Data Processing Agreement
Last updated 2026-05-11.
This Data Processing Agreement ("DPA") forms part of the Terms of Service between you ("Controller") and us ("Processor"). It governs our processing of personal data on your behalf.
1. Subject matter and duration
The Processor processes personal data of UK right-to-work applicants on behalf of the Controller for the duration of the Service subscription. Processing is strictly transient — typically <15 seconds per check.
2. Nature and purpose of processing
The Processor drives a session against gov.uk's right-to-work share-code service to obtain the structured result on behalf of the Controller. Personal data processed includes: share code, applicant date of birth, applicant name (returned by gov.uk), nationality, photo, permission type, conditions, expiry date, audit reference.
3. Controller instructions
The Processor will only process personal data on the Controller's documented instructions, including those embedded in the API contract documented at /openapi.json. The Controller acknowledges that calling POST /api/check with valid inputs constitutes a documented instruction to process.
4. Retention
The Processor does not retain applicant personal data after the response is delivered. Audit log entries retain only request metadata (timestamp, outcome code, duration) with no identifying values. The Controller can therefore satisfy erasure requests trivially: there is nothing to erase about a checked applicant.
5. Confidentiality
The Processor ensures that persons authorised to process personal data are bound by confidentiality obligations.
6. Security measures
- TLS in transit for all API and dashboard traffic
- API keys stored as SHA-256 hashes only; plaintext shown once at creation
- No applicant PII written to logs (only timestamp + outcome + duration)
- Service-role database credentials kept server-side; never exposed to the browser
- Card data handled entirely by Stripe (PCI-DSS Level 1); never touches our servers
- Stateless compute; no persistent disk caches of applicant data
7. Sub-processors
The Controller authorises engagement of the following sub-processors:
| Sub-processor | Purpose | Region |
|---|---|---|
| Supabase Inc. | Authentication + database | EU (Frankfurt / London) |
| Stripe Payments UK Ltd | Billing + Customer Portal | UK / EEA |
| Resend Inc. | Transactional email | EU |
| Fly.io Inc. | Compute + static hosting | London (LHR) |
We will notify Controllers by email of any addition or replacement of sub-processors at least 30 days in advance, allowing reasonable objection.
8. International transfers
All processing takes place in the UK and EEA. No transfers outside the UK/EEA take place during a check. Standard Contractual Clauses are not required (UK-to-UK / UK-to-EEA transfers are adequate).
9. Data subject rights
Because the Processor does not retain applicant personal data, requests for access, rectification, erasure, or portability from data subjects can be satisfied by the Controller without Processor involvement. The Processor will assist with any request the Controller cannot satisfy alone.
10. Breach notification
The Processor will notify the Controller without undue delay (and in any event within 72 hours) of becoming aware of a personal data breach.
11. Audit
The Processor will make available to the Controller all information necessary to demonstrate compliance with this DPA, and allow for audits conducted by the Controller or a mandated auditor on reasonable notice.
12. Termination
On termination, the Processor will delete or return all customer personal data within 30 days. Applicant personal data is not retained in the first place (see section 4), so there is nothing further to delete or return for checked applicants.