Data Processing Agreement

Last updated: May 2026 (v1.1)

This Data Processing Agreement (“DPA”) forms part of your agreement with Rowpa and governs how we process personal data on your behalf under Article 28 of the UK GDPR and, where applicable, the EU GDPR. By using Rowpa, you agree to the terms of this DPA.

1. Definitions

In this DPA:

Controller: you, the organisation using Rowpa.
Processor: TeZe Ltd (company number 17137231), operating Rowpa.
Services: the Rowpa platform, including AI-powered ROPA generation, compliance analysis, and vendor enrichment.
Sub-processor: third-party services that process personal data on our behalf, currently Supabase, Vercel, Anthropic, Resend, and Stripe.
Personal Data: any information relating to an identified or identifiable natural person.
Customer Personal Data: Personal Data that we process on your behalf in connection with the Services.
Applicable Data Protection Law: the UK GDPR, the Data Protection Act 2018 (including amendments under the Data (Use and Access) Act 2025), the EU GDPR where it applies to you, and any related law.
UK IDTA: the UK International Data Transfer Agreement.
EU SCCs: the EU Standard Contractual Clauses approved by Commission Decision (EU) 2021/914.

2. Scope of Processing

As your Processor, we process the following categories of Customer Personal Data on your behalf:

Data Category	Purpose	Data Subjects	Lawful Basis	Retention
Business profile	Service delivery and account management	Your employees and representatives	Contract (Rowpa Terms of Service)	Duration of agreement plus 30 days
Account data	Authentication and access control	Your users	Contract	Duration of agreement plus 30 days
ROPA content	Generating Records of Processing Activity	Your employees, customers, vendors, and service providers	Legitimate interest (GDPR compliance)	Duration of agreement plus 30 days
DSR metadata	Tracking Data Subject Requests	Your data subjects	Legal obligation (UK GDPR Articles 15-22)	Duration of agreement plus 30 days

You decide what data to input into Rowpa. We only process data you choose to upload or enter. We do not collect Customer Personal Data from external sources on your behalf.

You will not provide special category data or criminal-offence data through the Services unless we have agreed in writing that you may, and have recorded that fact in our records.

3. Processor Obligations

As your Processor, we commit to the following:

Documented instructions: we process Customer Personal Data only on your documented instructions. The Services Agreement, your in-product configuration, and the normal operation of Rowpa together constitute documented instructions. We will inform you immediately if we believe an instruction infringes the Applicable Data Protection Law.
Confidentiality: we ensure all personnel with access to Customer Personal Data are bound by confidentiality obligations and receive regular data protection training.
Security: we implement appropriate technical and organisational measures (see Section 4).
Assistance with rights: we assist you in responding to data subject requests (access, rectification, erasure, portability, objection) within 5 business days of a documented request.
Assistance with compliance: we provide information and evidence necessary for you to meet your obligations under Articles 32 to 36 of the UK GDPR (security, breach notification, DPIA, prior consultation).
Sub-processor authorisation: we engage Sub-processors only in line with Section 5.
Data subject communication: we do not respond to your data subjects directly regarding their rights. We forward any direct request to you and act under your instructions.
Deletion or return: upon termination, we delete or return Customer Personal Data (your choice) within 30 days. See Section 9.
Audit rights: we permit you to audit our processing activities as set out in Section 8.
Article 30 records: we maintain records of our processor activities under UK GDPR Article 30(2) and will make them available to you or to a regulator on reasonable request.

3.1 No use of Customer Personal Data for our own purposes

We will not process Customer Personal Data for our own purposes, including without limitation: developing or improving our products (except as strictly necessary to provide the Services to you), marketing, profiling, analytics beyond your instructed use, or onward sale, licensing, or transfer to any third party other than authorised Sub-processors.

3.2 No AI training on Customer Personal Data

We will not, and we will procure that our Sub-processors do not, use Customer Personal Data to train, fine-tune, or otherwise improve any artificial intelligence, machine learning, or generative model. Rowpa's AI features (delivered via the Anthropic API) process your inputs solely to produce the output you have requested, are configured for zero retention by Anthropic under their API terms, and are not retained by Anthropic for any other purpose.

3.3 No joint controllership

Nothing in this DPA or the Rowpa Terms of Service creates a joint controller relationship under Article 26 of the UK GDPR or EU GDPR. If a proposed change to your use of the Services would, in our reasonable view, create joint controllership, we will discuss it with you in good faith before implementing it.

3.4 Insurance

We maintain professional indemnity insurance and cyber liability insurance at levels appropriate to the nature and scale of the Services. We will, on reasonable written request, provide a redacted certificate or summary evidencing such cover.

4. Security Measures

We implement technical and organisational measures appropriate to the risk, designed to ensure a level of security in line with Article 32 of the UK GDPR. For our current security posture in detail, please visit our Security page.

Key measures include:

Encryption of data in transit (TLS 1.2 or higher) and at rest (AES-256).
Row-level security in the application database; tenant isolation enforced at the database layer.
Role-based access controls (RBAC) and least-privilege access for our personnel.
Multi-factor authentication enforced on every administrative system.
Regular review of access, sub-processors, and security configuration.
Documented Information Security Management System: information security, acceptable use, access control, data retention, incident response, risk register. Reviewed at least annually.
ICO registration ZC134108. Cyber Essentials certification in progress (May 2026).
Personnel training on data protection on joining and at least annually.
Incident response procedure with 48-hour breach notification to you.

