Data Processing Agreement
This Data Processing Agreement sets out the terms on which SEE Change Happen Ltd processes personal data on behalf of a Customer of The Trans Inclusion Toolkit, in accordance with Article 28 of the UK GDPR.
This Data Processing Agreement ("DPA") records the terms required by Article 28 of the UK GDPR where SEE Change Happen Ltd processes personal data on behalf of a Customer in connection with the Customer's use of The Trans Inclusion Toolkit. It is intended to be incorporated by reference into, and to form part of, the Subscription Terms (the "Main Agreement"). Until so incorporated and executed, this draft has no contractual effect.
1. Parties and Roles
1.1 This DPA is between:
- the Customer — the organisation that subscribes to The Trans Inclusion Toolkit under the Main Agreement (the "Controller"); and
- SEE Change Happen Ltd, a company registered in England and Wales under company number 13138905, whose registered address is 1 The Briars, Waterberry Drive, Waterlooville, PO7 7YH ("SEE Change Happen", the "Processor").
1.2 In relation to personal data processed by SEE Change Happen on the Customer's behalf under the Main Agreement, the Customer is the controller and SEE Change Happen is the processor, each as defined in the Data Protection Legislation. This DPA does not apply to personal data for which SEE Change Happen is itself the controller (for example, personal data collected through the public marketing website), which is governed by SEE Change Happen's Privacy Policy.
1.3 Incorporation. This DPA is intended to be incorporated by reference into the Main Agreement and to be read as one document with it. Entering into the Main Agreement is intended to constitute the Customer's and SEE Change Happen's agreement to this DPA. (The Main Agreement itself is not amended by this draft; incorporation will be given effect when the final version is settled.)
1.4 Each party warrants that it will comply with its respective obligations under the Data Protection Legislation. The Customer is responsible for establishing a lawful basis for the processing and for the lawfulness of the instructions it gives to SEE Change Happen.
2. Definitions
2.1 In this DPA:
- "Data Protection Legislation" means the UK GDPR, the Data Protection Act 2018, and all other laws relating to the processing of personal data and privacy that apply in the United Kingdom, as amended or replaced from time to time.
- "UK GDPR" means the retained EU law version of Regulation (EU) 2016/679 as it forms part of the law of England and Wales by virtue of the European Union (Withdrawal) Act 2018, and as amended.
- "controller", "processor", "data subject", "personal data", "processing", "personal data breach" and "special category data" have the meanings given to them in the Data Protection Legislation.
- "Customer Personal Data" means the personal data described in Annex A that SEE Change Happen processes on the Customer's behalf under the Main Agreement.
- "Sub-processor" means any third party engaged by SEE Change Happen to process Customer Personal Data on its behalf.
- "Authorised User" means the single named individual within the Customer's organisation to whom a subscription is licensed, as described in the Main Agreement.
2.2 Terms not defined in this DPA have the meanings given to them in the Main Agreement.
3. Scope of Processing
3.1 The subject matter, duration, nature and purpose of the processing, the categories of personal data, and the categories of data subjects are set out in Annex A.
3.2 SEE Change Happen shall process Customer Personal Data only for the purposes described in Annex A and as necessary to provide the services under the Main Agreement, and not for any other purpose.
4. Processor Obligations
4.1 Processing on documented instructions
SEE Change Happen shall process Customer Personal Data only on the Customer's documented instructions, including with regard to international transfers, unless required to do otherwise by law — in which case SEE Change Happen shall (where legally permitted) inform the Customer of that legal requirement before processing. The Main Agreement, this DPA, and the Customer's use of the platform's configuration options constitute the Customer's documented instructions. SEE Change Happen shall inform the Customer if, in its opinion, an instruction infringes the Data Protection Legislation.
4.2 Confidentiality of personnel
SEE Change Happen shall ensure that persons authorised to process Customer Personal Data are subject to an appropriate duty of confidentiality and access it only on a need-to-know basis.
4.3 Security
SEE Change Happen shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, taking account of Article 32 of the UK GDPR. The measures in place are described in Annex B.
