Data Processing Agreement
This Data Processing Agreement ("DPA" or "Agreement") applies between you (the customer using the ReqFit service, the "Controller") and CASM Labs Limited (the "Processor" or "CASM Labs"). It is incorporated into the ReqFit Terms of Service and applies automatically when you create a ReqFit account.
CASM Labs Limited is a company incorporated in England and Wales with company number 17115248 whose registered office is at 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ, United Kingdom.
In the event of conflict between this DPA and the Terms of Service in respect of the processing of Personal Data, this DPA prevails.
1. Definitions
In this DPA:
"Applicable Data Protection Law" means the UK GDPR, the Data Protection Act 2018, the Privacy and Electronic Communications (EC Directive) Regulations 2003, and any other data protection or privacy laws applicable to either party in connection with this DPA.
"Approved Sub-processor" means a Sub-processor listed in Schedule 3 or otherwise approved in accordance with Clause 7.
"Customer Personal Data" means Personal Data that the Processor Processes on behalf of the Controller under the Terms of Service and this DPA. The categories of Customer Personal Data are set out in Schedule 1.
"Data Subject" has the meaning given in the UK GDPR.
"Personal Data Breach" has the meaning given in the UK GDPR.
"Processing" (and its grammatical variants) has the meaning given in the UK GDPR.
"Restricted Transfer" means a transfer of Personal Data from the United Kingdom to a country, territory, sector, or organisation not benefiting from an adequacy decision of the UK Secretary of State.
"Standard Contractual Clauses" or "SCCs" means, as applicable, (a) the UK International Data Transfer Agreement issued by the Information Commissioner under section 119A of the Data Protection Act 2018 (the "UK IDTA"), or (b) the UK Addendum to the European Commission's Standard Contractual Clauses (the "UK Addendum").
"Sub-processor" means any third party engaged by the Processor to Process Customer Personal Data on behalf of the Processor.
"Terms of Service" means the ReqFit Terms of Service to which the Controller is bound by virtue of using the ReqFit service.
"UK GDPR" has the meaning given in section 3(10) of the Data Protection Act 2018.
Terms used but not defined in this DPA have the meanings given in the UK GDPR.
2. Roles of the parties
2.1 The parties acknowledge that, in respect of the Processing of Customer Personal Data under this DPA, the Controller acts as the controller and the Processor acts as a processor.
2.2 The Controller is responsible for the lawfulness of the Processing of Customer Personal Data and for ensuring that it has a lawful basis under Applicable Data Protection Law to instruct the Processor to carry out the Processing described in this DPA.
2.3 The Controller is responsible for the accuracy, quality, and content of Customer Personal Data and the means by which the Controller acquired such data.
2.4 Where a Data Subject contacts the Processor directly regarding the Controller's Processing of Customer Personal Data, the Processor will, without undue delay, forward the request to the Controller and not respond substantively unless instructed by the Controller, save where the Processor is required to respond by law.
3. Subject matter, scope, and duration of Processing
3.1 The subject matter, nature, purpose, duration, types of Personal Data, and categories of Data Subjects to which the Processing relates are set out in Schedule 1 (Details of Processing).
3.2 The Processor will Process Customer Personal Data only for the duration of the Controller's use of the ReqFit service and for such further period as is necessary to comply with the deletion or return obligations in Clause 11.
4. Processor obligations
4.1 The Processor will Process Customer Personal Data only on the documented instructions of the Controller, including with regard to transfers of Customer Personal Data to a third country, unless required to do otherwise by law applicable to the Processor. The Terms of Service, this DPA, and the Controller's use of the ReqFit service (including any configurations made by the Controller through the service) constitute documented instructions.
4.2 If the Processor is required by law to Process Customer Personal Data otherwise than on the Controller's instructions, the Processor will inform the Controller of that legal requirement before Processing, unless the law prohibits the giving of such notice on important grounds of public interest.
