Back to Privacy Centre

Legal

Data Processing Agreement

Last updated: 7 July 2026  ·  Operated by L. Bone trading as PolicifyAI  ·  England & Wales

How this DPA works. This Data Processing Agreement ("DPA") forms part of, and is incorporated into, the Terms of Service between PolicifyAI (the "Processor") and the customer entity (the "Controller"). It governs the processing of personal data by PolicifyAI on behalf of the Controller in connection with the PolicifyAI platform, in compliance with Article 28 of UK GDPR and EU GDPR. By using PolicifyAI, you agree to the terms of this DPA. For a countersigned copy, email [email protected].

1.Definitions

In this DPA, the following terms have the meanings given below. Capitalised terms not defined here have the meanings given in the Terms of Service.

  • Data Controller ("Controller"): The customer (natural or legal person, public authority, agency, or other body) that determines the purposes and means of processing personal data using the PolicifyAI platform.
  • Data Processor ("Processor"): PolicifyAI, operated by L. Bone trading as PolicifyAI, which processes personal data on behalf of the Controller in connection with the provision of the Service.
  • Data Subject: An identified or identifiable natural person whose personal data is processed under this DPA.
  • Personal Data: Any information relating to an identified or identifiable natural person, as defined in UK GDPR Article 4(1) and EU GDPR Article 4(1).
  • Processing: Any operation or set of operations performed on personal data, including collection, recording, organisation, storage, adaptation, retrieval, use, disclosure by transmission, dissemination, combination, restriction, erasure, or destruction.
  • Personal Data Breach: A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored, or otherwise processed.
  • Sub-processor: Any third party engaged by PolicifyAI as a processor to carry out processing activities on personal data on behalf of the Controller.
  • Supervisory Authority: The Information Commissioner's Office (ICO) in the UK, or the relevant data protection supervisory authority in the Controller's jurisdiction.
  • UK GDPR: The UK General Data Protection Regulation, as retained in UK law by the European Union (Withdrawal) Act 2018, read with the Data Protection Act 2018.
  • EU GDPR: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016.
  • Applicable Data Protection Law: UK GDPR, EU GDPR, the Data Protection Act 2018, and any other applicable data protection or privacy legislation in the Controller's jurisdiction, as in force from time to time.
  • Standard Contractual Clauses (SCCs): The clauses approved by the European Commission under Decision (EU) 2021/914 for the transfer of personal data to third countries.
  • UK IDTA: The International Data Transfer Agreement issued by the ICO under Section 119A of the Data Protection Act 2018, or the ICO's Addendum to the EU SCCs.

2.Scope and context of processing

PolicifyAI processes personal data strictly as described in the table below and only as necessary to provide the platform services described in the Terms of Service. This DPA applies where the Controller uses PolicifyAI to process personal data relating to its own employees, clients, or other data subjects in the course of generating, managing, or serving legal policy documents.

ElementDetail
Subject matterProviding AI-powered legal policy generation, storage, management, and serving services via the PolicifyAI platform
Purpose of processingTo generate, store, and serve legal policy documents on behalf of the Controller; to authenticate and manage Controller user accounts; to process payments and subscription management
Nature of processingCollection, storage, retrieval, transmission to an AI request router for generation, display, editing, and deletion
Categories of data subjectsEmployees, contractors, and authorised representatives of the Controller; client users where the Controller is an agency customer
Categories of personal dataEmail addresses; names (if provided); business names, website URLs, industry classifications, jurisdiction selections, and other context entered into the generation wizard; account authentication identifiers; subscription and billing records (limited to Stripe customer ID and billing summary)
Special category dataNone — the platform is not designed to process or collect special category personal data as defined in Art 9 UK/EU GDPR
Duration of processingFor the active term of the Controller's subscription, until account deletion, or as required by applicable law (e.g. 7-year HMRC financial records retention)

3.Controller's instructions and obligations

The Controller warrants, represents, and undertakes that it shall:

  • Lawful basis: Ensure there is a valid lawful basis under Applicable Data Protection Law for all processing it instructs PolicifyAI to carry out, including any personal data entered into the generation wizard or associated with account users.
  • Privacy notices: Ensure that affected data subjects have been provided with appropriate, complete, and accurate privacy notices and, where required by law, have given valid consent before their personal data is processed through the Service.
  • Lawful instructions:Not instruct PolicifyAI to process personal data in a manner that would violate Applicable Data Protection Law or any other applicable law. Instructions shall be provided only via the platform's standard interface or by written request to [email protected].
  • Accurate information: Provide PolicifyAI with all information reasonably required to enable PolicifyAI to perform its obligations under this DPA, including accurate information about data subjects and processing activities.
  • Notification of changes: Inform PolicifyAI promptly of any data subject rights requests, supervisory authority investigations, or changes in processing instructions that affect personal data processed under this DPA.
  • Appropriate use: Not enter special category personal data (Art 9 UK/EU GDPR), including health data, biometric data, racial or ethnic origin, political opinions, religious beliefs, or criminal conviction data, into the generation wizard or any other platform input field. The platform is not designed to handle such data.

4.Processor's obligations

PolicifyAI, as Processor, shall:

  • Process only on documented instructions: Process personal data only on the documented instructions of the Controller (as set out in the Terms of Service, this DPA, and any subsequent written instructions), unless required to do so by applicable law, in which case PolicifyAI shall inform the Controller of that legal requirement before processing, unless prohibited from doing so by law.
  • Confidentiality: Ensure that all personnel authorised to process personal data under this DPA are subject to appropriate confidentiality obligations (whether contractual or statutory) and have received adequate data protection training.
  • Security: Implement and maintain the technical and organisational security measures described in section 7 of this DPA, as required by Art 32 UK/EU GDPR.
  • Sub-processor management: Engage sub-processors only in accordance with section 5 of this DPA, and impose data protection obligations on each sub-processor that are no less protective than those in this DPA.
  • Data subject assistance: Provide reasonable technical and organisational assistance to the Controller in fulfilling its obligations to respond to data subject rights requests under Arts 15–22 UK/EU GDPR, within the timeframes required by Applicable Data Protection Law.
  • Compliance assistance: Provide reasonable assistance to the Controller in ensuring compliance with Arts 32–36 UK/EU GDPR (security measures, personal data breach notification, data protection impact assessments, and prior consultation with supervisory authorities), taking into account the nature of the processing and the information available to PolicifyAI.
  • No training use: Not use personal data processed under this DPA to train, fine-tune, or improve AI models. Our AI sub-processor, OpenRouter, and the underlying model providers it routes to (primarily Anthropic and Google) state in their commercial API terms that inputs and outputs are not used to train foundation models by default — see the Privacy Policy for links to their current terms.
  • No independent use: Not process personal data for any purpose other than providing the Service to the Controller, except as required by applicable law.
  • Deletion or return:At the Controller's request, and in any event upon termination of the Terms of Service, securely delete or return all personal data in accordance with section 11 of this DPA.

5.Sub-processors

5.1 General authorisation

The Controller grants PolicifyAI general written authorisation to engage the sub-processors listed on our sub-processors page at the time of the Controller entering into the Terms of Service and this DPA. The current list includes:

  • Vercel (US) — web hosting, serverless functions, CDN, Vercel Analytics, Vercel Speed Insights
  • Supabase / AWS eu-west-2 (EU, London) — database (PostgreSQL with RLS), authentication, file storage
  • OpenRouter (US) — our direct sub-processor for AI model routing. OpenRouter in turn engages its own sub-processors — primarily Anthropic and Google, and potentially other infrastructure partners it uses — to perform the underlying model inference for policy generation. We impose the obligations of section 5.3 on OpenRouter, and OpenRouter is responsible for flowing equivalent obligations down to its own sub-processors.
  • Stripe (US) — payment processing, subscription billing, invoice management
  • Resend (US) — transactional and marketing email delivery
  • Google Analytics / Google LLC (US) — aggregated, anonymised web analytics (GA4, IP anonymised)
  • PostHog (EU, Frankfurt) — product analytics and feature usage tracking
5.2 Changes to sub-processors

PolicifyAI will notify the Controller at least 30 days in advance of engaging any new sub-processor or replacing an existing sub-processor, by updating the sub-processors page at policifyai.com/sub-processors and, where required, by emailing registered customers.

