Data Processing Agreement
Last updated: 15 June 2026
This Data Processing Agreement ("DPA") forms part of the Terms of Use between Crocker Digital Ltd ("AssessKit", "we", "us") and the customer ("you"). It applies where AssessKit processes personal data on your behalf in connection with the AssessKit service, and it reflects the requirements of Article 28 of the UK GDPR. It is a high-level summary and is not legal advice.
1. Roles of the parties
When you use AssessKit to record fire risk assessments, you decide what personal data to enter about your clients and the premises you assess. For that data you are the controller and AssessKit is your processor. AssessKit is the controller of your own account data (your name, email address and billing details); that processing is described in our Privacy Policy.
2. Subject matter and duration
AssessKit processes personal data to provide the service for as long as your subscription is active, plus any grace or retention period described in the Terms of Use.
3. Nature and purpose of processing
Processing consists of storing, organising, displaying, transmitting and generating reports from the data you enter, so that you can create and manage fire risk assessments, action plans and client records.
4. Personal data and data subjects
The personal data you may enter includes client and contact names, email addresses, phone numbers and postal addresses; the names of responsible persons at the premises you assess; and photographs taken during assessments. The data subjects are your clients and the individuals you identify in your assessments. You must not enter special-category data unless you have a lawful basis to do so, in line with our Acceptable Use Policy.
5. Your instructions
AssessKit processes personal data only on your documented instructions, including those given through your use of the service, unless required to do otherwise by law. We will inform you if we believe an instruction infringes data protection law.
6. Confidentiality
AssessKit ensures that the personnel authorised to process personal data are bound by appropriate confidentiality obligations.
7. Security
AssessKit applies appropriate technical and organisational measures, including encryption of data in transit and at rest; tenant isolation enforced at the database level (row-level security keyed to your organisation); role-based access controls; and removal of EXIF and GPS metadata from uploaded photographs on ingest.
8. Sub-processors
You authorise AssessKit to engage the sub-processors listed on our Sub-processors page. The current sub-processors and their contracting entities are also listed in Schedule 3 below. Each sub-processor is bound by data-protection terms consistent with this DPA. We update that page before adding or replacing a sub-processor, and we remain responsible for our sub-processors.
9. International transfers
Where a sub-processor processes personal data outside the UK, the transfer is covered by an appropriate safeguard — the UK International Data Transfer Agreement, the UK Addendum to the EU Standard Contractual Clauses, or an adequacy decision.
10. Assistance with data subject rights
Taking into account the nature of processing, AssessKit assists you in responding to requests from data subjects to exercise their rights. The self-serve CSV export and PDF report download let you retrieve the data you hold in AssessKit.
11. Personal data breach
AssessKit notifies you without undue delay after becoming aware of a personal data breach affecting your data, with the information you reasonably need to meet your own notification obligations.
12. Deletion and return
Soft-delete is the default: deleted records are hidden but retained so that assessment history is preserved. On a verified erasure request, AssessKit carries out a hard delete and cascades through the related clients, sites, assessments, findings, actions and uploaded evidence. On termination, your data is retained through a 90-day grace period (during which CSV and PDF export remain available) and is then hard-deleted. Audit logs are retained for 12 months and the transactional email log for 90 days.
13. Audit
AssessKit makes available to you the information reasonably necessary to demonstrate compliance with Article 28 of the UK GDPR and this DPA.
14. General
This DPA is governed by the law of England and Wales and forms part of the Terms of Use. If there is a conflict between this DPA and the Terms of Use on the processing of personal data, this DPA prevails. We may update this DPA as the service develops; material changes will be noted on this page with an updated date.
Schedule 3 — Approved sub-processors
The sub-processors below are authorised under section 8. The same list, with what each provider does and where data is held, is maintained on our Sub-processors page.
| Sub-processor | Contracting entity | Purpose | Location / region |
|---|---|---|---|
| Supabase | Supabase, Inc. | Database, authentication and file storage | United Kingdom (London — region eu-west-2) |
| Stripe | Stripe Payments Europe, Limited | Payment processing and subscription billing | Ireland (Dublin) / United States |
| Resend | Resend, Inc. | Transactional email delivery | United States |
| Netlify | Netlify, Inc. | Application hosting, CDN and scheduled functions | United States |
| Upstash | Upstash, Inc. | Redis-backed rate limiting | United States |
| Sentry | Functional Software, Inc. (Sentry) | Error monitoring and diagnostics | United States |
| Cloudflare | Cloudflare, Inc. | Turnstile bot protection on the signup form | United States / global network |
| GoatCounter | GoatCounter (Martin Tournoij) | Privacy-friendly, cookie-free analytics | European Union |
| Microsoft 365 | Microsoft Ireland Operations Limited | Support mailbox (support@assesskit.co.uk) | European Union / United Kingdom (EU Data Boundary) |
Contact
Crocker Digital Ltd, Company No. 17008789. support@assesskit.co.uk.