Data Processing Agreement
Last updated: March 2026
1. Introduction
This Data Processing Agreement ("DPA") forms part of the Terms and Conditions between Find a Contract Ltd ("Processor", "we", "us") and the subscribing organisation ("Controller", "you") for the use of the Find a Contract platform ("Service").
This DPA is entered into pursuant to Article 28 of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, and sets out the terms on which we process personal data on your behalf in connection with the Service.
In the event of any conflict between this DPA and the Terms and Conditions, this DPA shall prevail with respect to matters of data protection.
2. Definitions
In this DPA, unless the context requires otherwise:
- "Data Protection Laws" means the UK GDPR, the Data Protection Act 2018, the Privacy and Electronic Communications Regulations 2003, and any successor legislation.
- "Personal Data" means any information relating to an identified or identifiable natural person that is processed by the Processor on behalf of the Controller through the Service.
- "Processing" means any operation performed on Personal Data, including collection, storage, retrieval, use, disclosure, and deletion.
- "Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
- "Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data.
3. Scope and Purpose of Processing
The Processor shall process Personal Data solely for the purpose of providing the Service to the Controller, as described in the Terms and Conditions. Processing activities include:
- User authentication and account management
- Storage and retrieval of organisation profiles and supplier capability data
- Contract matching and AI-powered analysis using supplier profile data
- Pipeline management, watchlist tracking, and saved search functionality
- Sending transactional emails (notifications, alerts, digests, team invitations)
- Processing subscription payments
- Generating audit logs for compliance and security
4. Categories of Data and Data Subjects
The following categories of Personal Data are processed under this DPA:
- Data subjects: Employees, officers, and authorised representatives of the Controller who have user accounts on the Service.
- Identity data: Names, email addresses, job titles, user roles.
- Organisation data: Company name, registered address, company number, sector information, certifications, geographic coverage, contract value preferences.
- Usage data: Search queries, saved searches, pipeline items, watchlist entries, FOI request content, notes, and comments created within the Service.
- Technical data: IP addresses, browser information, session tokens.
5. Processor Obligations
The Processor shall:
- Process Personal Data only on documented instructions from the Controller, unless required to do so by applicable law. The Terms and Conditions and this DPA constitute the Controller's documented instructions.
- Ensure that all personnel authorised to process Personal Data are bound by appropriate confidentiality obligations.
- Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as described in Section 6.
- Assist the Controller in responding to data subject rights requests, including access, rectification, erasure, and portability.
- Assist the Controller in meeting obligations related to data breach notification, data protection impact assessments, and prior consultation with supervisory authorities.
- Not engage any Sub-processor without prior written authorisation from the Controller, subject to the provisions in Section 7.
6. Security Measures
The Processor implements the following technical and organisational security measures to protect Personal Data:
- Encryption: Data encrypted in transit using TLS 1.2+ and at rest using AES-256 encryption at the database level.
- Access controls: Role-based access control (RBAC) with two permission levels (super_admin and manager). Database-level Row-Level Security (RLS) policies enforce tenant data isolation.
- Authentication: Secure authentication via Supabase Auth with hashed passwords, session management, and email verification.
- Audit logging: All significant user and administrative actions are recorded in an audit log with timestamps, user identification, and action details.
- Infrastructure: Application hosted on Vercel with automatic scaling and DDoS protection. Database hosted on Supabase within EU data centres.
- Incident response: Documented incident response procedures with defined escalation paths and notification timelines.
7. Sub-processors
The Controller provides general authorisation for the Processor to engage the following Sub-processors. The Processor shall notify the Controller of any intended changes to Sub-processors, providing at least 30 days' notice before engaging a new Sub-processor:
- Supabase Inc. — Database hosting, authentication, and backend services. Data stored in EU data centres. Processes: account data, organisation data, application content.
- Stripe Inc. — Payment processing and subscription management. PCI DSS Level 1 certified. Processes: billing information, payment card data, subscription records.