If the Controller has reasonable, specific grounds to object to the addition of a new sub-processor on data protection grounds (i.e. grounds directly related to the sub-processor's ability to meet the obligations of this DPA), it may object by written notice to [email protected] within the 30-day notice period. If the parties cannot resolve the objection within 30 days, the Controller may terminate the relevant services on written notice without penalty.

5.3 Sub-processor obligations

PolicifyAI imposes data protection obligations on each sub-processor that are no less protective than those in this DPA, including: prohibitions on using personal data to train AI models; requirements to implement appropriate technical and organisational security measures; and obligations to assist with data subject rights requests and breach notifications. PolicifyAI remains liable to the Controller for the acts and omissions of its sub-processors to the same extent it would be liable if it had performed the processing directly.

6.International data transfers

Several of our sub-processors operate in or transfer personal data to the United States, which does not benefit from a general adequacy decision from the European Commission or the UK Government covering all commercial data transfers. The following safeguards govern international transfers of personal data under this DPA:

6.1 EU controllers

Transfers of personal data from EU/EEA data subjects to US-based sub-processors are governed by the EU Standard Contractual Clauses (SCCs) approved by the European Commission under Decision (EU) 2021/914, specifically Module 2 (controller-to-processor) as incorporated into each sub-processor's standard data processing addendum.

6.2 UK controllers

Transfers of personal data from UK data subjects to US-based sub-processors are governed by the UK International Data Transfer Agreement (IDTA) issued by the ICO under Section 119A of the Data Protection Act 2018, or the ICO's International Data Transfer Addendum to the EU SCCs (the "Addendum"), as incorporated into each sub-processor's standard data processing addendum.

6.3 EU/UK data residency

The primary database (Supabase / AWS eu-west-2) and product analytics (PostHog EU Cloud, Frankfurt) are hosted within the EU/EEA. Personal data is transferred to US-based sub-processors only where necessary for the specific purpose indicated (e.g. AI generation inputs sent to OpenRouter; payment data sent to Stripe; email addresses sent to Resend).

6.4 Transfer documentation

On request, PolicifyAI will provide copies of the applicable SCCs, IDTA, or transfer impact assessments in relation to specific sub-processors. To request these documents, email [email protected] with the subject "Transfer Documentation Request". We will respond within 10 business days.

7.Technical and organisational security measures

PolicifyAI implements the following technical and organisational security measures (TOMs) in accordance with Art 32 UK/EU GDPR, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing:

7.1 Encryption
  • At rest: AES-256 encryption for all database volumes via Supabase (backed by AWS eu-west-2). File storage is encrypted using Supabase Storage encryption.
  • In transit: TLS 1.3 enforced for all connections between client browsers, PolicifyAI servers, and sub-processor APIs. Outdated TLS versions are rejected.
  • Password hashing: User passwords are hashed with bcrypt before storage. Plaintext passwords are never stored.
7.2 Access controls
  • Row-Level Security (RLS): Supabase database RLS policies ensure that each customer can only access their own data at the database level. Cross-account data access is prevented at the infrastructure layer.
  • Minimal personnel access: PolicifyAI personnel cannot access the content of Controller-generated policies without explicit support access granted by the Controller.
  • OAuth 2.0 / PKCE: All authentication flows use OAuth 2.0 with Proof Key for Code Exchange (PKCE) to prevent authorisation code interception.
  • Principle of least privilege: Internal access to production systems is restricted to personnel who require it to perform their role.
7.3 Infrastructure security
  • Vercel: Application hosting with automatic DDoS mitigation, edge-level WAF, and SOC 2 Type II certification.
  • Supabase: SOC 2 Type II certified, with automated daily backups, point-in-time recovery, and private networking. Postgres extensions for audit logging are in use.
  • Dependency management: Regular dependency updates and security patch application. Automated vulnerability scanning via Dependabot and related tooling.
7.4 Organisational measures
  • Written incident response procedure covering detection, containment, eradication, recovery, and post-incident review.
  • Data protection training for personnel with access to personal data.
  • Responsible disclosure programme for externally reported security vulnerabilities (see security page).
  • Regular review of security measures in line with evolving threat landscape and best practices.