4.3 The Processor will inform the Controller without undue delay if, in the Processor's opinion, an instruction from the Controller infringes Applicable Data Protection Law. The Processor will not be obliged to act on any instruction that, in the Processor's reasonable opinion, would cause the Processor to be in breach of Applicable Data Protection Law.
4.4 The Processor will ensure that persons authorised to Process Customer Personal Data are subject to obligations of confidentiality (whether contractual or statutory) and have received appropriate training in the protection of Personal Data.
4.5 The Processor will implement and maintain the technical and organisational measures set out in Schedule 2 (Technical and Organisational Measures) to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access, in compliance with Article 32 of the UK GDPR.
4.6 The Processor will assist the Controller, by appropriate technical and organisational measures and so far as reasonably possible, with the fulfilment of the Controller's obligations to respond to requests from Data Subjects exercising their rights under Articles 15 to 22 of the UK GDPR.
4.7 The Processor will assist the Controller in complying with the Controller's obligations under Articles 32 to 36 of the UK GDPR, taking into account the nature of the Processing and the information available to the Processor.
5. Security
5.1 The Processor will implement the technical and organisational measures set out in Schedule 2 to ensure a level of security appropriate to the risks presented by the Processing, in particular the risks of accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Customer Personal Data.
5.2 The Processor may update the measures in Schedule 2 from time to time provided that any update does not materially reduce the overall level of security.
5.3 The Processor's current information security position includes:
- ICO registration: ZC111039 (Data Protection Fee paid; tier 1 micro organisation).
- Independent assurance: the Processor is pursuing Cyber Essentials self-assessed certification under the UK National Cyber Security Centre scheme administered by IASME.
- Cloud platform: production services are hosted on Google Cloud Platform, which itself holds ISO/IEC 27001, ISO/IEC 27017, ISO/IEC 27018, SOC 2 Type II, and SOC 3 certifications. Inherited platform certifications are not a substitute for the Processor's own controls but are part of the Processor's overall posture.
6. Personal Data Breach
6.1 The Processor will notify the Controller without undue delay, and in any event within forty-eight (48) hours of becoming aware, of a Personal Data Breach affecting Customer Personal Data.
6.2 The notification will, to the extent then known to the Processor:
- describe the nature of the Personal Data Breach, including (where possible) the categories and approximate number of Data Subjects and Personal Data records affected;
- communicate the name and contact details of the Processor's point of contact for further information;
- describe the likely consequences of the Personal Data Breach; and
- describe the measures taken or proposed to address the Personal Data Breach and to mitigate its possible adverse effects.
6.3 Where the information in Clause 6.2 cannot all be provided at the same time, the Processor may provide it in phases without further undue delay.
6.4 The Processor will cooperate with the Controller and take reasonable commercial steps as directed by the Controller to assist in the investigation, mitigation, and remediation of any Personal Data Breach.
6.5 The Processor's notification of, or response to, a Personal Data Breach under this Clause 6 is not an acknowledgement of any fault or liability with respect to the Personal Data Breach.
7. Sub-processors
7.1 The Controller provides the Processor with general written authorisation to engage the Sub-processors listed in Schedule 3 to Process Customer Personal Data.
7.2 The Processor will:
- enter into a written contract with each Sub-processor that imposes obligations on the Sub-processor that are no less protective of Customer Personal Data than those imposed on the Processor under this DPA; and
- remain fully liable to the Controller for the performance of each Sub-processor's data protection obligations.
7.3 The Processor will notify the Controller in advance of the addition or replacement of any Sub-processor, giving the Controller not less than thirty (30) days' notice (the "Notice Period") to object on reasonable data protection grounds. Notification will be by email to the contact address provided by the Controller, and by publication on the Processor's website at https://reqfit.com/gdpr (or such other URL as the Processor may notify).
7.4 If the Controller objects on reasonable data protection grounds within the Notice Period, the parties will discuss the objection in good faith. If the parties are unable to resolve the objection within thirty (30) days of receipt of the Controller's objection, the Controller may terminate its use of the ReqFit service and this DPA on written notice without liability to the Processor (other than fees accrued up to the date of termination).
