Data Processing Agreement
Last updated: 28 May 2026 · Version: 1.0
This Data Processing Agreement ("DPA") forms part of the agreement between Reignites Ltd ("we", "us", "Reignites", the Processor) and the customer using the Record of Intent service ("you", the Controller) for the processing of personal data on your behalf.
This DPA reflects the requirements of the UK General Data Protection Regulation ("UK GDPR") and the Data Protection Act 2018. Both parties are committed to processing personal data lawfully, fairly, and transparently.
If your use of Record of Intent does not involve us processing any personal data on your behalf, this DPA does not apply to that use.
1. Definitions
"Personal data", "process", "controller", "processor", "sub-processor", "data subject", "personal data breach", "supervisory authority", and related terms have the meanings given in the UK GDPR.
"Customer Personal Data" means personal data you make available to us, or that is processed by us on your behalf, in connection with your use of the Record of Intent service.
"Standard Contractual Clauses" means the clauses approved by the European Commission for the transfer of personal data to processors established in third countries, and the corresponding UK International Data Transfer Addendum.
2. Subject matter and duration
We process Customer Personal Data only as necessary to provide the Record of Intent service to you. This DPA applies for the duration of your contract with us and for any period afterwards during which we hold Customer Personal Data.
3. Nature and purpose of processing
We process Customer Personal Data to operate the Record of Intent service: storing and retrieving records you create, generating tamper-evident hashes and independent timestamps, sending you and the people you nominate transactional emails (such as confirmation links, deliverable sign-off requests, and verification notices), generating evidence packs, and securing your account.
We do not process Customer Personal Data for our own marketing, profiling, or analytics about your customers or counterparties.
Record of Intent does not independently verify the legal identity, authority, or capacity of any party unless explicitly stated. Records created through the service may support evidential or audit purposes, but admissibility and evidential weight depend on jurisdiction and circumstances.
4. Type of personal data and categories of data subjects
The Customer Personal Data we process on your behalf typically includes:
- The names, email addresses, and roles of the people who use the service through your account (your team members).
- The names, email addresses, and roles of the people you record agreements with (your clients, counterparties, and any third party named in the content of a record).
- The content of the records you create (which may include personal data about any of the above).
The categories of data subjects are: your team members, your clients and counterparties, and any third party named in the content of a record.
5. Our obligations as processor
We will:
- Process Customer Personal Data only on your documented instructions, unless required to do so by law (in which case we will inform you of the requirement before processing, unless the law forbids us from doing so).
- Ensure that people authorised to process Customer Personal Data have committed themselves to confidentiality or are under an appropriate statutory duty of confidentiality.
- Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk (see §8).
- Assist you in responding to requests from data subjects exercising their UK GDPR rights, to the extent reasonably possible.
- Assist you in ensuring compliance with your obligations regarding security of processing, personal data breach notification, and data protection impact assessments.
- Notify you of any personal data breach affecting Customer Personal Data without undue delay after becoming aware (see §9).
- At your choice, delete or return all Customer Personal Data at the end of the provision of services, unless retention is required by law.
- Make available to you all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits (see §10).
6. Sub-processors
You authorise us to engage the following sub-processors at the start of this DPA:
- Resend (transactional email).
- Umami Cloud (cookieless analytics, where applicable).
- Cloudflare (hosting, content delivery, security, edge functions).
- Sentry (error monitoring, where activated).
- Supabase (database, when the paid product launches).
We will notify you in writing at least 30 days before adding or replacing a sub-processor. You may object on reasonable data-protection grounds within that 30-day period, in which case we will discuss the objection in good faith and, if not resolved, allow you to terminate the service for the affected scope.
We remain fully liable to you for the performance of any sub-processor we engage.
7. International transfers
Some sub-processors process Customer Personal Data outside the United Kingdom (see §6 above and our privacy policy for the current list of locations). For each non-adequate jurisdiction, we have in place the Standard Contractual Clauses (with the UK International Data Transfer Addendum) or other appropriate safeguards permitted under UK GDPR Chapter V.
8. Security measures
We maintain appropriate technical and organisational measures including:
- Encryption of Customer Personal Data in transit (TLS) and at rest (provider defaults).
- Role-based access control inside the service; least-privilege access for our team.
- Records are designed to be append-only and tamper-evident after creation. Any superseding activity is logged and auditable.
- Authentication using industry-standard password hashing and session management.
- Daily backups of production data, with documented restore procedures.
- Regular security review of dependencies and infrastructure.
9. Personal data breach notification
We will notify you of any personal data breach affecting Customer Personal Data without undue delay after becoming aware, with a target window of 24 hours. The notification will include the information you reasonably need to meet your own UK GDPR Article 33 obligation to notify the ICO within 72 hours, including (so far as we know): the nature of the breach, the categories and approximate number of affected data subjects, the likely consequences, and the measures we have taken or propose to take in response.
You remain responsible for your own onward notification to the ICO and to affected data subjects.
10. Cooperation and audit
We will provide you with the information you reasonably need to demonstrate our compliance with this DPA. You may audit our compliance once per calendar year, with at least 30 days' written notice, during normal business hours, conducted by your internal team or by a mutually agreed independent auditor bound by confidentiality terms equivalent to those in this DPA.
You bear your own audit costs unless the audit identifies material non-compliance by us, in which case we will reimburse your reasonable audit costs.
11. Return or deletion of data at end of service
On termination of the service, and on your written instruction within 90 days of termination, we will either return Customer Personal Data to you in a structured, commonly used format, or delete it from our systems, unless retention is required by law. After that 90-day window, we will delete remaining Customer Personal Data unless you have instructed otherwise.
12. Liability
Our aggregate liability arising out of or in connection with this DPA, whether in contract, tort (including negligence), or otherwise, is capped at the greater of:
- the total fees you have paid us in the trailing 12 months, or
- £1,000.
The cap above does NOT apply to liability for:
- death or personal injury caused by negligence;
- fraud or fraudulent misrepresentation;
- gross negligence;
- wilful misconduct; or
- any liability owed directly to data subjects under UK GDPR Article 82 (joint and several liability with the controller), where the cap is unenforceable as a matter of statute.
These carve-outs are explicit because under the Unfair Contract Terms Act 1977 a cap that purports to exclude statutory or fraud liability may be unenforceable; carving these out preserves the cap's enforceability on everything else.
13. Governing law and jurisdiction
This DPA is governed by the laws of England and Wales and subject to the exclusive jurisdiction of the English courts.
14. Contact
For any question about this DPA, or to action any of the rights or obligations described above, write to [email protected] (Reignites Ltd parent-entity matters) or [email protected] (Record of Intent product matters). Both addresses reach our Data Protection Officer.