8.Audit rights

PolicifyAI will, upon reasonable written request from the Controller, provide all information necessary to demonstrate compliance with the obligations set out in this DPA, including:

  • Relevant security documentation and compliance certificates (e.g. Supabase SOC 2 Type II report, Vercel security documentation).
  • Descriptions of the technical and organisational security measures in section 7.
  • Sub-processor information and applicable transfer safeguards (section 5 and 6).
  • Confirmation of data deletion or return upon termination (section 11).

If the Controller requires an on-site or remote audit of PolicifyAI's processing activities, it may request one with at least 30 days' written notice. Audit conditions:

  • Audits are conducted at the Controller's expense, by the Controller or a third-party auditor bound by appropriate confidentiality obligations.
  • Audits shall be conducted during normal business hours and shall not unreasonably disrupt PolicifyAI's operations or those of other customers.
  • PolicifyAI may require the Controller to sign a confidentiality agreement before providing access to audit materials.
  • No more than one audit shall be conducted in any 12-month period, unless a personal data breach or regulatory requirement necessitates additional review.

9.Data subject rights assistance

PolicifyAI will provide reasonable assistance to the Controller in fulfilling its obligations to respond to data subject rights requests under Arts 15–22 UK/EU GDPR (rights of access, rectification, erasure, restriction, portability, and objection).

9.1 Where PolicifyAI receives a direct request

Where a data subject contacts PolicifyAI directly with a rights request in relation to data processed on the Controller's behalf, PolicifyAI will:

  • Notify the Controller within 72 hours of receipt, so the Controller can respond within the applicable legal timeframe.
  • Not respond to the request directly without the Controller's instruction, unless required to do so by applicable law.
  • Provide the Controller with reasonable assistance in fulfilling the request, including copies of relevant data held by PolicifyAI.
9.2 Self-service rights fulfilment

Many data subject rights can be fulfilled directly by the Controller or data subject through the PolicifyAI platform:

  • Rectification: Account data can be updated directly in Dashboard → Settings.
  • Erasure: Account deletion (including all generated policies) can be initiated via Dashboard → Settings.
  • Portability: Data export in JSON format is available via Dashboard → Settings → Export.

For technical assistance with rights requests, contact [email protected]. Data subjects can also submit requests directly via our DSAR page.

10.Personal data breach notification

In the event of a Personal Data Breach affecting personal data processed under this DPA, PolicifyAI will:

  • Notify the Controller without undue delay and, where feasible, within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons.
  • Provide the following information (in initial notification or as soon as practicable thereafter):
    • A description of the nature of the breach, including the categories and approximate number of data subjects affected and the categories and approximate number of personal data records affected.
    • The name and contact details of PolicifyAI's data protection contact ([email protected]).
    • A description of the likely consequences of the breach.
    • A description of the measures taken or proposed to address the breach and, where appropriate, mitigate its possible adverse effects.
  • Cooperate with the Controller in any regulatory investigation or notification to the Supervisory Authority and/or affected data subjects.

The Controller remains responsible for notifying the relevant Supervisory Authority (e.g. ICO) and affected data subjects within the timeframes required by Applicable Data Protection Law. PolicifyAI's breach notification to the Controller does not constitute an admission of fault or liability.

To report a suspected security breach or vulnerability to PolicifyAI: [email protected].

