Data Processing Addendum
This Data Processing Addendum ("DPA") forms part of the agreement between the Customer ("Controller") and ProcureLens UK Limited ("Processor") for the provision of the Service. It governs the Processor's processing of Personal Data on behalf of the Controller and is designed to satisfy the requirements of Article 28 of the UK GDPR.
1. Subject matter and duration
The Processor processes Personal Data to provide the Service for the duration of the subscription term and the post-termination retention period set out in the Terms.
2. Nature and purpose of processing
Hosting, storing, organising, retrieving, displaying and securely transmitting Personal Data uploaded or generated by Authorised Users in the workspace, together with related administration, security and support activities.
3. Categories of data subject
Controller's personnel and contractors (Authorised Users); contacts at supplier organisations referenced in the workspace; individuals whose information is incidentally included in public-source supplier records.
4. Categories of Personal Data
Identifiers (name, work email, role), workspace content authored by Authorised Users, supplier contact details, evaluation comments, usage and security telemetry. No special category data is intended to be processed.
5. Processor obligations
- Process Personal Data only on the documented instructions of the Controller (including those expressed through the Service's configuration).
- Ensure personnel authorised to process Personal Data are bound by confidentiality.
- Implement and maintain appropriate technical and organisational measures as set out in Annex A.
- Engage Sub-processors only under the conditions in clause 7.
- Assist the Controller, taking into account the nature of processing, to fulfil obligations to respond to data-subject requests and to demonstrate compliance.
- Notify the Controller without undue delay, and in any event within 48 hours, of becoming aware of a Personal Data Breach.
- At the Controller's choice, delete or return Personal Data at the end of the contract, subject to legal retention.
6. Security measures (Annex A — summary)
- Encryption in transit (TLS 1.2+) and at rest.
- Role-based access control with least-privilege defaults.
- Row-level security applied to multi-tenant data so a workspace cannot read another workspace's data.
- Centralised secret management; secrets segregated from application code.
- Audited administrative access with multi-factor authentication.
- Backups with point-in-time recovery; tested restore procedure.
- Vulnerability scanning; documented incident response runbook aligned to the 72-hour UK GDPR breach notification window.
- Responsible disclosure programme.
7. Sub-processors
The Controller authorises the Processor to engage the Sub-processors listed below. The Processor remains liable for each Sub-processor's performance. The Processor will give at least 30 days' notice of intended changes; the Controller may object on reasonable data-protection grounds.
| Category | Purpose | Location |
|---|---|---|
| Cloud hosting & database | Application hosting, database, file storage | United Kingdom / EEA |
| Authentication | User authentication, session management, SSO | United Kingdom / EEA |
| Transactional email | Sign-in links, invitations, security notifications | EEA |
| Payment processor | Subscription billing (PCI-DSS compliant) | United Kingdom / EEA |
| Error monitoring | Aggregated error and performance telemetry | EEA |
8. International transfers
Customer workspace data is stored in the UK and/or EEA. Any transfer to a country without an adequacy decision is governed by the UK International Data Transfer Agreement or the UK Addendum to the EU Standard Contractual Clauses, with supplementary measures where required by a transfer-risk assessment.
9. Audit
The Controller may, on reasonable prior notice and no more than once per year (or more often if required by a regulator or after a Personal Data Breach), request information reasonably necessary to demonstrate compliance with this DPA. The Processor will respond within 30 days. On-site audits are by mutual agreement and at the Controller's cost.
10. Order of precedence
In case of conflict, this DPA prevails over the Terms with respect to the processing of Personal Data.
11. Contact
Data protection enquiries: privacy@procurelens.co.uk.