8. International transfers
8.1 The Processor will not transfer Customer Personal Data outside the United Kingdom except in accordance with this Clause 8.
8.2 The Processor's static production data resides within Google Cloud Platform's europe-west2 (London) region for both account administration data (Firestore) and customer-submitted review content (Cloud Storage). The Controller acknowledges and agrees that primary AI inference (via Google Cloud Vertex AI) is dynamic and may be executed in regions outside the United Kingdom or European Economic Area to maintain service availability and performance capacity. The Processor covenants that any such international inference processing is strictly transient, processed in memory, and that no Customer Personal Data is retained at rest or utilised for model training by the underlying AI infrastructure provider in those jurisdictions.
8.3 Where the Processor makes a Restricted Transfer, it will do so on the basis of one or more of:
- an adequacy decision of the UK Secretary of State in respect of the destination country, including (where applicable) the UK Extension to the EU-US Data Privacy Framework;
- the UK IDTA, executed between the Processor (as data exporter) and the relevant recipient (as data importer);
- the UK Addendum, where the EU Standard Contractual Clauses are in place between the Processor and the recipient and the UK Addendum is executed to make those EU SCCs effective for transfers from the United Kingdom; or
- any other transfer mechanism recognised under Applicable Data Protection Law.
8.4 The Processor's standard sub-processor agreements with the Sub-processors listed in Schedule 3 include the relevant transfer mechanism where the Sub-processor processes Customer Personal Data outside the United Kingdom. Further detail is in Schedule 4 (International Transfers).
8.5 The Controller authorises the Processor to enter into the SCCs (or any successor transfer mechanism) with Sub-processors on the Controller's behalf where necessary to give effect to this DPA.
9. Data subject rights
9.1 The Processor will, taking into account the nature of the Processing, assist the Controller by appropriate technical and organisational measures, insofar as this is possible, to respond to requests by Data Subjects to exercise their rights under Applicable Data Protection Law.
9.2 The Processor will, on the Controller's reasonable request and at the Controller's cost (save where the request results from the Processor's breach of this DPA, in which case at the Processor's cost):
- provide the Controller with access to Customer Personal Data;
- rectify Customer Personal Data identified by the Controller as inaccurate;
- restrict the Processing of Customer Personal Data identified by the Controller; or
- delete or port Customer Personal Data identified by the Controller.
9.3 The Processor provides the Controller with self-service tools through the ReqFit service to enable the Controller to respond to many Data Subject requests directly. These tools include, without limitation, account-level data export, account-level deletion, individual review deletion, and account user management.
10. Audit and information rights
10.1 The Processor will make available to the Controller all information reasonably necessary to demonstrate compliance with the obligations laid down in Article 28 of the UK GDPR and this DPA.
10.2 The Processor's approach to providing information and audit assurance reflects its operational structure as a micro-organisation. The parties agree that the audit and inspection rights laid down in Article 28(3)(h) of the UK GDPR shall be satisfied in the first instance by the Processor providing the following materials on the Controller's reasonable written request, not more than once per twelve (12) month period (save where requested following a material Personal Data Breach):
- a copy of its then-current Cyber Essentials certificate (once awarded);
- a copy of its internal information security policies, including its password policy, user account management policy, and data backup policy;
- a written description of the technical and organisational measures in place to protect Customer Personal Data; and
- responses, within twenty (20) business days, to a reasonable written security questionnaire tailored to the scope of the ReqFit services.
