Data Processing Agreement
Note for enterprise clients: This page summarises our data processing commitments. Enterprise clients requiring a fully executed Data Processing Agreement (DPA) as a standalone signed PDF document — including for FCA, DORA, or NHS compliance purposes — should contact legal@missionopsai.com.
1. Scope and Parties
This Data Processing Agreement ("DPA") is between MissionOpsAI Ltd (company registration number 14437210), acting as data processor ("Processor"), and the subscribing organisation ("Controller") as identified in the relevant Order Form or Terms and Conditions.
This DPA supplements and is incorporated into the Terms and Conditions between the parties. It governs the processing of personal data by MissionOpsAI Ltd on behalf of the Controller in connection with the MissionOpsAI Platform and associated services.
Both parties shall comply with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 in respect of all personal data processed under this DPA.
2. Details of Processing
Subject matter of processing
The provision of the Foundry AI operations management platform, including data storage, AI-assisted processing, and associated services.
Duration
For the term of the subscription agreement, plus any applicable retention periods thereafter.
Nature of processing
Storage, retrieval, organisation, structuring, use, analysis, and deletion of personal data as directed by the Controller.
Types of personal data
As determined by the Controller. May include names, email addresses, job titles, operational data, and any other personal data uploaded by the Controller to the Platform.
Categories of data subjects
As determined by the Controller. May include the Controller's employees, clients, contractors, or other individuals whose data the Controller uploads to the Platform.
3. Processor Obligations
MissionOpsAI Ltd, as Processor, shall:
- Process personal data only on documented instructions from the Controller, unless required to do so by law.
- Ensure that persons authorised to process personal data are subject to appropriate confidentiality obligations.
- Implement appropriate technical and organisational security measures in accordance with UK GDPR Article 32.
- Not engage sub-processors without the prior written consent of the Controller, or general authorisation as set out in this DPA.
- Assist the Controller in responding to data subject rights requests, data protection impact assessments, and in meeting its obligations under the UK GDPR.
- At the Controller's choice, delete or return all personal data at the end of the provision of services.
- Make available all information necessary to demonstrate compliance with this DPA and cooperate with audits conducted by the Controller or an appointed third party.
4. Sub-Processors
The Controller provides general authorisation for MissionOpsAI Ltd to engage the following sub-processors. We will notify the Controller of any intended changes and the Controller may object within 14 days:
| Sub-processor | Purpose | Location |
|---|---|---|
| Hetzner Online GmbH | Infrastructure hosting (servers, storage, networking) | Germany / Finland (EEA) |
| Anthropic (API) | AI language model inference only. Data transits for processing; Anthropic does not store or train on API data. | US (IDTA safeguards applied) |
| OpenAI (API) | AI language model inference only. Data transits for processing; OpenAI does not store or train on API data under enterprise terms. | US (IDTA safeguards applied) |
For AI inference sub-processors: personal data is transmitted only as required to fulfil an AI-assisted request within the Platform. Neither Anthropic nor OpenAI retain, store, or use this data for model training under our enterprise API agreements.
5. Security Measures
MissionOpsAI Ltd implements the following security measures in accordance with UK GDPR Article 32:
- Encryption of personal data at rest using AES-256.
- Encryption of personal data in transit using TLS 1.3.
- Role-based access controls limiting data access to authorised personnel only.
- Regular security assessments and vulnerability management.
- Incident response procedures with documented escalation paths.
- Regular backups with tested restoration procedures.
6. Personal Data Breach Notification
In the event of a personal data breach affecting the Controller's data, MissionOpsAI Ltd will notify the Controller without undue delay and, where feasible, within 72 hours of becoming aware of the breach. The notification will include the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed to address the breach.
7. Obtaining the Full Executed DPA
Enterprise clients requiring a fully executed DPA as a standalone signed document — for purposes including FCA regulatory compliance, DORA technical requirements, NHS supplier assurance, or internal governance — should contact us at legal@missionopsai.com. We will arrange prompt execution of a formal DPA document.