Data Processing Agreement.
The Article 28 (UK GDPR) contract between your firm (controller) and ParaplanAI (processor). Required if your firm uploads any personal data about end clients — typically anonymised in our flow but the DPA covers the residual case where free-text fields carry PII.
Headline terms
- Roles. Your firm is the data controller. ParaplanAI is the data processor.
- Purpose limitation. We process personal data only to provide the calculator + audit-trail service you have subscribed to. No analytics, no AI training, no resale.
- Sub-processors. The current list is in /privacy §4. We notify you 30 days before adding any new sub-processor; you can object.
- Security. AES-256 at rest, TLS 1.3 in flight, RLS on every tenant-scoped table. See /security.
- International transfers. Document extraction transmits the PDF to Anthropic in the US under the UK Extension to the EU–US DPF + SCCs as fallback. See /privacy §2.3 + §5.
- Breach notification. ICO + affected firms within 72 hours of detection.
- Sub-processor audit rights. Annual right of access to our latest controls report + sub-processor DPAs.
- Return / deletion on termination. Within 30 days of subscription end, we export your firm's calc audit trail (JSONL) and delete operational data per the retention schedule in /privacy §6.
Signed PDF
The countersigned DPA PDF is available on request — email hello@paraplanai.co.uk with your firm name and primary contact. We send a DocuSign link the same business day. The DPA stays in force for the duration of your subscription and 6 years post-cancellation (FCA SYSC 9 retention).
If your firm requires our DPA to be cross-signed onto your standard supplier contract instead, reply to the email above with your template attached and we'll review within 5 business days.
See also
- /privacy — controller-side personal data, retention, sub-processors
- /terms — commercial terms, liability cap, billing
- /security — controls + breach-notification commitment