1. Definitions
The defined terms in the UK GDPR — personal data, processing, data subject, controller, processor, supervisory authority and personal data breach — have the same meaning here.
In addition:
"Customer Data" means any data, documents, content or other materials uploaded to, processed by, or generated on the Appliance by or on behalf of the Controller, including any personal data contained in them.
"Quotation" means the written quotation we issue to the Controller specifying the Services.
"Services" means the design, build, configuration, supply, installation and (where applicable) ongoing support and maintenance of a private on-premises AI system supplied by us under the Quotation, our Customer Terms of Sale and Service, or any other agreement between us.
"Trial-Preparation Phase" means any period during which Customer Data is held by us at our premises in advance of delivery of the Appliance to the Controller.
2. Subject matter, duration, nature and purpose of processing
UK GDPR Article 28(3) requires every DPA to record the following:
Subject matter — Processing of Customer Data, including documents and metadata, to enable the design, configuration, indexing, testing and ongoing operation of a private on-premises AI system for the Controller.
Duration — From acceptance of the DPA until the end of the Services (including any agreed transition period), at which point we return or delete the Customer Data.
Nature of processing — Storage, ingestion, classification, indexing, retrieval, configuration, testing and (where instructed) deletion of Customer Data; and provision of remote and on-site support services.
Purpose — Delivery of the Services to the Controller.
Categories of data subjects — Employees, contractors, clients, suppliers and other individuals referenced in the Controller's documents.
Categories of personal data — Determined by what the Controller chooses to load. Typically includes names, business contact details, employment details and the contents of business correspondence. May include special-category personal data (Article 9) or criminal-offence data (Article 10) depending on the Controller's industry.
3. Our obligations as Processor
We will:
3.1 process personal data only on the documented instructions of the Controller (the Quotation, our Customer Terms of Sale and Service, this DPA, and any subsequent written instructions), unless required to do otherwise by law;
3.2 ensure that any personnel authorised to process the data are bound by written confidentiality obligations;
3.3 implement and maintain the technical and organisational measures set out in Schedule 1 below;
3.4 not engage any sub-processor to process Customer Data without the Controller's prior written authorisation, except as expressly provided in section 4;
3.5 assist the Controller in responding to requests from data subjects exercising their rights under the UK GDPR, taking into account the nature of the processing;
3.6 assist the Controller in meeting its obligations under Articles 32–36 of the UK GDPR (security of processing, breach notification, data protection impact assessments, prior consultation);
3.7 notify the Controller of any personal data breach affecting Customer Data without undue delay, and in any event within 72 hours of becoming aware of it;
3.8 at the Controller's choice, delete or return all Customer Data at the end of the Services, and provide written confirmation of deletion or return on request;
3.9 make available all information reasonably necessary to demonstrate compliance with this DPA, and submit to audits by the Controller or its authorised auditor on reasonable notice; and
3.10 immediately inform the Controller if, in our opinion, an instruction from the Controller would infringe the UK GDPR or other applicable law.
4. Sub-processors
As at the date of this DPA, we do not engage any sub-processor to process Customer Data on the Controller's behalf. All Customer Data is processed exclusively by Onsite Intelligence personnel using Onsite-Intelligence-controlled equipment.
If we wish to engage a new sub-processor in future to process Customer Data, we will give the Controller at least 30 days' prior written notice before doing so. The Controller may object on reasonable data-protection-related grounds; if we cannot reach agreement, either party may terminate the affected Services on 14 days' notice. We remain fully liable to the Controller for the acts and omissions of any sub-processor as if they were our own.
For transparency: the suppliers we use for our own internal business administration — Microsoft Corporation (Microsoft 365 for our email and document collaboration), GoDaddy Operating Company LLC (our domain and email infrastructure), and Squarespace, Inc. (our public-facing website) — do not process Customer Data and are accordingly not sub-processors for the purposes of this DPA. They are listed in our Information Security & Data Protection Plan for transparency.
5. International transfers
We do not transfer Customer Data outside the United Kingdom in the course of providing the Services. Customer Data is processed at our premises in Macclesfield, Cheshire during any Trial-Preparation Phase, and on the Appliance located at the Controller's premises during normal operation.
If circumstances ever require an international transfer, we will not proceed without the Controller's prior written authorisation and an appropriate transfer mechanism (such as the UK International Data Transfer Agreement or the UK Addendum to the EU Standard Contractual Clauses).
6. Liability
The parties' liability under or in connection with this DPA is subject to the limitations and exclusions of liability set out in our Customer Terms of Sale and Service or other written agreement under which the Services are supplied — except where such limitation or exclusion is prohibited by the UK GDPR, the Data Protection Act 2018, or other applicable law.
