Legal
Data Processing Addendum (DPA)
Last updated 12 March 2025
1. Scope
This DPA applies where ReferenceLock processes personal data on behalf of a Customer (controller) and forms part of the agreement.
2. Roles
Customer is the controller; ReferenceLock is the processor. Each party complies with UK GDPR and the Data Protection Act 2018.
3. Sub-processors
A current list of sub-processors is available at /legal/dpa#subprocessors. We notify Customers of changes 30 days in advance.
4. Security
We apply appropriate technical and organisational measures including encryption in transit and at rest, least-privilege access, and audit logging.
5. International transfers
Where applicable we use UK IDTA and EU SCCs to safeguard transfers.
6. Subject requests
We assist Customers in responding to data-subject requests within reasonable timescales.