causes to be processed: ESG facts, evidence documents, questionnaire responses, supplier contact details, employee diversity metrics, board-composition data, and any personal data appearing in correspondence or evidence the Customer submits. For clarity, Customer Personal Data does not include (a) the account data of the Customer's own admin and team users (names, email addresses, organisation, hashed passwords, role assignments, billing contact details, and feedback or cancellation comments submitted via in-product flows) or (b) audit-log entries the service generates in the course of operating the account; both are processed by the Processor as an independent Controller as described in clause 3.2 and the Privacy Policy.

"Data Subject", "Personal Data", "Personal Data Breach", "Processing", "Controller", "Processor", and "Special Category Data" — as defined in UK Data Protection Law.

"Restricted Transfer" — a transfer of Personal Data from the UK to a country which is not the subject of UK adequacy regulations.

"Schedule 1" — the processing description set out at the end of this DPA.

"Schedule 2" — the technical and organisational measures set out at the end of this DPA.

"Schedule 3" — the list of approved sub-processors referred to in clause 5.

"UK Transfer Mechanism" means, as applicable, UK adequacy regulations, the UK International Data Transfer Agreement, the UK Addendum to the EU Standard Contractual Clauses, the UK Extension to the EU-US Data Privacy Framework, or any replacement mechanism recognised under UK Data Protection Law.

1.2 In this DPA, references to "writing" include email.

2. Subject matter, nature, purpose, duration

2.1 The Processor processes Customer Personal Data only to provide the AnswerVault service in accordance with the Agreement and this DPA, and only on the Customer's documented instructions.

2.2 The full description of processing — subject matter, duration, nature, purpose, categories of Data Subjects, and types of Personal Data — is set out in Schedule 1.

2.3 This DPA takes effect on the day the Customer first uses the service and continues until the later of (a) termination of the Agreement, and (b) the Processor completing the deletion or return of Customer Personal Data in accordance with clause 9.

3. Roles of the parties

3.1 In respect of Customer Personal Data uploaded or caused to be processed by the Customer (as defined in clause 1.1), the Customer is the Controller and the Processor is the Processor. This captures, for example, employee names appearing in diversity metrics or training records, supplier individual contact details, board-member biographical information, founder or director names in governance disclosures, and personal data appearing incidentally in uploaded modern-slavery statements, SECR submissions, or buyer-questionnaire responses (such as EcoVadis-style or supplier-sustainability assessments). For the avoidance of doubt, the account data of the Customer's own users and the audit-log entries generated by the service are not Customer Personal Data and are processed by AnswerVault as an independent Controller per clause 3.2.

3.2 In respect of the account data of the Customer's own users (names, email addresses, organisation, hashed passwords, role assignments, audit-log entries, billing contact details, and feedback or cancellation comments submitted via in-product flows), the Processor is an independent Controller. Processing of that data is described in the Processor's Privacy Policy at https://answervault.co.uk/legal/privacy-policy/.

3.3 Nothing in this DPA creates a joint-controllership arrangement under Article 26 of the UK GDPR in respect of Customer Personal Data.

3.4 Controller rights and obligations. The Customer is responsible for determining the purposes and lawful basis of the processing of Customer Personal Data, providing any required privacy notices, ensuring it has authority to upload or instruct processing of the data, maintaining the accuracy of Customer Personal Data, and complying with the content restrictions in the Acceptable Use Policy. The Customer's rights under this DPA include the right to give documented instructions, receive reasonable compliance information, object to new sub-processors, request assistance with data-subject rights and DPIAs, and choose return or deletion of Customer Personal Data on termination.

4. Processor obligations (UK GDPR Article 28(3))

The Processor shall:

4.1 Instructions. Process Customer Personal Data only on the documented instructions of the Customer, including with regard to Restricted Transfers. The Customer's instructions are those contained in (a) the Agreement, (b) this DPA, (c) the configuration options the Customer sets in-product, and (d) any further written instruction notified to support@answervault.co.uk. If the Processor considers that an instruction would infringe Applicable Data Protection Law, it shall notify the Customer without undue delay. If the Processor is required by applicable law to process Customer Personal Data other than on the Customer's instructions, the Processor shall inform the Customer of that legal requirement before processing, unless the law prohibits such notice.

