Last updated: 29 April 2026
This Data Processing Agreement ("DPA") sets out the terms under which ProPolicyForge processes personal data on behalf of its customers, and the obligations of both parties under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. This DPA forms part of the ProPolicyForge Terms of Use and applies to all customers on paid plans.
"Controller" means the ProPolicyForge customer who determines the purposes and means of processing personal data using the platform.
"Processor" means ProPolicyForge (operated by Andrew David Reilly, sole trader), which processes personal data on behalf of the Controller.
"Personal Data" has the meaning given in UK GDPR — any information relating to an identified or identifiable natural person.
"Sub-processor" means any third party engaged by ProPolicyForge to process personal data in connection with the delivery of the platform.
"Services" means the ProPolicyForge compliance document generation and management platform available at propolicyforge.com.
The customer (Controller) is responsible for determining the lawful basis for processing personal data entered into ProPolicyForge, ensuring that data subjects have been informed of the processing, and ensuring that personal data entered into the platform is limited to what is necessary for the generation of compliance documents.
ProPolicyForge (Processor) will process personal data only on the documented instructions of the Controller — specifically, to generate, store and manage compliance documents as directed by the customer's use of the platform.
ProPolicyForge will not process personal data for any purpose other than delivering the Services, unless required to do so by UK law, in which case ProPolicyForge will notify the Controller before carrying out that processing, unless the law in question prohibits such notification.
ProPolicyForge processes the following categories of personal data on behalf of customers:
Organisation details — organisation name, location, sector and size, entered during document generation.
Personnel names — names of key personnel (e.g. Registered Manager, Health and Safety Officer, Data Protection Lead) entered during document generation and inserted into the generated compliance documents wherever those roles are referenced.
Staff names and email addresses — entered when customers use the staff acknowledgement, Compliance Hub or inspection sharing features.
The purpose of processing is to generate organisation-specific compliance documents, store them in the customer's private vault, facilitate staff acknowledgement workflows, and enable audit trail and inspection sharing features.
ProPolicyForge does not process special category personal data (as defined in UK GDPR Article 9) as part of its core service. Customers should not enter special category data into document generation prompts.
ProPolicyForge implements the following technical and organisational security measures:
All data in transit is encrypted using TLS 1.2 or above. Document content for subscribed users is stored in Vercel Blob (EU region) with server-side encryption at rest. Vault metadata and document index data are stored in Upstash Redis (London region), with access protected by token-based authentication. Access to production systems is restricted to the platform operator. Authentication to the platform uses NextAuth, with passwords stored as bcrypt hashes and sessions managed by session tokens.
In the event of a personal data breach affecting personal data processed on the Controller's behalf, ProPolicyForge will notify the Controller without undue delay and, in any event, within 72 hours of becoming aware of the breach, providing sufficient information for the Controller to meet its own notification obligations to the ICO under Article 33 UK GDPR where applicable.
ProPolicyForge engages the following sub-processors in connection with the delivery of the Services. By accepting these terms, the Controller provides general authorisation for the use of these sub-processors.
Anthropic (United States) — AI model processing for document generation. Personal data transmitted: organisation details and personnel names entered during generation. Retention: not retained beyond the processing request.
Vercel (United States, EU edge) — hosting infrastructure and document storage (Vercel Blob, EU region). Personal data transmitted: document content for subscribed users, authentication session data.
Upstash (United States, London region store) — Redis database for vault metadata, document index, audit trails and reminder scheduling. Personal data transmitted: document metadata, staff names and email addresses for acknowledgement workflows.
Resend (United States) — transactional email delivery. Personal data transmitted: email addresses and names for review reminders, acknowledgement requests and inspector communications.
Stripe (United States) — payment processing. Personal data transmitted: billing contact details and payment information. Card details are not transmitted to or stored by ProPolicyForge.
ProPolicyForge will notify the Controller of any intended changes to sub-processors by updating this DPA. Continued use of the platform following such notification constitutes acceptance of the updated sub-processor list.
Several ProPolicyForge sub-processors are based in the United States. Transfers of personal data to these processors are made under the following mechanisms:
Anthropic — UK-US Data Bridge and Anthropic's standard data processing commitments.
Vercel — Vercel's Data Processing Addendum incorporating standard contractual clauses approved for use under UK GDPR.
Upstash — Upstash's Data Processing Agreement incorporating standard contractual clauses.
Resend — Resend's Data Processing Agreement incorporating standard contractual clauses.
Stripe — Stripe's standard contractual clauses and UK-US Data Bridge participation.
Where a data subject exercises their rights under UK GDPR in relation to personal data processed by ProPolicyForge on the Controller's behalf, ProPolicyForge will assist the Controller in responding to the request, to the extent technically possible and within the constraints of the platform's architecture.
Specifically, ProPolicyForge will: provide the Controller with the ability to access, download and delete their vault data via the platform interface; respond to Controller requests for data export or deletion within 30 days; and notify the Controller if ProPolicyForge receives a data subject request directly relating to data processed on the Controller's behalf.
ProPolicyForge will ensure that all persons authorised to process personal data on behalf of the Controller are subject to a duty of confidentiality. As a sole trader operation, access to production systems and customer data is restricted to the platform operator and sub-processors listed in Section 5.
The Controller has the right to request information from ProPolicyForge to demonstrate compliance with this DPA. ProPolicyForge will respond to reasonable information requests within 30 days. Where an on-site audit is requested, ProPolicyForge will discuss reasonable arrangements with the Controller, subject to operational constraints as a sole trader operation.
This DPA applies for the duration of the Controller's subscription to the ProPolicyForge platform. On termination of the subscription, ProPolicyForge will retain the Controller's data for 30 days to allow document download, after which vault content will be permanently deleted.
ProPolicyForge will, on request, provide the Controller with written confirmation that deletion has been completed. Such confirmation will be provided within 60 days of termination of the subscription.
This DPA is governed by the laws of England and Wales. Any disputes arising from this DPA shall be subject to the exclusive jurisdiction of the courts of England and Wales.
For any questions about this DPA or to exercise rights under it, contact ProPolicyForge at support@propolicyforge.com. ProPolicyForge's ICO registration number is ZC116446.
Registered business address: Combe Rigg, Kirkcroft, Cumwhitton, Brampton, Cumbria, CA8 9EY.
This DPA was last reviewed on 29 April 2026. For enterprise customers requiring a bespoke or countersigned DPA, please contact support@propolicyforge.com.