Handsom logo

Data Processing Agreement

Last updated: 4 March 2026 · Version 1.0

This Data Processing Agreement ("DPA") is entered into between:

| | | | -------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------- | | Controller | You, the Handsom customer ("Controller"), as identified in your Handsom account registration. | | Processor | HANDSOM LTD (company number NI733489), trading as Handsom, of 18 The Baths Ormeau Avenue, Belfast, United Kingdom, BT2 8HS ("Processor", "Handsom"). |

This DPA forms part of and is incorporated into the Handsom Terms of Service ("Terms") available at app.handsom.ai/terms-of-service. Capitalised terms not defined here have the meanings given in the Terms.

1. Definitions

In this DPA:

  • Data Protection Legislation means the UK GDPR, the Data Protection Act 2018, the EU GDPR (to the extent applicable), and any legislation implementing, amending, or replacing them.
  • Controller has the meaning given in Data Protection Legislation: the person who determines the purposes and means of processing.
  • Processor has the meaning given in Data Protection Legislation: the person who processes personal data on behalf of the controller.
  • Data Subject means the identified or identifiable natural person to whom the personal data relates.
  • Personal Data has the meaning given in Data Protection Legislation.
  • Processing has the meaning given in Data Protection Legislation and includes any operation performed on personal data.
  • Security Incident means any breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data.
  • Sub-processor means any third party engaged by Handsom to process Personal Data on behalf of the Controller in connection with the Handsom platform.

2. Subject Matter, Nature, and Purpose of Processing

2.1 Handsom processes Personal Data on behalf of the Controller solely to provide the platform services described in the Terms, including:

  • Hosting and executing workflows and User Applications built by the Controller
  • Storing User Content and Generated Code in the Controller's customer environment
  • Operating third-party integrations configured by the Controller (such as database, email, and payment services)
  • Providing platform infrastructure, monitoring, and support

2.2 The nature of processing includes storage, retrieval, transmission, execution, and deletion of Personal Data, as required to operate the platform.

2.3 The duration of processing is the period of the Controller's active account, plus 90 days after account closure (to allow data export), after which Personal Data is securely deleted.

3. Categories of Data Subjects and Personal Data

The Personal Data processed under this DPA may relate to the following categories of Data Subject and data, as determined by the Controller in building and operating their User Applications:

| Categories of Data Subject | Categories of Personal Data | | ------------------------------------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------ | | End users of the Controller's User Applications | Name, email address, profile data, authentication credentials, usage data, and any other data submitted by users of the Controller's application | | Controller's customers or contacts | Business contact details, transaction records, communications | | Any other natural persons whose data the Controller stores in their Handsom database | As determined by the Controller in building their application |

3.1 The Controller is responsible for ensuring that it has a lawful basis under Data Protection Legislation for each category of processing, and for providing appropriate notices to Data Subjects.

4. Processor Obligations

Handsom shall, in relation to any Personal Data processed in connection with the platform:

  • Process Personal Data only on documented instructions from the Controller, including as set out in these Terms and this DPA, unless required to do so by applicable law;
  • Ensure that persons authorised to process Personal Data are subject to appropriate obligations of confidentiality;
  • Implement and maintain appropriate technical and organisational security measures in accordance with clause 7 of this DPA;
  • Not engage Sub-processors without the Controller's prior written or general authorisation, as set out in clause 6;
  • Assist the Controller, where technically possible, in responding to Data Subject requests to exercise their rights under Data Protection Legislation;
  • Assist the Controller in ensuring compliance with the Controller's security, breach notification, impact assessment, and prior consultation obligations under Data Protection Legislation;
  • On termination of the Terms, delete or return all Personal Data to the Controller (at the Controller's election), unless applicable law requires continued retention;
  • Make available to the Controller all information reasonably necessary to demonstrate compliance with this DPA, and allow for and contribute to audits and inspections conducted by the Controller or an auditor mandated by the Controller, on reasonable notice and at the Controller's expense.

5. Controller Obligations

The Controller represents, warrants, and undertakes that:

  • It has a lawful basis under Data Protection Legislation for all Personal Data it processes through the platform, and for instructing Handsom to process such data;
  • It has provided all required notices to Data Subjects and obtained all required consents;
  • It will not instruct Handsom to process Personal Data in a manner that would cause Handsom to violate Data Protection Legislation;
  • It is responsible for the accuracy, quality, and legality of the Personal Data it submits to the platform;
  • It will implement appropriate technical and organisational measures to protect Personal Data it accesses through the platform, including protecting login credentials.

6. Sub-processors

6.1 The Controller grants Handsom general authorisation to engage Sub-processors as listed in Schedule 1 to this DPA, and as updated from time to time in accordance with this clause.

6.2 Handsom will give the Controller at least 30 days' prior written notice before adding or replacing any Sub-processor. If the Controller objects to a new or replacement Sub-processor, the Controller may terminate the Terms on written notice within 30 days of Handsom's notification, without penalty, if the objection cannot be resolved.

6.3 Handsom will impose on all Sub-processors data protection obligations equivalent to those in this DPA. Handsom remains responsible to the Controller for the performance of Sub-processors' obligations under this DPA.

