Data Processing Agreement

In this DPA, the following terms have the meanings given below:

• Data Controller ("Controller"): The customer (natural or legal person, public authority, agency, or other body) that determines the purposes and means of processing personal data.
• Data Processor ("Processor"): PolicifyAI (L. Bone trading as PolicifyAI), which processes personal data on behalf of the Controller.
• Data Subject: An identified or identifiable natural person whose personal data is processed.
• Personal Data: Any information relating to an identified or identifiable natural person, as defined in UK GDPR Article 4(1) and EU GDPR Article 4(1).
• Processing: Any operation performed on personal data, including collection, storage, use, disclosure, or deletion.
• Sub-processor: Any third party engaged by the Processor to carry out processing activities on behalf of the Controller.
• Supervisory Authority: The ICO (UK) or the relevant data protection authority in the Controller's jurisdiction.
• UK GDPR: The UK General Data Protection Regulation as retained in UK law by the European Union (Withdrawal) Act 2018.
• EU GDPR: Regulation (EU) 2016/679 of the European Parliament and of the Council.
• Applicable Data Protection Law: UK GDPR, EU GDPR, or any other applicable data protection legislation in the Controller's jurisdiction.

PolicifyAI processes personal data strictly as described in the table below and only as necessary to provide the platform services described in the Terms of Service.

The Controller warrants and agrees that it shall:

• Ensure there is a lawful basis for any processing it instructs PolicifyAI to carry out under Applicable Data Protection Law.
• Ensure that data subjects have been provided with appropriate privacy notices and, where required, have given valid consent prior to their data being processed.
• Not instruct PolicifyAI to process personal data in a manner that would violate Applicable Data Protection Law or any other applicable law.
• Provide PolicifyAI with all information reasonably required to enable PolicifyAI to perform its obligations under this DPA.
• Inform PolicifyAI promptly of any changes to data subject rights requests or supervisory authority inquiries that affect processing under this DPA.

PolicifyAI shall:

• Process only on documented instructions: Process personal data only on the documented instructions of the Controller (including those in the Terms of Service and this DPA), unless required to do so by applicable law.
• Confidentiality: Ensure that all personnel authorised to process personal data are bound by appropriate confidentiality obligations and have received relevant data protection training.
• Security: Implement and maintain appropriate technical and organisational security measures (see Section 7).
• Sub-processor management: Engage sub-processors only in accordance with Section 5.
• Data subject assistance: Provide reasonable assistance to the Controller in responding to data subject rights requests within the timeframes required by Applicable Data Protection Law (see Section 9).
• Compliance assistance: Assist the Controller in ensuring compliance with Articles 32–36 of the EU GDPR / UK GDPR (security, breach notification, data protection impact assessments, prior consultation) taking into account the nature of processing and information available to PolicifyAI.
• No training use: Not use personal data processed under this DPA to train AI models. This obligation is flowed down to AI sub-processors by contract.
• Deletion or return: Delete or return all personal data upon termination of the agreement (see Section 11).

The Controller grants PolicifyAI general authorisation to engage sub-processors. The current list is maintained at policifyai.com/sub-processors. Current sub-processors include: Supabase (database, EU), Vercel (hosting, global), Stripe (payments, EU/US), Anthropic (AI inference, US), OpenRouter (AI routing, US), Resend (email, EU/US), Google Analytics (analytics, US), and PostHog (product analytics, EU).

PolicifyAI will notify the Controller at least 30 days in advance of adding or replacing any sub-processor by updating the sub-processors page and emailing customers where required. If the Controller reasonably objects to a new sub-processor on legitimate data protection grounds, it may terminate the relevant services on written notice within the 30-day period.

PolicifyAI imposes data protection obligations on each sub-processor that are no less protective than those in this DPA, including prohibitions on using data to train AI models and zero-retention instructions where technically supported.

