RequireFlow← Back to site

Data Processing Addendum

Last updated · 30 April 2026

This Addendum forms part of our Terms of Service and applies whenever RequireFlow processes personal data on behalf of a Customer (the “Controller”). It reflects the requirements of UK GDPR Article 28.

1. Roles

You are the Controller of personal data you upload (e.g. stakeholder names and contact details). RequireFlow Ltd is the Processor.

2. Subject matter & duration

Subject matter: provision of the Service. Duration: the term of your subscription plus the 90-day deletion grace period.

3. Categories of data & data subjects

Business contact details and professional opinions of your employees and named stakeholders; workspace content uploaded by your users.

4. Processor obligations

  • Process personal data only on your documented instructions.
  • Ensure persons authorised to process the data are bound by confidentiality.
  • Implement appropriate technical and organisational measures (encryption in transit and at rest, RLS, audit logging, least-privilege access).
  • Assist you with data subject requests, DPIAs and breach notifications.
  • Notify you without undue delay (and within 72 hours) of any personal data breach.
  • On termination, delete or return personal data and delete existing copies (subject to legal retention).

5. Sub-processors

You authorise the sub-processors listed in our Privacy Policy. We will give 30 days' notice of any new sub-processor; you may object on reasonable data-protection grounds.

6. International transfers

Where personal data is transferred outside the UK/EEA, we rely on the UK International Data Transfer Agreement or the EU Standard Contractual Clauses with the UK Addendum.

7. Audit

You may request, no more than once per year, a copy of our most recent third-party security report (e.g. penetration test summary) under NDA, in lieu of an on-site audit.

8. Liability

Liability under this Addendum is subject to the limitations in the main Terms of Service.