7. Security

7.1 Handsom will implement and maintain technical and organisational measures appropriate to the risks presented by the processing, including the risks of accidental or unlawful destruction, loss, alteration, or unauthorised disclosure of or access to Personal Data. These include:

  • Encryption of Personal Data in transit (TLS 1.2 or higher) and at rest
  • Access controls ensuring that only authorised personnel can access Personal Data
  • Segregation of customer environments to prevent unauthorised cross-customer access
  • Monitoring and logging of access to production systems
  • Secure credential handling: API keys and secrets are encrypted at rest and are not exposed to AI agents
  • Regular security reviews and penetration testing (frequency: annually)

7.2 These measures reflect the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.

8. Security Incidents

8.1 Handsom will notify the Controller without undue delay, and in any event within 72 hours of becoming aware, of any Security Incident affecting Personal Data processed under this DPA.

8.2 The notification will include, to the extent available at the time: (a) a description of the nature of the Security Incident; (b) the categories and approximate number of Data Subjects affected; (c) the categories and approximate volume of Personal Data affected; (d) the likely consequences of the incident; and (e) the measures taken or proposed to address the incident.

8.3 Handsom will cooperate with the Controller and take reasonable steps to assist in investigating, mitigating, and remediating the Security Incident.

8.4 The Controller is responsible for notifying the relevant supervisory authority (such as the ICO) and affected Data Subjects as required by Data Protection Legislation.

9. International Transfers

9.1 Handsom will not transfer Personal Data outside the UK or EEA except where appropriate safeguards are in place, including UK International Data Transfer Agreements (IDTAs), Standard Contractual Clauses (SCCs), or where an adequacy decision applies.

9.2 The Sub-processors listed in Schedule 1 include providers based in the United States. Handsom has entered into appropriate transfer mechanisms with each such Sub-processor. Details are available on request at [email protected].

10. Data Subject Rights

10.1 Handsom will promptly notify the Controller of any request received directly from a Data Subject in relation to the processing under this DPA. Handsom will not respond to such requests without the Controller's prior written authorisation, except to inform the Data Subject that it has forwarded their request.

10.2 Handsom will assist the Controller in fulfilling its obligation to respond to Data Subject rights requests within the timescales required by Data Protection Legislation, including by providing access to relevant data, enabling deletion, and supporting the export of Personal Data in a portable format.

11. Liability

11.1 Each party's liability under this DPA is subject to the limitations set out in the Terms. Where both parties are responsible for damage caused by processing in breach of Data Protection Legislation, each party is liable only for the damage attributable to its own breach.

11.2 Handsom is not liable for any damage caused by processing carried out in accordance with the Controller's instructions, where Handsom has demonstrated that it was not at fault.

12. Term and Termination

12.1 This DPA remains in force for the duration of the Terms and terminates automatically on termination of the Terms.

12.2 On termination, Handsom will, at the Controller's election made within 90 days of termination: (a) securely delete all Personal Data processed under this DPA; or (b) return all Personal Data to the Controller in a portable format. After the 90-day window, Personal Data will be securely deleted.

13. General

13.1 This DPA forms part of the Terms and is governed by the same governing law (the law of Northern Ireland).

13.2 In the event of any conflict between this DPA and the Terms regarding the processing of Personal Data, this DPA shall prevail.

13.3 If Data Protection Legislation changes in a way that affects this DPA, Handsom may update this DPA on 30 days' notice.

Schedule 1 — Approved Sub-processors

The following Sub-processors are approved as at the date of this DPA:

| Sub-processor | Location | Service provided | Transfer mechanism | | ------------------------- | ------------------- | ------------------------------------------------------ | ------------------ | | Railway | USA (AWS us-east-1) | Server hosting; PostgreSQL database | UK IDTA / SCCs | | Vercel | USA / Global CDN | Client hosting; CDN | UK IDTA / SCCs | | Amazon Web Services (AWS) | USA / EU | S3 file storage; SQS messaging; EventBridge scheduling | UK IDTA / SCCs | | Stripe, Inc. | USA | Payment processing | UK IDTA / SCCs | | Resend | USA | Transactional email | UK IDTA / SCCs | | Sentry | USA | Error monitoring | UK IDTA / SCCs |

Schedule 2 — Technical and Organisational Security Measures

The following measures are implemented by Handsom as at the date of this DPA:

  • Encryption: All data in transit uses TLS 1.2 or higher. Data at rest (database, file storage, credentials) is encrypted using AES-256 or equivalent.
  • Access control: Access to production systems is restricted to authorised personnel only, with role-based access controls. Administrative access requires multi-factor authentication.
  • Credential isolation: API keys and secrets provided by Controllers are stored encrypted and handled exclusively at the platform infrastructure layer. They are not exposed to AI agents, other customers, or customer-facing interfaces.
  • Environment isolation: Each customer environment is independently deployed with isolated database and infrastructure. There is no shared database between customers.
  • Logging and monitoring: All access to production systems is logged. Security events are monitored via automated alerting. Error monitoring is provided by Sentry.
  • Vulnerability management: Dependencies are regularly audited for known vulnerabilities. Security patches are applied promptly.
  • Incident response: A documented incident response procedure is in place. Security Incidents are escalated to senior leadership and customers are notified within 72 hours in accordance with clause 8.
  • Data deletion: On account termination, Personal Data is securely deleted after the 90-day export window using industry-standard deletion procedures.
  • Sub-processor due diligence: All Sub-processors are assessed for security posture before engagement and are required to maintain equivalent security standards.

Signed for and on behalf of HANDSOM LTD (Handsom):

Name: _ Title: _ Date: _

Accepted by Controller on account registration (electronic acceptance).