Standard DPA: This Data Processing Agreement ("DPA") forms part of the Terms of Service between PICMS and the Customer. It governs the processing of personal data in accordance with UK GDPR requirements.
1. Parties
Data Controller ("Customer")
The organisation that has subscribed to PICMS services and determines the purposes and means of processing personal data.
Data Processor ("PICMS")
PICMS Ltd, registered in England and Wales (Company No. 17262734), providing compliance management services and processing personal data on behalf of the Customer.
2. Definitions
"Personal Data"
Any information relating to an identified or identifiable natural person as defined in UK GDPR Article 4(1).
"Processing"
Any operation performed on personal data, including collection, recording, storage, adaptation, retrieval, use, disclosure, or deletion.
"Data Subject"
An identified or identifiable natural person whose personal data is processed.
"Sub-processor"
Any third party engaged by PICMS to process personal data on behalf of the Customer.
"UK GDPR"
The UK General Data Protection Regulation as incorporated into UK law by the Data Protection Act 2018.
3. Subject Matter and Duration
3.1 Subject Matter
This DPA governs the processing of personal data by PICMS when providing compliance management services to the Customer, including:
- Storage and management of compliance documentation
- Processing of employee training records
- Management of audit and incident records
- Risk assessment and management data
- User account administration
3.2 Duration
This DPA shall remain in effect for the duration of the Customer's subscription to PICMS services and for as long as PICMS processes personal data on behalf of the Customer.
4. Nature and Purpose of Processing
PICMS processes personal data for the following purposes:
- Providing access to the PICMS compliance management platform
- Storing and organising compliance documentation
- Generating compliance reports and analytics
- Managing user accounts and access permissions
- Providing customer support services
- Sending service-related communications
5. Categories of Data Subjects
Personal data processed under this DPA may relate to:
- Customer employees and contractors
- Customer's clients (where included in compliance records)
- Third-party contacts (suppliers, auditors, regulators)
- Individuals mentioned in incident reports or risk assessments
6. Types of Personal Data
Categories of personal data processed may include:
- Identity Data: Names, job titles, employee IDs
- Contact Data: Email addresses, phone numbers, business addresses
- Professional Data: Qualifications, training records, certifications
- Compliance Data: Audit findings, incident reports, risk assessments
- Technical Data: IP addresses, login timestamps, usage logs
7. Processor Obligations
PICMS shall:
7.1 Processing Instructions
- Process personal data only on documented instructions from the Customer
- Inform the Customer if any instruction infringes UK GDPR
- Not process data for any purpose other than providing the agreed services
7.2 Confidentiality
- Ensure all personnel processing data are bound by confidentiality obligations
- Limit access to personal data to authorised personnel only
- Implement appropriate access controls and authentication measures
7.3 Security Measures
- Implement appropriate technical and organisational security measures
- Maintain 256-bit SSL/TLS encryption for data in transit
- Apply AES-256 encryption for data at rest
- Conduct regular security assessments and penetration testing
- Maintain ISO 27001 aligned security practices
7.4 Sub-processing
- Not engage sub-processors without prior written authorisation
- Maintain a list of approved sub-processors
- Ensure sub-processors are bound by equivalent data protection obligations
- Remain liable for sub-processor compliance
7.5 Data Subject Rights
- Assist the Customer in responding to data subject requests
- Implement technical measures to facilitate rights exercise
- Provide data export functionality in machine-readable formats
- Support data portability and deletion requests
7.6 Data Breach Notification
- Notify the Customer of any personal data breach without undue delay
- Provide notification within 24 hours of becoming aware of a breach
- Assist with breach investigation and remediation
- Document all breaches and corrective actions taken
8. Controller Obligations
The Customer shall:
- Ensure lawful basis exists for all personal data provided to PICMS
- Provide clear processing instructions to PICMS
- Notify data subjects of data processing where required
- Respond to data subject requests within statutory timeframes
- Conduct Data Protection Impact Assessments where required
9. International Transfers
Personal data is primarily processed within the UK (AWS EU-West-2, London). If international transfers are necessary:
- PICMS will implement Standard Contractual Clauses (SCCs)
- Transfer Impact Assessments will be conducted
- Supplementary measures will be applied where required
- Customer will be notified of any new transfer destinations
10. Approved Sub-processors
The Customer authorises the use of the following sub-processors. The current canonical list (with locations and DPA terms) is also published at /trust#subprocessors and in the Privacy Policy §5; this DPA Annex must be read in line with that list:
| Sub-processor |
Purpose |
Location |
| Amazon Web Services (AWS) |
Cloud hosting (RDS, S3, ECS, ALB), transactional email (AWS SES) |
eu-west-2 (London), United Kingdom |
| Auth0 (Okta) |
Authentication, identity, MFA |
United States — UK addendum to EU SCCs |
| Anthropic (Claude API) |
AI analysis & content drafting (only when a user triggers an AI feature). API content not used for model training under default API terms. |
United States — UK addendum to EU SCCs |
| OpenAI (Embeddings API) |
Semantic search of customer documents (~1,000-character chunks). API content not used for model training under default API terms. |
United States — UK addendum to EU SCCs |
| Resend |
Transactional email (RAMS sends, invitations, weekly digest) |
United States — UK addendum to EU SCCs |
| Stripe |
Payment processing — PCI DSS Level 1; card data never touches PICMS servers |
United Kingdom / United States |
| Telegram (Bot API, optional) |
Digest/alerts — only when a User voluntarily links their Telegram account |
Telegram global infrastructure |
PICMS will notify the Customer at least 30 days before engaging any new sub-processor, allowing the Customer to object. Objections may be raised to privacy@picms.com.
11. Audit Rights
The Customer has the right to:
- Request evidence of PICMS compliance with this DPA
- Review security certifications and audit reports
- Conduct audits with reasonable notice (at Customer's expense)
- Request information about processing activities
Security documentation is available on request.
12. Data Retention and Deletion
12.1 During Subscription
PICMS will retain personal data for the duration of the Customer's subscription as necessary to provide the services.
12.2 Upon Termination
- Customer may export data within 30 days of termination
- PICMS will delete all personal data within 30 days of the export period
- Backup data will be purged within 90 days
- Certification of deletion available upon request
12.3 Exceptions
Data may be retained longer where required by law or for legitimate legal purposes (e.g., regulatory compliance records).
13. Liability
Each party's liability under this DPA shall be subject to the limitations set forth in the main Terms of Service, except that neither party excludes liability for:
- Death or personal injury caused by negligence
- Fraud or fraudulent misrepresentation
- Any liability that cannot be excluded by law
14. Amendments
This DPA may be amended:
- By mutual written agreement of the parties
- To reflect changes in applicable data protection laws
- To add or remove sub-processors (with 30 days notice)
Annex A: Technical and Organisational Measures
| Measure |
Implementation |
| Encryption in Transit |
TLS 1.2/1.3 with 256-bit encryption |
| Encryption at Rest |
AES-256 encryption for all stored data |
| Access Control |
Role-based access control (RBAC), MFA available |
| Network Security |
Firewalls, VPC isolation, DDoS protection |
| Monitoring |
24/7 security monitoring, intrusion detection |
| Backups |
Daily encrypted backups, tested recovery procedures |
| Physical Security |
Hosted in AWS enterprise data centres (UK region, eu-west-2) |
| Incident Response |
Documented incident response procedures |