4.2 Confidentiality. Ensure that persons authorised to process Customer Personal Data have committed themselves to confidentiality or are under an appropriate statutory duty of confidentiality.

4.3 Security (Article 32). Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. The measures in force at the date of this DPA are set out in Schedule 2. The Processor may update Schedule 2 from time to time provided the level of protection is not materially diminished.

4.4 Sub-processors. Engage sub-processors only in accordance with clause 5.

4.5 Data-subject rights assistance (Articles 12–23). Taking into account the nature of the processing, assist the Customer by appropriate technical and organisational measures, insofar as possible, to respond to requests from Data Subjects exercising their rights. In particular:

  • The service provides a Customer-operated export of account + ESG content (PDF, XLSX, ZIP) accessible from account settings, a delete-account flow that initiates the 30-day soft-delete recovery window described in the Data Retention Policy, and in-product correction of profile fields and uploaded fact entries.
  • For Data Subject requests that cannot be fulfilled through the self-serve tooling (e.g. requests made by employees, suppliers, board members, or other individuals named in uploaded ESG content rather than by the Customer's own account holders), the Customer is responsible for responding to the Data Subject. The Processor will supply reasonably-necessary data or information on request to enable that response.

4.6 Article 32–36 assistance. Assist the Customer, taking into account the nature of the processing and the information available to the Processor, in ensuring compliance with the Customer's obligations under Articles 32 to 36 of the UK GDPR (security, breach notification, data protection impact assessments, prior consultation).

4.7 Return or deletion (clause 9). At the end of the provision of services, return or delete Customer Personal Data in accordance with clause 9.

4.8 Audit information (clause 10). Make available to the Customer all information necessary to demonstrate compliance with this clause 4, and allow for and contribute to audits in accordance with clause 10.

4.9 Records. Maintain records of all categories of processing activities carried out on behalf of the Customer as required by Article 30(2) of the UK GDPR.

5. Sub-processors

5.1 The Customer grants the Processor a general authorisation to engage the sub-processors listed in Schedule 3 (and those currently listed at https://answervault.co.uk/legal/subprocessors/, which forms part of Schedule 3 by reference), for the purposes set out against each entry.

5.2 The Processor shall:

(a) impose on each sub-processor, by written contract, data-protection obligations substantially equivalent to those imposed on the Processor under this DPA;

(b) remain liable to the Customer for the performance of each sub-processor's obligations;

(c) give at least 30 days' prior notice of the addition or replacement of a sub-processor, by email to the Customer's registered billing contact and by updating the public sub-processor list.

5.3 If the Customer has a reasonable, data-protection-based objection to a new sub-processor, it shall notify the Processor within 14 days of the notice. The parties shall work in good faith to resolve the objection. If no resolution is agreed within a further 30 days, the Customer may terminate the Agreement without penalty and the Processor shall refund any pre-paid but unused portion of the subscription.

6. International transfers

6.1 The Processor shall not transfer Customer Personal Data to a country outside the UK unless one of the following applies:

(a) the country is the subject of UK adequacy regulations;

(b) the transfer is governed by a UK Transfer Mechanism;

(c) another transfer mechanism permitted by Applicable Data Protection Law is in place.

6.2 Where the Processor relies on a UK Transfer Mechanism for a Restricted Transfer to a sub-processor, the Processor is authorised by the Customer to enter into the relevant clauses on the Customer's behalf as exporter. The Customer acknowledges that the current Restricted Transfers supporting the service are set out in Schedule 3.

6.3 The Processor has completed a Transfer Risk Assessment for each Restricted Transfer it relies upon. A summary of those TRAs is available to the Customer on reasonable request.

