Data Processing Agreement

Last updated: 2026-05-07

Draft — not yet legally reviewed. This document is a structured placeholder pending review by a UK solicitor. It is not yet in force.

1. Roles

The operator is the data controller. DeliveryHub (operated by Simona Evgenieva, UK sole trader) is the data processor for personal data the operator enters about its drivers.

2. Subject matter and duration

Processing is for the duration of the operator’s subscription plus a 30-day deletion window for non-financial data. Financial records are retained for 6 years per HMRC self-billing rules.

3. Categories of data subjects and data

Drivers (full name, address, UTR, VAT number, vehicle registration, financial entries, signatures, vehicle-check photos) and operator admin users (name, email, login metadata).

4. Sub-processors

List to be finalised. Includes Supabase (Postgres + Auth), Cloudflare R2, Stripe, Resend, Sentry, Vercel. Operators will be notified by email at least 14 days before any new sub-processor is engaged, with a right to object.

5. Security measures

Row-level security on all customer-scoped tables, TLS in transit, encrypted storage, server-mediated access to object storage, and an immutable audit log of money-affecting mutations.

6. International transfers

UK/EU primary. SCCs / IDTA detail to be added.

7. Audit rights

The operator may request sub-processor SOC 2 reports where available. On-site audits are available on reasonable notice and at the operator’s cost.

8. Return and deletion

On termination, the operator may export their data for 30 days, after which non-financial personal data is deleted. Financial records are retained as above.

9. Liability

Limits and indemnities to be drafted. Particular attention is required given the trading entity is a sole trader.