Data Processing Agreement
Standard DPA terms under UK GDPR for customers acting as data controllers.
Effective 2026-05-15.
1. Purpose
This DPA forms part of the agreement between Aleejy AI (United Kingdom) ("Processor") and the customer ("Controller") and governs the processing of personal data inside the Service.
2. Scope
The Processor will only process personal data on documented instructions from the Controller — primarily the act of running the Service for the Controller, providing support and applying its lawful retention rules.
3. Categories of data
Identification data of the Controller's users and the operational records the Controller enters — including site identifiers, contractor details, incident details and any documents the Controller uploads.
4. Sub-processors
The Processor uses Vercel (hosting), Supabase (database/auth/storage), and Resend (email) and will notify the Controller at least 14 days before adding a new sub-processor. The Controller has the right to object on reasonable grounds.
5. Security measures
Row-Level Security in the database, encryption in transit and at rest, role-based access, append-only audit log, least-privilege service-account model, and an incident response process targeting 72-hour breach notification.
6. Sub-processor location
Hosting is in the UK / EU (eu-west-1 / Vercel UK edge). International transfers are handled under the UK extension to the EU-US Data Privacy Framework where applicable.
7. Term
This DPA remains in force for the term of the main agreement. On termination the Processor will return or delete personal data within three months in line with the data deletion policy.
8. Audits
The Controller can request a summary of security controls and the sub-processor list at any time by emailing info@jonnyai.co.uk. Formal third-party audits are out of scope at this tier; white-label customers can request a specific audit clause.