10.3 Where the materials provided under Clause 10.2 are demonstrably insufficient to satisfy the Controller's regulatory compliance obligations, or where a competent supervisory authority mandates an inspection, the Processor shall permit the Controller (or its appointed independent third-party auditor, subject to appropriate confidentiality undertakings) to conduct an audit. Any such audit shall be:
- subject to at least thirty (30) business days' prior written notice;
- conducted during normal UK business hours without disrupting standard operations;
- restricted entirely to systems and documentation relevant to the Processing of Customer Personal Data;
- limited to not more than once per twelve (12) month period (save where required by the supervisory authority); and
- executed entirely at the Controller's sole expense, including reimbursement of the Processor's documented reasonable staff costs incurred during the audit process.
10.4 The Controller will treat all materials provided under this Clause 10 as the Confidential Information of the Processor.
11. Deletion or return of Customer Personal Data
11.1 On termination of the Controller's use of the ReqFit service (for any reason), the Processor will, at the Controller's choice and within ninety (90) days of termination, either:
- return all Customer Personal Data to the Controller; or
- delete all Customer Personal Data,
save where Applicable Data Protection Law or another legal obligation requires storage of the Customer Personal Data for a longer period, in which case the Processor will continue to protect that data in accordance with this DPA for so long as it is retained.
11.2 The Processor's standard operating retention positions are:
- Proposal documents uploaded by the Controller: deleted automatically once the review report is delivered. Not retained between reviews.
- Requirements lists extracted from RFP documents: retained against the Controller's account to enable consistent re-runs of reviews against the same baseline. Deleted on account deletion.
- Review reports: retained in the Controller's account for ninety (90) days from generation. The Controller can delete a review at any time within that window. After ninety (90) days, reports are deleted automatically. Reports downloaded by the Controller remain on the Controller's own systems.
- Account data (account-holder name, email, account configuration): retained for the duration of the account. Deleted on account deletion.
- Service logs (IP address, browser, pages visited): retained in line with Google Cloud Logging default retention (typically thirty (30) days for application logs and up to four hundred (400) days for administrative activity logs), and in any event not exceeding twelve (12) months.
11.3 Account deletion is available to the Controller through the ReqFit service at any time. Account deletion removes all Customer Personal Data held by the Processor in respect of that account, including any stored requirements lists and any review reports then within the ninety (90) day retention window. Reports already downloaded by the Controller are not affected and remain on the Controller's own systems.
12. Liability
12.1 This Clause 12 sets out the entire financial liability of the parties under or in connection with this DPA.
12.2 Subject to Clause 12.3, each party's total aggregate liability arising out of or in connection with this DPA, whether in contract, tort (including negligence), breach of statutory duty, or otherwise, shall be subject to the limitations and caps on liability set out in the Terms of Service. Where the Terms of Service contain no such cap, total liability under this DPA shall not exceed the total fees paid or payable by the Controller to the Processor under the Terms of Service in the twelve (12) month period immediately preceding the event giving rise to the claim.
12.3 Nothing in this DPA limits or excludes either party's liability for:
- death or personal injury caused by its negligence;
- fraud or fraudulent misrepresentation;
- any breach of its confidentiality obligations under this DPA; or
- any liability that cannot lawfully be limited or excluded under Applicable Data Protection Law.
12.4 The parties agree that no separate indemnities are granted under this DPA, and any claims for data protection breaches shall be pursued purely as standard contractual damages subject to the limitations set out in Clause 12.2.
12.5 The liability provisions in the Terms of Service apply to claims under or relating to this DPA, save that this Clause 12 prevails to the extent of any conflict in respect of liability for breach of data protection obligations.
13. Term and termination
13.1 This DPA commences on the date the Controller first uses the ReqFit service and terminates automatically on the cessation of the Controller's use of the ReqFit service, save for those provisions which by their nature survive termination (including Clauses 11 (Deletion or return), 12 (Liability), and 14 (General)).
13.2 The Controller may terminate its use of the ReqFit service and this DPA immediately on written notice in the circumstances set out in Clause 7.4 (Sub-processor objection unresolved).
14. General
14.1 Notices. Notices under this DPA must be in writing and sent to:
For the Processor: security@reqfit.com, with a copy to the registered office address shown at the top of this DPA.
