Data Processing Agreement
Version 1.0 — March 2026
Last updated: 30 March 2026
This Data Processing Agreement ("DPA") is entered into between:
- The organisation or individual accessing the CompareEngineering.com platform and submitting or receiving personal data through the RFQ process ("the Controller"); and
- CompareEngineering.com Ltd, a company incorporated in England and Wales with company number 17117072, whose registered office is at 66 Paul Street, London EC2A 4NA ("the Processor").
This DPA supplements and forms part of the agreement between the Parties for the supply of RFQ and comparison services ("the Main Agreement"), including the Terms of Use and Provider Terms as applicable. In the event of conflict between this DPA and the Main Agreement, this DPA shall prevail in respect of data protection matters.
1. Definitions
In this DPA, "Personal Data", "Data Controller", "Data Processor", "Data Subject", "Processing", and "Security Incident" have the meanings given in the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
2. Subject Matter, Duration, and Nature of Processing
The Processor processes Personal Data on behalf of the Controller for the purpose of operating the CompareEngineering.com platform, including: receiving and routing RFQs, matching buyers with inspection providers, facilitating quote submission and comparison, recording contract awards, and administering lead fees and commissions.
Categories of Personal Data processed include: contact names, email addresses, telephone numbers, job titles, company details, site addresses and postcodes, asset schedule data, and commercial information contained in RFQs and quotes.
Categories of Data Subjects include: customers (buyers), broker users, provider users, and their respective employees or representatives.
Processing continues for the duration of the Main Agreement and for such additional period as is necessary to comply with legal obligations and the retention periods set out in Schedule 1.
3. Obligations of the Processor
The Processor shall:
- Process Personal Data only on the documented instructions of the Controller, except where required to do so by law
- Ensure that all persons authorised to process the Personal Data are subject to appropriate confidentiality obligations
- Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, in accordance with UK GDPR Article 32
- Not engage any Sub-processor without prior written authorisation from the Controller (see Clause 5)
- Assist the Controller in fulfilling its obligations to respond to Data Subject Rights requests
- Assist the Controller in conducting Data Protection Impact Assessments where required
- Delete or return all Personal Data to the Controller on termination of the Main Agreement, as directed
- Make available to the Controller all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits
- Notify the Controller without undue delay (and within 36 hours where practicable) on becoming aware of a Security Incident
4. Obligations of the Controller
The Controller shall:
- Ensure it has a lawful basis for providing Personal Data to the Processor under UK GDPR
- Provide only the Personal Data that is necessary for the Services described in this DPA
- Comply with its own obligations as a data controller under UK GDPR and the DPA 2018
- Notify the Processor promptly of any Data Subject Rights requests that the Processor must assist with
5. Sub-processors
The Controller provides general authorisation for the Processor to engage the Sub-processors listed in Schedule 2, which represent the platform's core technical infrastructure. The Controller acknowledges that these are essential for service delivery.
The Processor shall notify the Controller in writing of any intended addition or replacement of Sub-processors, giving the Controller a reasonable opportunity to object. A reasonable opportunity is 14 days' notice.
The Processor shall ensure that each Sub-processor is bound by data protection obligations at least equivalent to those in this DPA.
6. Security Measures
The Processor shall implement and maintain the following technical and organisational security measures as a minimum:
- Encryption of Personal Data at rest (AES-256 via Supabase) and in transit (TLS 1.2+)
- Row-level security (RLS) policies in the database to ensure data is only accessible to authorised user roles
- Access controls with role-based permissions; principle of least privilege applied
- Multi-factor authentication required for all administrative access
- Regular security reviews and automatic backups with point-in-time recovery
- Incident response procedures documented and tested
- Annual review of security measures and update where required
7. Data Subject Rights
Where a Data Subject exercises their rights under UK GDPR (including rights of access, rectification, erasure, portability, restriction, and objection), the Processor shall provide the Controller with such assistance as it reasonably requires to respond within the applicable statutory timeframes.
The Processor shall promptly forward to the Controller any Data Subject Rights request it receives directly from a Data Subject.
8. Security Incidents
If the Processor becomes aware of a Security Incident, it shall notify the Controller without undue delay and in any event within 36 hours where practicable.
Notification shall include (to the extent then known): the nature of the incident; the categories and approximate number of data subjects affected; the categories and approximate number of records affected; likely consequences; and measures taken or proposed to address the incident.
The Controller is responsible for notifying the ICO within 72 hours where required under UK GDPR Article 33.
9. International Transfers
The Processor shall not transfer Personal Data outside the UK without the Controller's prior written authorisation and without ensuring that appropriate safeguards are in place in accordance with UK GDPR Chapter V (including Standard Contractual Clauses or reliance on an adequacy decision).
10. Term and Termination
This DPA shall remain in force for the duration of the Main Agreement. On expiry or termination of the Main Agreement, the Processor shall, at the Controller's election, delete or return all Personal Data (and any copies) within 30 days of receipt of written instruction. Clauses 6 and 8 survive termination.
11. Governing Law
This DPA is governed by the laws of England and Wales and the Parties submit to the jurisdiction of the courts of England and Wales.
Schedule 1 — Retention Periods
| Data Category | Retention Period | Basis |
|---|---|---|
| Account data (name, email, company) | Duration of account + 2 years | Contract performance |
| RFQ and quote data | 6 years from submission | Limitation Act 1980 |
| Contract award records | 6 years from award date | Limitation Act 1980 |
| Financial records (fees, commissions) | 6 years from transaction | Companies Act 2006 s.386 |
| Authentication logs | 12 months | Security monitoring |
| Support correspondence | 2 years from resolution | Legitimate interest |
Schedule 2 — Approved Sub-processors
| Sub-processor | Purpose | Location |
|---|---|---|
| Supabase Inc. | Database hosting, authentication, storage | EU (Frankfurt) / US (with SCCs) |
| Resend Inc. | Transactional email delivery | US (with SCCs) |
| Anthropic PBC | AI schedule parsing (CSV/PDF asset extraction) | US (with SCCs) |
| Vercel Inc. | Application hosting and CDN | Global (UK adequacy / SCCs) |
Contact
CompareEngineering.com Ltd
Data Protection Lead: dpo@compareengineering.com
66 Paul St, London, EC2A 4NA
Company No. 17117072 · ICO Registration: CSN0004881