Data Processing Agreement
Last updated: January 2025
This Data Processing Agreement ("DPA") forms part of the Terms of Service between you ("Controller", "Customer", or "you") and RedactBox Ltd ("Processor", "RedactBox", "we", "us", or "our") and governs the processing of personal data in connection with the RedactBox email redaction services.
This DPA complies with the requirements of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, ensuring appropriate safeguards for personal data processed through our services.
1. Definitions
For the purposes of this DPA, the following terms have the meanings set out below:
- "Controller" means the entity that determines the purposes and means of processing personal data, typically the Customer using RedactBox services.
- "Processor" means RedactBox Ltd, which processes personal data on behalf of the Controller.
- "Personal Data" has the meaning given in Article 4(1) of the UK GDPR.
- "Processing" has the meaning given in Article 4(2) of the UK GDPR.
- "Data Subject" has the meaning given in Article 4(1) of the UK GDPR.
- "Sub-processor" means any third party engaged by RedactBox to process personal data on behalf of the Controller.
- "Email Data" refers to email messages, attachments, and associated metadata uploaded to the RedactBox platform.
2. Processing Details
2.1 Subject Matter
RedactBox processes personal data contained within email files (.mbox format) for the purpose of providing email redaction and document processing services.
2.2 Categories of Data Subjects
- Email senders and recipients
- Individuals mentioned in email content
- Contacts and third parties referenced in communications
- RedactBox users and administrators
2.3 Categories of Personal Data
- Contact information (names, email addresses, phone numbers)
- Communication content and metadata
- Technical data (IP addresses, timestamps, headers)
- Professional and business information
- Any other personal data contained within uploaded email files
2.4 Purpose of Processing
- Email content analysis and parsing
- Application of redaction to sensitive information
- Generation of redacted documents and exports
- Project management and progress tracking
- Service provision and technical support
3. Processing Instructions
RedactBox will process personal data only in accordance with:
- The Controller's documented instructions as implemented through the RedactBox platform
- The terms of this DPA and the associated Terms of Service
- Applicable data protection laws and regulations
RedactBox will inform the Controller if, in its opinion, any instruction violates UK GDPR or other applicable data protection laws.
4. Security Measures
RedactBox implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including:
- Encryption of personal data in transit and at rest
- UK-based secure cloud infrastructure with access controls
- Regular security assessments and monitoring
- Staff training on data protection and confidentiality
- Multi-factor authentication for account access
- Secure data deletion procedures
These measures are regularly reviewed and updated to maintain their effectiveness and compliance with evolving security standards.
5. Sub-processors
The Controller consents to RedactBox engaging the following categories of sub-processors:
- Infrastructure Providers: Google Cloud UK (hosting and data processing)
- Payment Processors: Stripe (billing and subscription management)
- Support Services: HelpCrunch (customer support and communications)
- Analytics Services: Google Analytics (usage analytics)
All sub-processors are subject to data processing agreements that provide substantially the same level of protection as this DPA. RedactBox will notify Controllers of any changes to sub-processors through service updates.
6. Data Subject Rights
RedactBox will assist the Controller in fulfilling data subject rights requests by:
- Providing access to personal data processing functions within the platform
- Enabling data export and portability through existing export features
- Supporting data deletion through the platform's deletion capabilities
- Implementing rectification requests through the editing functions
- Providing technical information about processing activities when requested
Controllers remain responsible for responding to data subject requests and determining the appropriate course of action in compliance with applicable laws.
7. Data Breach Notification
In the event of a personal data breach, RedactBox will:
- Notify the Controller without undue delay and, where feasible, within 72 hours
- Provide details of the nature of the breach and affected data
- Describe the likely consequences and mitigation measures taken
- Provide contact information for further inquiries
- Assist in any required notifications to supervisory authorities or data subjects
Controllers remain responsible for determining whether notification to supervisory authorities or data subjects is required under applicable law.
8. Data Location and International Transfers
All personal data processing occurs within the United Kingdom using Google Cloud UK infrastructure. RedactBox does not transfer personal data outside the UK/EU for processing purposes.
Should any international transfers become necessary, RedactBox will implement appropriate safeguards in accordance with UK GDPR requirements and obtain Controller consent where required.
9. Data Retention and Deletion
RedactBox will:
- Delete personal data immediately upon the Controller's instruction through the platform
- Return or delete personal data upon termination of services, as directed by the Controller
- Provide confirmation of data deletion when requested
- Retain personal data only as long as necessary to provide the services
Controllers maintain full control over data retention periods through the platform's project management and deletion features.
10. Audits and Compliance
RedactBox will:
- Make available to the Controller information necessary to demonstrate compliance with this DPA
- Allow for and contribute to audits conducted by the Controller or authorised representatives
- Provide compliance documentation and certifications when available
- Cooperate with reasonable audit requests, subject to confidentiality obligations
Audit requests should be submitted through our support system with reasonable advance notice and may be subject to mutually agreed terms regarding timing, scope, and confidentiality.
11. Liability and Indemnification
Each party's liability under this DPA is subject to the limitation of liability provisions in the Terms of Service. Each party will be liable for its own acts and omissions, but not for the acts and omissions of the other party.
Controllers acknowledge their responsibility for ensuring lawful processing instructions and compliance with applicable data protection laws in their use of the services.
12. Term and Termination
This DPA remains in effect for as long as RedactBox processes personal data on behalf of the Controller. Upon termination:
- RedactBox will cease processing personal data for the terminated services
- Personal data will be returned or deleted as instructed by the Controller
- RedactBox will provide written confirmation of data deletion if requested
- Relevant provisions regarding confidentiality and liability will survive termination
13. Governing Law and Disputes
This DPA is governed by the laws of England and Wales. Any disputes arising from this DPA will be subject to the exclusive jurisdiction of the courts of England and Wales. The parties agree to attempt resolution of disputes through good faith negotiations before initiating legal proceedings.
14. Contact Information
For any questions regarding this DPA or data processing practices, please contact RedactBox through our support system at redactbox.co.uk.
Data Processor: RedactBox Ltd
Jurisdiction: United Kingdom
Regulatory Authority: UK Information Commissioner's Office (ICO)