Data Processing Agreement
Last updated: May 2026
Important notice
This Data Processing Agreement ("DPA") forms part of, and is incorporated by reference into, the Terms of Service or other written agreement (the "Principal Agreement") between the customer ("Controller", "Customer", "you") and Burrell Digital LTD, a company registered in England & Wales ("Processor", "Burrell Digital", "we") governing use of Context Guard (the "Service"). It applies whenever the Processor processes Personal Data on behalf of the Controller in connection with the Service.
This DPA is published as a standard template intended for business customers. By using the Service the Controller is deemed to have accepted this DPA. A counter-signed copy is available on request from legal@ctx-guard.com. This document is provided for transparency; it is not legal advice. The Controller is responsible for satisfying itself, with its own legal advisers, that this DPA meets its compliance needs.
1. Definitions
Capitalised terms used and not defined in this DPA have the meanings given to them in the Principal Agreement or in the applicable Data Protection Laws. In this DPA:
- "Data Protection Laws" means all laws and regulations applicable to the processing of Personal Data under the Principal Agreement, including (as applicable): the UK GDPR; the Data Protection Act 2018; Regulation (EU) 2016/679 (the "EU GDPR"); the Privacy and Electronic Communications Regulations 2003; and any successor or replacement legislation.
- "Personal Data", "Controller", "Processor", "Sub-processor", "Data Subject", "processing" and "Personal Data Breach" have the meanings given in the Data Protection Laws.
- "Customer Personal Data" means Personal Data processed by the Processor on behalf of the Controller in the course of providing the Service.
- "Restricted Transfer" means a transfer of Customer Personal Data to a country or international organisation that is not the subject of an adequacy decision under the applicable Data Protection Laws.
- "Standard Contractual Clauses" or "SCCs" means (i) the EU SCCs approved by Commission Implementing Decision (EU) 2021/914, and (ii) where required for transfers from the UK, the UK International Data Transfer Addendum issued by the Information Commissioner.
- "Sub-processor" means any third party engaged by the Processor to process Customer Personal Data.
2. Roles & Scope
The parties acknowledge that, in respect of Customer Personal Data, the Controller acts as controller (or, where it is itself processing on behalf of a third party, as processor) and the Processor acts as processor (or, as applicable, sub-processor). The Processor will process Customer Personal Data only as necessary to provide the Service in accordance with the Principal Agreement, this DPA, and the Controller's documented written instructions, except where required to do otherwise by applicable law (in which case the Processor will, where legally permitted, inform the Controller of that legal requirement before processing).
Each party will comply with its own obligations under the Data Protection Laws. Nothing in this DPA relieves the Controller of any of its responsibilities, including for the lawfulness of the processing it instructs and for ensuring that valid lawful bases, notices, and (where required) consents are in place in respect of Data Subjects.
3. Subject Matter & Duration
Subject matter: the processing of Customer Personal Data by the Processor for the purpose of providing the Service to the Controller.
Duration: this DPA takes effect on the earlier of (i) the date the Controller first uses the Service or (ii) the effective date of the Principal Agreement, and continues for so long as the Processor processes Customer Personal Data, or until terminated in accordance with the Principal Agreement. The clauses of this DPA which by their nature should survive termination (including those relating to confidentiality, security, return/deletion, audits in respect of past processing, and governing law) will so survive.
4. Nature & Purpose of Processing
The Processor will process Customer Personal Data contained within AI traffic (including prompts, model completions, request and response metadata, tool-call payloads, and configuration) that is routed through the Context Guard reverse-proxy API or SDK, and within account, billing and operational records associated with the Controller's use of the Service.
The purposes of processing are limited to:
- Providing the Service, including prompt-injection detection, jailbreak and abuse detection, sensitive-data identification and redaction, output-policy enforcement, routing and rate limiting, in each case as configured by the Controller.
- Generating logs, metrics, dashboards and incident records made available to the Controller through the Service.
- Securing, maintaining, monitoring, debugging and improving the integrity, availability and reliability of the Service.
- Complying with the Processor's legal obligations and exercising or defending legal claims.
The Processor will not sell Customer Personal Data, will not use it to train generally available machine-learning models, and will not use it for advertising or other purposes unrelated to the Service.
