Data Processing Agreement

This Data Processing Agreement (‘DPA’) forms part of the agreement between Vancap Technologies Ltd (company number 17057839), of C/O Roxburgh Milkins Limited, Merchants House North, Wapping Road, Bristol BS1 4RW (‘Vancap’, ‘Processor’), and the customer organisation that has agreed to Vancap’s Terms of Service or signed an order with Vancap (the ‘Customer’, ‘Controller’) (together, the ‘Agreement’).

It governs Vancap’s processing of personal data on the Customer’s behalf when the Customer uses the Vancap Platform (the ‘Services’). Where this DPA and the Terms of Service conflict on the subject of data protection, this DPA prevails.

1. Definitions

Terms such as ‘personal data’, ‘processing’, ‘controller’, ‘processor’, ‘data subject’, ‘personal data breach’, and ‘supervisory authority’ have the meanings given in UK Data Protection Law, meaning the UK GDPR (Regulation (EU) 2016/679 as it forms part of UK law) and the Data Protection Act 2018, and any successor legislation.

• Customer Personal Data — personal data within the Customer Content that Vancap processes on the Customer’s behalf under the Agreement, as described in Annex 1.
• Sub-processor — a third party engaged by Vancap to process Customer Personal Data.

2. Roles and scope

2.1 As between the parties, the Customer is the controller and Vancap is the processor of the Customer Personal Data described in Annex 1.

2.2 Each party will comply with its obligations under UK Data Protection Law. The Customer is responsible for the lawfulness of the Customer Personal Data it provides and of the instructions it gives, including having a valid lawful basis and, where required, having provided notice to, or obtained consent from, the relevant data subjects (for example, individuals whose personal data appears in uploaded photos, documents, or messages).

2.3 This DPA governs Vancap’s processing of Customer Personal Data as a processor. Separately, for personal data that each party processes about the other’s personnel in order to manage the business relationship (such as the contact details of administrators and signatories), each party acts as an independent controller and is responsible for its own compliance with UK Data Protection Law.

3. Vancap’s obligations as processor

Vancap will:

3.1 Process only on documented instructions. Process Customer Personal Data only on the Customer’s documented instructions (including as set out in the Agreement and through the Customer’s configuration and use of the Services), and not for its own purposes. Vancap will not sell Customer Personal Data and will not use it to train artificial intelligence models. If Vancap is required by law to process beyond those instructions, it will inform the Customer first unless the law prohibits this.

3.2 Confidentiality. Ensure that personnel authorised to process Customer Personal Data are bound by appropriate confidentiality obligations and access it only as needed to provide the Services.

3.3 Security. Implement appropriate technical and organisational measures to protect Customer Personal Data, as set out in Annex 2 and as required by Article 32 UK GDPR.

3.4 Sub-processors. Engage sub-processors in accordance with section 4.

3.5 Assist with data subject rights. Taking into account the nature of the processing, assist the Customer by appropriate technical and organisational measures, insofar as possible, to respond to requests from data subjects exercising their rights under UK Data Protection Law. If Vancap receives such a request directly, it will, without undue delay, inform the data subject to contact the Customer and notify the Customer.

3.6 Assist with compliance. Taking into account the nature of processing and the information available to Vancap, assist the Customer in ensuring compliance with its obligations relating to security (Article 32), personal data breach notification (Articles 33–34), data protection impact assessments (Article 35), and prior consultation (Article 36).

3.7 Personal data breach. Notify the Customer without undue delay, and in any event within 72 hours, after becoming aware of a personal data breach affecting Customer Personal Data, and provide the Customer with the information reasonably available to it to meet its own notification obligations.

3.8 Deletion or return. On termination or expiry of the Agreement, and at the Customer’s choice, delete or return all Customer Personal Data and delete existing copies, within 30 days, unless UK Data Protection Law requires continued storage. The Customer may export its Content before the end of this period.

3.9 Records and audits. Make available to the Customer information reasonably necessary to demonstrate compliance with this section and Article 28 UK GDPR, and allow for and contribute to audits, including inspections, conducted by the Customer or an auditor it mandates. Such audits are limited to once per year, on reasonable prior notice, during business hours, and subject to confidentiality; Vancap may satisfy an audit request by providing existing reports or certifications.