7. Personal data breach

7.1 The Processor shall notify the Customer in writing without undue delay, and in any event within 48 hours, after becoming aware of a Personal Data Breach affecting Customer Personal Data.

7.2 The notification shall include, to the extent known at the time:

(a) the nature of the Personal Data Breach, including the categories and approximate number of Data Subjects and Personal Data records concerned;

(b) the likely consequences of the Personal Data Breach;

(c) the measures taken or proposed to be taken to address the Personal Data Breach and to mitigate its possible adverse effects;

(d) the name and contact details of the Processor's point of contact for further information.

7.3 The Processor shall cooperate with the Customer in investigating, mitigating, and remediating the Personal Data Breach, including providing reasonable assistance with any notification to the Information Commissioner (Article 33) and to affected Data Subjects (Article 34).

7.4 For the avoidance of doubt, notification of a Personal Data Breach is not an admission of fault or liability by the Processor.

8. Data subject requests

8.1 If the Processor receives a request directly from a Data Subject to exercise any right under UK Data Protection Law in respect of Customer Personal Data, the Processor shall, without undue delay, forward the request to the Customer and shall not respond to the Data Subject directly except (a) to confirm receipt and forward, or (b) as instructed by the Customer or required by law.

8.2 Where the request is made by a Data Subject whose personal data is processed by the Processor as Controller under clause 3.2 (e.g. the Customer's own account holder exercising rights in relation to their account record), the Processor shall handle the request directly as Controller.

9. Return and deletion

9.1 On termination or expiry of the Agreement, the Processor shall, at the Customer's choice expressed in writing within 30 days of termination, delete or return to the Customer all Customer Personal Data, and delete existing copies, except to the extent that the Processor is required to retain a copy by applicable law (for example, billing records under the Companies Act and HMRC retention requirements).

9.2 If the Customer does not make a choice within the 30-day window, the Processor shall default to deletion in accordance with the Data Retention Policy at https://answervault.co.uk/legal/data-retention/. Account closure triggers a 30-day soft-delete recovery window during which the account and all associated data remain restorable on request to support@answervault.co.uk; after the recovery window expires the data is hard-deleted by the scheduled-maintenance sweep.

9.3 Deletion is deemed complete when the data is no longer accessible in the Processor's production environment and ordinary backup rotation has expired that copy. Backup retention follows the Processor's hosting sub-processor policy (Supabase point-in-time recovery, minimum 7 days on paid tiers); deleted data shall be no longer present in any backup no later than 90 days from the date of the deletion instruction (or the default date under 9.2).

9.4 The Processor may retain de-identified, aggregated, or anonymised data for product-analytics purposes where such data no longer constitutes Personal Data.

10. Audit

10.1 The Processor shall make available to the Customer, on reasonable request and not more than once per 12-month period, the following information in order to demonstrate compliance with this DPA:

(a) the Processor's current Technical and Organisational Measures (Schedule 2);

(b) the Processor's Records of Processing Activities to the extent relevant to the Customer;

(c) the most recent independent audit reports or security certifications held by the Processor or any of its sub-processors (for example, SOC 2 reports, ISO 27001 certifications — as held by Supabase, Stripe, and Netlify);

(d) a summary of any material Personal Data Breach affecting Customer Personal Data in the preceding 12 months.

10.2 If the information provided under 10.1 does not reasonably address the Customer's concern, the Customer may, on 30 days' written notice and at the Customer's cost, conduct an on-site audit of the Processor's facilities and processing operations relevant to this DPA. The Customer shall appoint an independent auditor who is not a competitor of the Processor, and the auditor shall enter into reasonable confidentiality undertakings.

10.3 The parties shall agree the audit scope, timing, and methodology in good faith. Audits shall be conducted during business hours and shall not unreasonably interfere with the Processor's operations.

10.4 Where an audit is unusually broad, repetitive, disruptive, or requires material support beyond the information provided under clause 10.1, the Processor may require the Customer to reimburse reasonable, pre-agreed costs.

