Legal
This Data Processing Addendum (“DPA”) forms part of the agreement between BEAQUA LTD and you. It sets out our obligations as a data processor when you use Beaqua to process personal data.
Introduction
Under the UK GDPR and Data Protection Act 2018, when you use Beaqua to extract data from documents containing personal information, you (the “Customer”) act as a data controller and BEAQUA LTD (the “Processor”) acts as a data processor. This DPA establishes our respective roles and obligations. References to “data subjects” mean the individuals whose personal data is contained in your uploaded documents.
Definitions
- Personal Data: Any information relating to an identified or identifiable natural person, as defined in Article 4(1) UK GDPR.
- Processing: Any operation performed on personal data, including extraction, analysis, storage, use, and deletion.
- Data Subject: An individual whose personal data is contained in documents you upload to Beaqua.
- Subprocessor: A third party engaged by us to process personal data on your behalf (e.g., cloud hosting provider, email service).
Scope and nature of processing
Subject matter: Document extraction and analysis.
Nature of processing: We store your uploaded documents, perform automated extraction of specified fields, generate confidence scores, store extracted results, and return those results to you in your requested format.
Purpose: Processing is performed solely to provide the Service as specified in your subscription and as instructed by you.
Categories of personal data: We process whatever personal data is contained in your documents. This may include: names and contact details, identification numbers, financial information, health data, employment details, or any other categories your documents contain.
Duration: We process personal data for the duration of your subscription and for 60 days following termination, unless you request earlier deletion.
Processor obligations
We commit to the following:
1. Process only on instruction
We process personal data only as instructed by you. We do not process data for our own purposes (except to the extent necessary to provide the Service and comply with legal obligations). If we receive a request from a data subject or authority that we believe requires your instruction, we will notify you and seek your guidance before acting.
2. Confidentiality
Our staff who handle personal data are bound by confidentiality obligations. We limit access to personal data to employees and contractors who need access to provide the Service, support you, or comply with legal obligations. All such individuals are subject to written confidentiality agreements.
3. Security
We implement appropriate technical and organisational security measures, including:
- Encryption of personal data in transit (TLS 1.2 or higher) and at rest.
- Role-based access controls to limit staff access.
- Regular security audits and vulnerability assessments.
- Incident response procedures.
- Physical security of data centres (via AWS and other subprocessors).
We maintain security documentation and are happy to provide security details under NDA. We undergo independent SOC 2 Type II audits; we can share the audit report on request.
4. Sub-processors
We engage the following subprocessors to process personal data on your behalf:
- AWS (Amazon Web Services) — cloud hosting, storage, backup. Region: EU-Frankfurt by default; UK-only available on Enterprise. https://aws.amazon.com
- Cloudflare — content delivery network, DDoS protection. https://www.cloudflare.com
- Resend — email delivery. https://resend.com
- Stripe — payment processing (for billing, not personal data from your documents). https://stripe.com
- Sentry — error logging and monitoring (logs contain metadata only, not document content). https://sentry.io
A complete, current list is maintained at /security.
Authorisation: You authorise us to engage these subprocessors. If we intend to add a new subprocessor or replace an existing one, we will notify you at least 30 days in advance. You may object to a new subprocessor on reasonable grounds relating to data protection; if you do, we will discuss alternative arrangements or, if no resolution is reached, you may terminate your subscription.
5. International transfers
Personal data is stored in the EU (AWS Frankfurt) by default. For Enterprise customers, UK-only residency is available on request.
To the extent personal data is transferred outside the UK or EEA (e.g., for AI model inference or support services), we rely on:
- UK IDTA (International Data Transfer Agreement) — for transfers to countries without adequacy decisions.
- EU Standard Contractual Clauses — for transfers within scope of EU GDPR.
We have assessed transfer mechanisms and remain compliant with Article 44 onwards, UK GDPR. You can request copies of transfer documentation at contact@m31g.com.
6. Personal data breach notification
If we become aware of a personal data breach (unauthorised or unlawful processing, accidental loss, alteration, or destruction), we will notify you without undue delay and, where feasible, within 48 hours of discovery. Our notification will include:
- A description of the breach.
- Likely consequences for data subjects.
- Measures we have taken or propose to take to mitigate harm.
- Your point of contact for further information.
You are responsible for notifying data subjects and the Information Commissioner’s Office (ICO) where required by Article 33-34 UK GDPR.
7. Your rights and assistance
We assist you in fulfilling data subject rights under UK GDPR, including:
- Access requests: We will provide you with a copy of personal data we hold on your behalf within 30 days (or 60 days for complex requests).
- Deletion requests: We will delete or anonymise personal data when you request it. Deletion is normally completed within 30 days.
- Rectification: We will correct inaccurate personal data on your instruction.
- Restriction: We will restrict processing of personal data during disputes or investigations, on your instruction.
- Portability: We will export personal data in a portable format (JSON, CSV) on your request.
To exercise data subject rights, data subjects should contact you. You will forward requests to us; we will respond to you, and you will respond to the data subject.
8. Audits and inspections
You have the right to audit our processing activities. We will:
- Provide annual SOC 2 Type II audit reports (available under NDA).
- Grant you reasonable access to relevant documentation, systems, and personnel for compliance verification.
- Co-operate with regulatory inquiries from the ICO or other authorities.
Audits must be scheduled at least 14 days in advance and conducted during normal business hours. We may charge a reasonable fee if audits are frequent or unusually burdensome.
Return or deletion of personal data
Upon termination of your subscription (or earlier, at your request), we will, at your election:
- Return all personal data in your uploaded documents in a portable format, or
- Securely delete all personal data and provide written confirmation.
Deletion is normally completed within 60 days. We may retain personal data beyond that period if required by law (e.g., billing records for 6 years).
Liability
Our liability under this DPA is limited to the liability cap in the main Terms of Service (12 months of fees or the monthly fee for new customers). This includes liability for data protection violations caused by us or our subprocessors.
Governing law
This DPA is governed by the laws of England and Wales and forms part of the main Terms of Service agreement.
Contact
For questions about this DPA, data protection obligations, or to exercise rights under UK GDPR, contact:
BEAQUA LTD
Email: contact@m31g.com
Security incidents: security@m31g.com
Questions about this document? Email contact@m31g.com.
BEAQUA LTD · 12 Orchard Way, Kings Sutton, Banbury, England, OX17 3PZ · Registered in England & Wales.