- Resend Inc. — Transactional email delivery. Processes: email addresses, notification content, alert summaries.
- Anthropic PBC — AI analysis services. Processes: contract data and supplier profile data for generating match scores, briefs, and assessments. Anthropic does not use customer data for model training.
- Vercel Inc. — Application hosting and serverless compute. Processes: technical data (IP addresses, request logs).
The Processor shall ensure that each Sub-processor is bound by data protection obligations no less onerous than those set out in this DPA.
8. International Data Transfers
Primary data storage is within the European Union (Supabase EU data centres). Where Personal Data is transferred to Sub-processors outside the UK and EU (including Stripe, Anthropic, and Vercel in the United States), such transfers are made subject to appropriate safeguards, including:
- UK International Data Transfer Agreements (IDTAs) or EU Standard Contractual Clauses (SCCs) with the UK Addendum, as approved by the ICO.
- Adequacy decisions issued by the UK Secretary of State, where applicable.
- Additional technical measures, including encryption and access controls, to supplement contractual safeguards.
9. Data Breach Notification
In the event of a Data Breach affecting Personal Data processed under this DPA, the Processor shall notify the Controller without undue delay and in any event within 72 hours of becoming aware of the breach. The notification shall include:
- A description of the nature of the breach, including the categories and approximate number of data subjects and records affected.
- The name and contact details of the Processor's point of contact for further information.
- A description of the likely consequences of the breach.
- A description of the measures taken or proposed to address the breach and mitigate its effects.
The Processor shall cooperate with the Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of the breach. The Processor shall not notify any supervisory authority or data subject on behalf of the Controller unless expressly instructed to do so.
10. Audit Rights
The Processor shall make available to the Controller all information necessary to demonstrate compliance with this DPA and applicable Data Protection Laws. The Controller may conduct audits, including inspections, by itself or through an appointed third-party auditor, subject to the following conditions:
- Audit requests must be made in writing with at least 30 days' notice and limited to once per calendar year, unless required by a supervisory authority.
- Audits shall be conducted during normal business hours and in a manner that minimises disruption to the Processor's operations.
- The Controller shall bear the costs of any audit, unless the audit reveals a material breach of this DPA by the Processor.
Where the Processor engages third-party auditors to produce compliance reports (such as SOC 2), the Processor may provide such reports to the Controller in lieu of a direct audit, provided the reports are current and relevant.
11. Data Deletion and Return
Upon termination of the Service or upon the Controller's written request, the Processor shall:
- Provide the Controller with the ability to export its data in a structured, commonly used format (CSV or JSON) through the Service's export functionality.
- Delete all Personal Data processed on behalf of the Controller within 30 days of termination, unless retention is required by applicable law.
- Provide written confirmation of deletion upon the Controller's request.
Data retained for legal compliance purposes (such as payment records required under UK tax regulations) shall be securely stored with restricted access and deleted once the retention obligation expires.
12. Liability
The liability of each party under this DPA shall be subject to the limitations and exclusions set out in the Terms and Conditions, except that neither party limits its liability for breaches of Data Protection Laws to the extent that such limitation would be prohibited by law.
Each party shall be liable for damage caused by processing that infringes the Data Protection Laws in accordance with Article 82 of the UK GDPR.
13. Term and Governing Law
This DPA shall remain in effect for the duration of the Processor's processing of Personal Data on behalf of the Controller. Provisions that by their nature should survive termination (including data deletion obligations, audit rights, and liability) shall survive.
This DPA shall be governed by and construed in accordance with the laws of England and Wales. Any dispute arising in connection with this DPA shall be subject to the exclusive jurisdiction of the courts of England and Wales.
14. Contact
For queries regarding this Data Processing Agreement, please contact us at support@findacontract.co.uk.
Find a Contract Ltd
Registered in England and Wales
Website: findacontract.co.uk