For the Controller: the email address on the Controller's ReqFit account.
14.2 Entire agreement. This DPA, together with the Terms of Service, constitutes the entire agreement between the parties in relation to its subject matter and supersedes all prior agreements, representations, and understandings.
14.3 Variation. No variation of this DPA is effective unless made in accordance with the variation provisions of the Terms of Service.
14.4 Severance. If any provision of this DPA is held by a court of competent jurisdiction to be invalid or unenforceable, the remaining provisions remain in full force and effect.
14.5 No waiver. A failure or delay by either party to exercise any right under this DPA does not constitute a waiver of that right.
14.6 Third party rights. A person who is not a party to this DPA has no right under the Contracts (Rights of Third Parties) Act 1999 to enforce any term of this DPA.
14.7 Governing law. This DPA and any dispute or claim arising out of or in connection with it (including non-contractual disputes or claims) is governed by and construed in accordance with the laws of England and Wales.
14.8 Jurisdiction. The courts of England and Wales have exclusive jurisdiction to settle any dispute or claim arising out of or in connection with this DPA.
Schedule 1 — Details of Processing
| Item | Detail |
|---|---|
| Subject matter of Processing | Provision of the ReqFit proposal review service to the Controller. The service ingests one or more request-for-proposal (RFP) documents and one or more proposal documents supplied by the Controller, analyses them against the requirements set out in the RFP, and produces a structured review report identifying gaps, risks, and rewrite opportunities. |
| Duration of Processing | The term of the Controller's use of the ReqFit service, plus any further period reasonably necessary for the Processor to comply with its obligations under Clause 11 of this DPA (return or deletion of Customer Personal Data). |
| Nature of the Processing | Receipt, storage, automated analysis (including via large-language-model inference on Google Cloud Vertex AI), extraction of structured data (requirements lists), generation of a structured report (in PDF and DOCX formats), provision of that report to the Controller through the ReqFit service, and routine operational Processing (authentication, billing reconciliation, support, security monitoring). |
| Purpose of the Processing | To enable the Controller to assess the strength, completeness, and competitiveness of its in-flight proposals against the requirements set out in the corresponding RFPs, and to enable the Processor to operate, support, and maintain the ReqFit service. |
| Types of Personal Data | (a) Account data of the Controller's authorised users: name, business email address, hashed password, organisation identifier, and account configuration. (b) Personal Data contained within RFP documents uploaded by the Controller: contact details of the issuing authority's personnel, named procurement officers, and any other Personal Data that may appear in a typical RFP. (c) Personal Data contained within proposal documents uploaded by the Controller: typically including biographical detail of named team members, named referees, contact details, and CVs or capability statements. (d) Service log data: IP address, browser identifiers, timestamps, and pages visited within the ReqFit service. |
| Categories of Data Subjects | (a) The Controller's authorised users of the ReqFit service. (b) Individuals named or otherwise identified within RFP and proposal documents uploaded by the Controller, who may include the Controller's own personnel, the Controller's contractors and referees, personnel of the issuing authority, and (less commonly) personnel of third-party organisations referenced in the documents. |
| Special category data and criminal offence data | The Processor does not require, request, or knowingly Process special category Personal Data (within the meaning of Article 9 UK GDPR) or criminal offence data (within the meaning of Article 10 UK GDPR) on behalf of the Controller. The Controller should not upload documents containing such data without notifying the Processor in advance and agreeing additional safeguards in writing. |
| Frequency of Processing | Continuous during the Controller's use of the ReqFit service; specific Processing events occur each time the Controller uploads documents for review. |
Schedule 2 — Technical and Organisational Measures
The Processor implements the technical and organisational measures set out below to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, and unauthorised access. These measures reflect the state of the art, the costs of implementation, and the nature, scope, context, and purpose of the Processing, as required by Article 32 of the UK GDPR.
The Processor reviews these measures periodically and at least annually. The Processor may amend these measures from time to time provided that no amendment materially reduces the overall level of security.
