Data Processing Agreement

Effective Date: The date you accept the Terms of Service

This Data Processing Agreement (“DPA”) is incorporated into and forms part of the Cloud Service Agreement (“Agreement”) between Coin-Op Technologies ltd, Company Number 15845409, whose registered office is at 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ (“Provider”, “we”, “us”, or “our”) and you (“Customer”, “you”, or “your”).

1. Definitions and Interpretation

1.1 Definitions

In this DPA, the following terms shall have the meanings set out below:

  • “Applicable Data Protection Laws” means (i) UK GDPR and the Data Protection Act 2018; (ii) where Customer is established in the EEA or where EU law otherwise applies, Regulation (EU) 2016/679 (EU GDPR); and (iii) any other applicable data protection and privacy laws and regulations in force from time to time.

  • “Controller”, “Processor”, “Data Subject”, “Personal Data”, “Personal Data Breach”, and “Processing” shall have the meanings given in UK GDPR and, where applicable, EU GDPR.

  • “Customer Personal Data” means any Personal Data that Customer uploads, submits, or provides to Provider through the Services, including but not limited to policy documents, security questionnaires, and business contact information.

  • “International Organisation” means an organisation and its subordinate bodies governed by public international law or any other body which is set up by, or on the basis of, an agreement between two or more countries.

  • “Restricted Transfer” means (i) a transfer of Personal Data from the United Kingdom to a country outside the UK which is not subject to an adequacy decision under UK GDPR; or (ii) where EU GDPR applies, a transfer from the EEA to a country not subject to an adequacy decision under EU GDPR.

  • “Security Incident” means a Personal Data Breach or any other incident that results in the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Customer Personal Data.

  • “Services” means the ResponseHub platform and related services as described in the Agreement.

  • “Subprocessor” means any third party appointed by Provider to Process Customer Personal Data on behalf of Customer.

1.2 Interpretation

References to any statute or statutory provision shall include any subordinate legislation made under it and shall be construed as references to such statute, provision, or legislation as modified, amended, extended, consolidated, re-enacted, or replaced from time to time.

2. Data Protection Contact

2.1 Provider’s Data Protection Contact

For all data protection matters, including data subject requests, objections to Subprocessors, compliance questions, or other inquiries related to this DPA, Customer should contact Provider at:

  • Email: hello@responsehub.ai
  • Address: Coin-Op Technologies ltd, 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ

2.2 Customer’s Responsibility

Customer shall maintain current contact information in their account for receipt of data protection notices and communications.

3. Processing of Customer Personal Data

3.1 Relationship of the Parties

Provider shall Process Customer Personal Data only as a Processor acting on behalf of Customer as Controller and only in accordance with Customer’s documented instructions.

3.2 Provider’s Processing Instructions

Customer instructs Provider to Process Customer Personal Data:

  • To provide, maintain, and improve the Services as described in the Agreement
  • As further specified through Customer’s use of the Services
  • To comply with Customer’s reasonable written instructions where such instructions are consistent with the Agreement
  • As required by applicable law (in which case Provider shall inform Customer of that legal requirement before Processing, unless prohibited from doing so)

3.3 Processing Details

The details of Processing are set out in Schedule 1 to this DPA.

3.4 Customer Obligations

Customer shall:

  • Ensure it has all necessary lawful bases and appropriate safeguards for the Processing of Personal Data
  • Ensure the accuracy of all Customer Personal Data provided to Provider
  • Provide all necessary privacy notices and obtain all necessary consents
  • Not upload or process Special Category Data (as defined in Article 9 of UK GDPR/EU GDPR) through the Services

3.5 Logs and Diagnostic Data

Customer acknowledges that Provider processes pseudonymised diagnostic and operational data, including IP addresses, user activity logs, and system telemetry data, for the purposes of:

  • Maintaining service security and performance
  • Troubleshooting technical issues
  • Monitoring for abuse or violations of the Agreement
  • Generating aggregated analytics and service improvements

3.6 Anonymised and Aggregated Data

Provider may create and use anonymised and aggregated data derived from Customer Personal Data for the purposes of improving the Services, developing new features, and generating industry insights, provided that such data cannot be used to identify Customer or any Data Subject.