11. Liability

11.1 The liability of each party arising from or in connection with this DPA is governed by the limitation of liability provisions of the Agreement. For the avoidance of doubt, the limitation-of-liability cap in the Agreement is a single cap that applies to the Agreement and this DPA together, and the Processor's total aggregate liability shall not exceed that cap.

11.2 Nothing in this DPA excludes or limits either party's liability for (a) death or personal injury caused by negligence, (b) fraud or fraudulent misrepresentation, or (c) any other liability that cannot be limited or excluded under applicable law.

11.3 As between the parties, the Customer shall remain responsible for ensuring that it has a lawful basis for the processing it instructs the Processor to carry out, including collecting any consents or providing any notices required of the Customer as Controller. The Customer shall indemnify the Processor against any claim, loss, or regulatory action arising from the Customer's failure to do so, except to the extent caused or materially contributed to by the Processor.

12. General

12.1 Order of precedence. This DPA prevails over any conflicting term of the Agreement in respect of processing of Customer Personal Data.

12.2 Variations. The Processor may amend this DPA on at least 30 days' notice to reflect changes in Applicable Data Protection Law or to the service. If the amendment materially reduces the Customer's protections, the Customer may terminate the Agreement for convenience on notice given within the 30-day window, and the Processor shall refund any pre-paid but unused subscription fees.

12.3 Governing law and jurisdiction. This DPA is governed by the laws of England and Wales. The parties submit to the exclusive jurisdiction of the courts of England and Wales.

12.4 Severability. If any provision of this DPA is held to be invalid or unenforceable, the remaining provisions continue in full force and effect.

12.5 Notices. Notices to the Processor shall be sent to support@answervault.co.uk and (for notices of a legal nature) copied to the Processor's registered office. Notices to the Customer shall be sent to the registered billing contact on the Customer's account.

12.6 Entire agreement. This DPA, together with the Agreement, constitutes the entire agreement between the parties in respect of processing of Customer Personal Data.


Schedule 1 — Processing description (UK GDPR Art 28(3))

Subject matter: Provision of the AnswerVault ESG-questionnaire-response and evidence-management service to the Customer.

Duration: From the date this DPA takes effect until the return or deletion of Customer Personal Data under clause 9.

Nature of processing: Storing, organising, retrieving, indexing, structuring, searching, exporting, transmitting, and erasing personal data; sending email notifications related to questionnaire workflows and account events.

Purpose: (a) storing and reusing ESG facts, evidence documents, and questionnaire response templates; (b) generating questionnaire responses and exports (PDF, XLSX, ZIP) for buyer, investor, and regulator submissions (for example, SECR submissions, modern-slavery statements, EcoVadis-style buyer questionnaires, and supplier-sustainability assessments); (c) tracking deadlines and audit-log activity; (d) enabling the Customer to share or export this information to its buyers, investors, regulators, or its own advisors.

Categories of Data Subjects: (a) the Customer's own employees and contractors named in diversity metrics, training records, or governance disclosures; (b) the Customer's suppliers and supplier-individual contacts named in supplier-sustainability questionnaires or modern-slavery due-diligence; (c) board members, founders, and directors named in governance, ownership, or modern-slavery statements; (d) any other natural persons named in correspondence or evidence the Customer uploads.

Types of Personal Data: Names, business contact details (email, telephone, postal address), job titles, organisation, employment metadata (e.g. team or department for diversity reporting), supplier-relationship metadata, board-composition information, signatory details on uploaded statements, and any personal data the Customer chooses to upload as questionnaire content or evidence documents.

Special Category Data (Article 9 UK GDPR): Special-category data is not actively solicited as identifiable inputs. Diversity metrics (ethnicity, disability, religion, sexual orientation, etc.) submitted as compliance evidence must be aggregated or de-identified at source unless the Customer has documented an Article 9 UK GDPR lawful basis AND, where the data concerns British employees, an applicable basis in DPA 2018 Schedule 1. Where special-category data appears incidentally in uploaded correspondence, the Customer must identify its lawful basis under Article 9. The Acceptable Use Policy mirrors this restriction.

