BeaconHQ — Data Processing Agreement

Between: Aitronyx Ltd (company number 16965157), trading as BeaconHQ, of Grove House, Lutyens Close, Chineham Court, Basingstoke, Hampshire RG24 8AG ("the Processor"); and the Customer identified in the Terms of Service ("the Controller").

Effective from: 1 June 2026
Version: 1.0

This Data Processing Agreement ("DPA") forms part of, and is incorporated by reference into, the BeaconHQ Terms of Service between the parties (the "Agreement"). It governs the Processor's processing of personal data on behalf of the Controller. Capitalised terms not defined here have the meanings given in the Terms of Service. In the event of conflict between this DPA and the Terms of Service in respect of the processing of personal data, this DPA prevails.


1. Definitions

In this DPA, "UK GDPR", "controller", "processor", "data subject", "personal data", "processing", "personal data breach" and "supervisory authority" have the meanings given in the UK GDPR and the Data Protection Act 2018 (together, "Data Protection Law"). "Sub-processor" means any third party engaged by the Processor to process personal data on behalf of the Controller.

2. Roles and scope

2.1 This DPA applies to the Processor's processing of personal data contained within Customer Data that the Controller uploads to or generates within the Service. In respect of that personal data, the Controller is the controller and the Processor is the processor.

2.2 For the avoidance of doubt, the Processor is an independent controller in respect of the Controller's own account and billing data, and that processing is governed by the BeaconHQ Privacy Policy rather than this DPA.

2.3 The subject-matter, duration, nature and purpose of the processing, the types of personal data and the categories of data subjects are set out in Annex 1.

3. Processor obligations

The Processor shall:

3.1 Instructions. Process the personal data only on the documented instructions of the Controller, including the Agreement, this DPA, and the Controller's use of the Service, unless required to do otherwise by law (in which case the Processor will inform the Controller, unless legally prohibited).

3.2 Confidentiality. Ensure that persons authorised to process the personal data are subject to an appropriate duty of confidentiality.

3.3 Security. Implement and maintain the technical and organisational measures set out in Annex 2, which are appropriate to the risk in accordance with Article 32 UK GDPR.

3.4 Sub-processors. Engage sub-processors only in accordance with clause 4.

3.5 Data subject rights. Taking into account the nature of the processing, assist the Controller by appropriate technical and organisational measures, insofar as possible, to respond to requests from data subjects exercising their rights under Data Protection Law.

3.6 Assistance. Assist the Controller in ensuring compliance with its obligations under Articles 32 to 36 UK GDPR (security, breach notification, data protection impact assessments and prior consultation), taking into account the nature of the processing and the information available to the Processor.

3.7 Breach notification. Notify the Controller without undue delay after becoming aware of a personal data breach affecting the Controller's personal data, and provide the Controller with sufficient information to enable it to meet its own obligations under Articles 33 and 34 UK GDPR.

3.8 Deletion or return. At the Controller's choice, delete or return all personal data to the Controller after the end of the provision of the Service, and delete existing copies unless storage is required by law. The mechanism and timing for export and deletion are as set out in the Terms of Service (clause 16) and the Privacy Policy.

3.9 Records and audit. Make available to the Controller information reasonably necessary to demonstrate compliance with this DPA and Article 28 UK GDPR, and allow for and contribute to audits, including inspections, conducted by the Controller or an auditor it mandates. Such audits shall take place on reasonable prior notice, no more than once per year (save where required by a supervisory authority or following a personal data breach), during business hours, and subject to reasonable confidentiality and security conditions. The Processor may satisfy an audit request by providing relevant third-party certifications, reports, or the security documentation referenced in Annex 2.

4. Sub-processors

4.1 The Controller provides general authorisation for the Processor to engage the sub-processors listed in Annex 3 for the purposes described there.

4.2 The Processor shall impose on each sub-processor, by written contract, data-protection obligations no less protective than those in this DPA, and remains liable to the Controller for the performance of each sub-processor's obligations.

4.3 The Processor shall give the Controller reasonable prior notice of any intended addition or replacement of a sub-processor that processes the Controller's personal data, so as to give the Controller the opportunity to object on reasonable data-protection grounds. Where the Controller objects and the parties cannot agree a resolution, the Controller may terminate the affected part of the Service in accordance with the Terms of Service.

5. International transfers

5.1 The Processor stores and primarily processes the Controller's personal data within the European Union, as described in the Privacy Policy. Certain sub-processors (identified in Annex 3) process personal data outside the UK/EEA.

5.2 Where the Processor or a sub-processor transfers personal data outside the UK/EEA, that transfer is made subject to an appropriate safeguard under Article 46 UK GDPR — the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses, as incorporated in the relevant sub-processor's data processing agreement.

5.3 The Controller acknowledges that the analysis of uploaded contracts necessarily involves the transfer of the document text (which may contain third-party personal data) to the Processor's AI model provider in the United States, as described in Annex 1 and the Privacy Policy.

6. Liability

The liability of each party under or in connection with this DPA is subject to the limitations and exclusions of liability set out in the Terms of Service.