11.Termination & data deletion

Upon termination or expiry of the Terms of Service (for any reason), PolicifyAI will, at the Controller's election:

  • Delete: Securely delete all personal data processed on the Controller's behalf from the live database within 30 days of the termination effective date.
  • Return: On request (made within 30 days of termination), provide the Controller with an export of their personal data in JSON format before deletion.

Upon completion of deletion, PolicifyAI will provide written confirmation of deletion on request within 5 business days.

Exceptions to deletion
  • Financial records: Invoices, payment logs, and subscription billing records are retained for 7 years to comply with HMRC requirements under the Taxes Management Act 1970. These records are held in Stripe and our billing record system and are processed as a separate legal obligation, not on behalf of the Controller.
  • Backup retention: Encrypted database backups may retain personal data for up to 30 days after the deletion of live data. These backups are destroyed according to our standard backup rotation schedule.
  • Legal obligation: Where applicable law requires PolicifyAI to retain specific data for a defined period, that data will be retained only for the legally mandated period and will not be used for any other purpose.

12.Liability under the DPA

Each party's liability under this DPA (whether in contract, tort, statute, or otherwise) is subject to the limitations and exclusions set out in the Terms of Service. Where a party has caused loss or damage by processing personal data in breach of Applicable Data Protection Law, that party shall be liable to the other party in accordance with Art 82 UK/EU GDPR and the limitations in the Terms of Service.

PolicifyAI shall be liable to the Controller for any confirmed Personal Data Breach directly caused by PolicifyAI's failure to implement and maintain the security measures described in section 7, to the extent permitted by the liability cap in the Terms of Service.

The Controller shall indemnify and hold harmless PolicifyAI from any regulatory fines, penalties, or third-party claims arising from the Controller's breach of its obligations as Controller under Applicable Data Protection Law or its obligations under this DPA.

13.Governing law

This DPA is governed by the laws of England and Wales. Disputes arising under this DPA shall be subject to the exclusive jurisdiction of the courts of England and Wales, except where:

  • The Controller is established in an EU Member State, in which case the applicable SCCs and their governing law provisions shall apply to those aspects specifically governed by EU GDPR.
  • EU Standard Contractual Clauses or UK IDTA take precedence over this DPA to the extent of any conflict with their specific provisions.

14.Amendments to this DPA

PolicifyAI may amend this DPA from time to time to reflect:

  • Changes in Applicable Data Protection Law or regulatory guidance from supervisory authorities.
  • Changes to our sub-processors, technical architecture, or processing activities.
  • Changes to the EU SCCs or UK IDTA issued by relevant authorities.

We will notify Controllers of any material amendments by email to the account address and/or a notice within the Service at least 30 days before the amendment takes effect, except where a shorter period is required by applicable law, a court order, or a supervisory authority direction.

Continued use of the Service after the amendment effective date constitutes acceptance of the revised DPA. Controllers who do not accept the revised terms may terminate their account prior to the effective date and receive a pro-rata refund of any prepaid subscription fees.

15.How to execute this DPA

By using PolicifyAI and accepting the Terms of Service, you (as the Controller) agree to this DPA as incorporated into the Terms of Service. No separate signature is required for standard GDPR/UK GDPR compliance.

If your organisation requires a countersigned DPA — for enterprise procurement, GDPR Article 28 documentation, vendor questionnaire responses, or regulatory audits — please:

  • Email [email protected] with subject line: "DPA Request — [Your Company Name]"
  • Include your company name, registered address, jurisdiction, and the email address associated with your PolicifyAI account.
  • Specify whether you require a UK IDTA, EU SCC, or both, and whether you need Module 1 (controller-to-controller) or Module 2 (controller-to-processor) SCCs.
  • We will return a countersigned PDF copy within 5 business days.

Agency and Enterprise plan customers receive a countersigned DPA as a standard part of their onboarding. Enterprise customers may request bespoke DPA terms or amendments — contact [email protected] to discuss.