1. Pseudonymisation and encryption
| Control | Implementation |
|---|---|
| Encryption in transit | All connections to the ReqFit service use TLS 1.3 (or later) with industry-standard cipher suites. HTTP Strict Transport Security (HSTS) is enforced. |
| Encryption at rest | All Customer Personal Data held in Google Cloud Storage and Firestore is encrypted at rest using Google-managed encryption keys (AES-256). |
| Authentication credentials | Passwords are hashed using a memory-hard, salted, industry-standard algorithm. The Processor does not store plain-text passwords. |
| Document handling | Uploaded RFP and proposal documents are processed in memory and held in object storage only for the minimum period necessary to generate the review report. |
2. Ability to ensure ongoing confidentiality, integrity, availability, and resilience
| Control | Implementation |
|---|---|
| Production environment | Google Cloud Platform, europe-west2 (London) region for customer relationship data (Firestore) and customer review content (Cloud Storage). Cloud Run for application compute (stateless). |
| Architecture | Fully managed cloud services only. No customer-managed virtual machines or operating systems. Cloud Run services are internet-isolated; outbound access via Cloud NAT. |
| Boundary protection | Google Cloud Armor configured on the production load balancer, including rate-throttling policies for DDoS and DoS prevention. |
| Source control and release | All production source code held in private GitHub repositories under the CASM Labs organisation. Branch protection enabled on default branches; merges require pull requests with passing CI status checks. Production deployments require a manual GitHub Action to create a CalVer release tag and promote that release. |
| Credential management | Dynamic credentials (Workload Identity Federation) preferred for inter-service authentication. Static secrets, where necessary, held in GitHub Actions Secrets scoped per environment (production, development), encrypted at rest, never committed to source code. |
| Dependency management | pnpm package manager with Dependabot enabled. Vulnerability alerts reviewed weekly. Critical and high-severity issues always resolved within the Cyber Essentials 14-day expectation. |
3. Ability to restore availability and access to Personal Data in a timely manner
| Control | Implementation |
|---|---|
| Firestore | Daily scheduled backups with 7-day retention, in addition to inherited Google platform redundancy. |
| Cloud Storage | Google-managed encryption and platform redundancy. Object versioning is deliberately disabled on customer review content buckets, reflecting the storage-limitation principle under UK GDPR Article 5(1)(e). Review content is not retained beyond the periods set out in Clause 11.2 of this DPA. |
| Source code | Git history (indefinite) plus GitHub platform redundancy. |
| Business documents | Google Workspace (Drive, Docs, Sheets, Slides) with version history (30 days), Drive Trash (30 days), and admin-level Vault recovery. |
| Recovery testing | The Processor's directors verify, at least once per quarter, that file recovery from Google Drive version history operates as expected. |
| Financial records | Held in Xero with platform-managed backup; also reflected in Paddle (Merchant of Record) and the Processor's business bank account. |
4. Process for regularly testing, assessing, and evaluating the effectiveness of measures
| Control | Implementation |
|---|---|
| Independent assurance | The Processor is pursuing Cyber Essentials self-assessed certification under the UK National Cyber Security Centre scheme administered by IASME. |
| Inherited platform certifications | Google Cloud Platform: ISO/IEC 27001, ISO/IEC 27017, ISO/IEC 27018, SOC 2 Type II, SOC 3. Google Workspace: equivalent set. These are inherited assurances, not a substitute for the Processor's own controls. |
| Annual review | The Processor reviews these measures, the cloud services inventory, and the asset and software registers at least annually and after any material change in architecture. |