4. Provider Personnel and Confidentiality

4.1 Confidentiality

Provider shall ensure that all personnel authorised to Process Customer Personal Data:

  • Are subject to appropriate obligations of confidentiality
  • Process Customer Personal Data only in accordance with this DPA
  • Receive appropriate training on data protection and security

4.2 Access Controls

Provider shall implement appropriate access controls to ensure Customer Personal Data is accessible only to those personnel who require access to perform their duties.

5. Subprocessors

5.1 Authorised Subprocessors

Customer generally authorises Provider to engage the following Subprocessors:

For the ResponseHub Platform:

Subprocessor (Location): Processing Activities

  • DigitalOcean LLC (Netherlands, AMS3 region): Cloud hosting and infrastructure
  • Amazon Web Services, Inc. (EU regions): AI/ML processing (Bedrock), object storage (S3), transactional email delivery (SES)
  • Mistral AI (France): AI/ML processing services
  • Stripe, Inc. (UK/EU): Payment processing (where applicable)
  • AppSignal B.V. (Netherlands): Application performance monitoring

For the Free Policy Generator Tool Only:

Subprocessor (Location): Processing Activities

  • Make.com (United States): Workflow automation and integration services
  • Tally (Belgium): Form creation and data collection
  • Anthropic (United States): AI model provider for natural language processing
  • Piwik PRO (Germany): Website analytics and performance tracking

5.2 New Subprocessors

Provider may engage additional or replacement Subprocessors by:

  • Updating the list of Subprocessors on its website or in the Services documentation
  • Providing at least 10 days’ prior notice to Customer (via email or through the Services)
  • Giving Customer the opportunity to object to such changes

5.3 Customer Objection Rights

If Customer reasonably objects to a new Subprocessor on data protection grounds within 10 days of notice:

  • The parties shall discuss the objection in good faith
  • If the objection cannot be resolved, Customer may terminate the affected Services as its sole remedy

5.4 Subprocessor Agreements

Provider shall:

  • Enter into written agreements with all Subprocessors containing data protection obligations no less protective than those in this DPA
  • Remain fully liable for any acts or omissions of Subprocessors in relation to the Processing of Customer Personal Data

6. Security Measures

6.1 Technical and Organisational Measures

Provider shall implement and maintain appropriate technical and organisational measures to protect Customer Personal Data against Security Incidents, including:

  • Encryption of data in transit using TLS 1.2 or higher
  • Encryption of data at rest
  • Regular security updates and patch management
  • Access controls and authentication mechanisms
  • Regular backups and disaster recovery procedures
  • Network security and firewall protection
  • Security incident detection and response procedures

6.2 Security Policy

Provider shall maintain a written security policy describing its security measures, which shall be made available at [URL to be provided] or upon reasonable request.

6.3 Security Updates

Provider may update its security measures from time to time provided that such updates do not materially decrease the overall level of security provided.

7. Security Incidents

7.1 Incident Notification

Provider shall:

  • Notify Customer without undue delay and in any event within 72 hours of becoming aware of a Security Incident
  • Provide notification via email to Customer’s registered email address
  • Include reasonable details about the nature and scope of the incident

7.2 Incident Response

Following a Security Incident, Provider shall:

  • Promptly investigate the incident
  • Take reasonable steps to mitigate any harmful effects
  • Cooperate with Customer in any investigation
  • Document the incident and actions taken

7.3 No Admission of Liability

Provider’s notification of or response to a Security Incident shall not be construed as an acknowledgment of fault or liability.

8. Data Subject Rights

8.1 Assistance with Requests

Provider shall provide reasonable assistance to Customer in responding to requests from Data Subjects exercising their rights under Applicable Data Protection Laws, including rights of access, rectification, erasure, restriction, portability, and objection.

8.2 Provider’s Response to Requests

If Provider receives any request from a Data Subject regarding Customer Personal Data:

  • Provider shall not respond directly to the Data Subject
  • Provider shall promptly notify Customer of the request
  • Provider shall follow Customer’s reasonable instructions regarding such requests

9. International Data Transfers

9.1 Transfers Within the UK and EEA

Customer acknowledges and agrees that Provider may transfer Customer Personal Data between the UK and EEA as necessary to provide the Services, with primary storage in the Netherlands.