Criminal-offence data (Article 10 UK GDPR): Article 10 UK GDPR data (criminal convictions, allegations of criminal conduct, related security-measure data) is governed by a separate regime from Article 9 and is not actively solicited. The Customer may not upload such data without documenting both an Article 10 lawful authority basis AND, where applicable, the relevant condition in DPA 2018 Schedule 1 Part 1 or Part 2. The Processor does not process criminal-offence data on behalf of Customers under any documented standing instruction. The Acceptable Use Policy mirrors this restriction.

Children's data: Not expected. AnswerVault is a business service and the categories of Data Subjects above are adults in their employment, supplier, or governance capacity. The Customer remains Controller and is responsible for the lawful basis if any data relating to a person under 18 nonetheless appears in uploaded content.

Frequency of processing: Continuous for the duration of the subscription.

Schedule 2 — Technical and organisational measures

The Processor implements, at minimum, the following measures as at the date of this DPA:

  1. Encryption in transit. HTTPS enforced on all public endpoints. HSTS preload. TLS 1.2 minimum.
  2. Encryption at rest. Postgres volumes encrypted at rest (AES-256) by the Supabase-managed infrastructure. Storage objects encrypted at rest by the same.
  3. Access control. Row-level security policies on every table that stores Customer Personal Data, scoped per Customer organisation. Client calls pass through the authenticated session; service-role calls are confined to the server runtime and never exposed to the browser. Role-based access for the Customer's team members (owner, admin, member, viewer).
  4. Authentication. Supabase Auth with email + password. Password reset requires a signed link. Session cookies are first-party. Mutating endpoints are CSRF-protected; storage downloads use signed URLs.
  5. Privilege protection. BEFORE-UPDATE triggers prevent privilege escalation on sensitive columns. HMAC-signed unsubscribe tokens. SHA-256 checksums on document exports for integrity verification.
  6. Personnel. The Processor's personnel with production access are bound by written confidentiality obligations. Access is granted on the principle of least privilege and reviewed quarterly.
  7. Sub-processor management. Sub-processors are selected and engaged in accordance with clause 5. Each material sub-processor holds its own SOC 2 Type II report or equivalent (Supabase, Stripe, Netlify, Sentry).
  8. Backups. Supabase's automated daily backups with point-in-time recovery (minimum 7 days on paid tiers). Backup media is encrypted.
  9. Audit log. An in-product audit log captures account-relevant events (sign-in, data export, deletion, role change, invitation). The audit-log table is append-only — a database trigger blocks UPDATE and DELETE so a compromised admin cannot rewrite history. Tier-based retention applies (Starter 90 days; Professional 1 year; Business 2 years), with scheduled hard-delete after expiry. PII is stripped from audit-log entries themselves; only identifiers and action metadata are retained.
  10. Vulnerability management. Dependencies are tracked; security patches applied within 30 days of vendor release for high-severity CVEs, or sooner if actively exploited. Error monitoring via Sentry (EU region selected) with request-body stripping and session-replay disabled by default.
  11. Rate limiting. Per-IP and per-user rate-limiting via Upstash Redis for abuse prevention; counters are short-TTL only and contain no account or questionnaire content.
  12. Bot protection. Cloudflare Turnstile on signup, login, and password-reset forms. Device fingerprint token + IP address remain Cloudflare-side only and do not flow back to AnswerVault for storage.
  13. Incident response. The Processor operates a written incident-response runbook and notifies affected Customers under clause 7. A post-incident review is conducted for every P0/P1 incident.
  14. Deletion. Account deletion follows the published Data Retention Policy — soft-delete for 30 days, then hard-delete by a scheduled sweep. Customer-triggered record-level soft-deletes follow the same 30-day cycle.
  15. Physical security. Delegated to the hosting sub-processors (Supabase, Netlify). The Processor does not operate its own data-centre.

Schedule 3 — Approved sub-processors

The current sub-processor list is maintained at https://answervault.co.uk/legal/subprocessors/, which is the single source of truth. The Processor's commitment to 30-day change notice is set out in clause 5.2(c).

