This Data Processing Agreement ("DPA") forms part of the Terms of Use between RegTechPRO Limited, which operates the Fenchurch Compliance service, and the Client (the "Principal Agreement"). It sets out the terms under which Fenchurch Compliance processes personal data on behalf of the Client.
This DPA is entered into pursuant to Article 28 of the UK General Data Protection Regulation ("UK GDPR") and the Data Protection Act 2018. By subscribing to Fenchurch Compliance, the Client agrees to be bound by this DPA.
Parties
This DPA is between:
- Data Controller
- The Client subscribing to Fenchurch Compliance, as identified in the account registration (the "Controller" or "Client").
- Data Processor
- RegTechPRO Limited, company number 10707766, registered in England & Wales, which operates the Fenchurch Compliance service (the "Processor", "Fenchurch Compliance", "we", "us" or "our").
Definitions
In this DPA, unless the context requires otherwise:
- Data Protection Laws
- The UK GDPR, the Data Protection Act 2018, and any other applicable data protection legislation in force from time to time.
- Personal Data
- Any information relating to an identified or identifiable natural person, processed by Fenchurch Compliance on behalf of the Client in connection with the Services.
- Processing
- Any operation performed on Personal Data, including collection, storage, alteration, retrieval, use, disclosure or deletion.
- Data Subject
- An identified or identifiable natural person whose Personal Data is processed under this DPA.
- Services
- The self-serve compliance platform and related services that RegTechPRO Limited provides to the Client under the Fenchurch Compliance brand, pursuant to the Principal Agreement.
- Sub-processor
- Any third party engaged by Fenchurch Compliance to process Personal Data on behalf of the Client.
- Personal Data Breach
- A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data.
Terms not defined in this DPA have the meanings given to them in the Principal Agreement or, where applicable, the Data Protection Laws.
Scope and Purpose of Processing
Subject matter
Fenchurch Compliance processes Personal Data on behalf of the Client solely to provide the self-serve compliance platform Services described in the Principal Agreement.
Duration
Processing continues for the duration of the Principal Agreement, plus any retention period required by law or as specified in Section 12 (Data Deletion and Return).
Nature and purpose of processing
The nature and purpose of processing includes:
- Storing and organising the firm's compliance registers, records and documentation on its board;
- Maintaining People records (staff, SM&CR and certification data);
- Capturing forms, attestations and policy acknowledgements;
- Generating board-ready AI compliance reports drawn only from the firm's own data;
- Enabling dated, append-only audit trails and record-keeping for regulatory purposes.
Schedule: processing details
| Item | Detail |
|---|---|
| Categories of Data Subjects | The Client's employees, customers, complainants, beneficial owners, politically exposed persons, and other individuals whose data the Client processes for compliance purposes. |
| Types of Personal Data | Names, contact details, employment information, financial data, identification documents, complaint records, transaction data, and other compliance-related information. |
| Special category data | May include data revealing political opinions (PEPs), health data (vulnerable-customer records) and criminal-conviction data (fraud / AML records) where processed by the Client. |
| Processing operations | Collection, storage, organisation, retrieval, consultation, use, disclosure by transmission, alignment, combination, restriction, erasure and destruction. |
Processor Obligations
Fenchurch Compliance, as the Processor, shall:
Process on instructions
Process Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to a third country or international organisation, unless required to do so by applicable law. In such a case, Fenchurch Compliance shall inform the Controller of that legal requirement before processing, unless the law prohibits this.
Confidentiality
Ensure that persons authorised to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
Security measures
Implement and maintain appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as detailed in Section 8 (Security Measures).
Sub-processing
Only engage Sub-processors in accordance with Section 6 (Sub-processing) and impose data-protection obligations on them by way of contract.
Data subject rights
Assist the Controller by appropriate technical and organisational measures, insofar as possible, in fulfilling the Controller's obligation to respond to requests to exercise Data Subject rights.
Assistance with compliance
Assist the Controller in ensuring compliance with its obligations under Articles 32 to 36 of the UK GDPR, taking into account the nature of processing and the information available to Fenchurch Compliance.
Deletion or return
At the choice of the Controller, delete or return all Personal Data to the Controller after the end of the provision of Services, and delete existing copies unless applicable law requires storage of the Personal Data.
Audit and information
Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the UK GDPR, and allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller.
Controller Obligations
The Controller warrants and undertakes that:
- It has all necessary rights, consents and lawful bases to provide Personal Data to Fenchurch Compliance for processing in accordance with this DPA;
- It will comply with all applicable Data Protection Laws in relation to its use of the Services and its processing of Personal Data;
- It will ensure that its instructions to Fenchurch Compliance comply with applicable Data Protection Laws;
- It has provided appropriate privacy notices to Data Subjects regarding the processing of their Personal Data;
- It will promptly notify Fenchurch Compliance of any changes to Data Protection Laws that may affect Fenchurch Compliance's processing obligations;
- It is responsible for independently determining whether the security measures described in this DPA meet its requirements.