9.2 Restricted Transfers

Where Provider transfers Customer Personal Data outside the UK or EEA:

  • Provider shall ensure appropriate safeguards are in place as required by UK GDPR and, where applicable, EU GDPR
  • Such safeguards may include the UK International Data Transfer Agreement (UK IDTA), UK Addendum to the EU Standard Contractual Clauses, or EU Standard Contractual Clauses as appropriate
  • Customer hereby provides general authorisation for such transfers subject to appropriate safeguards

9.3 Transfer Mechanisms

For any Restricted Transfers, Provider shall rely on one of the following transfer mechanisms:

  • An adequacy decision by the UK Secretary of State or European Commission (as applicable)
  • UK IDTA, UK Addendum, or EU Standard Contractual Clauses incorporated by reference into this DPA
  • Another valid transfer mechanism under UK GDPR or EU GDPR (as applicable)

10. Data Retention and Deletion

10.1 Retention During Agreement

Provider shall retain Customer Personal Data only for as long as necessary to provide the Services and comply with its legal obligations.

10.2 Data Export and Deletion During Agreement

  • Deletion: Customer may delete Customer Personal Data at any time through the Services’ interface
  • Export: Customer may request export of Customer Personal Data by contacting support@responsehub.ai
  • Format: Exports will be provided in commonly used machine-readable formats (e.g., JSON, CSV)

10.3 Deletion Upon Termination

Upon termination of the Agreement:

  • Customer may request data export within 30 days by contacting support@responsehub.ai
  • Provider shall delete all Customer Personal Data within 60 days after termination
  • Backup copies will be deleted in accordance with Provider’s standard backup rotation schedule, not exceeding 90 days

10.4 Exceptions to Deletion

Provider may retain Customer Personal Data where:

  • Required by applicable law or legal proceedings
  • Necessary for the establishment, exercise, or defence of legal claims
  • The data has been anonymised and cannot be attributed to Customer or any Data Subject

11. Audit and Compliance

11.1 Compliance Information

Provider shall make available to Customer all information reasonably necessary to demonstrate compliance with this DPA, which may be satisfied by providing:

  • Relevant security certifications or audit reports (when available)
  • Responses to reasonable written questionnaires
  • Documentation of security measures and policies

11.2 Audit Rights

For Enterprise Customers with executed Order Forms only:

  • Customer may request audit information once per year
  • Audits shall be limited to review of documentation, certifications, and written responses
  • On-site audits may be conducted only if specifically required by a competent data protection authority
  • Customer bears all costs of any audit
  • All audit activities must be conducted under a non-disclosure agreement

For Self-Service Customers:

  • Audit rights are limited to receipt of Provider’s standard security documentation and certifications when available

11.3 Records

Provider shall maintain appropriate records of its Processing activities as required by Applicable Data Protection Laws.

12. Assistance with Compliance

12.1 Data Protection Impact Assessments

Provider shall provide reasonable assistance to Customer in conducting data protection impact assessments where required by Applicable Data Protection Laws, taking into account the nature of Processing and information available to Provider.

12.2 Regulatory Inquiries

Provider shall reasonably cooperate with Customer in responding to inquiries or investigations by data protection authorities relating to the Processing of Customer Personal Data.

13. Liability

13.1 Liability Cap

Each party’s liability under this DPA shall be subject to the limitations of liability set out in Section 10 of the Agreement.

13.2 Excluded Claims

The limitations in Section 13.1 shall not apply to breaches of Sections 3.1 (Relationship of Parties), 5 (Subprocessors), or 9 (International Data Transfers) of this DPA.