As at the date of this DPA the sub-processors are:

Supabase
  Legal entity: Supabase Inc. (US) / Supabase Ltd (UK)
  Purpose: Database, authentication, file storage
  Region: UK (London) — eu-west-2
  Transfer mechanism: Supabase processes in the UK region for this account; no Restricted Transfer triggered in ordinary operation. SCCs held in the sub-processor DPA as a fallback for administrative metadata, including US management-plane access by Supabase Inc. (US).

Stripe
  Legal entity: Stripe Payments Europe, Limited (EU contracting entity — One Wilton Park, Wilton Place, Dublin 2, D02FX04, Ireland), with Stripe, Inc. and Stripe LLC (US) as importers for group support operations
  Purpose: Payments, subscription billing, Customer Portal
  Region: EU (Ireland) primary; US for group support operations
  Transfer mechanism: Adequacy (EU/UK) for the EU contracting entity; UK Extension to the EU-US Data Privacy Framework (UK Data Bridge) for US-importer transfers, with the UK Addendum to EU SCCs in the Stripe DPA as a fallback.

Resend
  Legal entity: Plus Five Five, Inc. (operating as Resend; US)
  Purpose: Transactional email (password resets, billing alerts, account notifications)
  Region: US
  Transfer mechanism: UK IDTA / UK Addendum to EU SCCs.

Netlify
  Legal entity: Netlify, Inc. (US)
  Purpose: Hosting, edge functions, scheduled crons
  Region: US with EU edge
  Transfer mechanism: UK IDTA / UK Addendum to EU SCCs.

Upstash
  Legal entity: Upstash, Inc. (US)
  Purpose: Rate-limiting cache (Redis) — IP-keyed and user-keyed request counters for abuse prevention. Short-TTL counters only; no account or ESG-content data.
  Region: EU (Ireland) primary, US fall-back
  Transfer mechanism: UK IDTA / UK Addendum to EU SCCs in the Upstash DPA, applied to US fall-back traffic only.

Cloudflare
  Legal entity: Cloudflare, Inc. (US)
  Purpose: Turnstile bot challenge on signup, login, and password-reset. Device fingerprint token + IP address (Cloudflare-side only).
  Region: Global edge
  Transfer mechanism: UK IDTA / UK Addendum to EU SCCs in the Cloudflare customer DPA.

GoatCounter
  Legal entity: Martin Tournoij (NL, sole trader)
  Purpose: Cookieless analytics — does not ordinarily process Customer Personal Data (aggregated only)
  Region: EU
  Transfer mechanism: Not a Restricted Transfer.

Sentry
  Legal entity: Functional Software, Inc. (US)
  Purpose: Error monitoring. Request bodies stripped before reporting; session replay disabled.
  Region: EU (de.sentry.io)
  Transfer mechanism: EU region selected; SCCs held as fallback.

Microsoft 365
  Legal entity: Microsoft Ireland Operations Limited
  Purpose: Support mailbox + DSR-instruction inbox processing (support@answervault.co.uk)
  Region: Ireland (EU)
  Transfer mechanism: Adequacy (EU/UK); Microsoft's Online Services DPA.

AI / LLM providers. As at the Last Updated date, AnswerVault does not send Customer Personal Data to any third-party AI model provider. If this changes, the relevant provider will be added to the sub-processor list before use in accordance with clause 5.


If your procurement process requires a bilateral signed copy, contact us at support@answervault.co.uk.

This DPA is incorporated into the Agreement automatically and applies to every business Customer without a separate acceptance step. The Customer is deemed to have accepted this DPA by (a) creating an AnswerVault account (the Agreement at https://answervault.co.uk/legal/terms-of-service/ incorporates this DPA by reference), or (b) continuing to use the AnswerVault service after the "Last updated" date shown at the top of this DPA.

Crocker Digital Ltd — Company No. 17008789 — registered in England and Wales — ICO registration ZC128626.