LEGAL & PRIVACY

Data Processing Agreement

Last updated: 21 April 2026v1

Data Processing Agreement

Note: This is a template Data Processing Agreement. To execute a signed DPA with Gatewaychecker Ltd, download this document, complete the customer details in the bracketed fields, and return the signed copy to legal@gatewaychecker.co.uk. We will countersign and return a fully executed copy within 5 business days.

Parties

Data Controller:
[Customer organisation name]
[Registered address]
[Company registration number]
("the Controller")

Data Processor:
Gatewaychecker Ltd
United Kingdom
("the Processor")

Together, "the Parties".

Recitals

A. The Controller wishes to use the Gatewaychecker platform (gatewaychecker.co.uk) to process personal data in connection with BSA Gateway 2 pre-submission review services.

B. The Processor agrees to process personal data on behalf of the Controller in accordance with the terms of this Agreement and in compliance with applicable data protection law, including the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

C. This Agreement supplements and forms part of the Processor's Terms of Service. In the event of a conflict between this Agreement and the Terms of Service on matters of data protection, this Agreement prevails.

1. Definitions

In this Agreement:

"Applicable Data Protection Law" means the UK GDPR, the Data Protection Act 2018, and any subordinate legislation or regulatory guidance issued by the ICO.

"Personal Data" has the meaning given in Article 4(1) UK GDPR.

"Processing" has the meaning given in Article 4(2) UK GDPR.

"Data Subject" has the meaning given in Article 4(1) UK GDPR.

"Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.

"Security Incident" means any accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data.

2. Subject Matter and Duration

Subject matter: The Processor will process Personal Data for the purpose of providing the Gatewaychecker BSA Gateway 2 pre-submission review service to the Controller.

Duration: This Agreement remains in effect for the duration of the subscription agreement between the Parties. On termination of the subscription, the Processor's obligations under clause 11 (Deletion and Return) apply.

3. Nature and Purpose of Processing

The Processor will process Personal Data for the following purposes:

  • Providing user authentication and account management for the Controller's staff.
  • Accepting, extracting, and storing document text uploaded by the Controller for Gateway 2 analysis.
  • Submitting extracted document text to AI inference services for analysis against BSA Gateway 2 criteria.
  • Generating, storing, and displaying risk findings, evidence citations, and remediation recommendations.
  • Sending transactional emails (authentication, notifications) to the Controller's staff.
  • Maintaining usage logs for security, rate limiting, and service improvement purposes.
  • Processing subscription payments via third-party payment processors.

4. Type of Personal Data

The Processor may process the following categories of Personal Data on behalf of the Controller:

Category Examples
Contact details Email addresses of users and collaborators
Professional information Job titles, professional qualifications (where appearing in documents)
Document content Names of duty holders, principal designers, fire engineers, structural engineers, and other named individuals appearing in Gateway 2 submission documents
Building information Building addresses, project references
Usage data IP addresses, timestamps, feature usage logs
Billing information Billing name, billing email, billing address

The Processor does not process special category personal data (Article 9 UK GDPR) or criminal conviction data (Article 10 UK GDPR) unless such data incidentally appears within documents uploaded by the Controller.

5. Categories of Data Subjects

The personal data processed under this Agreement may relate to the following categories of data subjects:

  • The Controller's employees and contractors who use the Gatewaychecker platform.
  • Collaborators invited by the Controller to access submission workspaces.
  • Duty holders, principal designers, fire engineers, structural engineers, and other individuals named in the Controller's Gateway 2 submission documents.
  • Individuals whose contact details appear in the Controller's submission documents.

6. Obligations of the Processor

In accordance with Article 28(3) UK GDPR, the Processor agrees to:

(a) Process on documented instructions only
Process Personal Data only on the documented instructions of the Controller, except where required to do so by applicable law, in which case the Processor will inform the Controller of that legal requirement before processing (unless prohibited from doing so by law). The Controller's use of the Gatewaychecker service constitutes documented instructions for the purposes of this clause.

(b) Ensure confidentiality
Ensure that all persons authorised to process Personal Data on behalf of the Processor are bound by appropriate confidentiality obligations, whether by contract or statutory duty, and that access to Personal Data is limited to those persons who need access to provide the service.

(c) Implement appropriate security measures
Implement technical and organisational measures appropriate to the risk of processing, in accordance with Article 32 UK GDPR. The Processor's current security measures are described in the Security Overview. The Processor will maintain security measures no less protective than those described therein.

(d) Engage sub-processors only with prior authorisation
Not engage any new sub-processor or make material changes to an existing sub-processor relationship that involves the processing of Personal Data without providing the Controller with at least 30 days' prior written notice. The current list of sub-processors is maintained at /sub-processors. The Processor will enter into written data processing agreements with all sub-processors containing obligations no less protective than those set out in this Agreement.

(e) Assist with data subject rights
Taking into account the nature of the processing, assist the Controller (by appropriate technical and organisational measures, insofar as possible) in fulfilling its obligations to respond to requests from data subjects exercising their rights under Chapter III UK GDPR (including rights of access, rectification, erasure, restriction, portability, and objection). Data subject rights requests should be submitted to privacy@gatewaychecker.co.uk.

(f) Assist with security and compliance obligations
Assist the Controller in ensuring compliance with:

  • Article 32 (security of processing) — by maintaining and providing information about the security measures described at /security;
  • Article 33 (notification of a personal data breach to the supervisory authority) — by notifying the Controller of any Security Incident without undue delay and within 72 hours of becoming aware of it;
  • Article 34 (communication of a personal data breach to the data subject) — by providing the Controller with sufficient information to comply with its notification obligations;
  • Article 35 (data protection impact assessment) — by providing reasonable assistance and information where requested;
  • Article 36 (prior consultation) — by providing reasonable assistance where requested.

