
GovRedact · Legal

Data Processing Agreement

Last updated 2026-06-15

This Data Processing Agreement (“DPA”) forms part of the agreement between the customer authority (the “Controller”, “you”) and Cloudy Group Ltd trading as CloudyIT, company number 04997628 (the “Processor”, “we”), for the GovRedact platform. It records the parties' obligations under Article 28 of the UK GDPR when we process personal data on your behalf.

1. Roles

For Customer Data processed through GovRedact, you are the Controller and we are the Processor. Each party will comply with its obligations under UK Data Protection Law (the UK GDPR and the Data Protection Act 2018).

2. Subject matter and details of processing

  • Subject matter: processing necessary to provide GovRedact — intake, storage, AI-assisted redaction, review, disclosure and audit of information requests.
  • Duration: for the term of the agreement and any agreed retention/deletion period afterwards.
  • Nature and purpose: hosting, processing and redacting documents to help you respond to SAR, FOI and related requests.
  • Types of personal data: as contained in the records you upload, which may include names, contact details, identifiers and, where present in case material, special category data and data relating to criminal matters.
  • Categories of data subjects: requesters, residents, employees, third parties and any individuals referenced in case documents.

3. Our obligations as Processor

  • process Customer Data only on your documented instructions, including this DPA and your use of the platform, unless required to do otherwise by law (in which case we will inform you unless legally prohibited);
  • ensure persons authorised to process the data are bound by confidentiality;
  • implement appropriate technical and organisational measures (see our Security statement);
  • respect the conditions for engaging sub-processors set out below;
  • taking into account the nature of the processing, assist you by appropriate measures in responding to data subject rights requests;
  • assist you with your obligations on security, breach notification, data protection impact assessments and prior consultation;
  • on the end of the services, delete or return Customer Data as set out below; and
  • make available information necessary to demonstrate compliance and allow for and contribute to audits.

4. Security

We maintain technical and organisational measures appropriate to the risk, including encryption in transit and at rest, role-based access control, malware scanning of uploads, tenant isolation, and immutable audit logging. Details are in our Security statement, which forms part of this DPA.

5. Sub-processors

You provide general authorisation for us to engage the sub-processors below to deliver GovRedact. We impose data protection terms on each that are no less protective than this DPA, and we remain responsible for their performance. We will give notice of intended changes and you may object on reasonable data protection grounds.

Sub-processor | Purpose | Location
--- | --- | ---
Microsoft (Azure) | Hosting, storage, database, messaging and transactional email | United Kingdom (UK South / UK West)
Anthropic | AI-assisted redaction proposals | Processing may occur outside the UK under appropriate safeguards
Stripe | Payment processing | UK / EEA / US under appropriate safeguards

6. International transfers

Customer Data is hosted in the UK. Where a sub-processor processes data outside the UK, we ensure an appropriate transfer mechanism is in place, such as the UK International Data Transfer Agreement or the UK Addendum to the EU Standard Contractual Clauses.

7. Personal data breaches

We will notify you without undue delay after becoming aware of a personal data breach affecting Customer Data, and provide information reasonably available to help you meet your own notification obligations.

8. Data subject requests

Where we receive a request from a data subject relating to Customer Data, we will direct them to you and will not respond directly except on your instruction or as required by law. GovRedact provides tooling to help you locate and act on relevant data.

9. Return and deletion

On termination, or on your written request, we will delete or return Customer Data and delete existing copies, unless retention is required by law. Backups are deleted on their normal cycle.

10. Audit

We will make available information necessary to demonstrate compliance with Article 28 and allow for and contribute to audits, including inspections, conducted by you or an auditor you mandate, subject to reasonable notice, confidentiality and security requirements.

11. Liability and precedence

This DPA is governed by the same law as, and is subject to the liability provisions of, the Terms of Service. If there is a conflict between this DPA and the Terms regarding the processing of personal data, this DPA prevails.

12. Acceptance

An authorised administrator of your organisation accepts this DPA on your behalf when prompted in the platform, or under a signed order form. The date of acceptance is recorded against your organisation.