
Data Protection Agreement

How we store, access and use your data on this platform

Data Processing Agreement (DPA)

Deputise Ltd

If you require an executed copy, please contact legal@deputise.ai.

Last updated: March 15, 2026


Structure

This DPA is structured as follows:

Section A — Key Terms: Definitions and variables applicable to this DPA
Section B — Legal Terms: General legal terms governing the processing
Section C — Technical and Organisational Measures: Security measures implemented by the Processor

Section A — Key Terms

Data Controller(s): The Deputise Customer ("Controller", "you")
Data Processor(s): Deputise Ltd, 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ. Company number: 17082681. Contact: privacy@deputise.ai (together with the Controller(s), the "Parties")
Processing purpose: Processing in the context of the Deputise Terms of Service dated 15 March 2026 (the "Base Agreement"), including operation of the AI agent marketplace platform, agent creation, agent execution, and related services
Duration of processing: For the duration of the Base Agreement, plus any retention period required by law or specified in the Privacy Policy
Categories of data subjects: Customers and their end users; potential clients; Agent end users; marketplace participants
Categories of personal data: Contact data (name, email address); account identifiers; IP addresses; device and browser metadata; usage and interaction data; transaction and billing data; user-generated content submitted to Agents (which may include any category of personal data as determined by the Controller); authentication data
Sensitive data: The Controller acknowledges that personal data submitted to Agents by end users may include special category data. The Controller is responsible for ensuring a lawful basis for any such processing and for implementing appropriate safeguards
Place of storage and processing: United Kingdom, European Economic Area, United States — as further detailed in the Sub-Processors page
On-premise audits: Not available. Remote audits and documentation reviews available upon request (see Section B, Clause 5.5)
Sub-processors: Listed at https://deputise.ai/legal/sub-processors
Transfer outside UK/EEA: Permitted, subject to appropriate safeguards (see Section B, Clause 7)

The variables defined in Section A serve as definitions throughout this DPA.


Section B — Legal Terms

1. Purpose and Scope

1.1. The purpose of this Data Processing Agreement ("DPA") is to ensure compliance with Article 28(3) and (4) of the UK General Data Protection Regulation ("UK GDPR"), Article 28(3) and (4) of the EU General Data Protection Regulation ("EU GDPR"), and any other applicable data protection legislation, with respect to each law only if and to the extent applicable to the respective processing activity.

1.2. This DPA applies to the processing of personal data as specified in Section A.

1.3. This DPA is incorporated into and forms part of the Base Agreement. It applies automatically to all Customers whose use of the Service involves Deputise processing personal data on the Customer's behalf.

2. Interpretation

2.1. Where this DPA uses terms defined in the UK GDPR, EU GDPR, or any other applicable data protection law, those terms shall have the same meaning as in the relevant law.

2.2. This DPA shall be read and interpreted in the light of the provisions of the UK GDPR and EU GDPR, as applicable.

2.3. This DPA shall not be interpreted in a way that conflicts with rights and obligations provided for in applicable data protection law, or that prejudices the fundamental rights or freedoms of data subjects.

3. Hierarchy

In the event of a conflict between this DPA and the provisions of the Base Agreement or any other agreement between the Parties, this DPA shall prevail with respect to matters relating to data protection, except where explicitly agreed otherwise in writing.

4. Obligations of the Processor

4.1 Documented Instructions

The Processor shall process personal data only on documented instructions from the Controller, including with regard to transfers of personal data to a third country or an international organisation, unless required to do so by UK, EU, or Member State law to which the Processor is subject. In such a case, the Processor shall inform the Controller of that legal requirement before processing, unless the law prohibits this on important grounds of public interest. The Controller's instructions are specified in Section A and the Base Agreement. Subsequent instructions may be given by the Controller throughout the duration of processing and shall be documented.

4.2 Notification of Unlawful Instructions

The Processor shall immediately inform the Controller if, in the Processor's opinion, an instruction from the Controller infringes applicable data protection law.

4.3 Purpose Limitation

The Processor shall process personal data only for the specific purposes set out in Section A and shall not process personal data for any other purpose, including for the Processor's own purposes, unless instructed to do so by the Controller.