Some sub-processors (Anthropic, OpenRouter, Google Analytics, Stripe, Vercel) operate in the United States. Transfers to the US are governed by the following safeguards:

• EU controllers: Transfers are covered by the EU Standard Contractual Clauses (Module 2: controller-to-processor) approved by the European Commission under Decision 2021/914.
• UK controllers: Transfers are additionally covered by the UK International Data Transfer Agreement (IDTA) issued by the ICO under Section 119A of the Data Protection Act 2018.
• Other jurisdictions: We engage sub-processors that maintain equivalent safeguards (e.g. Binding Corporate Rules, adequacy decisions) where applicable.

On request, PolicifyAI will provide copies of the relevant SCCs or IDTA supplements by emailing [email protected].

PolicifyAI implements the following technical and organisational security measures:

• Encryption at rest: AES-256 encryption for all database volumes via Supabase (SOC 2 Type II certified).
• Encryption in transit: TLS 1.3 between client browsers and our servers, and between our servers and all sub-processors.
• Access control: Row-Level Security (RLS) ensures each customer can only access their own data. No PolicifyAI personnel can read generated policy content without explicit support access granted by the Controller.
• Authentication: Multi-factor authentication available; OAuth 2.0 / PKCE flows used for account access.
• Vulnerability management: Regular dependency updates; responsible disclosure programme for reported vulnerabilities.
• Incident response: Written incident response procedure; breach notification within 72 hours (see Section 10).

PolicifyAI will, upon written request, provide all information reasonably necessary to demonstrate compliance with this DPA, including relevant security documentation and compliance certificates maintained by sub-processors (e.g. Supabase SOC 2 report).

If the Controller requires an on-site or remote audit, it may request one with at least 30 days written notice. Audits shall be conducted at the Controller's expense, during normal business hours, and shall not unreasonably disrupt PolicifyAI's operations. PolicifyAI may require a confidentiality agreement before the audit commences.

Where a data subject contacts PolicifyAI directly with a request to exercise their rights (access, rectification, erasure, restriction, portability, or objection), PolicifyAI will:

• Notify the Controller within 72 hours of receipt where the request relates to data processed on the Controller's behalf.
• Not respond to the request directly (unless instructed by the Controller or required by law).
• Provide the Controller with reasonable assistance in fulfilling the request, including copies of relevant data.

Controllers can fulfil most requests directly via the dashboard. For technical assistance, contact [email protected]. Data subjects can also use our DSAR form.

In the event of a personal data breach, PolicifyAI will notify the Controller without undue delay and within 72 hours of becoming aware. Notification will include:

• The nature of the breach and the categories and approximate number of data subjects and records affected.
• Contact details for PolicifyAI's data protection contact ([email protected]).
• The likely consequences of the breach.
• Measures taken or proposed to address the breach and mitigate adverse effects.

The Controller remains responsible for notifying the relevant supervisory authority and affected data subjects within the timeframes required by Applicable Data Protection Law.

Upon termination or expiry of the Terms of Service, PolicifyAI will, at the Controller's choice, securely delete or return all personal data processed on the Controller's behalf within 30 days of termination, unless applicable law requires continued retention.

Written confirmation of deletion will be provided on request. Financial records (invoices, payment logs) are retained for 7 years under HMRC requirements — these are processed as a separate legal obligation, not on behalf of the Controller.

This DPA is governed by the laws of England and Wales. Disputes arising under this DPA shall be subject to the exclusive jurisdiction of the courts of England and Wales, unless the Controller is established in an EU Member State, in which case Irish law and the courts of Ireland may apply to those aspects governed by EU GDPR.

Where required by Applicable Data Protection Law, the EU Standard Contractual Clauses or UK IDTA take precedence over this DPA to the extent of any conflict.

By using PolicifyAI, you (as the Controller) agree to this DPA as incorporated into the Terms of Service. No separate signature is required for standard compliance.

If your organisation requires a countersigned DPA (for enterprise procurement, GDPR Article 28 documentation, or vendor assessments), please:

• Email [email protected] with subject: "DPA Request — [Your Company Name]"
• Include your company name, registered address, and the email address on your PolicifyAI account.
• We will return a countersigned PDF copy within 5 business days.

Team and Agency plan customers receive a countersigned DPA as standard. Enterprise customers may request bespoke terms.