Sub-processing
General authorisation
The Controller provides general authorisation for Fenchurch Compliance to engage Sub-processors to assist in providing the Services, subject to the requirements of this Section.
Current sub-processors
Fenchurch Compliance uses a small, fixed set of Sub-processors:
| Sub-processor | Purpose | Data processed | Location / transfer |
|---|---|---|---|
| Cloudflare, Inc. | Hosting, compute, database (D1), file storage (R2) and CDN / WAF. | All platform data, at rest and in transit. | Data at rest in Cloudflare's Western Europe (WEUR) region (UK / EU). ISO 27001, SOC 2 and PCI DSS certified infrastructure. |
| Stripe Payments Europe, Ltd | Payment processing and subscription billing. | Subscriber name, email and billing details; card data handled directly by Stripe (PCI DSS Level 1). | EU entity (Ireland); global infrastructure under appropriate safeguards. |
| Postmark (ActiveCampaign, LLC) | Transactional email — one-time login codes and notifications. | Recipient email address and email content. | United States; transfers under appropriate safeguards (SCCs / UK IDTA Addendum). |
| Anthropic PBC | AI processing for AI-generated compliance reports and assistant. | The firm's own compliance data submitted for report generation. | United States, under appropriate safeguards. API data is not used to train models. |
New sub-processors
Fenchurch Compliance shall:
- Notify the Controller of any intended changes concerning the addition or replacement of Sub-processors at least 30 days before the change, giving the Controller the opportunity to object;
- Where the Controller raises a reasonable objection within 14 days of notification, work with the Controller in good faith to address the concerns — and, if no resolution can be reached, the Controller may terminate the affected Services;
- Impose data-protection obligations on Sub-processors, by way of contract, that are no less protective than those in this DPA;
- Remain fully liable to the Controller for the performance of each Sub-processor's obligations.
Data Subject Rights
Assistance
Taking into account the nature of the processing, Fenchurch Compliance shall assist the Controller by appropriate technical and organisational measures to fulfil the Controller's obligations to respond to requests from Data Subjects exercising their rights under Data Protection Laws, including:
- Right of access (subject access requests);
- Right to rectification;
- Right to erasure ("right to be forgotten");
- Right to restriction of processing;
- Right to data portability;
- Right to object.
Notification
If Fenchurch Compliance receives a request from a Data Subject in relation to their Personal Data, it shall promptly notify the Controller and shall not respond to the request directly unless authorised to do so by the Controller or required by applicable law.
Self-service tools
Each firm's board provides data export and deletion functionality that the Controller can use to respond to Data Subject requests. Where additional assistance is required, the Controller should contact Fenchurch Compliance at [email protected].
Security Measures
Technical and organisational measures
Fenchurch Compliance implements and maintains appropriate technical and organisational measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access. These measures include:
| Category | Measures |
|---|---|
| Encryption | TLS 1.2+ for data in transit; encryption at rest on the underlying infrastructure. |
| Authentication | Passwordless one-time email codes (OTP) — there are no passwords to steal; session tokens are stored server-side only as a hash; rate-limiting on code requests and verification. |
| Tenant isolation | Every record is scoped to the firm's board; the server enforces that a session can only read or write its own board's data (secure multi-tenant architecture). |
| Infrastructure security | Hosted on Cloudflare's Western Europe (WEUR) region; WAF and DDoS protection; certified infrastructure (ISO 27001, SOC 2 Type II, PCI DSS). |
| Append-only records | Compliance records are kept as dated, append-only submissions — nothing is silently overwritten, so prior versions remain recoverable. |
| Backup & recovery | Point-in-time database recovery (Cloudflare D1 Time Travel, approximately 30 days). |
| AI safety | The AI reads only the firm's own data and does not invent figures; data sent to the AI API is not used to train models. |
| Personnel | Staff are bound by confidentiality and access data on a least-privilege basis. |
Ongoing security
Fenchurch Compliance shall regularly test, assess and evaluate the effectiveness of these measures and implement improvements as appropriate, taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of processing.
Personal Data Breaches
Notification
Fenchurch Compliance shall notify the Controller without undue delay after becoming aware of a Personal Data Breach affecting the Controller's data, and in any event within 48 hours where feasible.
Information to be provided
The notification shall include, to the extent known:
- A description of the nature of the Personal Data Breach, including the categories and approximate number of Data Subjects and records concerned;
- The name and contact details of the point of contact for further information;
- A description of the likely consequences of the breach;
- A description of the measures taken or proposed to address the breach, including measures to mitigate any possible adverse effects.
