Skip to main content

Legal

Data Processing Addendum (DPA)

Last updated 12 March 2025

1. Scope

This DPA applies where ReferenceLock processes personal data on behalf of a Customer (controller) and forms part of the agreement.

2. Roles

Customer is the controller; ReferenceLock is the processor. Each party complies with UK GDPR and the Data Protection Act 2018.

3. Sub-processors

A current list of sub-processors is available at /legal/dpa#subprocessors. We notify Customers of changes 30 days in advance.

4. Security

We apply appropriate technical and organisational measures including encryption in transit and at rest, least-privilege access, and audit logging.

5. International transfers

Where applicable we use UK IDTA and EU SCCs to safeguard transfers.

6. Subject requests

We assist Customers in responding to data-subject requests within reasonable timescales.