7. Term and termination

This DPA takes effect on the Effective Date and continues for as long as the Processor processes personal data on behalf of the Controller under the Agreement. The obligations relating to deletion or return of personal data, and confidentiality, survive termination.

8. Governing law

This DPA is governed by the laws of England and Wales, and the parties submit to the exclusive jurisdiction of the courts of England and Wales.


Annex 1 — Details of the processing

  • Subject-matter: the provision of the BeaconHQ contract risk analysis Service.
  • Duration: for the term of the Subscription and any retention period set out in the Terms of Service and Privacy Policy.
  • Nature and purpose: storage of, and AI-based analysis of, contract documents uploaded by the Controller, in order to produce contract risk analysis Output for the Controller.
  • Types of personal data: personal data contained within the contracts and documents uploaded by the Controller, which may include names, job titles, business contact details, signatories, addresses and other personal data of the Controller's counterparties and other third parties referenced in those documents.
  • Categories of data subjects: the Controller's counterparties, their personnel and signatories, and other individuals named or referenced in uploaded documents.
  • Special category data: the Service is not intended for the processing of special category personal data; the Controller should not upload documents whose primary purpose is to contain such data.

Annex 2 — Technical and organisational measures (Article 32 UK GDPR)

The measures below are appropriate to the risk presented by the processing, taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of the processing. The processing concerns business-contract data; it does not, by design, involve consumer financial data or special categories of personal data.

  1. Encryption. All connections to the Service and all traffic between its components are encrypted in transit. Persistent personal data is held only in the database and storage layer, encrypted at rest in accordance with the provider's published standards. The application and analysis tiers are stateless and retain no persistent personal data.
  2. Access control and authentication. Access to accounts is authenticated by a one-time passcode delivered to the registered email address, with controlled session expiry and rate-limiting. Row-level controls restrict each record to the organisation and user to which it belongs. Privileged, server-side access is restricted to trusted system components, with credentials held in managed secret stores and never exposed client-side. Operator access is limited to named, authorised personnel and is auditable.
  3. Secret and credential management. Production credentials are held in managed, encrypted secret stores, never committed to source control, and rotated on defined triggers including personnel departure and provider security disclosures.
  4. Logging, monitoring and audit. System activity is logged and monitored for errors and anomalies. Billing changes, subscription transitions and operator actions are recorded in an audit log. An automated reconciliation process runs regularly to surface anomalies.
  5. Resilience, backup and recovery. The database is backed up automatically with point-in-time recovery. Deployments are immutable and can be rebuilt from source. Because the processing tiers retain no persistent data, a failed analysis can be safely re-run. Hosting is single-region within the EU, a deliberate choice in favour of data residency, with a recovery approach proportionate to a business service in which short, infrequent interruptions are acceptable.
  6. Network and platform protection. Public forms are protected by automated bot-detection. The hosting edge layer mitigates standard volumetric and protocol-level attacks. Authenticated routes enforce authentication and validate request shape before processing.
  7. Personnel and offboarding. Access to production systems is limited to named individuals with separate credentials on each platform; there are no shared logins. Personnel are subject to confidentiality obligations. On a person leaving, their access is removed and any credential they may have had visibility of is rotated.
  8. Incident detection and response. Incidents are detected through telemetry with alerting, provider status feeds, and the reconciliation process. The Processor assesses suspected breaches without undue delay and notifies the Controller in accordance with clause 3.7.
  9. Sub-processor security. Each sub-processor is bound by its published data processing agreement incorporating its own technical and organisational measures and, for non-UK/EEA transfers, appropriate transfer safeguards. The Processor reviews the sub-processor list and the currency of each agreement at least annually and on material architecture change.
  10. Review. The Processor reviews these measures at least annually and on material change to the architecture of the Service, and may update them provided the level of protection is not reduced.

Planned enhancements (roadmap — not yet implemented): the following are scheduled but not in place as at the date of this DPA, and are recorded as commitments rather than current measures: extension of error monitoring to the analysis-worker tier; an optional customer-enabled two-factor authentication option; and rotation of the production payment-provider secret at activation of live-mode billing. This Annex will be updated as each is implemented.

Annex 3 — Authorised sub-processors

| Sub-processor | Purpose | Location & transfer |
|---|---|---|
| Supabase | Database, authentication, file storage | Hosted EU (Ireland); US-headquartered group |
| Anthropic, PBC | AI analysis of uploaded contracts | United States — international transfer |
| Stripe, Inc. (via Stripe Payments UK Limited) | Billing and payment processing | United States, with UK/EEA processing per Stripe's DPA |
| Resend, Inc. | Transactional email | United States — international transfer |
| Sentry (Functional Software, Inc.) | Application error monitoring | United States — international transfer |
| Vercel, Inc. | Application hosting and edge network | EU compute (Dublin); global edge; US-headquartered |
| Railway Corp. | Hosting for the analysis worker | EU compute (Amsterdam); US-headquartered group |
| Cloudflare, Inc. | Bot-detection on public forms | Global; US-headquartered |
| Formspree, Inc. | Receipt of public-form submissions | United States — international transfer |

Aitronyx Ltd, trading as BeaconHQ. Company number 16965157.