Legal Review in Progress

This Data Processing Agreement is currently under legal review and will be finalized before public launch. Last updated: 15 February 2026

Data Processing Agreement

GDPR Article 28 Compliance | Last updated: 15 February 2026

Introduction

This Data Processing Agreement ("DPA") forms part of the contract between you ("Customer", "Data Controller") and AI Governance Hub, operated by ITNextGen Limited ("Processor", "we", "us"), for the use of the AI Governance Hub platform ("Services").

This DPA reflects the parties' agreement on the processing of Personal Data in accordance with the requirements of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

1. Definitions

In this DPA:

  • "Personal Data" means any information relating to an identified or identifiable natural person processed using the Services
  • "Data Controller" means the Customer who determines the purposes and means of processing Personal Data
  • "Data Processor" means AI Governance Hub (ITNextGen Limited), who processes Personal Data on behalf of the Data Controller
  • "Sub-processor" means any third-party processor engaged by the Processor
  • "Data Subject" means the individual to whom Personal Data relates

2. Scope and Duration of Processing

2.1 Subject Matter

The Processor will process Personal Data as necessary to provide the Services, including storing, retrieving, and displaying Customer data via the AI Governance Hub platform.

2.2 Duration

Processing will continue for the duration of the subscription period and for 30 days thereafter to allow data export. After 30 days, all Personal Data will be securely deleted.

2.3 Nature and Purpose of Processing

The Processor will process Personal Data to:

  • Provide access to the AI Governance Hub platform
  • Store and retrieve Customer data (AI system details, risk assessments, documents)
  • Generate compliance reports and PDFs
  • Provide customer support
  • Detect and prevent fraud or security incidents

2.4 Types of Personal Data

The Processor may process the following categories of Personal Data:

  • Account Data: Email addresses, organization names, user roles
  • AI System Data: AI system descriptions, vendor names, deployment dates, risk levels
  • Risk Assessment Data: Questionnaire responses, risk scores, mitigation notes
  • AIIA Content: Impact assessment text, consultation records
  • Documents: Uploaded files and metadata (policies, assessments, contracts)
  • Usage Data: Log data, analytics, error reports

2.5 Categories of Data Subjects

  • Customer employees and users of the Services
  • Individuals referenced in Customer data (e.g., AI system owners, data subjects of AI systems)

3. Processor Obligations

3.1 Processing Instructions

The Processor shall process Personal Data only on documented instructions from the Data Controller, unless required to do so by UK law. The initial instructions are set out in this DPA and the Terms of Service.

3.2 Confidentiality

The Processor shall ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

3.3 Security Measures

The Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

  • Encryption of Personal Data at rest (AES-256) and in transit (TLS 1.2+)
  • Row-Level Security (RLS) policies to prevent unauthorized data access
  • Multi-factor authentication (MFA) for administrative access
  • Regular security audits and penetration testing
  • Automated backups with encryption
  • Access controls and audit logging
  • Incident response procedures

3.4 Sub-processors

The Data Controller consents to the Processor engaging the following Sub-processors:

Sub-processor | Service | Location
Supabase Inc. | Database and authentication | UK/EU data centers
Stripe Inc. | Payment processing | Global (GDPR-compliant)
Vercel Inc. | Hosting and CDN | Global (UK/EU-preferred)
Resend Inc. | Transactional email | Global (GDPR-compliant)
PostHog Inc. | Analytics (privacy-preserving) | EU data centers

The Processor will notify the Data Controller of any intended changes to Sub-processors with 30 days' notice, allowing the Data Controller to object.

3.5 Data Subject Rights

The Processor shall, to the extent possible, assist the Data Controller in responding to Data Subject requests to exercise their rights under UK GDPR (access, rectification, erasure, restriction, portability, objection).

3.6 Data Breach Notification

The Processor shall notify the Data Controller without undue delay (and in any case within 72 hours) after becoming aware of a Personal Data breach. Notification will include:

  • Nature of the breach
  • Categories and approximate number of Data Subjects affected
  • Likely consequences of the breach
  • Measures taken or proposed to address the breach

Breach Contact: security@aigovernancehub.uk

3.7 Data Protection Impact Assessments (DPIAs)

The Processor shall provide reasonable assistance to the Data Controller in conducting DPIAs where required by UK GDPR.

3.8 Audits and Inspections

The Processor shall make available to the Data Controller all information necessary to demonstrate compliance with this DPA and allow for audits. Audits may be conducted:

  • By providing SOC 2 / ISO 27001 certificates (when available)
  • Via questionnaire (annual)
  • On-site or remote audit (upon reasonable notice, at the Data Controller's expense, no more than once per year)

4. Data Controller Obligations

The Data Controller warrants that:

  • It has a lawful basis for processing Personal Data under UK GDPR
  • It has provided appropriate privacy notices to Data Subjects
  • It will not instruct the Processor to process Personal Data in a way that violates UK GDPR or other laws

5. International Data Transfers

Personal Data is primarily stored in UK/EU data centers. Where Sub-processors may transfer data outside the UK/EU, the Processor ensures appropriate safeguards are in place:

  • UK International Data Transfer Agreement (IDTA) or UK Addendum to SCCs
  • Adequacy decisions (e.g., EU-US Data Privacy Framework for certain processors)

6. Data Deletion and Return

Upon termination of Services or at the Data Controller's written request, the Processor shall:

  • Provide the Data Controller with 30 days to export their data (CSV, PDF, JSON formats available)
  • Delete or return all Personal Data after the 30-day period
  • Delete all existing copies unless UK law requires storage (e.g., financial records for 7 years for HMRC)

7. Liability and Indemnification

Each party's liability under this DPA is subject to the limitations and exclusions set out in the Terms of Service. The Processor shall indemnify the Data Controller against fines or penalties imposed on the Data Controller due to the Processor's non-compliance with UK GDPR, provided:

  • The Data Controller has complied with its obligations under this DPA
  • The breach was caused by the Processor's failure to follow documented instructions or negligence

8. Changes to This DPA

The Processor may update this DPA to reflect changes in UK GDPR requirements or Sub-processor arrangements. Material changes will be communicated 30 days in advance.

9. Governing Law

This DPA is governed by the laws of England and Wales and is subject to the exclusive jurisdiction of the courts of England and Wales.

10. Contact Information

Data Processor:
AI Governance Hub (ITNextGen Limited)
71-75 Shelton Street, Covent Garden
London, WC2H 9JQ
United Kingdom

Data Protection Contact: privacy@aigovernancehub.uk

Acceptance

By using the AI Governance Hub Services, the Data Controller accepts the terms of this Data Processing Agreement.