Data Processing Agreement
Status: Draft proposal. Review required by Michael (commercial/legal) before external use. Written against GDPR Article 28 requirements.
This document is a template customers may receive as part of the Standard Intelligence vendor contract. It is not yet a signed legal artefact.
Preamble
This Data Processing Agreement ("DPA") forms part of the agreement ("Principal Agreement") between Standard Intelligence Ltd ("Processor", "we") and the customer ("Controller", "you") under which Standard Intelligence provides its EU AI Act compliance platform ("Services"). The DPA applies when the Services involve processing of personal data on behalf of the Controller and is governed by Regulation (EU) 2016/679 (GDPR).
Where the Principal Agreement and this DPA conflict in respect of data protection matters, this DPA prevails.
1. Definitions
Defined terms not explicitly set out below take the meaning given in Article 4 GDPR.
- "Personal Data" — any data processed under the Principal Agreement that identifies or relates to an identifiable natural person.
- "Processing" — as defined in Art. 4(2) GDPR.
- "Sub-processor" — any third party engaged by the Processor to process Personal Data, listed in our published sub-processors register and updated per §6 below.
- "Data Subject" — the natural person to whom Personal Data relates.
- "Controller's Instructions" — documented instructions given by the Controller, including those embedded in the Principal Agreement and configured through the Services.
2. Scope, duration, nature, and purpose (Art. 28(3))
Subject matter
Processing of Personal Data provided by the Controller, or generated on the Controller's behalf, for the purpose of delivering the EU AI Act compliance Services — including AI system classification, regulatory analysis, Classification Decision Records (CDRs), and audit trail generation.
Duration
For the duration of the Principal Agreement. On termination, the Processor returns or deletes Personal Data per §11.
Nature and purpose
Enabling the Controller to operate a documented EU AI Act compliance workflow: intake of AI system details, classification against the regulatory corpus, multi-role review, sealed decision records, and evidence retention.
Type of Personal Data
- Controller end-user identifiers (name, email, role within the Controller's organisation)
- Authentication records (session tokens, sign-in events)
- Content the Controller submits describing its AI systems
- Evidence files the Controller uploads (may incidentally contain personal data per the Controller's choice of evidence)
- Audit trail events associated with the Controller's users
Categories of Data Subjects
- The Controller's authorised users of the Services
- Individuals referenced in evidence files the Controller uploads (where applicable)
No special-category data (Art. 9) or criminal-conviction data (Art. 10) is intended to be processed. The Controller must not upload such data unless it has confirmed an additional lawful basis and notified the Processor.
3. Processor's obligations
3.1 Instructions
The Processor processes Personal Data only on the Controller's documented instructions, including in respect of transfers outside the EEA. If the Processor believes an instruction infringes GDPR, it informs the Controller without delay.
3.2 Confidentiality
The Processor ensures persons authorised to process Personal Data are bound by confidentiality obligations (employee contracts for employees, written NDAs for contractors).
3.3 Security measures (Art. 32)
The Processor implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including:
- Encryption in transit (TLS 1.3 minimum on all client/server and server/sub-processor connections)
- Encryption at rest (database-level encryption for all stored Personal Data; evidence files encrypted at rest by the object-storage sub-processor)
- Multi-factor authentication enforced for all Processor personnel with access to production systems
- Tenant isolation at the application and data layers (see docs/system/auth.md); no tenant accesses another tenant's Personal Data under any condition
- Audit logging — every read/write against Personal Data generates a tamper-resistant audit record with actor, action, timestamp, and correlation identifier
- No PII in logs — email, name, IP, and free-text fields are automatically redacted from application logs
- Least-privilege access controls — production access limited to named roles, granted on a need-to-access basis, with regular review
- Vulnerability management — dependency scanning (Dependabot / OSV) on every commit; critical findings remediated within 7 days
- Business continuity — daily database backups with geographic redundancy within the EEA
- Ongoing testing — automated security test suite, quarterly penetration testing (when contractually required by a Controller)
3.4 Assistance to the Controller (Art. 28(3)(e)(f))
The Processor provides reasonable assistance, taking into account the nature of the processing and the information available, in respect of:
- Data Subject rights requests (access, rectification, erasure, restriction, portability, objection)
- Data Protection Impact Assessments (DPIAs) and prior consultations
- Notification of Personal Data breaches (§5 below)
- Compliance with Art. 32 security obligations
3.5 Records of processing (Art. 30)
The Processor maintains records of processing activities carried out on the Controller's behalf, available to the Controller or supervisory authority on reasonable request.
4. Controller's obligations
The Controller:
- Provides documented instructions for processing
- Is responsible for the lawful basis (Art. 6) of any processing it instructs
- Does not upload special-category data without notifying the Processor and establishing an additional lawful basis
- Manages its own users' access and promptly revokes access when users leave the Controller's organisation
- Responds to Data Subject requests that relate to Personal Data processed on its behalf
5. Personal Data breach notification
The Processor notifies the Controller without undue delay after becoming aware of a Personal Data breach affecting the Controller's Personal Data, and in any event within 72 hours. Notification includes:
- Nature of the breach, including categories and approximate numbers of Data Subjects and records concerned
- Likely consequences
- Measures taken or proposed to address the breach and mitigate possible adverse effects
- Contact details for the Processor's data protection point of contact
Notification does not constitute an admission of liability by the Processor.
