Legal · UK GDPR Article 28

Data Processing Agreement

Article 28 processor terms between SafeZoneAI Ltd and our customers — what we do with your data, how we secure it, and what happens at termination.

v1.0 · effective 2026-04-27 SafeZoneAI Ltd · ICO ZC133689

Status: this DPA forms part of our Terms of Service and applies automatically when you upload personal data to SafeZone. Procurement teams that need a counter-signed copy on company letterhead — email privacy@safezoneaitech.com and we'll send one within two business days.

1. Parties and roles

You (the customer) are the data controller of any personal data you upload to SafeZone — for example, names, contact details, or addresses of individuals associated with your suppliers.

SafeZoneAI Ltd ("SafeZone") is your data processor for that data. We process it only on your documented instructions and only as needed to provide the service.

This DPA is an Article 28 UK GDPR processing agreement and incorporates the UK ICO's International Data Transfer Addendum where personal data leaves the UK.

2. Scope of processing (Annex A)

Category	Detail
Subject matter	Provision of supplier-risk software and related services.
Duration	For the term of your subscription, plus the deletion period in section 6.
Nature and purpose	Storing, indexing, scoring and displaying supplier records you upload.
Categories of personal data	Business contact data: names, work email addresses, work telephone numbers, and corporate addresses associated with supplier organisations.
Categories of data subject	Employees and representatives of your suppliers; staff at your organisation who use SafeZone.
Special category data	None — you must not upload special-category or criminal-conviction data.

3. Our obligations as processor

SafeZone will:

Process personal data only on your documented instructions, including the instructions implicit in your use of the service.
Ensure persons processing the data are bound by confidentiality.
Apply appropriate technical and organisational security measures (Annex B).
Help you respond to data-subject requests within the time limits in UK GDPR.
Help you with security, breach notification, impact assessments and prior consultations as required by Articles 32–36.
Notify you of a personal-data breach without undue delay, and within 72 hours if reasonably possible.
Delete or return personal data on termination as set out in section 6.
Make information available to you to demonstrate compliance, and allow audits where reasonably required (section 7).

4. Sub-processors (Annex C)

You authorise us to engage the following sub-processors:

Sub-processor	Purpose	Location
Amazon Web Services EMEA SARL	Hosting, databases, email delivery	UK / EU (eu-west-2)
OpenAI, L.L.C.	Parsing PDF supplier lists you upload	USA
Mapbox, Inc.	Geocoding supplier addresses	USA
Stripe Payments UK Ltd	Subscription billing	UK / EU

If we add or replace a sub-processor we'll notify you at least 14 days in advance via email or a banner on the customer dashboard. You may object on reasonable data-protection grounds; if we can't accommodate, you may terminate the affected service and receive a pro-rata refund.

5. International transfers

Where personal data leaves the UK to a country without UK adequacy, we rely on the UK International Data Transfer Addendum to the EU SCCs, executed with each relevant sub-processor. A copy of the executed transfer mechanism is available on request.

6. Return and deletion

You can export your portfolio CSV at any time via the API. On termination of your subscription, or on your written instruction, we delete personal data within 30 days, except for backup snapshots that age out within 35 days, and audit/billing records we are legally required to retain.

7. Audit

You may request, no more than once per year, written confirmation that we comply with this DPA, plus a summary of our security controls and a recent penetration-test or vulnerability-scan report. On-site audits are available by mutual agreement and at the requesting party's cost.

8. Liability

Liability under this DPA is governed by the limitations in our Terms of Service, except that nothing limits a party's liability for unlawful processing of personal data where the law does not permit such limitation.

9. Annex B — security measures

HTTPS-only transport; HSTS preloaded.
Encryption at rest (AES-256) for all stored personal data.
Argon2 password hashing (managed by AWS Cognito).
Multi-factor authentication on all production AWS console access.
Principle-of-least-privilege IAM scoping; no shared credentials.
AWS Inspector vulnerability scanning gates every deployment; CRITICAL/HIGH findings block release.
CloudTrail audit logging on all production data stores.
Incident response plan with a target 72-hour breach notification window.

10. Contact

Privacy and DPA correspondence: privacy@safezoneaitech.com

Privacy · Terms · Cookie settings