Legal
Data Processing Agreement
Last updated: May 2026
Scope
This agreement applies to institutional clients for whom DDRC processes personal data (e.g. staff accounts, audit findings) as a processor.
Processing
DDRC processes client data only on documented instructions, for the purposes of delivering the contracted services.
Security
Data is encrypted in transit (TLS), and sensitive fields are encrypted at rest. Audit findings and client communications are encrypted. Access is role-restricted and audited.
Sub-processors
A current list of sub-processors (hosting, email, payments) is available on request; clients are notified of material changes.
Sub-processor status
NOTE: email, payments, and hosting integrations are not yet wired in this build; this section will list the live providers once configured.
Data subject rights & deletion
DDRC assists clients in fulfilling data-subject requests, including erasure by anonymisation.