4.4 Sub-processing
The Customer gives SEE Change Happen general written authorisation to engage the Sub-processors listed in Annex C. SEE Change Happen shall:
- give the Customer at least 30 days' advance written notice of any intended addition or replacement of a Sub-processor, during which the Customer may object on reasonable data-protection grounds. SEE Change Happen publishes its current list of Sub-processors at /security/ and gives notice of changes to the email address associated with the Customer's account; publication of the updated list together with that notice satisfies this requirement. [owner-set value: 30 days — solicitor to confirm]
- impose on each Sub-processor, by written contract, data protection obligations that are substantially the same as those set out in this DPA (in particular the security measures in Annex B); and
- remain fully liable to the Customer for the performance of each Sub-processor's obligations.
4.5 Assistance with data subject rights
Taking into account the nature of the processing, SEE Change Happen shall assist the Customer by appropriate technical and organisational measures, insofar as this is possible, to respond to requests to exercise data subject rights under the Data Protection Legislation. Where a data subject request is made directly to SEE Change Happen in relation to Customer Personal Data, SEE Change Happen shall promptly forward it to the Customer and shall not respond to it itself except on the Customer's documented instructions.
4.6 Personal data breach
SEE Change Happen shall notify the Customer without undue delay and in any event within 48 hours of becoming aware of a personal data breach affecting Customer Personal Data, and shall provide the Customer with sufficient information to enable the Customer to meet its own obligations to report the breach to the Information Commissioner's Office within its own 72-hour reporting window and, where required, to affected data subjects. [owner-set value: 48 hours — solicitor to confirm]
4.7 Data protection impact assessments
SEE Change Happen shall provide reasonable assistance to the Customer with any data protection impact assessment and any prior consultation with the Information Commissioner's Office that the Customer is required to carry out under the Data Protection Legislation, taking into account the nature of the processing and the information available to SEE Change Happen.
4.8 Return or deletion
At the Customer's choice, SEE Change Happen shall delete or return all Customer Personal Data to the Customer after the end of the provision of the services, and delete existing copies, unless the law requires storage of the personal data. This reflects the retention arrangements described in the Privacy Policy, under which Strategic Pathway data (including Policy Vault documents) is deleted 90 days after the Authorised User's last activity, and saved assessments and tool outputs are retained for 90 days after a subscription is cancelled and may then be permanently deleted. The Customer may request immediate deletion at any time using the "Request Deletion" option in the dashboard account settings or by contacting SEE Change Happen.
4.9 Information and audit
SEE Change Happen shall make available to the Customer all information necessary to demonstrate compliance with the obligations in Article 28 of the UK GDPR, and shall allow for and contribute to audits, including inspections, conducted by the Customer or an auditor mandated by the Customer. Audits shall be conducted on reasonable prior written notice, no more than once in any twelve-month period (save where required by a supervisory authority or following a personal data breach), during normal business hours, and in a manner that does not disrupt SEE Change Happen's operations or the confidentiality of other customers' data.
4.10 No use for AI model training
SEE Change Happen shall not use Customer Personal Data to train artificial-intelligence models. Where Customer Personal Data (including messages sent to the Quinn assistant and text from uploaded policies) is transmitted to the AI Sub-processors listed in Annex C, it is processed under agreements that prohibit the use of that data to train their models.
5. International Transfers
5.1 Some Sub-processors process Customer Personal Data outside the United Kingdom. Where they do, SEE Change Happen relies on the transfer safeguards recorded for each Sub-processor in Annex C, as stated in the Privacy Policy. In summary:
- HubSpot processes some data in the United States under the European Commission's Standard Contractual Clauses and the UK International Data Transfer Agreement.
- Stripe processes payment data in the United States and other jurisdictions under Standard Contractual Clauses and certification under the EU–US Data Privacy Framework.
- Cloudflare processes data on its global network under Cloudflare's Data Processing Addendum, which incorporates the European Commission's Standard Contractual Clauses and the UK Addendum (International Data Transfer Agreement).