4.4 AI Model Training Prohibition

The Processor shall not use personal data processed under this DPA to train, fine-tune, or improve any artificial intelligence or machine learning model, whether owned by the Processor, its sub-processors, or any third party. This prohibition extends to aggregated or de-identified derivatives of such personal data where there is a reasonable risk of re-identification.

4.5 Confidentiality

The Processor shall ensure that all persons authorised to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. Access to personal data shall be limited to personnel who require it for the performance of their duties under the Base Agreement.

4.6 Security of Processing

The Processor shall implement the technical and organisational measures specified in Section C to ensure a level of security appropriate to the risk, in accordance with Article 32 of the UK GDPR and EU GDPR. In assessing the appropriate level of security, the Processor shall take into account the state of the art, the costs of implementation, the nature, scope, context, and purposes of processing, and the risks to data subjects.

4.7 Special Categories of Data

Where the processing involves special categories of personal data (as defined in Article 9 of the UK GDPR / EU GDPR), the Processor shall apply specific restrictions and additional safeguards as reasonably required by the Controller and as specified in writing.

5. Documentation and Compliance

5.1. The Parties shall be able to demonstrate compliance with this DPA.

5.2. The Processor shall deal promptly and adequately with all reasonable enquiries from the Controller relating to the processing under this DPA.

5.3. The Processor shall make available to the Controller all information reasonably necessary to demonstrate compliance with the obligations set out in this DPA and arising from the UK GDPR and EU GDPR.

5.4. The Processor shall maintain a record of processing activities carried out on behalf of the Controller, in accordance with Article 30(2) of the UK GDPR and EU GDPR.

5.5. Audits. At the Controller's written request (no more than once per 12-month period, unless a data breach has occurred or a supervisory authority requires it), the Processor shall make available documentation, records, and information necessary to demonstrate compliance with this DPA. The Controller may, at its own cost, mandate an independent third-party auditor (subject to reasonable confidentiality obligations) to conduct a remote audit. The scope of any audit shall be limited to information relevant to the processing under this DPA and shall give due regard to the Processor's confidentiality obligations and legitimate interests in protecting business secrets. The Processor shall cooperate in good faith with any such audit. On-premise audits are not available.

5.6. The Processor shall make audit results and compliance documentation available to a competent supervisory authority upon request, if and to the extent required by applicable law.

6. Sub-Processors

6.1. General authorisation. The Controller grants the Processor general authorisation to engage sub-processors. The current list of sub-processors is set out in Section A and maintained at https://deputise.ai/legal/sub-processors.

6.2. Notification of changes. The Processor shall notify the Controller in writing (including by email) at least 30 days before engaging a new sub-processor or replacing an existing one. The notification shall identify the sub-processor, its location, and the processing activities to be performed.

6.3. Right to object. The Controller may object to a new or replacement sub-processor on reasonable data protection grounds by notifying the Processor in writing within the 30-day notice period. If the Controller objects and the Processor cannot reasonably accommodate the objection (for example, by offering an alternative sub-processor or configuration), either Party may terminate the affected processing and, if necessary, the Base Agreement, without penalty. The Controller shall receive a pro-rata refund of any prepaid fees for the period following termination.

6.4. Sub-processor obligations. The Processor shall impose on each sub-processor, by way of a written contract, data protection obligations no less onerous than those set out in this DPA. The Processor shall ensure that sub-processors comply with such obligations.

6.5. Liability. The Processor shall remain fully responsible to the Controller for the performance of each sub-processor's obligations. The Processor shall notify the Controller promptly of any failure by a sub-processor to fulfil its contractual obligations.

6.6. Copies. The Processor shall provide, at the Controller's request, a copy of any sub-processor agreement (which may be redacted to protect confidential commercial terms not relevant to data protection).

7. International Transfers

7.1. Any transfer of personal data to a country outside the United Kingdom or the European Economic Area ("Third Country") shall be undertaken only in compliance with Chapter V of the UK GDPR, the Data Protection Act 2018, and/or Chapter V of the EU GDPR, as applicable.

7.2. Where transfers to a Third Country are necessary, the Processor shall ensure appropriate safeguards are in place, which may include:

  • Transfers to countries subject to an adequacy decision by the UK Secretary of State or the European Commission
  • The UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses
  • EU Standard Contractual Clauses (SCCs) adopted by the European Commission pursuant to Article 46(2) of the EU GDPR
  • Binding Corporate Rules approved by a competent supervisory authority
  • Any other legally recognised transfer mechanism

7.3. The Processor shall conduct and maintain a transfer impact assessment where required, and shall implement supplementary measures where necessary to ensure an essentially equivalent level of protection for transferred personal data.