5. Categories of Data & Data Subjects
- Categories of Personal Data: any Personal Data the Controller (or its end users) chooses to submit to or transmit through the Service. Depending on the Controller's configuration, this may include identifiers (such as user IDs, IP addresses, session tokens), contact data, content data contained in prompts and completions, technical and usage metadata, and any other data the Controller routes through the Service.
- Special category / sensitive data: the Service is not designed or intended for the processing of special-category Personal Data, criminal-offence data, children's data, or data subject to specific sectoral regimes (e.g., payment card data within scope of PCI-DSS, or protected health information). The Controller is responsible for not submitting such data unless it has separately agreed appropriate safeguards in writing with the Processor.
- Data subjects: may include the Controller's personnel, contractors, customers, end users, prospects, and any other individuals whose Personal Data the Controller chooses to route through the Service.
- Frequency: continuous, for the duration of the Controller's use of the Service.
6. Controller's Responsibilities & Instructions
The Controller's use of the Service, together with the Principal Agreement and this DPA, constitutes its complete and final documented written instructions to the Processor regarding the processing of Customer Personal Data. Any additional or alternative instructions must be agreed in writing and may be subject to additional fees.
The Controller is responsible for, and warrants that:
- It has and will maintain a valid lawful basis under the Data Protection Laws for routing Customer Personal Data through the Service and for each downstream LLM, model provider, or tool that it elects to use with the Service.
- It has provided all required notices and (where applicable) obtained all required consents from Data Subjects.
- Its instructions to the Processor, including its configuration of the Service, comply with the Data Protection Laws.
- It will not submit any Customer Personal Data that it is not lawfully entitled to process.
The Processor will inform the Controller if, in its opinion, an instruction infringes the Data Protection Laws, but is not obliged to monitor the lawfulness of the Controller's processing generally.
7. Processor Obligations
The Processor will:
- Process Customer Personal Data only on the Controller's documented instructions, including with regard to Restricted Transfers, except where required by applicable law.
- Implement and maintain the technical and organisational measures described in Section 9.
- Ensure that personnel authorised to process Customer Personal Data are subject to a duty of confidentiality (see Section 8) and have received appropriate training.
- Taking into account the nature of the processing and the information available to it, provide reasonable assistance to the Controller in fulfilling its obligations under Articles 32 to 36 of the UK GDPR / EU GDPR (security, breach notification, data protection impact assessments and prior consultation), as further described in Sections 11, 13 and 14.
- Promptly notify the Controller if it can no longer meet its obligations under this DPA.
- On termination of the Service, return or delete Customer Personal Data in accordance with Section 15.
8. Confidentiality
The Processor will treat all Customer Personal Data as confidential and will ensure that any person it authorises to process Customer Personal Data (including employees, contractors and agents) is bound by a written or statutory duty of confidentiality of comparable scope, that survives termination of their engagement. Access to Customer Personal Data is limited to personnel who need it to perform their duties under the Principal Agreement.
9. Security Measures
Taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of processing, as well as the risks to Data Subjects, the Processor implements appropriate technical and organisational measures designed to ensure a level of security appropriate to the risk, including, as applicable:
- Encryption. TLS 1.2+ for data in transit and AES-256 (or equivalent) for Customer Personal Data at rest in databases and managed object storage.
- Access control. Role-based access control with least-privilege defaults, mandatory multi-factor authentication for administrative access, periodic access reviews, and prompt revocation on role change or departure.
- Network & platform security. Hardened cloud configurations, restricted ingress, secrets management, key rotation, and isolation between Customer environments where feasible.
- Software security. Secure development practices, dependency vulnerability scanning, code review, and timely application of security patches.
- Logging & monitoring. Audit logging of administrative actions and data access, centralised log retention, anomaly monitoring and an incident-response runbook.
- Resilience. Backups, redundancy and recovery procedures designed to restore availability of Customer Personal Data following a physical or technical incident.
- Personnel. Background screening (where lawful), security training, and acceptable-use policies.
- Vendor management. Due diligence and contractual safeguards for Sub-processors as set out in Section 10.
Security measures evolve over time. The Processor may update these measures provided that the updated measures do not materially reduce the overall level of protection of Customer Personal Data. A current summary is available on request.
