Note on relationship. For most Borrowsignal usage, the customer and Borrowsignal are each independent controllers of personal data, not controller-processor. The customer becomes controller of the UK director / company data we deliver, and processes it for their own marketing and underwriting purposes; we remain controller of the data we collect about the customer's account and of the data within our pipeline before delivery. The Article 28 DPA below applies only where Borrowsignal genuinely acts as a processor on the customer's behalf — for example, when an Enterprise customer asks us to host or filter their own first-party data. For the controller-to-controller relationship that covers Lead delivery, the obligations on each party are described in our Privacy Policy and Terms of Service.
1. Definitions
- Controller, Processor, Data Subject, Personal Data, Processing have the meanings in the UK GDPR.
- "Customer" means the Borrowsignal subscriber acting as Controller under this DPA.
- "Borrowsignal" means the Borrowsignal entity acting as Processor under this DPA.
- "Customer Personal Data" means any Personal Data the Customer instructs Borrowsignal to Process as a Processor.
- "Sub-processor" means a third party engaged by Borrowsignal to Process Customer Personal Data on Borrowsignal's behalf.
- "UK GDPR" means the UK General Data Protection Regulation as amended by the Data (Use and Access) Act 2025.
2. Subject-matter and duration
Subject-matter: provision of the Borrowsignal Service to the Customer. Duration: for the term of the Customer's subscription plus any post-termination return/deletion period in clause 11.
3. Nature and purpose of Processing
Borrowsignal will Process Customer Personal Data only to provide and maintain the Service in accordance with the Customer's documented instructions (these Terms, the Customer's filter configuration, and any reasonable written direction from the Customer).
4. Types of Personal Data and categories of Data Subject
- Customer account data: name, business email, login metadata of Customer users.
- Customer first-party data (if any imported): as designated by the Customer in writing.
- Categories of Data Subject: Customer's employees with dashboard access; Data Subjects whose information the Customer has chosen to import.
5. Customer obligations
The Customer warrants that it has a lawful basis under the UK GDPR for the Processing it instructs Borrowsignal to perform, has provided any required notices to Data Subjects, and has obtained any required consents.
6. Borrowsignal obligations
- Process Customer Personal Data only on the Customer's documented instructions.
- Ensure persons authorised to Process Customer Personal Data are bound by confidentiality.
- Implement and maintain the technical and organisational measures set out in Annex A.
- Not engage a new Sub-processor without the Customer's prior approval (clause 7).
- Assist the Customer in responding to Data Subject requests within reasonable timeframes.
- Assist the Customer with data protection impact assessments and prior consultations with the ICO where required.
- Notify the Customer of any Personal Data breach affecting Customer Personal Data within 72 hours of becoming aware.
- Make available to the Customer all information necessary to demonstrate compliance with this DPA, and allow audits as set out in clause 10.
- Immediately inform the Customer if, in Borrowsignal's opinion, an instruction infringes the UK GDPR.
7. Sub-processors
The Customer authorises Borrowsignal to engage the Sub-processors listed in Annex B for the purposes described there. Borrowsignal will inform the Customer of any intended additions or replacements of Sub-processors at least 30 days in advance. The Customer may object on reasonable data-protection grounds; if Borrowsignal cannot satisfy the objection, the Customer may terminate the affected portion of the Service with a pro-rated refund.
Borrowsignal will impose data-protection obligations no less protective than this DPA on each Sub-processor and remains liable for its Sub-processors' performance.
8. International transfers
If Borrowsignal or a Sub-processor transfers Customer Personal Data outside the UK, the transfer will be carried out using a valid transfer mechanism: the UK extension to the EU-US Data Privacy Framework where the recipient is certified; the UK International Data Transfer Agreement (IDTA) or Addendum to the EU SCCs in other cases; or another mechanism permitted under the UK GDPR.
Default region: London (lhr). Customer Personal Data is hosted in the UK / EEA unless the Customer explicitly opts into another region.
9. Security
Borrowsignal will implement and maintain the security measures set out in Annex A, and will keep them up to date with industry standards.
10. Audit
Borrowsignal will respond promptly to reasonable written audit requests by the Customer or its independent auditor. To minimise disruption, Borrowsignal may first satisfy an audit by providing recent third-party assessments, security questionnaires (SIG-Lite or similar), and architectural documentation. On-site audits are limited to once per year, on 30 days' notice, at the Customer's cost, and subject to a mutually-agreed scope and confidentiality undertaking.
11. Return and deletion
On termination of the subscription, Borrowsignal will, at the Customer's choice, return or delete all Customer Personal Data within 30 days, except where retention is required by law (e.g. UK accounting records). Audit logs containing minimal Personal Data are retained for 7 years per legal requirement.
12. Liability
Each party's liability under this DPA is subject to the limitation of liability in the Terms of Service.
13. Governing law
This DPA is governed by the laws of England and Wales.
Annex A — Technical and Organisational Measures
- Encryption in transit: TLS 1.2+ for all customer-facing endpoints; HSTS on web domains.
- Encryption at rest: AES-256 on database storage; secrets stored in managed secret stores, never in code repositories.
- Access control: least-privilege role-based access; multi-factor authentication enforced on all administrative access; production database accessible only over Tailscale or equivalent zero-trust network.
- Authentication: magic-link tokens with 15-minute TTL, single-use, SHA-256 hashed at rest; server-side session store.
- Logging: security-relevant events recorded in an immutable audit log retained 7 years.
- Backups: daily encrypted database snapshots retained 30 days; tested restore procedure.
- Vulnerability management: dependency CVE scanning on every deploy; security patches applied within 14 days for high-severity, 7 days for critical.
- Incident response: documented runbook; breach notification within 72 hours per clause 6.
- Personnel: all personnel with access to Customer Personal Data are bound by confidentiality.
- Data residency: UK / EEA hosting by default; international transfers only under valid mechanism (clause 8).
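To make the magic-link measure in Annex A concrete, the following is an added illustration, not Borrowsignal's own code (the page does not publish its implementation). It shows the three properties the annex names: a 15-minute TTL, single use, and only the SHA-256 hash of the token held at rest. The in-memory dictionary and the `now` parameter are assumptions standing in for a database table and the system clock so the example runs offline.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional

TOKEN_TTL_SECONDS = 15 * 60  # 15-minute TTL as stated in Annex A


@dataclass
class MagicLinkStore:
    """Server-side store of issued magic-link tokens (hypothetical, in-memory).

    Keys are sha256(token) hex digests: the raw token is emailed to the user
    and never persisted, so a copy of this store cannot be replayed as a link.
    """
    records: dict = field(default_factory=dict)

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, email: str, now: Optional[float] = None) -> str:
        """Create a single-use token for `email`; returns the raw token to send."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self.records[self._digest(token)] = {
            "email": email,
            "expires_at": now + TOKEN_TTL_SECONDS,
            "used": False,
        }
        return token

    def redeem(self, token: str, now: Optional[float] = None) -> Optional[str]:
        """Return the email bound to `token` on first valid use, else None.

        Lookup is by hash, so a leaked store exposes nothing redeemable; the
        token is marked used before returning so a second click is rejected.
        """
        now = time.time() if now is None else now
        rec = self.records.get(self._digest(token))
        if rec is None or rec["used"] or now > rec["expires_at"]:
            return None
        rec["used"] = True
        return rec["email"]

    def purge_expired(self, now: Optional[float] = None) -> int:
        """Drop expired or consumed records; returns how many were removed."""
        now = time.time() if now is None else now
        stale = [k for k, r in self.records.items()
                 if r["used"] or now > r["expires_at"]]
        for k in stale:
            del self.records[k]
        return len(stale)


if __name__ == "__main__":
    store = MagicLinkStore()
    t0 = 1_700_000_000.0  # constructed fixed clock for the demo
    raw = store.issue("user@example.invalid", now=t0)
    print("stored digests:", list(store.records))  # hashes only, never `raw`
    print("first redeem:", store.redeem(raw, now=t0 + 60))
    print("second redeem:", store.redeem(raw, now=t0 + 61))
```

On redemption the server would create a session record keyed by a fresh random id and set that id in a cookie, which is the "server-side session store" the annex refers to; the magic-link token itself is never reused as a session identifier.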
Annex B — Authorised Sub-processors
| Sub-processor | Purpose | Location |
|---|---|---|
| Dodo Payments | Subscription billing | Estonia (EU) |
| Resend | Transactional email delivery | US (EU-US DPF certified) |
| Fly.io | Application hosting | London (lhr) primary; US for control plane |
| Neon | Managed Postgres database | EU region (configurable) |
| Cloudflare | DNS, edge cache, static asset delivery | UK edge (global network) |
This list is current as of the "Last updated" date above. The live list is also available on request to [email protected].
How to execute
Enterprise customers may countersign this DPA in writing by emailing [email protected] with subject "DPA execution — <your company name>". A countersigned PDF will be returned within 5 working days.