14. Californian Privacy Rights

14.1 CCPA Compliance

To the extent the California Consumer Privacy Act (CCPA) or California Privacy Rights Act (CPRA) applies:

  • Provider shall Process Customer Personal Data only as a “Service Provider” as defined in the CCPA/CPRA
  • Provider shall not sell or share Customer Personal Data
  • Provider shall not retain, use, or disclose Customer Personal Data except as necessary to provide the Services or as permitted by applicable law
  • Provider certifies that it understands and will comply with these restrictions

15. General Provisions

15.1 Relationship to Agreement

This DPA supplements and forms part of the Agreement. In case of conflict between this DPA and the Agreement regarding the Processing of Customer Personal Data, this DPA shall prevail.

15.2 Duration

This DPA shall commence on the Effective Date and continue for the duration of the Agreement.

15.3 Survival

The obligations in this DPA shall survive termination of the Agreement to the extent necessary to protect Customer Personal Data remaining in Provider’s possession.

15.4 Governing Law and Jurisdiction

This DPA shall be governed by the laws of England and Wales, and the parties submit to the exclusive jurisdiction of the courts of England and Wales.

15.5 Amendments

  • For self-service customers: Provider may update this DPA by posting a revised version on its website, with continued use constituting acceptance
  • For enterprise customers with Order Forms: Amendments require mutual written agreement

15.6 Severability

If any provision of this DPA is held invalid or unenforceable, the remaining provisions shall continue in full force and effect.

15.7 No Third-Party Rights

Nothing in this DPA creates any rights for third parties under the Contracts (Rights of Third Parties) Act 1999.


Schedule 1: Processing Details

1. Categories of Data Subjects

  • Customer’s employees, staff members, and other authorised users
  • Customer’s clients, vendors, or business partners (to the extent their information appears in uploaded documents)
  • Individuals referenced in security questionnaires or policy documents
  • Prospective customers or users during trial periods

2. Categories of Personal Data

Account and Authentication Data:

  • Names and usernames
  • Business email addresses
  • Password hashes and authentication tokens
  • Account preferences and settings

Contact Information:

  • Business phone numbers
  • Job titles and departments
  • Company names and addresses

System and Activity Data:

  • IP addresses and device identifiers
  • Browser type and operating system
  • Login times and session duration
  • Feature usage and interaction data

Content Data:

  • Information contained within uploaded policy documents
  • Data within security questionnaires and responses
  • Notes, comments, and annotations added by users

Billing Data (where applicable):

  • Billing contact details
  • Payment method information (processed via Stripe)
  • Invoice history and subscription details

3. Special Category Data

No special category data should be processed. Customer warrants that it will not upload special category data to the Services.

4. Nature of Processing Operations

  • Collection and ingestion of documents and questionnaires
  • Storage and hosting of Customer Personal Data
  • AI-powered analysis and processing for response generation
  • Indexing and searching of document content
  • Transmission to authorised Subprocessors
  • Backup and disaster recovery operations
  • Deletion upon Customer instruction or Agreement termination

5. Purpose of Processing

  • Providing the ResponseHub platform services
  • Automating responses to security questionnaires based on Customer’s policies
  • Maintaining and improving service functionality
  • Providing customer support (without accessing Customer Personal Data)
  • Ensuring platform security and preventing abuse
  • Complying with legal obligations

6. Duration of Processing

  • Active Processing: Throughout the term of the Agreement
  • Post-termination: Up to 60 days for primary data deletion, up to 90 days for backup deletion
  • Legal Retention: As required by applicable law

7. Data Locations and Transfers

  • Primary Storage: Netherlands (DigitalOcean AMS3 region)
  • Processing Locations: UK, EEA (primarily Netherlands and France)
  • Transfers: Between UK and EEA for service provision; outside UK/EEA only with appropriate safeguards

8. Transfer Mechanisms for Restricted Transfers

Where applicable:

  • UK International Data Transfer Agreement (UK IDTA)
  • UK Addendum to EU Standard Contractual Clauses
  • EU Standard Contractual Clauses (for EU GDPR transfers)
  • Adequacy decisions where available

BY ACCEPTING THE TERMS OF SERVICE, YOU ACKNOWLEDGE THAT YOU HAVE READ, UNDERSTOOD, AND AGREE TO BE BOUND BY THIS DATA PROCESSING AGREEMENT.


Version: 1.0
Last Updated: 26 August 2025
Effective Date: 26 August 2025