(g) Delete or return Personal Data on termination
At the Controller's choice, delete or return all Personal Data to the Controller on termination of the service, and delete existing copies except to the extent retention is required by applicable law. See clause 11 for the procedure.

(h) Make available compliance information and allow audits
Make available to the Controller all information reasonably necessary to demonstrate compliance with this Agreement and Article 28 UK GDPR, and allow for and contribute to audits and inspections conducted by the Controller or a third-party auditor mandated by the Controller, subject to reasonable advance notice (not less than 30 days), confidentiality obligations, and the conditions set out in clause 12.

7. Sub-processors

The Controller provides general authorisation for the Processor to engage the sub-processors listed at trust.gatewaychecker.co.uk/sub-processors.

The Processor will notify the Controller of any intended changes to sub-processors with at least 30 days' notice. If the Controller objects to a new sub-processor on reasonable data protection grounds, the Controller may notify the Processor in writing. The Processor will use reasonable endeavours to address the Controller's concerns. If the Processor is unable to accommodate the objection, the Controller may terminate the subscription without penalty.

The Processor will enter into written agreements with all sub-processors imposing equivalent data protection obligations to those in this Agreement. The Processor remains liable to the Controller for any failure by a sub-processor to fulfil its data protection obligations.

8. Data Subject Rights Assistance

Where the Processor receives a request directly from a data subject exercising their rights under Chapter III UK GDPR, the Processor will promptly notify the Controller (without responding to the data subject directly) and provide all information needed by the Controller to respond.

The Processor will not respond to data subject requests on the Controller's behalf except where the Controller instructs it to do so in writing.

9. Security Measures

The Processor maintains the technical and organisational security measures described at trust.gatewaychecker.co.uk/security, including:

  • AES-256 encryption of all data at rest (AWS KMS, eu-west-1)
  • TLS 1.2+ encryption of all data in transit
  • Row-Level Security (RLS) on all database tables
  • Passwordless (magic link) authentication
  • Bcrypt-hashed API keys
  • Application-layer AES-256-GCM encryption for OAuth tokens
  • Rate limiting on the analysis endpoint
  • Input sanitisation on all user-submitted data
  • GitHub Dependabot for dependency vulnerability scanning

The Processor will review and update its security measures periodically and in response to changes in risk. The Processor will notify the Controller of any material reductions in security measures.

10. Security Incident Notification

In the event of a Security Incident, the Processor will:

  1. Notify the Controller without undue delay and no later than 72 hours after becoming aware of the incident.
  2. Provide, as soon as available: (a) the nature of the Security Incident; (b) the categories and approximate number of data subjects affected; (c) the categories and approximate volume of Personal Data records affected; (d) the likely consequences of the Security Incident; (e) the measures taken or proposed to address the Security Incident.
  3. Cooperate fully with the Controller in its investigation, notification, and remediation activities.

Security incident notifications should be sent to: [Controller security contact email to be completed]

11. Deletion and Return of Personal Data

On termination of the subscription agreement (for any reason), the Processor will:

  1. Cease all processing of Personal Data (other than storage for the transition period).
  2. Retain the Controller's Personal Data for 30 days following termination, during which time the Controller may request an export in JSON or CSV format by contacting legal@gatewaychecker.co.uk.
  3. After 30 days, securely delete all Personal Data (except billing records, which are retained for 7 years in compliance with UK VAT legislation).
  4. On request, provide the Controller with written confirmation of deletion.

12. Audit Rights

The Controller may audit the Processor's compliance with this Agreement, subject to the following conditions:

  • Advance written notice of at least 30 days.
  • Audits may be conducted no more than once per calendar year (except in the event of a confirmed Security Incident).
  • The Controller bears the cost of any audit.
  • Audits must be conducted in a manner that does not unreasonably disrupt the Processor's operations.
  • The auditor must sign a confidentiality agreement with the Processor before commencing the audit.

The Processor may satisfy audit requests by providing the Controller with third-party audit reports (such as SOC 2 Type II reports, once obtained) in lieu of direct inspection.

13. International Transfers

The Processor processes Personal Data primarily within the EU (AWS eu-west-1, Ireland). Transfers outside the EU/UK are limited to:

  • Anthropic (via OpenRouter) — United States: Document text is transmitted transiently for AI inference only. This transfer is covered by a DPA with OpenRouter incorporating appropriate safeguards under Article 46 UK GDPR (Standard Contractual Clauses or equivalent).
  • Stripe — United States: Billing information is transferred under Stripe's GDPR DPA, incorporating Standard Contractual Clauses.

The Processor will not transfer Personal Data to any additional country outside the UK/EU without the Controller's prior written consent and the implementation of appropriate safeguards.

14. Governing Law

This Agreement is governed by and construed in accordance with the laws of England and Wales. Any disputes arising under this Agreement are subject to the exclusive jurisdiction of the courts of England and Wales.

15. Signatures

This Agreement is entered into on the date of the last signature below.

On behalf of the Data Controller:

Field
Authorised signatory _________________________
Full name _________________________
Job title _________________________
Date _________________________

On behalf of Gatewaychecker Ltd (Data Processor):

Field
Authorised signatory _________________________
Full name _________________________
Job title _________________________
Date _________________________

To execute this DPA, complete the Controller details and return the signed document to legal@gatewaychecker.co.uk. Gatewaychecker will countersign and return a fully executed copy within 5 business days.

Questions about this document?

Contact legal@gatewaychecker.co.uk