10. Sub-processors
The Controller grants the Processor a general written authorisation to engage Sub-processors to process Customer Personal Data, subject to this Section 10. The Processor will:
- Carry out reasonable due diligence on each Sub-processor's ability to provide the level of protection required by this DPA.
- Impose data-protection obligations on each Sub-processor that are, in substance, no less protective than those in this DPA, including obligations to implement appropriate technical and organisational measures.
- Remain liable to the Controller for the performance of each Sub-processor's obligations to the same extent as if the Processor were performing the services directly, subject to the limitations of liability in the Principal Agreement.
Current Sub-processors:
- Supabase - managed Postgres, authentication and storage.
- Vercel - application hosting and edge delivery.
- Stripe - payment processing for paid subscriptions (limited to billing data).
Where the Controller routes traffic from the Service to third-party LLM or model providers (for example, OpenAI, Anthropic, Google or Microsoft Azure) of the Controller's choosing, those providers act as independent processors or controllers in respect of the data sent to them under the Controller's direct relationship with them, and are not Sub-processors of the Processor under this DPA, save where the Processor expressly engages them on the Controller's behalf.
Notice and objection. The Processor will give the Controller at least thirty (30) days' prior notice of any new or replacement Sub-processor (which may be given by updating this page or by email to the Controller's notification address). The Controller may, within that notice period, object on reasonable, good-faith data-protection grounds by emailing legal@ctx-guard.com. The parties will work in good faith to resolve the objection. If no resolution is reached within a reasonable period, the Controller's sole and exclusive remedy is to terminate the affected portion of the Service for convenience and receive a pro-rata refund of pre-paid fees for the unused portion of the term.
11. International Transfers
The Processor processes Customer Personal Data primarily in the United Kingdom and the European Economic Area, but Sub-processors may process Customer Personal Data in other jurisdictions. Where a Restricted Transfer occurs, the Processor will rely on a valid transfer mechanism under the Data Protection Laws, including (in order of preference):
- An applicable adequacy decision under the UK GDPR or EU GDPR (including the EU–UK adequacy decision and the UK Extension to the EU–US Data Privacy Framework, where in force and applicable to the receiving party);
- The Standard Contractual Clauses, supplemented by the UK International Data Transfer Addendum or, in the alternative, the UK International Data Transfer Agreement (IDTA) issued by the Information Commissioner where required, which the parties agree to enter into and execute by reference where necessary, with the Controller as data exporter and the Processor (or relevant Sub-processor) as data importer; or
- Any other lawful transfer mechanism recognised under the Data Protection Laws, supported by such supplementary measures as are appropriate following a documented transfer risk assessment.
The Controller appoints the Processor to enter into the SCCs and equivalent transfer mechanisms with Sub-processors on the Controller's behalf.
12. Data Subject Requests
The Service provides functionality enabling the Controller to access, export, rectify, restrict, erase or delete Customer Personal Data within its account. Taking into account the nature of the processing, the Processor will provide reasonable assistance, by appropriate technical and organisational measures, to enable the Controller to fulfil its obligations to respond to requests from Data Subjects exercising their rights under the Data Protection Laws.
If the Processor receives a request directly from a Data Subject relating to Customer Personal Data, it will, unless legally prohibited, promptly forward the request to the Controller and will not respond to the request itself except on the Controller's instruction. The Controller is responsible for substantively responding to Data Subject requests.
13. Personal Data Breach Notification
The Processor will notify the Controller without undue delay, and in any event within seventy-two (72) hours, after becoming aware of a Personal Data Breach affecting Customer Personal Data. The notification will, to the extent then known and as further information becomes available:
- Describe the nature of the Personal Data Breach, including, where possible, the categories and approximate number of Data Subjects and records concerned;
- Identify a point of contact from whom further information can be obtained;
- Describe the likely consequences of the Personal Data Breach; and
- Describe the measures taken or proposed to be taken to address the Personal Data Breach and to mitigate its possible adverse effects.
The Processor's notification of, or response to, a Personal Data Breach is not an acknowledgement of fault or liability. The Controller is responsible for any notifications to supervisory authorities or Data Subjects that may be required under the Data Protection Laws.