| Logging and monitoring | Google Cloud Audit Logs (Admin Activity, System Event, and Data Access for Cloud Storage in production) reviewed via Google Cloud Operations Suite. Budget alerts configured as anomalous-activity tripwires. |
5. User access control and authentication
| Control | Implementation |
|---|---|
| Multi-factor authentication | Multi-factor authentication is enabled on every cloud service that supports it. Confirmed services include: Google Workspace (passkey 2SV for both directors), Google Cloud Platform, GitHub, Xero, Paddle, HubSpot, iubenda, Crisp, Buffer, and Loops. |
| Password policy | Minimum length 12 characters (or 14 where MFA is not technically possible). Passwords generated and stored in approved password managers (Google Password Manager, iCloud Keychain). Industry-standard "change-on-compromise" rather than time-based rotation, in line with NCSC guidance. |
| Administrative access | Administrator and standard user accounts are separated on both in-scope laptops. Day-to-day work is performed using standard accounts. |
| Human access to Customer Personal Data | Two human principals only (the Processor's two directors). Explicit deny on Cloud Storage reads for both director accounts in production. Just-in-time elevation required to read customer review content, with a documented reason and audit trail logged. |
| Service accounts | Defined and managed via Terragrunt and OpenTofu in source-controlled configuration. Each Cloud Run service runs as its own dedicated least-privilege service account. No ad-hoc service accounts created in the console. |
| Workforce | Two directors. No employees, no contractors with access to Customer Personal Data. Joiner / mover / leaver processes documented and proportionate. |
6. Device and endpoint security
| Control | Implementation |
|---|---|
| In-scope devices | Two laptops (one Windows, one macOS). Both encrypted at rest (BitLocker / FileVault), with software firewall enabled, anti-malware (Windows Defender / macOS XProtect) enabled and auto-updating, and OS auto-updates enabled. |
| Patching cadence | Critical and high-severity OS and application updates applied within 14 days. |
| In-scope software | Inventoried in the Processor's software register. All in vendor support. |
| Device loss procedure | Documented in the Processor's user account management policy: remote sign-out, password reset on all critical services, replacement device set up from cloud-resident data. |
7. Confidentiality of personnel
| Control | Implementation |
|---|---|
| Personnel under confidentiality | Both directors are bound by statutory directors' duties of confidentiality (Companies Act 2006) and by the terms of any shareholders' or operating agreement between them. No third party has access to Customer Personal Data without first being bound by equivalent written confidentiality obligations. |
| Training | Both directors are familiar with UK GDPR requirements and the Processor's information security policies. Records of policy acknowledgement are maintained. |
8. Data Processing logs and accountability
| Control | Implementation |
|---|---|
| Processing records | The Processor maintains records of Processing activities as required by Article 30 of the UK GDPR. |
| Audit trail for customer data access | Cloud Audit Logs (Admin Activity, System Event, and Data Access on production Cloud Storage) provide a provable trail of access to Customer Personal Data. |
| Application logging | Privacy-friendly application and access logs held in Google Cloud Operations Suite. The Processor does not log Customer Personal Data document content. |
Schedule 3 — Approved Sub-processors
The Processor uses the following Sub-processors in connection with the provision of the ReqFit service. The list is current as at the last updated date shown at the foot of this page. The Processor will notify the Controller of any change in accordance with Clause 7 of this DPA.
