Data Processing Agreement

UK GDPR Article 28 processor terms

Last updated: 29 June 2026

Parties and scope

This Data Processing Agreement ("DPA") forms part of the agreement between you (the "Controller") and Sohus Ltd, trading as FileSeal, company no. 09369062, Flat 6, 365 Camden Road, London, N7 0SH, ICO registration ZC111701 (the "Processor"), for your use of the FileSeal service (the "Service"). It governs the Processor's processing of personal data on your behalf and reflects Article 28 of the UK GDPR.

This is the agreement FileSeal offers for your processing of personal data through the Service where you are the controller; it takes effect once entered into between you and FileSeal. Where it applies and conflicts with our Terms of Service on data-protection matters, this DPA prevails.

Need a counter-signed copy?

To put this DPA in place for your firm, or for a counter-signed copy on your own paper, email legal@fileseal.uk and we will return a counter-signed version.

Roles, instructions and confidentiality

1. Definitions. "UK GDPR", "controller", "processor", "personal data", "processing", "data subject", "personal data breach" and "special category data" have the meanings in the UK GDPR and the Data Protection Act 2018. "Sub-processor" means any third party engaged by the Processor to process personal data.

2. Roles. You are the controller and the Processor is the processor of the personal data described in Annex 1. You are responsible for the lawful basis for processing and for the accuracy and lawfulness of the instructions you give.

3. Processing on instructions. The Processor shall process personal data only on your documented instructions (including this DPA and your use of the Service), unless required by law, in which case it will notify you first unless the law prohibits this. The Processor shall promptly inform you if, in its opinion, an instruction infringes the UK GDPR or other applicable data protection law.

4. Confidentiality. The Processor ensures persons authorised to process the personal data are bound by confidentiality.

Security

5. Security. The Processor implements appropriate technical and organisational measures under Article 32, as set out in Annex 3.

Sub-processors

6. Sub-processors. You give general authorisation for the Processor to engage the sub-processors listed in Annex 2. The Processor imposes data-protection terms on each sub-processor no less protective than this DPA and remains liable for their performance. The Processor will give you at least 30 days' notice of any intended addition or replacement of a sub-processor and an opportunity to object. If you reasonably object on data-protection grounds and the parties cannot resolve the objection, you may suspend or terminate the affected part of the Service.

International transfers

7. International transfers. Personal data submitted through the Service (documents and the details collected via secure links) is stored in the United Kingdom. Certain sub-processors (see Annex 2) operate in the EEA (UK-adequate) or are US-incorporated entities; for any transfer outside the UK the Processor relies on an adequacy decision or appropriate safeguards (e.g. the UK International Data Transfer Agreement / Addendum to the EU SCCs).

Data subject rights, assistance and breach notification

8. Data subject rights. Taking into account the nature of the processing, the Processor assists you by appropriate technical and organisational measures, insofar as possible, to respond to data subject requests.

9. Assistance. The Processor assists you in ensuring compliance with Articles 32–36 (security, breach notification, data protection impact assessments and prior consultation), taking into account the nature of processing and information available to the Processor.

10. Personal data breach. The Processor notifies you without undue delay, and in any event within 24 hours, after becoming aware of a personal data breach affecting your personal data. The notification describes, to the extent available, the nature of the breach (including, where possible, the categories and approximate number of data subjects and records concerned), its likely consequences, and the measures taken or proposed to address it.

Deletion and return

11. Deletion and return. The Service is designed so that personal data submitted by data subjects is deleted automatically after collection or expiry. On termination, or on your request, the Processor, at your choice, deletes or returns all remaining personal data and deletes existing copies unless required by law to retain it.

Audits and general terms

12. Audits. The Processor makes available information necessary to demonstrate compliance with Article 28 and allows for and contributes to audits, including inspections, conducted by you or an auditor you mandate. The Processor may satisfy this obligation by providing relevant certifications or summary audit reports (for example Cyber Essentials); on-site inspection applies only where those are insufficient to address a specific, reasonable concern, on reasonable notice (no more than once in any 12-month period except following a personal data breach) and subject to confidentiality.

13. Liability. Each party is liable to the other for loss it causes by breaching this DPA or applicable data protection law. Notwithstanding any limitation of liability in the main agreement, and except for the liabilities in the next sentence, each party's total aggregate liability arising out of or in connection with this DPA shall not exceed £1,000,000. Nothing in this DPA or the main agreement limits or excludes either party's liability for death or personal injury caused by negligence, for fraud or fraudulent misrepresentation, or for any liability that cannot be limited or excluded by law. Neither party is liable to the other for administrative fines or penalties imposed on that other party by a supervisory authority. This clause governs liability for data-protection matters in place of any conflicting cap in the main agreement, and nothing in it limits a data subject's rights under Article 82 of the UK GDPR.

14. General. This DPA is governed by the laws of England and Wales. In the event of conflict between this DPA and the main agreement on data-protection matters, this DPA prevails.

15. Notices and survival. Data-protection notices to the Processor — including a personal data breach, a sub-processor objection, or a request for assistance with data subject rights — may be sent to legal@fileseal.uk. Clauses 4 (confidentiality), 11 (deletion and return) and 12 (audits) survive termination of this DPA.

Annex 1 — Description of processing

  • Subject matter: provision of the FileSeal secure data-collection and document-transfer Service.
  • Duration: the term of the main agreement.
  • Nature and purpose: secure request, transfer, one-time collection and automatic deletion of documents and information between you and your data subjects.
  • Types of personal data: as determined by you — e.g. names, contact details, dates of birth, addresses, uploaded documents, and special category data (e.g. health data) where you choose to use the Service for it.
  • Categories of data subjects: your clients, recipients and other individuals you request data from.

Annex 2 — Authorised sub-processors

Sub-processor | Purpose | Location
Vercel | Application hosting / compute | UK (lhr1)
Neon | Database | UK (eu-west-2, London)
Vercel Blob | Encrypted file storage | UK
Resend | Transactional email (notifications, links — not the documents/data) | EU (Ireland); US-incorporated entity
Auth0 (Okta) | Authentication for your account users | UK processing region; US-incorporated entity
Sentry | Error monitoring (PII scrubbed; no document content sent) | US-incorporated entity
Stripe | Billing of the Controller (not data-subject documents/data) | US-incorporated entity (UK/EEA processing)

Annex 3 — Technical and organisational measures

  • Encryption: AES-GCM-256, applied client-side before transmission; for zero-knowledge links the key never reaches the Processor.
  • Data in transit: TLS.
  • Data residency: documents and collected data stored in the UK.
  • Access control: authenticated, role-based access; least privilege.
  • One-time access and automatic deletion: links are single-use; data is deleted after collection or expiry.
  • Audit logging: access and collection events are logged.
  • Monitoring: error monitoring with personal-data scrubbing.