A Data Processing Agreement (DPA) is the contract that sits underneath any service where one business handles personal information on behalf of another. UK GDPR (Article 28) requires one whenever a processor handles personal data for a controller. This page is our standard DPA, written in plain English and ready to sign.
What's a DPA, and why do I need one?
If you're a UK business and you ask another business to handle personal data — yours, your staff's, your customers' — UK law requires a written agreement between you covering how that's done. That's a DPA.
For most of our clients, you (the business) are the data controller — you decide why personal data is collected and what's done with it. SimplyAi Solutions is the data processor — we handle it on your instructions to deliver the AI worker service.
This page is our standard DPA. If you need adjustments — bespoke retention periods, additional residency requirements, your own template — just ask. We'll review and usually agree.
The parties
Controller: The client business named on the Statement of Work or Order Form. That's you.
Processor: SimplyAi Solutions Ltd (company number 17217525, registered office 6 Cavendish Walk, Bolsover, Chesterfield S44 6DB) — registered in England & Wales. That's us.
This DPA forms part of our Terms of Service and applies for as long as we process personal data on your behalf.
What we process
| Aspect | Detail |
|---|---|
| Purpose | Running the AI worker(s) set out in your Statement of Work |
| Duration | For as long as your subscription or project is active |
| Nature of processing | Reading, drafting, sorting, summarising, scheduling, replying |
| Categories of data | Names, email addresses, phone numbers, business addresses, message content, calendar entries, billing references, anything else inside the systems your worker is connected to |
| Categories of data subjects | Your staff, your clients, your suppliers, anyone else who corresponds with the connected systems |
| Special category data | Only if your worker is explicitly configured to handle it (e.g. health data in a care provider use case), and only under additional safeguards agreed in writing |
Our duties as processor
As your data processor, we:
- Only process personal data on your documented instructions (the Statement of Work, the configuration you sign off, and any further written instructions you give us).
- Make sure everyone we let near your data is bound by confidentiality — staff contracts and sub-processor agreements both cover this.
- Help you respond to data subject requests (subject access, deletion, correction) within the timescales set out below.
- Help you meet your UK GDPR obligations on security, breach notification, impact assessments, and consultation with the Information Commissioner's Office.
- Delete or return all personal data at the end of the contract, as set out below.
- Make available all information needed to demonstrate compliance with these obligations.
Security measures
We use technical and organisational measures that match the risk:
- Encryption in transit (TLS 1.3) and at rest (AES-256)
- Two-factor authentication mandatory on all staff and client accounts
- Role-based access control — staff only see what they need to do their work
- Hardened cloud infrastructure (UK or EU region by default)
- Audit logging of all access to client data
- Documented incident response plan, tested annually
- Annual penetration testing by an independent firm
- Staff training on data protection at induction and annually
- Background checks on all staff before they access client systems
For Private Setup clients, additional measures apply — typically including data segregation, your own dedicated infrastructure, and reduced reliance on third-party AI providers.
Sub-processors
We use a small list of carefully chosen sub-processors to deliver the service. Each is bound by a written agreement with security and confidentiality obligations no weaker than this DPA.
| Sub-processor | Purpose | Location |
|---|---|---|
| Anthropic, PBC | AI model API calls | USA (with IDTA in place) |
| OpenAI, LLC | AI model API calls | USA (with IDTA in place) |
| Google LLC (Gemini) | AI model API calls | EU / USA |
| Amazon Web Services | Cloud hosting | UK (London region) |
| Stripe Payments UK Ltd | Billing & payments | UK / Ireland |
| Resend / Postmark | Transactional email | EU |
We'll give you at least 30 days' notice before adding a new sub-processor or replacing an existing one. If you have a reasonable objection on data protection grounds, you can terminate the affected service without penalty, and you won't be charged for the unused portion of the term.
Private Setup clients: where your worker runs entirely inside your own systems, no third-party AI sub-processor is used by design.
International transfers
Where personal data leaves the UK to a sub-processor (typically the US-based AI model providers listed above), we rely on one of:
- The UK International Data Transfer Agreement (IDTA), or
- The EU Standard Contractual Clauses with the UK Addendum, or
- An adequacy decision by the UK Government, where applicable
We also apply additional safeguards where the sub-processor is in a country without an adequacy decision, including data minimisation, a contractual prohibition on training models on your data, and contractual commitments from the sub-processor on how it handles government access requests (notifying us and challenging them where lawful).
Helping you respond to data subjects
If one of your clients or staff exercises their UK GDPR rights (to see their data, correct it, delete it, port it) and we hold the relevant data, we'll help you respond within the statutory timescale. Usually we can answer your operational request within 5 working days, leaving you the rest of the statutory one month to reply to the data subject.
Breach notification
If we become aware of a personal data breach affecting your data, we'll tell you without undue delay — and in any event within 72 hours. The notification will include:
- What happened, when, and how we found out
- The categories and approximate volume of data affected
- The likely consequences
- What we've done about it and what we're recommending
- Who to contact for more information
72 hours is the maximum, not the aim. The aim is "as soon as we know, you know". Bear in mind that your own 72-hour window for notifying the ICO runs from the point you become aware of the breach, so the sooner we tell you, the more of that window you keep.
Audits
You have the right to audit our processing of your personal data. In practice:
- We'll provide our annual compliance summary on request — no charge, no notice required
- If you want a deeper review (questionnaire, evidence pack, call with our team), give us 30 days' notice and we'll arrange it at no charge once per calendar year
- If you need a physical or on-premises audit, that's available on reasonable notice with costs shared fairly
- Larger Private Setup clients can negotiate more frequent or independent auditor reviews in their Statement of Work
End of processing
When our contract ends — whether you cancel, we cancel, or the project finishes — we will, at your written choice:
- Return all personal data we hold to you in a structured, machine-readable format, within 14 days, or
- Delete it from all our systems, including backups, within 30 days
The default is deletion. If you'd like a return-then-delete sequence, just say so in writing at the time.
Limited copies may be retained for longer where the law requires (for example, HMRC requires us to keep transaction records for 6 years). Those copies are not used for any other purpose.
Signing this DPA
For most clients, this DPA is incorporated by reference into your Statement of Work — by signing the SoW or accepting your first invoice, you accept this DPA at its current version.
If you need a separately signed counterpart for your records, email letstalkai@simplyaisolutions.co.uk and we'll send you a signable PDF.
If you have your own DPA template you'd prefer to use, send it to us. We'll review it. We're usually happy to sign reasonable third-party DPAs, particularly common templates such as the IAPP's or your industry body's.