Skip to content

Data Processing Agreement

Last updated: · Version 1.0

1. Introduction

This Data Processing Agreement (“DPA”) forms part of the agreement between Godfrey Engineering Ltd (“Processor”, “we”, “us”) and the entity or person agreeing to it (“Controller”, “you”) for the provision of services as described in the Terms of Service (“Agreement”).

This DPA applies where and only to the extent that Godfrey Engineering processes personal data on behalf of the Controller in the course of providing the Services, and such personal data is subject to the UK General Data Protection Regulation (UK GDPR), the EU General Data Protection Regulation (EU GDPR), or any other applicable data protection legislation.

The terms used in this DPA have the meanings given in the UK GDPR unless otherwise defined herein.

2. Definitions

  • “Applicable Data Protection Law” means all laws and regulations relating to the processing of personal data, including the UK GDPR, the Data Protection Act 2018, the EU GDPR, and the Privacy and Electronic Communications Regulations 2003 (PECR), as applicable.
  • “Controller” means the entity that determines the purposes and means of the processing of personal data.
  • “Data Subject” means the individual to whom the personal data relates.
  • “Personal Data” means any information relating to an identified or identifiable natural person.
  • “Processing” means any operation or set of operations performed on personal data, including collection, storage, use, disclosure, and deletion.
  • “Processor” means the entity that processes personal data on behalf of the Controller.
  • “Sub-Processor” means a third party engaged by the Processor to process personal data on behalf of the Controller.
  • “Security Incident” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.

3. Scope and Purpose of Processing

3.1 Subject Matter

The Processor shall process personal data on behalf of the Controller for the purpose of providing the Services described in the Agreement, including:

  • Hosting and delivering the Controller’s account and application data
  • Processing engineering calculations and analyses via ChainSolve
  • Sending transactional communications on behalf of the Controller
  • Providing customer support

3.2 Categories of Data Subjects

  • The Controller’s employees and representatives
  • The Controller’s end users and customers
  • Any other individuals whose personal data is submitted to the Services by the Controller

3.3 Types of Personal Data

  • Names and contact information (email addresses, telephone numbers)
  • Account credentials (hashed passwords)
  • Usage data (pages visited, features used, timestamps)
  • Engineering data (calculation inputs and outputs)
  • Payment and billing information (processed by Stripe)
  • Communication content (support messages, contact form submissions)

3.4 Duration of Processing

The Processor shall process personal data for the duration of the Agreement, unless otherwise agreed in writing. Upon termination of the Agreement, the Processor shall handle personal data in accordance with Section 10 of this DPA.

4. Obligations of the Processor

The Processor shall:

  • Process personal data only on the documented instructions of the Controller, unless required by law to do otherwise. In such case, the Processor shall inform the Controller of the legal requirement before processing, unless prohibited by law from doing so.
  • Ensure that persons authorised to process personal data have committed to confidentiality or are under an appropriate statutory obligation of confidentiality.
  • Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as described in Section 7.
  • Not engage another processor (Sub-Processor) without the prior written authorisation of the Controller, subject to Section 6.
  • Assist the Controller in ensuring compliance with the obligations relating to security of processing, notification of security incidents, data protection impact assessments, and prior consultation with supervisory authorities.
  • At the choice of the Controller, delete or return all personal data upon termination of the Services, and delete existing copies unless applicable law requires storage.
  • Make available to the Controller all information necessary to demonstrate compliance with the obligations set out in this DPA and allow for and contribute to audits and inspections conducted by the Controller or its authorised auditor.

5. Obligations of the Controller

The Controller shall:

  • Ensure that the processing of personal data under this DPA is lawful, fair, and transparent in accordance with Applicable Data Protection Law.
  • Provide the Processor with documented instructions for the processing of personal data, and ensure that such instructions comply with Applicable Data Protection Law.
  • Ensure that Data Subjects have been informed of, and have given any necessary consent to, the processing of their personal data by the Processor.