7.4. Where the Processor engages a sub-processor in a Third Country, the Processor shall ensure that the sub-processor agreement incorporates appropriate safeguards as set out in this Clause 7.

8. Data Subject Rights

8.1. The Processor shall promptly notify the Controller of any request received directly from a data subject to exercise their rights under applicable data protection law. The Processor shall not respond to such a request unless authorised to do so by the Controller.

8.2. The Processor shall assist the Controller, by appropriate technical and organisational measures and insofar as is possible, in fulfilling the Controller's obligations to respond to data subject requests, including:

  • The right of access
  • The right to rectification
  • The right to erasure ("right to be forgotten")
  • The right to restriction of processing
  • The right to data portability
  • The right to object
  • Rights in relation to automated decision-making and profiling
  • The right to withdraw consent

8.3. The Processor shall assist the Controller in responding to data subject complaints submitted to a supervisory authority concerning data processed under this DPA.

9. Data Protection Impact Assessments

The Processor shall provide reasonable assistance to the Controller in conducting data protection impact assessments ("DPIAs") and, where required, in consulting with the relevant supervisory authority, taking into account the nature of the processing and the information available to the Processor.

10. Personal Data Breach

10.1. In the event of a personal data breach concerning data processed under this DPA, the Processor shall notify the Controller without undue delay and in any event within 48 hours of becoming aware of the breach.

10.2. The notification shall include, to the extent available:

  • A description of the nature of the breach, including (where possible) the categories and approximate number of data subjects and personal data records concerned
  • The name and contact details of the Processor's point of contact for further information
  • A description of the likely consequences of the breach
  • A description of the measures taken or proposed to address the breach, including measures to mitigate its possible adverse effects

10.3. Where it is not possible to provide all information simultaneously, the Processor shall provide the information in phases without undue delay.

10.4. The Processor shall cooperate with and assist the Controller in:

  • Investigating and remediating the breach
  • Fulfilling the Controller's obligation to notify the competent supervisory authority (within 72 hours of the Controller becoming aware, per Article 33 UK GDPR / EU GDPR)
  • Communicating the breach to affected data subjects where required (per Article 34 UK GDPR / EU GDPR)

11. Data Deletion and Return

11.1. Upon termination or expiry of the Base Agreement, or upon the Controller's written request, the Processor shall, at the Controller's election:

  • Return all personal data to the Controller in a commonly used, machine-readable format; or
  • Securely delete all personal data and existing copies

11.2. Deletion shall be completed within 30 days of the request or termination, unless applicable law requires continued storage.

11.3. The Processor shall certify in writing, upon the Controller's request, that deletion has been completed.

11.4. Personal data contained in routine backups shall be deleted in accordance with the Processor's standard backup rotation schedule, and shall not be actively processed after termination.

12. Termination

12.1. The Controller may instruct the Processor to temporarily suspend processing of personal data if the Processor is in breach of this DPA, until compliance is restored or the DPA is terminated.

12.2. The Controller may terminate this DPA where:

  • The Processor's breach is material and compliance is not restored within 30 days of written notice
  • The Processor is in substantial or persistent breach of this DPA or applicable data protection law, and such breach cannot reasonably be expected to be remedied
  • The Processor fails to comply with a binding decision of a competent court or supervisory authority

12.3. This DPA shall remain in force for the duration of the Base Agreement. Provisions that by their nature should survive termination (including Clauses 4.4, 5, 10, and 11) shall continue in effect after termination.

13. Liability

Each Party's liability arising out of or related to this DPA shall be subject to the limitations and exclusions of liability set out in the Base Agreement, except that no limitation shall apply to liability arising from a Party's wilful or grossly negligent breach of its obligations under applicable data protection law.


Section C — Technical and Organisational Measures

The following measures describe the security controls implemented by the Processor to protect personal data processed under this DPA. The Processor shall review and, where necessary, update these measures periodically to maintain an appropriate level of security.