4. Sub-processors

4.1 The Customer gives general authorisation for Vancap to engage the sub-processors listed in Annex 3 (the current sub-processor list) to process Customer Personal Data.

4.2 Vancap will impose data protection obligations on each sub-processor that are no less protective than those in this DPA, and remains liable to the Customer for its sub-processors’ performance.

4.3 Vancap will give the Customer 30 days’ prior notice of any intended addition or replacement of a sub-processor (by updating the published list and/or notifying the Customer). The Customer may object on reasonable data protection grounds; the parties will work in good faith to resolve the objection, and if they cannot, the Customer may terminate the affected Services.

5. International transfers

5.1 Vancap stores Customer Personal Data primarily in the United Kingdom and the European Union. Certain sub-processors (including the AI, authentication, document-preview, and content-delivery providers in Annex 3) process data in the United States or other countries.

5.2 Where Vancap transfers Customer Personal Data outside the UK, it will ensure an appropriate transfer mechanism is in place, such as the UK International Data Transfer Agreement or Addendum to the EU Standard Contractual Clauses, or reliance on a valid adequacy decision.

6. Liability

The parties’ liability under or in connection with this DPA is subject to the limitations and exclusions of liability set out in the Terms of Service / Agreement. That cap applies to this DPA; no separate data-protection super-cap applies.

7. Term and termination

This DPA takes effect when the Customer accepts the Agreement and continues for as long as Vancap processes Customer Personal Data. Sections that by their nature should survive (including sections 3.8, 3.9, 5, and 6) survive termination.

8. Governing law

This DPA is governed by the laws of England and Wales, consistent with the Terms of Service / Agreement of which it forms part, and the parties submit to the exclusive jurisdiction of the courts of England and Wales.

Annex 1 — Details of the processing

• Subject matter: Vancap’s provision of the Services to the Customer.
• Duration: the term of the Agreement, plus any deletion/return period.
• Nature and purpose: hosting, storage, organisation, retrieval, display, transmission, AI-assisted text summarisation and draft-report generation, and related processing, in order to provide the Services.
• Types of personal data:
  • Account users: name, email address, optional phone number, role, IP address, and authentication identifiers.
  • Within Customer Content: any personal data the Customer or its field workers include in inspection jobs — for example names, addresses, and contact details in notes, documents, and messages; sender phone numbers and usernames from messaging integrations; precise location/GPS data; and personal data appearing in photographs, audio, and video (e.g. individuals at inspection sites). Vancap does not process special-category data (Article 9) by design. The Customer must not upload special-category data without its own lawful basis and Article 9 condition for processing.
• Categories of data subjects: the Customer’s staff and authorised users; and third parties whose personal data appears in Customer Content, such as property occupants, site visitors, and people who send messages into a job.

Annex 2 — Technical and organisational security measures

Vancap maintains measures including:

• Tenant isolation: strict per-organisation separation enforced at the database level (row-level security), so one organisation cannot access another’s data; files are stored under per-organisation paths.
• Encryption: encryption in transit (HTTPS/TLS) for connections to the Services; encryption at rest provided by the storage and database platforms.
• Access control: role-based access within the Services; least-privilege internal access; authentication via the Customer’s Google or Microsoft single sign-on.
• Logging and monitoring: audit and access logging of sensitive actions, including IP addresses, for security purposes.
• Application hardening: rate limiting, validation of uploaded files, signed/ verified inbound integration webhooks, and content/prompt safeguards for AI features.
• AI data minimisation: only text is sent to the AI provider; images, audio, and video are never sent.

Encryption at rest is enabled by the underlying storage and database platforms (Supabase and AWS) as standard. Further formal measures (documented backup policy, breach-response plan, staff training, penetration testing) will be added here as they are established.

Annex 3 — Authorised sub-processors

The current list of authorised sub-processors is maintained by Vancap and provided to the Customer on request. It records, for each sub-processor, its purpose, the data processed, and its processing location.