6. Sub-Processors

6.1 Authorised Sub-Processors

The Controller provides general written authorisation for the Processor to engage the following Sub-Processors:

Sub-ProcessorPurposeData Location
Cloudflare, Inc.Hosting, CDN, securityGlobal (EU/US)
Supabase, Inc.Database, authenticationEU (Frankfurt)
Stripe, Inc.Payment processingEU
Resend, Inc.Transactional emailUS (with SCCs)
PostHog, Inc.Product analyticsEU (Frankfurt)

6.2 Changes to Sub-Processors

The Processor shall notify the Controller at least 14 days in advance of any intended changes to its Sub-Processors (additions or replacements). The Controller may object to such changes within 14 days of notification. If the Controller objects and the parties cannot resolve the objection, the Controller may terminate the Agreement.

6.3 Sub-Processor Obligations

The Processor shall ensure that each Sub-Processor is bound by data protection obligations no less protective than those set out in this DPA.

7. Security Measures

The Processor shall implement and maintain the following technical and organisational measures:

  • Encryption in transit: TLS 1.3 for all data in transit
  • Encryption at rest: AES-256 encryption for stored data
  • Access controls: Role-based access control with least-privilege principle
  • Authentication: Multi-factor authentication for all administrative access
  • Password hashing: bcrypt with a work factor of 12
  • Monitoring: Continuous monitoring via Cloudflare for infrastructure security and request-level observability
  • Backup: Regular automated backups of application data with encryption
  • Incident response: Documented incident response procedures with defined roles and escalation paths

8. Security Incidents

8.1 Notification

The Processor shall notify the Controller without undue delay, and in any event within 48 hours, after becoming aware of a Security Incident affecting the Controller’s personal data.

8.2 Notification Content

The notification shall include:

  • A description of the nature of the Security Incident, including the categories and approximate number of Data Subjects and personal data records concerned
  • The name and contact details of the Processor’s point of contact
  • A description of the likely consequences of the Security Incident
  • A description of the measures taken or proposed to address the Security Incident

8.3 Cooperation

The Processor shall cooperate with the Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of the Security Incident.

9. International Data Transfers

Where the Processor transfers personal data to a Sub-Processor located outside the United Kingdom or the EEA, the Processor shall ensure that one of the following safeguards is in place:

  • An adequacy decision by the UK Secretary of State or the European Commission
  • The UK International Data Transfer Agreement (IDTA) or EU Standard Contractual Clauses (SCCs)
  • Certification under an approved transfer mechanism (e.g., EU-US Data Privacy Framework)

Details of the transfer safeguards for each Sub-Processor are available upon request.

10. Data Return and Deletion

10.1 Upon Termination

Upon termination of the Agreement, the Processor shall, at the Controller’s election:

  • Return all personal data to the Controller in a structured, commonly used, and machine-readable format (JSON or CSV); or
  • Securely delete all personal data and certify such deletion in writing

10.2 Retention Exceptions

The Processor may retain personal data to the extent required by Applicable Data Protection Law, provided that the Processor shall ensure the confidentiality of such data and shall process it only for the purpose of complying with the legal obligation.

11. Audits

11.1 Right to Audit

The Controller shall have the right to audit the Processor’s compliance with this DPA, subject to reasonable notice (at least 30 days) and during normal business hours.

11.2 Audit Scope

Audits may include inspection of the Processor’s facilities, systems, and records relating to the processing of personal data, and interviews with the Processor’s personnel.

11.3 Costs

The Controller shall bear the costs of any audit, unless the audit reveals a material breach of this DPA by the Processor.

12. Liability

The liability of each party under this DPA shall be subject to the limitations and exclusions of liability set out in the Agreement.

13. Governing Law

This DPA shall be governed by and construed in accordance with the laws of England and Wales. Any dispute arising out of or in connection with this DPA shall be subject to the exclusive jurisdiction of the courts of England and Wales.

14. Contact

For questions about this DPA or to request a signed copy, please contact:

Godfrey Engineering Ltd
United Kingdom

All legal documents legal@godfreyengineering.com