Data Processing Agreement
Effective date: 23 May 2026
This Data Processing Agreement ("DPA") forms part of the Terms of Service between InnovPath Professional Services ("AssuranceLoop", "Processor") and the customer ("Customer", "Controller") and applies to the processing of personal data carried out by AssuranceLoop on behalf of the Customer in connection with the Service.
Capitalised terms not defined in this DPA have the meanings given in the Terms of Service or, where applicable, in the UK or EU General Data Protection Regulation (the "GDPR").
1. Subject matter, duration, nature & purpose
- Subject matter: processing of Customer Personal Data necessary to provide the Service.
- Duration: for the term of the Customer's subscription, plus the post-termination export and deletion periods set out below.
- Nature & purpose: hosting, storage, transmission, computation, backup and access control required to operate the AI governance platform.
- Categories of data subjects: Authorised Users of the Customer's workspace and any individuals referenced in Customer Data.
- Types of personal data: identifiers (name, email), workspace membership and roles, authentication metadata, and any personal data the Customer chooses to upload as part of AI system inventories, assessments and evidence.
2. Roles & instructions
The Customer is the Controller and AssuranceLoop is the Processor in respect of Customer Personal Data. AssuranceLoop will process Customer Personal Data only on documented instructions from the Customer, including the instructions embodied in the configuration and use of the Service. AssuranceLoop will inform the Customer if, in its opinion, an instruction infringes the GDPR.
3. Confidentiality
AssuranceLoop ensures that personnel authorised to process Customer Personal Data are bound by appropriate confidentiality obligations and are granted access on a need-to-know basis.
4. Security measures (Article 32)
Taking into account the state of the art, AssuranceLoop implements appropriate technical and organisational measures including:
- Encryption of personal data in transit (TLS 1.2+) and at rest.
- Workspace isolation enforced at the database level via row-level security policies.
- Role-based access control inside the Service (Owner, Admin, Reviewer).
- Private storage buckets for evidence files with short-lived signed URLs.
- Logical separation of customer data; no commingling of data between tenants.
- Logging and monitoring of administrative and authentication events.
- Principle of least privilege, multi-factor authentication and regular access reviews for staff with production access.
- Documented vulnerability management and patching processes.
- Backup and disaster recovery with regular restore testing.
5. Subprocessors
The Customer grants general written authorisation for AssuranceLoop to engage subprocessors. AssuranceLoop will:
- Maintain a list of subprocessors and make it available on request.
- Impose data protection obligations on each subprocessor that are no less protective than those in this DPA.
- Inform the Customer of intended additions or replacements of subprocessors with reasonable advance notice, giving the Customer the opportunity to object on reasonable data-protection grounds.
- Remain liable for the acts and omissions of its subprocessors as if performed by AssuranceLoop.
Current subprocessors include: Lovable Cloud (Supabase) for hosting and database (EU region); a transactional email provider; an error monitoring service.
6. International transfers
Where Customer Personal Data is transferred outside the UK or EEA, the parties incorporate by reference: (a) the UK International Data Transfer Agreement issued by the ICO; and (b) Modules 2 and 3 of the European Commission's Standard Contractual Clauses (Implementing Decision (EU) 2021/914), as applicable. AssuranceLoop will support transfer impact assessments on request.
7. Data subject requests
Taking into account the nature of the processing, AssuranceLoop provides functionality in the Service that enables the Customer to respond to data subject requests (access, rectification, erasure, portability) directly. Where additional assistance is reasonably required, AssuranceLoop will provide it without undue delay.
8. Personal data breach notification
AssuranceLoop will notify the Customer without undue delay, and in any event within 72 hours of becoming aware, of any personal data breach affecting Customer Personal Data. The notice will describe, to the extent known: the nature of the breach, categories and approximate number of data subjects and records concerned, likely consequences, and measures taken or proposed to address it.
9. Audit rights
AssuranceLoop will make available to the Customer all information necessary to demonstrate compliance with Article 28 GDPR. The Customer may exercise audit rights by reviewing AssuranceLoop's most recent security assessment and certifications. Where a more detailed audit is reasonably required, the parties will agree timing, scope and reasonable costs in advance.
10. Return & deletion
On termination of the Service, the Customer may export Customer Data using the in-product exports for thirty (30) days. After this period, AssuranceLoop will delete or anonymise Customer Personal Data within a further thirty (30) days, except to the extent retention is required by law. AssuranceLoop will certify deletion on request.
Annex — Description of processing
The categories of data subjects, types of personal data, nature and purpose of processing, and security measures are as described in clauses 1 and 4 above. This DPA, together with the Terms of Service and Privacy Notice, constitutes the complete description required by Article 28(3) GDPR.