6. Sub-processor engagement (Art. 28(2), (4))
6.1 General authorisation
The Controller provides general written authorisation for the engagement of sub-processors listed in our published sub-processors register as at the effective date of this DPA.
6.2 Changes
The Processor gives the Controller at least 30 days' advance written notice of any intended additions or replacements of sub-processors (via email to the Controller's designated contact and an update to the sub-processors list).
6.3 Objection
The Controller may object to any new or replacement sub-processor on reasonable data-protection grounds within the 30-day notice period. On objection, the parties work in good faith to resolve the concern. If resolution is not possible, the Controller may terminate the affected Services without penalty.
6.4 Sub-processor flow-down
The Processor imposes on each sub-processor, by way of contract, data protection obligations equivalent to those imposed on the Processor under this DPA.
6.5 Sub-processor list
The authoritative list of current sub-processors is maintained at our published sub-processors register and published as part of the Processor's documentation.
7. International transfers
The Processor's data-residency posture is EU/UK by default. Every sub-processor in the production data path is hosted in the EEA, with one exception described below.
Anthropic (LLM inference, United States). Where the Controller uses AI features of the Services, AI-system descriptions submitted by Controller users are transferred to Anthropic PBC in the United States for classification. The transfer is covered by:
- the European Commission's Standard Contractual Clauses (SCCs, 2021 version, Module 2: Controller to Processor) as executed between the Processor and Anthropic;
- supplementary measures including encryption in transit, contractual zero-data-retention on the inference API, contractual commitments to challenge unlawful government access requests, and a transfer impact assessment maintained by the Processor; and
- a tenant-level kill switch that lets the Controller disable AI features entirely if the transfer is incompatible with the Controller's own assessment.
For any other sub-processor located outside the EEA or an adequate third country, the same SCC plus supplementary-measures framework applies and is documented in the sub-processor entry at our published sub-processors register. The Processor makes the relevant SCCs and transfer impact assessments available to the Controller on request.
8. Data Subject rights
8.1 Assistance
Taking into account the nature of the processing, the Processor assists the Controller through appropriate technical and organisational measures, as far as possible, in fulfilling the Controller's obligations to respond to Data Subject requests under Chapter III GDPR.
8.2 Routing
The Processor directs Data Subject requests it receives about Personal Data processed on the Controller's behalf to the Controller, without itself responding on substantive matters.
8.3 Tooling
The Services include functionality for export and deletion of the Controller's data (see docs/system/secrets.md §GDPR and the DSAR workflow planned in issue #759). Where tooling is unavailable, the Processor provides manual assistance on reasonable request.
9. Audits
The Controller may conduct audits of the Processor's compliance with this DPA:
- No more frequently than once per calendar year, except where mandated by law or following a material incident
- On at least 30 days' written notice
- During normal business hours
- Without disrupting the Processor's operations
- At the Controller's cost, save where the audit reveals a material breach, in which case the Processor bears reasonable costs
In lieu of an on-site audit, the Controller may accept:
- Independent third-party attestations (e.g. SOC 2, ISO 27001) that the Processor makes available
- The Processor's current security documentation package (docs/system/secrets.md, docs/system/auth.md, sub-processor list, breach history summary)
10. Liability
Liability for damages caused by processing that infringes GDPR is governed by the Principal Agreement and Art. 82 GDPR. Nothing in this DPA limits a Data Subject's rights under GDPR.
11. Return or deletion of Personal Data
On termination of the Principal Agreement, the Controller instructs the Processor in writing to either:
- return all Personal Data to the Controller (via the Services' export tooling, or via encrypted transfer) and delete existing copies; or
- delete all Personal Data (including from backups, within the Processor's retention cycle, typically 30 days)
unless Union or Member State law requires storage of the Personal Data. Where such a legal requirement applies, the Processor:
- limits further processing to what is strictly required for the legal basis
- notifies the Controller of the requirement
- deletes the Personal Data when the requirement no longer applies
On completion, the Processor provides the Controller with written confirmation of deletion.
12. Order of precedence
If the Principal Agreement and this DPA conflict in data-protection matters, this DPA prevails. If the SCCs and this DPA conflict, the SCCs prevail in respect of the transfer to which they apply.
13. Contact
Processor point of contact for data-protection matters: Standard Intelligence Ltd _Contact details to be completed by the Processor at execution: designated email + optional phone + registered address._
Controller point of contact: _To be completed by the Controller at execution._
Schedule 1 — Technical and Organisational Measures
(Expands §3.3 above with a point-in-time measures catalogue at the date of execution. See docs/system/auth.md, docs/system/secrets.md, and our published sub-processors register for the current technical state. An extract may be included here at execution.)
Schedule 2 — Sub-processors
The current sub-processor list is maintained at our published sub-processors register. As at the effective date of this DPA, the list is attached as Schedule 2. Subsequent changes follow §6.
Drafted 2026-04-18 by Claude Code assistant as a proposal per #12. Review by Michael Clark and Martin Dean required before any external sharing or signing. Not a final legal document in its current form.