Legal
Data Processing Agreement
Last updated: 12 June 2026
This is a template. The terms below reflect the standard Data Processing Agreement we execute with customers. To put a signed DPA in place for your organisation — or to discuss amendments — contact us and we will countersign and return an executed copy.
This Data Processing Agreement ("DPA") forms part of the agreement between the customer ("Customer") and Disqovr Ltd, a company registered in England and Wales ("Disqovr"), for the provision of the Disqovr vendor evaluation platform (the "Services"). It reflects the parties' obligations under the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and — where applicable — the EU General Data Protection Regulation (EU GDPR) (together, "Data Protection Law").
1. Roles of the parties
For personal data the Customer submits to the Services, the Customer is the controller (or a processor acting on behalf of another controller) and Disqovr is the processor. Disqovr processes such personal data only on the Customer's documented instructions, as set out in this DPA and the agreement, unless required to do otherwise by applicable law (in which case Disqovr will inform the Customer before processing, unless prohibited from doing so).
2. Subject matter and duration
The subject matter of processing is the provision of the Disqovr platform: structured vendor evaluation, stakeholder surveys, RFI collection, scoring, and related collaboration features. Processing continues for the duration of the Customer's subscription and for the deletion/return period described in Section 9 following termination.
3. Nature and purpose of processing
Disqovr processes personal data to host, store, transmit, display, and back up Customer workspace content; to authenticate users and enforce access controls; to send service emails (invitations, notifications, one-time codes); to process subscription payments; and — where the Customer's workspace has AI features enabled — to generate evaluation insights from Customer content. Processing is performed by automated means.
4. Categories of data and data subjects
Personal data processed under this DPA may include:
- Data subjects: Customer employees and workspace members; stakeholders and survey respondents invited by the Customer; vendor contacts and vendor portal users; approvers.
- Identity and contact data: Names, business email addresses, job titles, and organisation names.
- Workspace content: Project details, vendor records, evaluation scores, survey and RFI responses, comments, attachments, and decision records — to the extent these contain personal data.
- Usage and technical data: Authentication events, IP addresses, audit log entries, and device/browser metadata.
- Billing data: Billing contact details and subscription records. Full payment card details are processed by Stripe and never stored by Disqovr.
The Services are not designed for special category data, and the Customer agrees not to submit such data without prior written agreement.
5. Security measures
Disqovr implements appropriate technical and organisational measures, including:
- Encryption: all data encrypted in transit with TLS, and at rest (AES-256) on managed Supabase PostgreSQL infrastructure.
- Multi-factor authentication: TOTP-based MFA available to all users; once enrolled, it is enforced on every session before authenticated areas can be accessed.
- Role-based access control: workspace roles (admin/member) and project-level membership govern access to data; sensitive operations require the admin role.
- Tenant isolation: every record is scoped to a workspace, with database row-level security policies and an automated cross-tenant isolation audit running in our CI pipeline.
- Audit logging: an append-only workspace audit trail records who did what and when, viewable by workspace admins.
- Application security: strict security headers (CSP, HSTS, frame denial), parameterised database queries via an ORM, automated dependency vulnerability scanning, and error monitoring (Sentry).
- Portal access controls: external vendor and stakeholder portals authenticate via single-use, time-limited one-time codes rather than shared links with embedded credentials.
Further detail is published on our Security page.
6. Sub-processors
The Customer provides general authorisation for Disqovr to engage the sub-processors listed below. Disqovr will give at least 30 days' notice of any intended addition or replacement, during which the Customer may object on reasonable data protection grounds. Disqovr imposes data protection obligations on each sub-processor equivalent to those in this DPA and remains liable for their performance.
| Sub-processor | Purpose | Region |
|---|---|---|
| Supabase | Database hosting, authentication, file storage | EU / UK (project-pinned region) |
| Vercel | Application hosting and content delivery | Global edge network; serverless compute in EU/US |
| Stripe | Payment processing and subscription billing | EU / US |
| Resend | Transactional email delivery | EU / US |
| Anthropic | AI processing (evaluation insights, requirement drafting). AI features are gated per workspace and disabled by default for trial accounts; customer content sent to the API is not used to train models. | US |
| Cloudflare (Turnstile) | Bot protection on public forms | Global (CDN) |
| Sentry | Application error monitoring | EU or US (configurable ingest region) |
7. International transfers
Where personal data is transferred outside the UK or EEA (for example, to sub-processors operating in the United States), Disqovr ensures an appropriate transfer mechanism is in place: the UK International Data Transfer Agreement or Addendum, the EU Standard Contractual Clauses (SCCs), and/or an adequacy decision (including, where applicable, the UK Extension to the EU–US Data Privacy Framework). Transfer details for each sub-processor are available on request.
8. Personal data breach notification
Disqovr will notify the Customer without undue delay, and in any event within 72 hours, after becoming aware of a personal data breach affecting Customer personal data. The notification will describe the nature of the breach, the categories and approximate number of data subjects and records concerned, the likely consequences, and the measures taken or proposed to address it — and will be supplemented as further information becomes available. Disqovr will reasonably assist the Customer in meeting its own breach notification obligations to supervisory authorities and data subjects.
9. Deletion and return of data
During the subscription term, workspace admins can export workspace data at any time using the built-in one-click export (Settings → Workspace). On termination or expiry of the Services, Disqovr will, at the Customer's choice, return or delete all Customer personal data within 90 days, unless retention is required by applicable law. Backup copies are deleted in line with the backup rotation cycle.
10. Assistance and audit rights
Taking into account the nature of processing, Disqovr will assist the Customer with data subject requests, security, breach notification, data protection impact assessments, and consultations with supervisory authorities. Disqovr will make available all information reasonably necessary to demonstrate compliance with this DPA, and will allow for and contribute to audits — including inspections — conducted by the Customer or its mandated auditor, on reasonable notice, no more than once per year (except following a personal data breach), and subject to confidentiality undertakings.
11. Confidentiality and personnel
Disqovr ensures that persons authorised to process Customer personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality, and access personal data only to the extent necessary to provide the Services.
12. Execution
This page is the current template of our DPA and is provided for transparency. It is not executed until signed by both parties. To execute this DPA, request amendments, or ask questions, use our contact form or email privacy@disqovr.com.
Related documents: Privacy Policy · Terms of Service · Security · Contact us