Version 1.0. Last updated: 05/05/2026
Data Processing Addendum
B2B customers can use this template for procurement review.
Download the current PDF version: deadline-engine-dpa-v1.pdf.
This Data Processing Addendum forms part of the Deadline Engine Terms of Service for customers who use Deadline Engine to process personal data for their own clients or matters.
For that processor activity, the customer is the controller and Deadline Engine is the processor. Deadline Engine remains an independent controller for its own account administration, billing, security, and legal compliance records.
This template is prepared around the processor contract requirements in Article 28 of the UK GDPR and ICO guidance on controller and processor contracts.
1. Processing details
- Subject matter: provision of the Deadline Engine legal deadline calculator, saved calculations, reminders, calendar export, account management, billing support, and audit records.
- Duration: the subscription term and any post-termination period needed for export, deletion, backup expiry, legal claims, or statutory retention.
- Nature and purpose: hosting, calculating, storing, exporting, emailing, securing, and supporting rule-based deadline calculations for UK legal workflows.
- Customer obligations and rights: the customer determines the lawful basis, the data entered, the users authorised to access the service, and the accuracy of instructions given to Deadline Engine.
2. Categories of personal data
- Customer user data: name, email address, organisation, authentication identifiers, billing status, support messages, and usage metadata.
- Calculation inputs: case references, trigger events, trigger dates, selected practice areas, rule selections, notes, reminder dates, and any matter details entered by the customer.
- Calculation outputs: calculated dates, citations, exported calendar descriptions, reminder history, saved calculation records, and audit log entries.
- Payment data: Stripe customer identifiers, subscription status, invoice metadata, and payment method summary supplied by Stripe. Deadline Engine does not store full card details.
3. Categories of data subjects
- Customer personnel who create or use Deadline Engine accounts.
- The customer's clients, counterparties, witnesses, employees, tenants, appellants, applicants, respondents, or other individuals if the customer enters information about them.
- Professional contacts who receive reminders or exported calendar entries from customer workflows.
4. Processor instructions
Deadline Engine will process customer personal data only on documented customer instructions, including instructions given through product configuration, API requests, account settings, support requests, or this DPA.
Deadline Engine may process personal data without further instructions where required by UK law. If legally permitted, Deadline Engine will notify the customer before doing so.
5. Confidentiality
Deadline Engine will ensure that personnel authorised to process customer personal data are bound by confidentiality obligations or are under an appropriate statutory duty of confidentiality.
6. Security measures
- TLS in transit for application traffic.
- Encryption at rest provided by hosted infrastructure providers.
- Row Level Security on user-owned database tables.
- Service role keys restricted to server-side code and never intentionally exposed to client bundles.
- Access controls, least-privilege operational access, and environment variable separation between local, preview, and production environments.
- Audit logging for calculations, subscription events, and security-relevant operational events.
- Backups, monitoring, and incident response procedures proportionate to the nature of the service.
7. Sub-processors and transfers
Deadline Engine may use sub-processors to provide the service. Deadline Engine remains responsible for sub-processor performance of data protection obligations.
Deadline Engine will provide at least 30 days' advance notice of a material new sub-processor where practicable, allowing the customer to object on reasonable data protection grounds.
- Supabase: database and authentication, eu-west-2, London.
- Vercel: application hosting, global network.
- Stripe: payment processing, United States, protected by Standard Contractual Clauses and the UK International Data Transfer Addendum.
- Resend: transactional email delivery, United States, protected by Standard Contractual Clauses and the UK International Data Transfer Addendum.
- Sentry: error monitoring, United States or European Union depending on account region, protected by Standard Contractual Clauses and the UK International Data Transfer Addendum where applicable.
- Plausible: aggregate analytics, European Union.
- Namecheap: domain registrar; no customer personal data is intentionally shared.
8. Data subject rights and controller assistance
Taking into account the nature of the processing, Deadline Engine will provide reasonable assistance to help the customer respond to data subject requests, including access, rectification, erasure, restriction, portability, and objection requests.
Deadline Engine will provide reasonable assistance with security, breach notification, data protection impact assessments, and consultation with the ICO where required by UK data protection law.
9. Personal data breach notification
Deadline Engine will notify the customer without undue delay after becoming aware of a personal data breach affecting customer personal data. The notice will include available information about the nature of the breach, affected data, likely consequences, and mitigation steps.
10. Return and deletion
At the end of the service, Deadline Engine will, at the customer's choice where technically feasible, return or delete customer personal data unless UK law requires continued storage.
Backup copies may remain in protected backups until the normal backup expiry cycle, provided they are not restored to active systems except for disaster recovery, security, or legal compliance.
Calculation audit logs may be retained for up to 7 years where needed for legal defensibility, dispute handling, or professional record-keeping expectations.
11. Audits
Deadline Engine will provide information reasonably necessary to demonstrate compliance with this DPA and Article 28 UK GDPR. Customer audits may be carried out once per calendar year on reasonable written notice, during normal business hours, and in a way that preserves service security and other customers' confidentiality.
No audit may include direct access to production systems, other customers' data, source code, or security secrets.
12. Liability and order of precedence
Liability under this DPA is subject to the limitation of liability in the Deadline Engine Terms of Service, being the greater of £100 or the total fees paid by the customer in the 12 months before the event giving rise to the claim, except where liability cannot lawfully be limited.
If there is a conflict between this DPA and the Terms of Service about processor obligations, this DPA controls for that processor processing only. The Terms of Service continue to govern all other matters.