Back to home

Data Processing Agreement

Effective date: 28/04/2026

This Data Processing Agreement ("DPA") forms part of the Terms of Service between Beecredo Ltd ("Processor", "ContractShield", "we") and the Customer ("Controller", "you"). It governs our processing of personal data on your behalf in the provision of the Service.

Where you upload contracts or other documents to the Service that contain personal data (for example, names, contact details, or other information about your counterparties or their personnel), you are the controller of that personal data and we are your processor within the meaning of the UK GDPR.

This DPA is entered into pursuant to Article 28 of the UK GDPR.

1. Definitions

Terms used in this DPA have the meanings given in the UK GDPR. "Customer Personal Data" means personal data contained in Content you upload to the Service.

2. Subject matter and duration

  • Subject matter: processing of Customer Personal Data to provide the Service.
  • Duration: for as long as you use the Service, plus any retention period set out in the Privacy Policy.
  • Nature and purpose: analysis of contracts uploaded by you, including text extraction, AI-based review, risk flagging, and generation of outputs.
  • Types of personal data: typically names, job titles, business contact details, signatures, and any other personal data that happens to appear in the contracts you upload.
  • Categories of data subjects: your personnel, your counterparties' personnel, and other individuals identified in the contracts you upload.

You are responsible for ensuring that your upload of Customer Personal Data complies with your own obligations as controller, including that you have a lawful basis to share the data with us and that you have provided any required notices to data subjects.

3. Processor obligations

We will:

(a) process Customer Personal Data only on your documented instructions, which are set out in the Terms and this DPA, and as required to provide the Service. If we are required by law to process Customer Personal Data otherwise, we will inform you of that requirement unless the law prohibits us from doing so;

(b) ensure that personnel authorised to process Customer Personal Data are bound by confidentiality obligations;

(c) implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as described in Annex 1;

(d) assist you, taking into account the nature of the processing and the information available to us, in responding to requests from data subjects exercising their UK GDPR rights;

(e) assist you in complying with your obligations under Articles 32 to 36 of the UK GDPR (security, breach notification, data protection impact assessments, and prior consultation) to the extent reasonably possible;

(f) notify you without undue delay after becoming aware of a personal data breach affecting Customer Personal Data, and in any event within 48 hours, and provide reasonable information to help you comply with your notification obligations;

(g) at your choice, delete or return all Customer Personal Data at the end of the provision of the Service, and delete existing copies unless legally required to retain them;

(h) make available to you all information necessary to demonstrate compliance with Article 28 of the UK GDPR, and allow for and contribute to audits as set out in Section 7.

4. Sub-processors

You authorise us to engage sub-processors to process Customer Personal Data. The current list of sub-processors, including each provider's purpose, location, and applicable safeguards, is published and maintained at https://contractshield.co.uk/sub-processors. That page forms part of this DPA and is the single source of truth for the current sub-processor list.

Note on AI processing: Content you upload is transmitted to Anthropic PBC for processing. Under Anthropic's Commercial Terms of Service, Anthropic is contractually prohibited from using API inputs or outputs to train its models. Anthropic retains API data for a maximum of 30 days for the purpose of abuse monitoring, unless we have a Zero Data Retention (ZDR) arrangement in place, in which case data is not stored at rest after the API response is returned (except as strictly required for abuse screening).

We will:

(a) enter into a written contract with each sub-processor that imposes data protection obligations substantially equivalent to those in this DPA;

(b) remain responsible for the acts and omissions of our sub-processors as if they were our own;

(c) notify you at least 30 days before adding or replacing a sub-processor, via email to the address on your account and/or an update to https://contractshield.co.uk/sub-processors. You may object on reasonable data-protection grounds within 14 days. If we cannot accommodate your objection, you may terminate the Service and receive a pro-rata refund of prepaid fees for the unused period.

5. International transfers

Where Customer Personal Data is transferred outside the UK, we will ensure an appropriate transfer mechanism is in place, including:

  • the UK International Data Transfer Agreement (IDTA); or
  • the UK Addendum to the EU Standard Contractual Clauses,

together with supplementary measures where required by applicable guidance.

You authorise us to enter into such transfer mechanisms with sub-processors on your behalf.

6. Security measures

We implement and maintain the technical and organisational measures set out in Annex 1. You acknowledge that these measures are appropriate taking into account the state of the art, the costs of implementation, the nature, scope, context and purposes of processing, and the risk to data subjects.

7. Audits

You may audit our compliance with this DPA no more than once per calendar year, on at least 30 days' written notice, during business hours, and subject to reasonable confidentiality obligations. As a first step, we may satisfy audit requests by providing our most recent third-party security reports and answering written questionnaires. Any on-site audit is at your cost unless it identifies a material breach of this DPA.

8. Return and deletion

During the term of the Service: we do not retain uploaded contract files after processing is complete. Contract review outputs (analysis, risk flags, summaries) are retained while your account is active and may be deleted by you at any time from your dashboard or on request to support@contractshield.co.uk.

On expiry or termination of the Service:

  • you may export your review outputs via the Service for a period of 30 days; and
  • thereafter, we will delete review outputs and any remaining Customer Personal Data from active systems within 30 days, and from backups within 90 days, except where applicable law requires longer retention.

On written request, we will certify in writing that deletion has been completed.

9. Liability

The liability provisions in the Terms of Service apply to this DPA. Nothing in this DPA limits the rights of data subjects under the UK GDPR.

10. Precedence

In the event of a conflict between this DPA and the Terms of Service in relation to the processing of Customer Personal Data, this DPA prevails.

Annex 1 — Technical and organisational measures

Encryption
- Data in transit encrypted with TLS 1.2 or higher.
- Data at rest encrypted with AES-256.

Access control
- Role-based access controls for personnel.
- Multi-factor authentication required for administrative access.
- Principle of least privilege applied across systems.
- Access reviews carried out at least [QUARTERLY / SEMI-ANNUALLY].

Network and infrastructure security
- Hosting with a reputable cloud provider with ISO 27001 or equivalent certification.
- Firewalls, network segmentation, and intrusion detection.
- Regular patching of systems and dependencies.

Application security
- Secure development practices, including code review before deployment.
- Dependency and vulnerability scanning.
- [Penetration testing frequency, e.g. annually by a third party].

Operational security
- Audit logging of access to Customer Personal Data.
- Incident response plan with documented roles and escalation.
- Backups encrypted and access-controlled.
- Staff training on data protection and information security.

Personnel
- Written confidentiality obligations for all personnel with access to Customer Personal Data.
- Background checks where lawful and appropriate.
- Access revoked promptly on change of role or departure.

Business continuity
- Documented backup and recovery procedures.
- Defined recovery-time and recovery-point objectives.

Sub-processor management
- Written contracts with each sub-processor imposing equivalent data protection obligations.
- Due diligence before onboarding.

Annex 2 — Contact points

Customer contact for data protection matters: the email address on the Customer's account.

ContractShield contact: privacy@contractshield.co.uk

© 2026 ContractShield (Beecredo Ltd)