5. Sub-processors

You authorise us to engage the following Sub-processors to deliver Rowpa:

Supabase Inc. (Frankfurt, EU) - database and authentication
Vercel Inc. (global edge, EU primary) - application hosting
Anthropic PBC (United States) - AI inference for ROPA generation, configured for zero retention
Resend Inc. (United States) - transactional email
Stripe Payments UK Ltd / Stripe Inc. (UK / EU / United States) - payment processing

The complete current Sub-processor list, with locations, purposes, and transfer mechanisms, is maintained at our Sub-processors page and is incorporated into this DPA by reference.

Before adding or replacing a Sub-processor, we will notify you at least 30 days in advance. You may object on reasonable grounds related to the protection of Personal Data; if we cannot resolve the objection within 30 days, you may terminate the affected Services without penalty for early termination.

We impose data protection obligations on each Sub-processor that are no less protective than those in this DPA. We remain fully liable to you for each Sub-processor's performance.

6. International Data Transfers

We process Customer Personal Data within the UK and EEA wherever possible. Our database (Supabase) sits in Frankfurt, EU. Limited transfers to Sub-processors outside the UK and EEA are listed in Section 5 and protected as follows.

UK Adequacy. Transfers to UK Sub-processors benefit from the UK GDPR domestic regime.

EU Adequacy. Where EU GDPR applies, transfers within the EEA benefit from the GDPR's free-flow principle. Transfers to the UK benefit from the EU adequacy decision for the UK (June 2021).

UK IDTA / EU SCCs. Transfers to the United States (Anthropic, Resend, parts of Stripe) are protected by the UK IDTA where the UK GDPR applies, and the EU SCCs Module 2 (controller-to-processor) with the UK Addendum where the EU GDPR also applies. The UK IDTA and EU SCCs are incorporated into this DPA by reference and the corresponding details (data exporter, data importer, categories of data, security measures) are populated from this DPA and the Sub-processors page.

Transfer Impact Assessment. We have conducted, and maintain, a Transfer Impact Assessment for each transfer of Customer Personal Data to a Sub-processor outside the UK or EEA, in line with Schrems II and ICO / EDPB guidance. The assessment considers the laws and practices of the destination country (particularly relating to public-authority access) and the supplementary measures we apply to ensure essentially equivalent protection. We will share the relevant assessment in summary form on reasonable written request.

Honest acknowledgement. You acknowledge that transfers to the United States carry residual legal risk due to US surveillance laws (FISA s.702, EO 12333). If you require strict EU-or-UK-only processing without any US Sub-processor, please contact compliance@rowpa.app. We will work with you to find a viable configuration; some Services rely on US-hosted infrastructure and may not be available on an EU-only basis.

7. Breach Notification

If we become aware of a personal data breach affecting Customer Personal Data, we will notify you without undue delay, and in any event within 48 hours of becoming aware. Our notification will include, to the extent then known:

The nature and scope of the breach, including categories and approximate number of affected data subjects and records.
The likely consequences for affected data subjects.
The measures taken or proposed to address the breach and mitigate its effects.
The name and contact details of our data protection point of contact (compliance@rowpa.app).

We will provide further information as it becomes available. You remain responsible for notifying your own data subjects and supervisory authorities where the Applicable Data Protection Law requires.

We will not publicly disclose, including to press, any breach affecting your Customer Personal Data without your prior written consent, except where required by law or by a supervisory authority.

8. Audit and information rights

On reasonable prior written notice (and no more than once in any 12-month period unless you have reasonable grounds to suspect non-compliance), we will:

Make available the information reasonably necessary to demonstrate compliance with this DPA, including any then-current certifications, our security summary, and the most recent assessment or audit report.
Allow for and contribute to audits or inspections conducted by you or an auditor mandated by you, subject to reasonable confidentiality obligations.

Audits must take place during normal business hours, with reasonable advance notice, and in a manner that does not unreasonably disrupt our operations or the security of other customers' data. You bear our reasonable costs for any audit beyond a once-yearly desktop review.

9. Term, deletion and return

Duration. This DPA applies for the duration of the Rowpa Terms of Service.

On termination. Within 30 days of termination, we will at your choice:

Delete all Customer Personal Data from live systems, with backup copies purged within a further 90 days in line with backup rotation; or
Return Customer Personal Data in a structured, commonly-used, machine-readable format and then delete all copies.

You may request deletion or export at any time during the term; we will comply within 5 business days, except where retention is required by law.

On request, we will provide written confirmation of deletion.

10. Acceptance, updates and conflict

Acceptance. This DPA is incorporated by reference into the Rowpa Terms of Service. By accepting the Terms of Service or by using Rowpa, you accept this DPA. For a separately signed copy, contact compliance@rowpa.app.

Updates. We may update this DPA from time to time. Any change that materially reduces your rights or our obligations will be notified to you at least 30 days in advance, and you may object on reasonable grounds related to the protection of Personal Data. If we cannot resolve your objection within 30 days, you may terminate the affected Services without penalty for early termination. Changes that improve protection for data subjects or are required by changes to law take effect on publication.

Conflict. In case of conflict between this DPA, the Rowpa Terms of Service, and any other document, the order of precedence is: (i) the UK IDTA / EU SCCs, (ii) this DPA, (iii) the Rowpa Terms of Service, (iv) any other document.

11. Notices

For data protection notices to us, use compliance@rowpa.app. Notices sent by email are deemed received at the time of transmission, provided the sender has not received a non-delivery message. We will respond to substantive notices within a reasonable timeframe and confirm receipt within 5 business days where you have provided a return address.

12. Governing law

This DPA is governed by the laws of England and Wales. The courts of England and Wales have exclusive jurisdiction over disputes arising under it, subject to any mandatory provisions of the UK IDTA or EU SCCs.