| Sub-processor | Entity and address | Role and Processing activity | Customer Personal Data involved | Location of Processing |
|---|---|---|---|---|
| Google Cloud Platform (Cloud Run, Cloud Storage, Firestore, Cloud NAT, Cloud Operations Suite) | Google Cloud EMEA Limited, 70 Sir John Rogerson's Quay, Dublin 2, D02 R296, Ireland | Cloud infrastructure: application compute, document storage, customer relationship database, audit logging, network egress | All Customer Personal Data Processed in the ReqFit service | europe-west2 (London) for Cloud Storage and Firestore production data |
| Google Cloud Vertex AI | Google Cloud EMEA Limited, 70 Sir John Rogerson's Quay, Dublin 2, D02 R296, Ireland | Generative AI inference for the proposal review pipeline. Google's terms for Vertex AI prohibit Customer Personal Data from being used to train Google's foundation models. | Customer Personal Data contained in RFP and proposal documents, during the in-memory inference window only | Region selected for performance and capacity; may be outside the United Kingdom. Transfer mechanism: see Schedule 4 |
| iubenda | iubenda s.r.l., Via San Raffaele, 1, 20121 Milan, Italy | Hosting of the Processor's customer-facing privacy policy and cookie policy; consent management for the reqfit.com website | Service log data (IP address, consent state) for visitors to reqfit.com only. Does not Process Customer Personal Data uploaded to the ReqFit service. | European Economic Area |
| Crisp | Crisp IM SARL, 2 boulevard de Launay, 44100 Nantes, France | Live chat support widget on reqfit.com and in the ReqFit service. Processes data that Data Subjects voluntarily submit through the chat (typically a name and message). | Contact data and message content submitted via chat | European Economic Area |
| Loops | Astrodon Corporation, 9450 SW Gemini Drive, PMB 22902, Beaverton, Oregon 97008-7105, USA | Transactional email (account verification, report delivery notifications) and marketing email (where the recipient has consented) | Name and email address of the Controller's authorised users | United States. Transfer mechanism: see Schedule 4 |
| Cloudflare | Cloudflare, Inc., 101 Townsend Street, San Francisco, CA 94107, USA | Content delivery, DDoS protection, and web application firewall for the reqfit.com domain | Service log data (IP address, request metadata) for visitors to reqfit.com only | Global edge network. Transfer mechanism: see Schedule 4 |
Note on Paddle (Merchant of Record)
For the avoidance of doubt, the parties acknowledge that CASM Labs utilises Paddle.com Market Limited ("Paddle") as its Merchant of Record for commercial transactions. Paddle acts as an independent Data Controller in respect of business relationship billing information, payment processing, and taxation compliance data collected during checkout. Paddle is not a Sub-processor of CASM Labs under the terms of this DPA, and its independent processing activities are governed strictly by the Paddle Privacy Policy at https://www.paddle.com/legal/privacy.
Schedule 4 — International Transfers
1. Transfers within the United Kingdom and European Economic Area
The following Sub-processors Process Customer Personal Data within the United Kingdom or the European Economic Area only, and no Restricted Transfer arises:
- Google Cloud Platform (Cloud Run, Cloud Storage, Firestore, Cloud NAT, Cloud Operations Suite), europe-west2 (London)
- iubenda, European Economic Area
- Crisp, European Economic Area
2. Transfers outside the United Kingdom
The following Sub-processors may Process Customer Personal Data outside the United Kingdom. In each case, the transfer is governed by the mechanism indicated.
| Sub-processor | Destination | Transfer mechanism |
|---|---|---|
| Google Cloud Vertex AI | Region selected for performance and capacity; may include the United States or other regions outside the UK and EEA | UK Extension to the EU-US Data Privacy Framework (where the importing entity is certified to the framework), or the UK Addendum to the EU Standard Contractual Clauses (Module 3: processor-to-processor), executed between the Processor and Google as part of Google's Cloud Data Processing Addendum |
| Loops (Astrodon Corporation) | United States | UK Extension to the EU-US Data Privacy Framework (where the importing entity is certified to the framework), or the UK Addendum to the EU Standard Contractual Clauses (Module 3: processor-to-processor) |
| Cloudflare | Global edge network (including the United States) | UK Extension to the EU-US Data Privacy Framework (where the importing entity is certified to the framework), or the UK Addendum to the EU Standard Contractual Clauses (Module 3: processor-to-processor) |
The Processor confirms that, in respect of each Restricted Transfer above, it has carried out (or will carry out before any Restricted Transfer occurs) a transfer impact assessment as required by Applicable Data Protection Law, taking into account the laws and practices of the destination country.
For enterprise customers
If you require a bilateral signed copy of this DPA as part of a formal procurement or vendor onboarding process, please contact security@reqfit.com. We will send you a Word version for execution.
Last updated: 24 May 2026. Contact: security@reqfit.com.