Legal
Data Processing Agreement
Last updated: May 2025 — Compliant with UK GDPR Article 28
Need a signed copy?
Email hello@usageregister.co.uk and we will send a countersigned PDF within one business day.
Parties
Data Controller: The client organisation named in the engagement proposal (referred to below as "Controller" or "you").
Data Processor: Usage Register (referred to below as "Processor" or "we").
This DPA forms part of the contract between the parties and supplements the Terms of Service. It is effective from the date the engagement commences.
1. Subject matter and duration
The Processor provides AI usage discovery, register management, and current-state review services to the Controller. In doing so, the Processor processes personal data of the Controller's employees and staff on the Controller's behalf.
This Agreement applies for the duration of the engagement and for up to 90 days thereafter (the data return and deletion period).
2. Nature and purpose of processing
The Processor processes personal data for the following purposes:
- Sending and managing AI discovery survey invitations
- Collecting and analysing survey responses
- Generating aggregated reports, risk classifications, and governance recommendations
- Maintaining the client's AI register within the platform
- Providing platform access to authorised client users
3. Categories of personal data and data subjects
| Category | Data elements | Data subjects |
|---|---|---|
| Survey participants | Name (optional), work email, job role, department, AI tools used, use case descriptions, risk indicators | Employees and contractors of the Controller |
| Platform users | Name, work email, job title, role, login activity | Authorised administrators and managers at the Controller |
No special category data (as defined under Article 9 UK GDPR) is intentionally collected. The Controller is responsible for ensuring no special category data is included in free-text survey responses.
4. Processor obligations (Article 28(3))
The Processor shall:
- Process personal data only on documented instructions from the Controller, including with regard to international transfers, unless required to do so by law (in which case the Processor will inform the Controller of that legal requirement before processing, unless the law prohibits doing so)
- Ensure all persons authorised to process the personal data are under a duty of confidentiality
- Implement appropriate technical and organisational security measures (see Annex A)
- Not engage sub-processors without the Controller's prior specific or general written authorisation (see Section 5)
- Assist the Controller in responding to data subject rights requests, with any fees as set out in Section 8
- Assist the Controller with security obligations, breach notification, DPIAs, and consultation as required
- Delete or return all personal data on termination of the engagement (see Section 7)
- Provide all information necessary to demonstrate compliance with the obligations in this Section and allow for and contribute to audits (see Section 9)
5. Sub-processors
The Controller provides standing authorisation for the Processor to use the following sub-processors. The Processor will notify the Controller of any intended changes and allow a reasonable period to object.
| Sub-processor | Purpose | Location |
|---|---|---|
| Neon Inc. | Cloud database hosting (PostgreSQL) | EU (Frankfurt) |
| Resend Inc. | Transactional email delivery | USA (Standard Contractual Clauses in place) |
| Replit Inc. | Application hosting | EU/EEA (European deployment) |
6. Security measures (Annex A)
The Processor maintains the following technical and organisational measures:
- Encryption of data in transit (TLS 1.2+) and at rest (AES-256)
- Role-based access control — client staff can only access their own organisation's data
- Survey responses are stored separately from respondent identity data (name and work email) and are never attributed to a named individual in reports
- Small-group suppression: departments with fewer than 5 respondents are merged into a larger grouping before results are reported, to prevent re-identification of individual respondents
- Password hashing using bcrypt with a work factor of 12
- Access credentials are never stored in plain text
- Audit logging of key administrative actions
- Incident response: the Processor will notify the Controller without undue delay, and in any event within 72 hours, of becoming aware of a personal data breach affecting the Controller's personal data, and will provide the information the Controller needs for its own notification obligations under Articles 33 and 34 UK GDPR
7. Data return and deletion
On expiry or termination of the engagement, the Controller may request an export of its data within 30 days. The Processor will then delete or anonymise all personal data within a further 60 days (90 days in total, as stated in Section 1), except where retention is required by law.
Survey responses are anonymised (names and email addresses removed) rather than deleted where necessary to maintain the integrity of aggregate historical reports, unless the Controller requests full deletion.
8. Data subject rights
Where a data subject exercises a right under UK GDPR (access, erasure, rectification, portability, restriction, objection), the Controller remains responsible for responding. The Processor will assist within a reasonable timeframe and may charge a reasonable fee for significant requests.
9. Audit rights
The Controller may, on at least 30 days' written notice and no more than once per year, conduct (or commission a third party to conduct) an audit of the Processor's processing activities. The Processor will cooperate and provide access to relevant records and systems. Audit costs are borne by the Controller unless a material breach is found.
10. Governing law
This Agreement is governed by the laws of England and Wales. Any dispute arising under this Agreement shall be subject to the exclusive jurisdiction of the courts of England and Wales.
To obtain a signed copy of this Agreement for your records, email hello@usageregister.co.uk.