Last updated: 21 April 2026
Data processing addendum (DPA)
Template under legal review. This document is a working draft and has not yet been reviewed by qualified counsel. It must not be published externally without review and should not be relied upon as legal advice.
This DPA forms part of any Master Services Agreement between you ("Controller") and RegSpace Ltd ("Processor") for the provision of the RegSpace platform (the "Service"). Terms not defined here have the meaning given in the UK GDPR and EU GDPR.
1. Scope and roles
You are the Controller of personal data submitted to or generated within the Service. RegSpace acts as Processor. For telemetry and security monitoring of the Service itself, RegSpace acts as an independent Controller on a limited basis.
2. Nature and purpose of processing
Processing is carried out to provide the Service: ingesting your policy documents, monitoring primary-source regulators, generating regulatory intelligence outputs, and supporting review and delivery workflows.
3. Types of personal data and categories of data subject
Account data relating to your personnel authorised to use the Service; any personal data incidentally contained in submitted policies or regulator outputs. We discourage submission of special-category data and will flag suspected special-category content to you for removal.
4. Duration
Processing continues for the term of the Master Services Agreement and up to 30 days after termination for export and secure deletion.
5. Processor obligations
- Process personal data only on your documented instructions.
- Ensure personnel authorised to process personal data are bound by confidentiality obligations.
- Implement the technical and organisational measures described in our security page.
- Engage only approved sub-processors (see our sub-processor list), with contractual terms no less protective than this DPA.
- Assist you in responding to data-subject requests, DPIAs, and regulator enquiries.
- Notify you of a personal-data breach without undue delay.
6. International transfers
Where a transfer outside the UK or EEA occurs, the parties rely on the UK International Data Transfer Agreement or the EU Standard Contractual Clauses, supplemented by the Transfer Impact Assessment we maintain and will provide on request.
7. Audit
We will provide you with reasonable information to demonstrate compliance with this DPA, including our SOC 2 report when available. On reasonable notice and during business hours, you may conduct an audit of our compliance no more than once per year; costs of audits beyond our standard security pack are borne by you.
8. Return or deletion
On termination, we will, at your option, delete or return all personal data and delete existing copies, subject to legal retention obligations.
9. Liability
Liability under this DPA is subject to the limitation-of-liability provisions of the Master Services Agreement.
10. Contact
For DPA-related matters, contact privacy@regspace.ai.