14. DPIA & Prior Consultation Assistance
Taking into account the nature of the processing and the information available to it, the Processor will provide the Controller with reasonable assistance with data protection impact assessments and prior consultations with supervisory authorities relating to the Service. Such assistance may take the form of documentation describing the Service, its security measures, and Sub-processors. The Processor may charge its reasonable costs for assistance that is materially in excess of standard documentation made generally available to customers.
15. Audits & Information Rights
The Processor will make available to the Controller information reasonably necessary to demonstrate compliance with the obligations laid down in Article 28 of the UK GDPR / EU GDPR and this DPA. This information may take the form of:
- Responses to a reasonable security and data-protection questionnaire;
- Summaries of penetration test or vulnerability scan results, redacted as necessary; and
- Where available, copies of independent third-party audit or certification reports (e.g., SOC 2, ISO 27001).
If, after exhausting the foregoing, the Controller reasonably believes that further information is needed to demonstrate compliance, the Controller may, at its own cost and expense, conduct an on-site audit of the Processor's relevant facilities and records, subject to the following: (a) reasonable prior written notice of at least thirty (30) days; (b) audits not more than once in any twelve-month period (except where required by a supervisory authority or following a confirmed Personal Data Breach affecting the Controller); (c) audits during normal business hours and in a manner that does not unreasonably interfere with the Processor's operations; (d) the auditor must be an independent, mutually acceptable third party bound by appropriate confidentiality obligations and may not be a competitor of the Processor; (e) audits will be limited to information directly relevant to the Processor's processing of Customer Personal Data and will not extend to information of other customers, source code, or commercially sensitive information; and (f) the Controller will share audit findings with the Processor and treat them as Confidential Information.
16. Return & Deletion of Personal Data
- Active customer account data and configuration are retained for the duration of the active subscription.
- Security and operational logs are retained for up to twelve (12) months and may be retained for longer where necessary for security investigations or to comply with applicable law.
- Billing and tax records are retained for the period required by applicable law (typically six (6) years in the United Kingdom).
- On termination or expiry of the Principal Agreement, the Controller may, within thirty (30) days, request return or deletion of Customer Personal Data by emailing legal@ctx-guard.com. The Processor will, at the Controller's option, return or delete Customer Personal Data within ninety (90) days of such request, save to the extent that the Processor is required by applicable law to retain some or all of the Customer Personal Data, in which case it will continue to protect such data in accordance with this DPA for the duration of the retention period.
- Customer Personal Data held in routine, encrypted backup media will be overwritten in the ordinary course of backup rotation and will not be actively restored except for legal or security purposes.
17. Liability
Each party's liability arising out of or related to this DPA, whether in contract, tort (including negligence), under statute, or under any other theory of liability, is subject to, and counts towards, the exclusions and limitations of liability set out in the Principal Agreement, including the section headed "Limitation of Liability" in our Terms of Service. Nothing in this DPA limits or excludes either party's liability where it cannot lawfully be limited or excluded under applicable law (including liability for fraud or fraudulent misrepresentation).
18. Order of Precedence
In the event of a conflict between this DPA and the Principal Agreement in respect of the processing of Customer Personal Data, this DPA prevails. Where a conflict arises between this DPA and the Standard Contractual Clauses, the Standard Contractual Clauses prevail.
19. Changes to this DPA
The Processor may amend this DPA from time to time by posting an updated version at this URL, provided that no amendment will materially reduce the level of protection of Customer Personal Data. The Processor will give reasonable advance notice of material changes (typically by email or in-product notice). Continued use of the Service after the effective date of an amendment constitutes acceptance of the amended DPA. The "Last updated" date at the top of this page reflects the most recent material change.
20. Governing Law & Jurisdiction
This DPA, and any non-contractual obligations arising out of or in connection with it, is governed by the laws of England & Wales. The parties submit to the exclusive jurisdiction of the courts of England & Wales, save that either party may seek injunctive or equivalent urgent relief in any court of competent jurisdiction to protect Personal Data or its intellectual property.
21. Contact
For data-protection enquiries, to request a counter-signed DPA, to object to a new Sub-processor, to raise a Data Subject request, or to report a suspected Personal Data Breach, please contact: legal@ctx-guard.com.