This Data Processing Agreement (the "DPA") forms part of the RateCalc.io Terms of Service (the "Agreement") between MCR Labs Ltd, a company registered in England and Wales (company number 17228923) with registered office at Sproston Place, Middlewich, Cheshire, CW10 0FY, operator of the RateCalc.io service ("Provider"), and the customer accepting the Agreement ("Customer").
It is deemed accepted by Customer on the date Customer accepts the Agreement. The version in force at any time is the version published at https://www.ratecalc.io/dpa.
1. Definitions
Capitalised terms not defined in this DPA have the meaning given in the UK General Data Protection Regulation ("UK GDPR") and the Data Protection Act 2018 ("DPA 2018"). Without limitation:
- Personal Data, Controller, Processor, Sub-processor, Data Subject, Processing and Personal Data Breach bear the meanings given in the UK GDPR.
- "Customer Personal Data" means Personal Data that Customer or its authorised users submit to, or have collected on their behalf through, the Service.
- "Service" means the RateCalc.io software-as-a-service platform.
- "UK Data Protection Law" means the UK GDPR, the DPA 2018, and any other UK law applicable from time to time to the Processing of Personal Data.
2. Roles of the parties
The parties agree that, for the purposes of this DPA:
- Customer is the Controller of Customer Personal Data;
- Provider is the Processor of Customer Personal Data.
Customer is solely responsible for establishing a lawful basis for the Processing it instructs Provider to perform.
3. Subject matter, duration, nature and purpose
- Subject matter: Provider's hosting, transmission, storage and processing of Customer Personal Data submitted to the Service in connection with creating, sending, signing, archiving and billing for rate proposals, Terms of Business, and related Customer business records.
- Duration: from acceptance of the Agreement until termination of the Agreement and completion of the deletion process under Section 12.
- Nature of processing: storage; retrieval; display in the Service; transmission to authorised recipients (e.g. by email); backup; indexing; deletion. Provider does not use Customer Personal Data to train artificial intelligence models or for any marketing purposes.
- Purpose: to provide, secure, support and improve the Service for Customer in accordance with the Agreement and Customer's documented instructions.
4. Categories of Personal Data and Data Subjects
Categories of Personal Data
- Identification and contact data of Customer's staff (name, email, role).
- Identification and contact data of Customer's clients and client representatives (name, title, business email, business phone).
- Document content (rate proposals, Terms of Business, signature audit trails).
- Free-text content Customer chooses to enter (which may include the names of candidates).
- Usage and access metadata (login times, IP address, user agent).
- Billing contact data for Customer's account.
Categories of Data Subjects
- Customer's personnel (registered users).
- Representatives of Customer's clients.
- Any other individual whose Personal Data Customer chooses to enter into the Service (e.g. candidates referenced in a proposal).
5. Customer instructions
Provider will Process Customer Personal Data only on documented instructions from Customer. The Agreement, this DPA, and the in-product configuration choices Customer makes (for example, who is invited to the agency and what is sent to whom) together constitute Customer's documented instructions. Provider will inform Customer if, in its opinion, an instruction infringes UK Data Protection Law, and may suspend the relevant Processing pending resolution.
6. Provider obligations
Provider will:
- Process Customer Personal Data only in accordance with Customer's instructions, except where required to do otherwise by UK or applicable law, in which case Provider will inform Customer of that legal requirement first, unless prohibited from doing so;
- ensure that persons authorised to Process Customer Personal Data are bound by appropriate confidentiality obligations;
- implement and maintain appropriate technical and organisational measures meeting the requirements of Article 32 UK GDPR (see Section 7);
- only engage Sub-processors in accordance with Section 8;
- taking into account the nature of the Processing, assist Customer by appropriate technical and organisational measures, insofar as possible, in fulfilling Customer's obligations to respond to Data Subject requests (Section 10);
- assist Customer in ensuring compliance with Articles 32 to 36 UK GDPR, taking into account the nature of Processing and the information available to Provider;
- at Customer's choice, delete or return all Customer Personal Data after the end of the provision of Services and delete existing copies, unless retention is required by UK law (see Section 12);
- make available to Customer all information necessary to demonstrate compliance with this DPA and Article 28 UK GDPR, and allow for and contribute to audits in accordance with Section 13.
7. Security measures
Provider has implemented and will maintain technical and organisational measures designed to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access. These measures currently include:
- Encryption in transit: TLS 1.2 or higher for all data in transit between Customer, Provider and Sub-processors.
- Encryption at rest: AES-256 encryption of data at rest within Provider's database Sub-processor.
- Access control: per-tenant data isolation enforced at the database level via row-level security; least-privilege access for Provider personnel; administrative access restricted to a named allowlist; passwords stored as salted hashes.
- Authentication: email-and-password authentication; multi-factor authentication available to administrators.
- Network security: Provider's production environment is hosted on infrastructure that is not directly addressable from the public internet outside the Service's published HTTPS endpoints.
- Vulnerability management: automated dependency monitoring; security patches applied promptly after release.
- Logging and monitoring: application-level audit logs and error monitoring; access logs retained for a minimum of 30 days.
- Backup and resilience: daily encrypted backups; backups retained in accordance with the Sub-processor's policy (currently a maximum of 30 days; see Section 12).
- Personnel: Provider's personnel with access to Customer Personal Data are bound by written confidentiality undertakings.
- Incident response: documented internal incident response process covering detection, containment, eradication, recovery, and notification.
Provider may update these measures from time to time, provided that the level of protection is not materially reduced.
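The "per-tenant data isolation enforced at the database level via row-level security" measure above is, on a PostgreSQL-backed service such as one hosted on Supabase, a row-level security policy. The following is an added illustration of that mechanism, not RateCalc.io's own schema or policy: the table and column names (agencies, agency_members, proposals), the app_user role and the app.user_id session setting are assumed for the example. Supabase deployments would typically test membership against auth.uid() instead of a session setting; the session-setting form is used here so the script runs on plain PostgreSQL 13 or later.

```sql
-- Added illustration (not RateCalc.io's schema): per-tenant isolation with
-- PostgreSQL row-level security. All object names below are assumptions.

create table agencies (
  id uuid primary key default gen_random_uuid(),
  name text not null
);

-- Which users belong to which tenant (agency).
create table agency_members (
  agency_id uuid not null references agencies(id),
  user_id uuid not null,
  primary key (agency_id, user_id)
);

create table proposals (
  id uuid primary key default gen_random_uuid(),
  agency_id uuid not null references agencies(id),
  client_contact_name text,
  body text
);

-- Enable RLS and FORCE it so that even the table owner is bound by the policy.
alter table proposals enable row level security;
alter table proposals force row level security;

-- The role the web tier connects as. It is not a superuser and does not
-- bypass RLS; the calling user's id is carried in a per-request setting.
create role app_user nologin;
grant select, insert, update, delete on proposals to app_user;
grant select on agency_members to app_user;

-- The user id the web tier set for this request. NULL (so no row matches)
-- if the setting is absent, which is the safe default.
create function current_app_user() returns uuid
language sql stable as $$
  select nullif(current_setting('app.user_id', true), '')::uuid
$$;

-- A row is readable or writable only if the current user is a member of the
-- row's agency. USING filters reads/updates/deletes; WITH CHECK rejects
-- inserts or updates that would place a row in another tenant's agency.
create policy proposals_tenant_isolation on proposals
  for all to app_user
  using (
    exists (select 1 from agency_members m
            where m.agency_id = proposals.agency_id
              and m.user_id = current_app_user())
  )
  with check (
    exists (select 1 from agency_members m
            where m.agency_id = proposals.agency_id
              and m.user_id = current_app_user())
  );

-- Per-request setup performed by the application before running queries:
--   set role app_user;
--   select set_config('app.user_id', '<authenticated user id>', false);
```

To check the isolation, run as app_user with app.user_id set to a member of agency A and query proposals for agency B's id: the policy should return no rows, and an insert naming agency B's id should be rejected with a row-level security violation. The check worth keeping in an integration test suite is that omitting set_config entirely yields no rows, because that is the failure mode (a connection-pool bug or a missed middleware path) that turns per-tenant isolation into a cross-tenant leak.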
8. Sub-processors
Customer grants Provider general authorisation to engage Sub-processors, subject to the following.
Current Sub-processors as at the date of this DPA:
| Sub-processor | Role | Location of Processing | DPA |
|---|---|---|---|
| Supabase, Inc. | Hosted database, authentication, file storage | EU (Frankfurt, eu-central-1) | supabase.com/legal/dpa |
| Vercel, Inc. | Application hosting and edge compute | US, with edge nodes in multiple regions | vercel.com/legal/dpa |
| Stripe Payments Europe, Ltd | Payment processing and subscription billing | Ireland (EEA) | stripe.com/legal/dpa |
| Resend, Inc. | Transactional email delivery | EU (eu-west-1) | resend.com/legal/dpa |
Changes: Provider will give Customer at least 30 days' written notice (which may be by email or by updating the published list above) before adding or replacing a Sub-processor. Customer may object to the change in good faith within 14 days of notice. If Customer's objection cannot be reasonably resolved, Customer may terminate the Agreement on written notice, with a pro-rata refund of any fees paid in advance for the unused balance of the then-current subscription term.
Flow-down: Provider will impose data protection terms on each Sub-processor that are substantially equivalent to those in this DPA, and remains liable to Customer for each Sub-processor's performance.
9. International data transfers
Where Provider transfers Customer Personal Data outside the United Kingdom, Provider will ensure that an appropriate transfer mechanism under UK Data Protection Law is in place, being one or more of:
- transfer to a country in respect of which the UK has issued an adequacy decision;
- the UK International Data Transfer Agreement (the "UK IDTA") or the UK Addendum to the EU Standard Contractual Clauses; or
- another lawful transfer mechanism recognised under UK Data Protection Law.
The UK IDTA is incorporated by reference where required. Provider will provide Customer with reasonable information about transfer mechanisms on request.
10. Data subject rights
If Provider receives a request from a Data Subject in respect of Customer Personal Data, Provider will direct the Data Subject to Customer and inform Customer without undue delay. Taking into account the nature of the Processing, Provider will assist Customer by appropriate technical and organisational measures, insofar as possible, in fulfilling Customer's obligation to respond to requests for exercising the Data Subject's rights under Chapter III UK GDPR.
11. Personal Data Breach
Provider will notify Customer without undue delay, and in any event within 72 hours, after becoming aware of a Personal Data Breach affecting Customer Personal Data. The notification will, to the extent then known, describe:
- the nature of the breach, including the categories and approximate number of Data Subjects and records concerned;
- the likely consequences of the breach;
- the measures taken or proposed to address the breach and mitigate its possible adverse effects;
- the name and contact details of a Provider point of contact.
Provider will cooperate with Customer and provide reasonable assistance to enable Customer to investigate, mitigate and remediate the breach and meet any notification obligation Customer may have to a supervisory authority or affected Data Subjects.
12. Deletion and return
On termination or expiry of the Agreement, Customer may export its Customer Personal Data through the Service's export functionality. Provider will delete (or, at Customer's written request, return) all Customer Personal Data within 30 days of termination, except:
- backup copies, which will be deleted in line with Provider's backup retention cycle (currently a maximum of 30 days); and
- Customer billing data, which Provider may retain for up to 7 years in order to comply with UK statutory record-keeping obligations.
13. Audits
Customer may audit Provider's compliance with this DPA no more than once in any 12-month period (more often if required by a supervisory authority or following a Personal Data Breach), subject to at least 30 days' written notice and reasonable confidentiality undertakings. Provider may satisfy this obligation by providing the most recent independent third-party audit report or self-assessment, where available. If an on-site audit is reasonably required, it will be conducted at Customer's cost during normal business hours and in a manner that does not unreasonably disrupt the Service.
14. Liability
Liability of each party under this DPA is subject to the limitations and exclusions set out in the Agreement. Nothing in this DPA limits any liability that cannot be limited under UK Data Protection Law.
15. Order of precedence
In the event of any conflict between this DPA and the Agreement in respect of the Processing of Customer Personal Data, this DPA prevails.
16. Governing law and jurisdiction
This DPA is governed by the laws of England and Wales, and the parties submit to the exclusive jurisdiction of the courts of England and Wales.
17. Contact
Questions about this DPA can be sent to hello@ratecalc.io.