- OpenAI processes data in the United States under OpenAI's Data Processing Addendum, which incorporates the Standard Contractual Clauses and the UK Addendum.
- Pinecone processes data in the United States under Pinecone's Data Processing Addendum, which incorporates the Standard Contractual Clauses and the UK Addendum.
5.2 No claim of an adequacy decision is made in respect of any transfer beyond the safeguards stated above. Each transfer safeguard is that recorded in the relevant Sub-processor's own published Data Processing Addendum, as referenced in the Privacy Policy.
6. Liability, Precedence, Term and Governing Law
6.1 Liability. Each party's liability arising out of or in connection with this DPA is subject to the exclusions and limitations of liability set out in the Main Agreement. Nothing in this DPA limits either party's liability where it cannot lawfully be limited.
6.2 Precedence. This DPA forms part of the Main Agreement. In the event of a conflict between this DPA and the other terms of the Main Agreement on a matter of data protection, this DPA prevails. On all other matters, the Main Agreement prevails.
6.3 Term. This DPA takes effect on the date the Main Agreement takes effect and continues for as long as SEE Change Happen processes Customer Personal Data on the Customer's behalf. Clauses that by their nature are intended to survive termination (including clause 4.8) shall survive.
6.4 Governing law and jurisdiction. This DPA is governed by and construed in accordance with the laws of England and Wales, and the parties submit to the exclusive jurisdiction of the courts of England and Wales, consistent with the Main Agreement.
Annex A — Details of the Processing
Subject matter. The provision of The Trans Inclusion Toolkit platform and its features to the Customer's Authorised User(s) under the Main Agreement.
Duration. For the term of the Customer's subscription and thereafter for the retention periods described in the Privacy Policy, until Customer Personal Data is deleted or returned under clause 4.8.
Nature of the processing. Collection, hosting, storage, retrieval, organisation, analysis (including AI-assisted analysis), transmission to Sub-processors, and deletion of personal data, carried out by automated means as necessary to operate the platform.
Purpose of the processing. To enable the Authorised User to access the toolkit's resources and tools; to deliver the Trans Inclusion Impact Diagnostic and its calculated scores; to operate the Strategic Pathway and its tools (including Policy Roast, the EqIA/DPIA Wizard, the Defensibility Builder, Response Scripts, Scenario Stress-Tests, Complaints Triage and Board Briefing); to provide the Quinn AI inclusion assistant; and to manage the Customer's subscription, access tier and billing.
Categories of personal data:
- Account and registration identifiers — the Authorised User's first name, last name and personal email address. The personal email address is also the sign-in identifier (see Annex B).
- Subscription and billing data — name, email address and billing address; subscription tier, billing cycle, start and renewal dates and payment status; Stripe Customer ID; and a limited card reference (last four digits, card brand and expiry month). Full card details are entered on Stripe's hosted checkout and are not accessible to SEE Change Happen.
- Diagnostic data — responses to the 55-question organisational self-assessment and the calculated overall score, domain scores and tier. As stated in the Privacy Policy, these are organisational self-assessments and do not collect special category data about gender identity, beliefs or other protected characteristics.
- Strategic Pathway data — organisation profile, pathway progress and selections, policy documents uploaded to the Policy Vault, health-check scores, usage telemetry, and feedback or snagging reports (including screenshots where provided).
- Quinn conversation data — the messages the Authorised User types, the responses generated, and any feedback ratings. Users are instructed not to enter personal data about identifiable individuals or confidential organisational information into Quinn.
Special category data. None is intended to be processed. The diagnostic is an organisational self-assessment and, as stated in the Privacy Policy, does not collect special category data under Article 9 of the UK GDPR.
Categories of data subjects. The Customer's Authorised User(s) — the single named individual licensed under each subscription. Where the Authorised User includes personal data about other individuals in free-text inputs or uploaded documents, those individuals are also data subjects, although the platform instructs users not to include personal data about identifiable individuals.