Assistance
Fenchurch Compliance shall co-operate with the Controller and take reasonable steps to assist in the investigation, mitigation and remediation of the breach. It shall not inform any third party of a breach without the Controller's prior consent, unless required by applicable law.
International Data Transfers
Data location
Primary Personal Data processed under this DPA is stored and processed within the United Kingdom / European Economic Area, in Cloudflare's Western Europe (WEUR) region.
Transfer safeguards
Fenchurch Compliance shall not transfer Personal Data to a country outside the UK or EEA unless:
- The transfer is to a country that has been determined to provide an adequate level of protection by the UK Government or the European Commission;
- Appropriate safeguards are in place, such as the UK International Data Transfer Agreement (IDTA) or Addendum, the EU Standard Contractual Clauses, or Binding Corporate Rules;
- A derogation under Article 49 of the UK GDPR applies.
Sub-processor transfers
Certain Sub-processors process limited Personal Data outside the UK / EEA — for example, transactional email (Postmark) and AI report generation (Anthropic) are operated from the United States. Where this occurs, appropriate transfer mechanisms (Standard Contractual Clauses and the UK IDTA Addendum) are in place with those Sub-processors before any transfer occurs.
Audit Rights
Information requests
Upon reasonable request, Fenchurch Compliance shall make available to the Controller all information reasonably necessary to demonstrate compliance with the obligations set out in this DPA and Article 28 of the UK GDPR.
Audit procedures
Fenchurch Compliance shall allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller, subject to the following conditions:
- The Controller shall provide at least 30 days' prior written notice of any audit, unless a shorter period is required by a regulatory authority;
- Audits shall be conducted during normal business hours and shall not unreasonably interfere with Fenchurch Compliance's operations;
- The Controller and any auditor shall comply with Fenchurch Compliance's reasonable security and confidentiality requirements;
- Audits shall be limited to once per year, unless required more frequently by a regulatory authority or following a Personal Data Breach;
- The Controller shall bear its own costs in conducting audits.
Third-party certifications
Where available, Fenchurch Compliance may satisfy audit requests by providing the Controller with copies of relevant third-party certifications, audit reports or compliance documentation for its underlying infrastructure.
Data Deletion and Return
Upon termination
Upon termination or expiry of the Principal Agreement, Fenchurch Compliance shall, at the Controller's election:
- Provide the Controller with a copy of all Personal Data in a commonly used, machine-readable format; and / or
- Delete all Personal Data from its systems.
Retention period
The Controller shall have 30 days from termination (the "Grace Period") to export their data using the board's export tools or by requesting a data export from Fenchurch Compliance.
After the Grace Period, Fenchurch Compliance shall delete the Controller's Personal Data within 30 days, except where retention is required by applicable law.
Certification
Upon request, Fenchurch Compliance shall provide written certification of the deletion of Personal Data.
Liability
Liability cap
The total liability of each party under or in connection with this DPA shall be subject to the limitations and exclusions of liability set out in the Principal Agreement.
Indemnification
Each party shall indemnify the other against all claims, damages, losses, costs and expenses (including reasonable legal fees) arising from any breach of this DPA by the indemnifying party, except to the extent that the other party contributed to such breach.
Regulatory fines
Neither party excludes liability for regulatory fines or penalties imposed on it by a supervisory authority for its own breach of Data Protection Laws. Each party shall be responsible for any fines issued to it by a supervisory authority.
Term and Termination
Duration
This DPA comes into effect upon the Client's acceptance of the Principal Agreement and continues in force until the Principal Agreement terminates or expires, or until all Personal Data has been deleted or returned in accordance with Section 12.
Survival
The provisions of this DPA that by their nature should survive termination (including confidentiality, liability and data-deletion obligations) shall survive any termination or expiry of this DPA.
General Provisions
Conflicts
In the event of any conflict between this DPA and the Principal Agreement, this DPA shall prevail with respect to the processing of Personal Data.
Amendments
Fenchurch Compliance may update this DPA from time to time to reflect changes in Data Protection Laws or our processing practices. Material changes will be notified to the Controller at least 30 days before taking effect. Continued use of the Services after such changes constitutes acceptance of the updated DPA.
Severability
If any provision of this DPA is found to be invalid or unenforceable, the remaining provisions shall remain in full force and effect.
Governing law
This DPA shall be governed by and construed in accordance with the laws of England and Wales, and the parties submit to the exclusive jurisdiction of the courts of England and Wales.
Entire agreement
This DPA, together with the Principal Agreement, constitutes the entire agreement between the parties regarding the subject matter hereof and supersedes all prior agreements, representations and understandings.
Questions about this DPA?
For queries regarding data processing, Sub-processors, or this agreement, please contact us.
Data protection contact
RegTechPRO Limited — operating the Fenchurch Compliance service
Registered in England & Wales · Company No. 10707766
ICO registration: ZC177446
Email: [email protected]