1. Organisational Measures

1.1 Security Governance

  • A documented information security policy is maintained and reviewed at least annually
  • A designated individual is responsible for data protection and information security matters
  • Roles and responsibilities related to the processing of personal data are clearly defined and documented
  • Upon change of role or termination of employment, access rights are promptly revoked and responsibilities are handed over

1.2 Personnel Security

  • All personnel with access to personal data are bound by confidentiality obligations (contractual or statutory)
  • Security awareness training is provided during onboarding and at regular intervals thereafter
  • Personnel are informed of their responsibilities under applicable data protection law and the consequences of non-compliance

1.3 Incident Response

  • A documented incident response plan is maintained, covering identification, containment, eradication, recovery, and notification procedures for personal data breaches
  • The Processor shall report any confirmed personal data breach to the Controller within the timeframe specified in Clause 10 of Section B
  • Incident response procedures are tested and reviewed at least annually

1.4 Business Continuity

  • Procedures are in place to ensure continuity and availability of the IT systems processing personal data in the event of an incident
  • Recovery time and recovery point objectives are defined for critical systems
  • Business continuity plans are tested at least annually

1.5 Change Management

  • Changes to IT systems used for processing personal data are subject to documented change management procedures, including risk assessment, testing, and approval prior to deployment

1.6 Vendor Management

  • Sub-processors are assessed for adequate security posture before engagement
  • Sub-processor agreements include data protection obligations consistent with this DPA
  • Sub-processor compliance is reviewed periodically

2. Technical Measures

2.1 Access Control

  • Role-based access control (RBAC) is implemented across all systems processing personal data
  • Access is granted on a need-to-know and least-privilege basis
  • Shared or generic accounts are avoided; where unavoidable, usage is logged and justified
  • Multi-factor authentication (MFA) is required for access to production systems and administrative interfaces
  • Access rights are reviewed at least quarterly and upon any change of role

2.2 Authentication

  • Passwords must meet minimum complexity requirements (minimum 12 characters, including mixed case, numbers, and special characters) or equivalent authentication strength
  • Authentication credentials are never transmitted in plaintext
  • Failed authentication attempts are rate-limited and logged

2.3 Encryption

  • All data in transit is encrypted using TLS 1.2 or higher
  • Personal data at rest is encrypted using AES-256 or equivalent
  • Encryption keys are managed securely with appropriate rotation schedules

2.4 Network Security

  • Network segmentation is used to isolate systems processing personal data
  • Firewalls and intrusion detection/prevention systems are deployed and monitored
  • DDoS protection is in place (provided via Cloudflare)

2.5 Logging and Monitoring

  • Access to personal data (including viewing, modification, and deletion) is logged
  • Logs are retained for a minimum of 12 months and are protected against tampering
  • Automated alerting is in place for anomalous access patterns and potential security incidents

2.6 Data Backup

  • Automated backups are performed on a regular schedule
  • Backups are encrypted and stored in a geographically separate location from primary data
  • Backup restoration procedures are tested at least annually
  • Backup retention periods are defined and enforced

2.7 Secure Development

  • The Processor follows secure software development lifecycle (SDLC) practices
  • Code is subject to peer review prior to deployment
  • Dependencies are monitored for known vulnerabilities and patched in a timely manner
  • Production environments are separated from development and staging environments

2.8 Data Minimisation and Deletion

  • Only personal data necessary for the specified processing purposes is collected and retained
  • Automated processes are in place to delete or anonymise personal data when the retention period expires
  • Physical media is securely destroyed or overwritten before disposal

3. AI-Specific Measures

Given the nature of the Service, the following additional measures apply to processing involving AI systems:

3.1 AI Provider Controls

  • Third-party AI model providers (as listed in the Sub-Processors page) are contractually prohibited from using Controller data for model training
  • API-based AI processing is configured to use zero-data-retention or equivalent options where available from the provider
  • AI provider data processing agreements are reviewed to ensure compliance with this DPA

3.2 Input and Output Handling

  • User inputs to AI Agents and AI-generated outputs are processed and stored in accordance with the same security controls applied to all personal data
  • The Processor does not persistently store AI conversation data beyond the retention periods specified in the Privacy Policy, unless the Controller configures the Service to do so

3.3 Transparency

  • End users are informed that they are interacting with an AI system, in compliance with applicable AI transparency regulations including the EU AI Act

Contact

For questions about this DPA, contact:

Deputise Ltd, 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ

Email: legal@deputise.ai