§04 · Data processing · Updated 23 April 2026

Data processing

Our standing Data Processing Agreement summary for engagements where Northbrik processes personal data on behalf of a client organisation. Aligned to UK GDPR Art. 28 and the ICO controller-processor model.

01 · Section

When this document applies

This page summarises the standing Data Processing Agreement (DPA) between Northbrik Systems Ltd ("processor") and a client organisation ("controller") for any engagement in which we process personal data on behalf of the controller. Signed engagement terms may add or amend clauses; where they do, the signed terms prevail.

A full, counter-signable Word version of this DPA — matching the UK Information Commissioner's Office template — is available on request by emailing hello@northbrik.com. Most procurement teams sign this document before kick-off.

02 · Section

Who is controller and who is processor

For personal data the client organisation entrusts to Northbrik to deliver an engagement — end-user records, employee data, customer data — the client is the controller. Northbrik processes that data only under the client's documented instructions and is the processor.

For personal data Northbrik holds as part of its own business relationship with the client — the named buyer, billing contact, signatories, portal users employed by Northbrik — Northbrik is the controller. That processing is covered by our Privacy notice rather than this DPA.

03 · Section

Processing scope (Annex 1)

Every engagement documents the specifics in an Annex 1 attached to the signed DPA. The standing defaults are:

Subject-matter
The engagement's bespoke software delivery — scoping, design, build, integration, launch and ongoing maintenance of agreed systems.
Duration
The period of the engagement plus a 30-day handover window. After that, we return or delete personal data on written instruction.
Nature and purpose
Building, hosting and supporting the agreed systems. We do not use personal data for our own marketing, product development, or model training.
Categories of data subjects
Typically the controller's staff, customers, suppliers or members, as defined in Annex 1.
Categories of personal data
Typically identifiers, contact details, account records and transactional metadata. Special-category data is processed only where explicitly in scope and with written consent.

04 · Section

Our obligations as processor

In line with Art. 28(3) UK GDPR we will:

  • Only process personal data on documented instructions from the controller, including for transfers to a third country, unless required to do so by UK or EU law.
  • Ensure persons authorised to process personal data are under a duty of confidentiality.
  • Implement appropriate technical and organisational measures (see Security annex).
  • Assist the controller in fulfilling data-subject rights requests, including access, rectification, erasure, restriction, portability and objection.
  • Assist the controller with DPIAs, consultations with the ICO, and security of processing.
  • Make available all information necessary to demonstrate compliance, and allow for audits (see Audits).
  • Return or delete all personal data at the end of the engagement, at the controller's choice, unless retention is required by law.
  • Inform the controller immediately if an instruction infringes UK GDPR.

05 · Section

Sub-processors

We only use sub-processors that are necessary to deliver the engagement, and we impose processor obligations on them equivalent to the ones we accept.

Supabase · database, auth, storage
EU/UK regions. Under their processor terms and the EU SCCs / UK IDTA.
Vercel · hosting, compute
EU regions where available. Under their processor terms and SCCs/IDTA.
Resend · transactional email
EU-region sending. Covered by their DPA and SCCs.
Stripe · payments
Stripe Payments Europe Ltd (Ireland). Joint responsibilities under their payments services terms.

We will notify the controller in writing at least 14 days before adding or replacing a sub-processor on an active engagement. The controller may object on reasonable grounds; if we cannot resolve the objection, either party may terminate the affected engagement without penalty for the remaining scope.

06 · Section

International data transfers

Where an engagement requires personal data to leave the UK or EEA, we rely on appropriate safeguards under Art. 46 UK GDPR. Our default instrument is the UK International Data Transfer Addendum to the European Commission's Standard Contractual Clauses (SCCs). Where a Data Privacy Framework (DPF) adequacy mechanism is available for a specific US-resident provider, we can rely on it instead; we document the choice in Annex 2.

07 · Section

Security measures (Annex 2)

Our technical and organisational measures, as summarised here, form Annex 2 of the signed DPA. More detail is available for security reviews under a mutual NDA.

  • Encryption in transit (TLS 1.2+) and encryption at rest for storage and backups.
  • Role-based access control, including row-level security at the database where implemented.
  • MFA required on every administrative account.
  • Centralised secret management; no secrets in source control.
  • Continuous dependency scanning and pinned builds.
  • Logical separation of environments (development, staging, production).
  • Documented joiners/movers/leavers process.
  • Annual review of the technical and organisational measures.

08 · Section

Personal data breach handling

If we become aware of a personal data breach affecting the controller's data, we will notify the controller without undue delay, and in any event within 48 hours of becoming aware, by email to the engagement's nominated security contact. Our notification will describe the nature of the breach, the categories and approximate number of data subjects concerned, the likely consequences, and the measures we are taking or propose to take.

We will support the controller in its obligation to notify the ICO within the 72-hour window where applicable, and will not make unilateral public statements about a breach without the controller's agreement.

09 · Section

Audits

The controller may audit our compliance with this DPA once per year, on reasonable notice and during UK working hours. In practice we offer a written security questionnaire and shared evidence pack as a first step; on-site or remote audits are available where a written questionnaire is not sufficient. We will make senior technical staff available for audit calls at no additional cost.

10 · Section

Return or deletion of data

On termination of the engagement — or earlier on written request — we will, at the controller's choice, return all personal data to the controller in a structured machine-readable format, or delete it from our systems and those of our sub-processors, within 30 days. Retention of a read-only backup for the duration of our backup-rotation window (up to 90 days) is permitted and disclosed.

11 · Section

Liability and indemnities

Liability under this DPA runs with the liability cap in the signed engagement terms, unless statute prevents limitation. Nothing in this DPA limits liability for fraud, gross negligence, or a party's own statutory fines under UK GDPR. Where both parties share fault, liability is apportioned proportionately.

12 · Section

How to request a signed copy

To request a signed copy of this DPA with your organisation's details pre-filled, email hello@northbrik.com and we will return it within two UK working days. If you need us to counter-sign your template instead, attach it and we will review it the same day where the clauses are standard.