Annex B — Technical and Organisational Security Measures
SEE Change Happen maintains the following technical and organisational measures, as described in the Privacy Policy and the Main Agreement:
- Encryption in transit — all connections use HTTPS (TLS) encryption.
- Passwordless authentication — the Authorised User signs in with their personal email address and a 6-digit one-time code sent to that address. No passwords are set or stored.
- Per-user licensing and device limits — each Practitioner and Professional subscription is licensed to a single named user. Access is limited to up to two devices per licence, and the user can retire a device to release its slot.
- Encrypted credentials — service API keys and credentials used by the platform are stored using AES-256-CBC encryption.
- Access controls — access to personal data is restricted to authorised personnel on a need-to-know basis.
- Payment security — subscription payments are processed by Stripe (PCI DSS Level 1 certified). Card data is entered on Stripe's hosted checkout page and never passes through SEE Change Happen's servers.
- Sub-processor security — form and CRM data is processed by HubSpot, which maintains SOC 2 Type II certification. Data sent to the AI Sub-processors (OpenAI and Pinecone) is transmitted over encrypted API connections.
- No AI model training — personal data sent to OpenAI is not used to train OpenAI's models; it is processed under a data processing agreement that prohibits training on customer content.
- Regular review — security practices are reviewed periodically and updated as necessary.
Annex C — Authorised Sub-processors
The Customer authorises the engagement of the following Sub-processors. Purposes, locations and transfer safeguards are recorded exactly as stated in the Privacy Policy.
| Sub-processor | Purpose | Processing location | Transfer safeguard (as stated) |
|---|---|---|---|
| Stripe | Payment processing for paid subscriptions (PCI DSS Level 1) | United States and other jurisdictions | Standard Contractual Clauses and certification under the EU–US Data Privacy Framework |
| HubSpot | CRM, form processing and email communications | United States (some data) | European Commission Standard Contractual Clauses and the UK International Data Transfer Agreement |
| Cloudflare | Hosting, content delivery and security (bot management and Turnstile form protection) | Cloudflare's global network | Cloudflare's Data Processing Addendum, incorporating the European Commission Standard Contractual Clauses and the UK Addendum (International Data Transfer Agreement) |
| Amazon Web Services | File and media storage (S3), backups, and content delivery (CloudFront) | United Kingdom — London (eu-west-2) region | No restricted transfer — processing remains in the UK |
| OpenAI | Powers the Quinn AI assistant and Strategic Pathway AI analysis; API inputs and outputs are not used to train OpenAI's models | United States | OpenAI's Data Processing Addendum, incorporating the Standard Contractual Clauses and the UK Addendum |
| Pinecone | Vector database used by Quinn to search the knowledge base (query embeddings only; no personal data stored) | United States | Pinecone's Data Processing Addendum, incorporating the Standard Contractual Clauses and the UK Addendum |
Source: Privacy Policy §6 (Third-Party Services), §7 (Data Sharing) and §11 (International Data Transfers).
Solicitor Sign-off Checklist
The document is content-complete. The following points remain for the owner's solicitor to confirm before it is published and relied on. They do not reopen the substantive processing terms above.
- Sub-processor change notice — 30 days (clause 4.4). The owner has set 30 days' advance written notice of any addition or replacement of a Sub-processor, with a right to object on reasonable data-protection grounds, satisfied by publication of the current list at /security/ plus notice to the account email. Confirm the period is appropriate. [owner-set value: 30 days — solicitor to confirm]
- Breach notification — 48 hours (clause 4.6). The owner has set notification to the Customer within 48 hours of becoming aware, chosen so the Customer can meet its own 72-hour ICO reporting window. Confirm the period is appropriate. [owner-set value: 48 hours — solicitor to confirm]
- Incorporation by reference (clause 1.3). Confirm the step that incorporates this DPA into, and gives it effect as part of, the Subscription Terms (the Main Agreement), and settle any consequential wording in those terms.
- General legal review. A final review of the document as a whole, including the clauses that follow standard Article 28 convention (in particular the audit rights in clause 4.9 and the DPIA assistance in clause 4.7), against the owner's current processing arrangements.