7. Term and termination
This DPA takes effect on signature and continues for so long as we process Customer Data on behalf of the Controller. On termination of the Services for any reason, this DPA continues to apply until we have returned or deleted all Customer Data in accordance with section 3.8.
8. Governing law and jurisdiction
This DPA is governed by the law of England and Wales. Any dispute will first be referred to mediation; if not resolved within 30 days, the courts of England and Wales have exclusive jurisdiction.
Schedule 1 — Technical and organisational measures
We implement and maintain the following technical and organisational measures to protect Customer Data, in fulfilment of Article 32 of the UK GDPR. The measures listed describe what we currently do; planned improvements are recorded in our Security Hardening Roadmap, available on request.
Local-only architecture — Customer Data is processed and stored only on the Appliance located at the Controller's premises during normal operation. No Customer Data is transmitted to any third-party AI service, cloud provider, or any system outside the Controller's network during normal operation.
Trial-preparation handling — During any Trial-Preparation Phase, Customer Data is held only on a network-isolated workstation at our premises. Documents are deleted on delivery of the Appliance, and a written deletion confirmation is issued within 5 working days. The Trial-Preparation Phase is time-bounded and does not exceed 14 days without the Controller's written agreement.
Encryption in transit — The Appliance web user interface uses HTTPS (TLS 1.2 or higher). Database and inference services bind to the local loopback interface only. Enforced SMB3 encryption for file-share traffic and PostgreSQL TLS are scheduled for production deployments — see our Security Hardening Roadmap for target dates.
Encryption at rest — Full-disk encryption (LUKS, AES-256-XTS) and encrypted backup archives are scheduled for implementation before any production (paid) deployment. Trial appliances are protected by physical and logical access controls in the interim; this trade-off is disclosed to every trial customer in writing.
Physical access controls — We operate from registered premises in Macclesfield, Cheshire. Premises are locked when unattended; access to systems holding Customer Data is restricted to the director; the premises are not customer-facing or publicly accessible.
Logical access controls — Least-privilege operating-system accounts; application-level role separation (admin / user) with destructive operations gated to admin role; bcrypt password hashes; signed-cookie sessions with an 8-hour lifetime. Two-factor authentication, account lockout, and self-service password reset are scheduled — see our Security Hardening Roadmap.
Activity logging — Append-only audit log on the Appliance recording document state changes, login attempts, administrative actions and backup operations. Retained for the duration of the Services and not pruned.
Data minimisation — We process only the documents the Controller chooses to load into the Appliance. We do not crawl, ingest from email, or pull from cloud storage without explicit instruction. Off-Appliance Customer Data we hold is limited to engagement contact details and the completed onboarding questionnaire.
Deletion at end of Services — Documented deletion procedure covering database rows, file-system content, embeddings, user accounts and backup archives. A written deletion certificate is issued to the Controller. Cryptographic-erase procedure aligned with NIST SP 800-88 Rev. 2 is scheduled to land alongside full-disk encryption.
Personnel — Onsite Intelligence Ltd is currently a sole-director company. The director is the only individual with access to Customer Data. A DBS basic check is available on request. Any future personnel with access to Customer Data will be subject to a pre-engagement DBS basic check and a written confidentiality clause; this Schedule will be re-issued at that point.
Software supply chain — All AI inference runs on the Appliance using open-weight models (Apache 2.0 / MIT licences). No call is made to OpenAI, Anthropic, Azure OpenAI, AWS Bedrock, Google Vertex, or any other third-party AI inference service in the course of processing Customer Data.
Incident response — Documented incident response procedure covering detection, containment, assessment, ICO notification within 72 hours where applicable, Controller notification, remediation and post-incident review.
Annual review — These measures and our full Information Security & Data Protection Plan are reviewed at least annually, with out-of-cycle updates issued whenever a roadmap item is implemented or an incident requires a change.
Our Information Security & Data Protection Plan and Security Hardening Roadmap are available to customers and prospective customers on request, under the Mutual NDA signed at the start of the engagement. Both documents describe what we currently do honestly and set out planned improvements with target dates — we do not claim controls we have not yet implemented.
Schedule 2 — Authorised sub-processors
As at the date of this DPA, we do not engage any sub-processor to process Customer Data on the Controller's behalf.
We will update this Schedule and notify Controllers in advance of any proposed change, in accordance with section 4.
Questions about this document?
If you have any questions about how we handle personal data, or you would like a draft of the signing version of this document for your records or your solicitor's review, please contact:
Austin Parkinson, Director
Onsite Intelligence Ltd
6 Grisedale Way, Macclesfield, Cheshire, SK11 7XT
austin.parkinson@onsiteintelligence.co.uk · onsiteintelligence.co.uk
ICO registration: ZC133805