GDPR & DPA

DataHub Pro is built for UK and EU customers handling client data under GDPR. This page summarises our compliance posture and how to obtain a signed Data Processing Addendum.

Last updated: 4 May 2026
Jurisdiction: UK GDPR & EU GDPR
Status: Active

UK/EU data residency: All customer data is stored on infrastructure in the UK or EEA — no transfers to the US by default.

No model training: Your data is never used to train AI models. Inference is real-time and discarded after.

Encryption: TLS 1.2+ in transit. AES-256 at rest. Encrypted backups.

Tenant isolation: Each organisation's data is logically isolated. Agency tier keeps each client separated inside your workspace.

Roles under GDPR

For data you upload to the platform (your customer data, internal records, etc.), you are the data controller and DataHub Pro is the data processor. We process that data only on your documented instructions, as set out in our DPA.

For your own account and billing data, DataHub Pro is the controller — see the Privacy Policy.

Data Processing Addendum (DPA)

Our standard DPA incorporates the UK ICO's International Data Transfer Addendum and the EU Standard Contractual Clauses (SCCs) where applicable. It covers:

To request a signed DPA — email hello@datahubpro.co.uk with the subject "DPA request" and your organisation's legal entity name and address. We typically return a counter-signed copy within 2 business days.

Sub-processors

We use a small number of sub-processors to deliver core functionality. The current list, with locations and roles, is available on request via hello@datahubpro.co.uk. We commit to giving 30 days' notice before adding a new sub-processor that processes customer data, so you can object if you choose to.

International transfers

Where any sub-processor sits outside the UK/EEA (currently only AI inference, where the provider operates UK and EU regions), we rely on appropriate safeguards including the UK IDTA and EU SCCs. Our preference and default routing keeps data within UK/EU regions wherever the underlying service supports it.

Data subject requests

If a data subject contacts us directly, we will refer them to you (the controller) unless instructed otherwise. We assist you in responding to access, rectification, erasure, restriction, and portability requests — typically through self-serve tools in the product, with engineering support where needed.

Breach notification

In the event of a personal-data breach affecting your data, we will notify you without undue delay and in any event within 72 hours of becoming aware of it, with the information you need to fulfil your own notification obligations under Article 33 GDPR.

Security and certifications

We follow industry-standard practices including least-privilege access, encrypted backups, dependency scanning, and security review prior to material changes. We are working towards ISO 27001 certification; in the interim, our SOC 2 Type II readiness assessment summary is available under NDA on request.

Contact

For DPA requests, sub-processor lists, security questionnaires, or any other GDPR matter:

hello@datahubpro.co.uk