Schedule 2 — Data Processing Agreement

EULA Schedule  |  UK GDPR Article 28 · Formulize Ltd  |  Version  |  Effective:  |  Framework: UK GDPR & DPA 2018

1. Background and Parties

This Data Processing Agreement ("DPA") supplements the End-User Licence Agreement between the parties ("EULA") and governs the processing of personal data by Formulize on behalf of the Controller in connection with the Platform and Program. In the event of any conflict between this DPA and the EULA, this DPA prevails in respect of data protection matters.

Data Controller

The User

The User identified in the Formulize Ltd EULA.

Data Processor

Formulize Ltd

Company no. 15114266 · Registered in England and Wales · 71-75 Shelton Street, Covent Garden, London WC2H 9JQ · info@formulize.io

2. Definitions

Term | Definition
Applicable Data Protection Law | The UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and any other applicable data protection legislation in force in the UK.
Personal Data | Any information relating to an identified or identifiable natural person (UK GDPR Article 4(1)).
Processing | Any operation performed on Personal Data, including collection, storage, use, disclosure, and deletion (UK GDPR Article 4(2)).
Data Subject | The identified or identifiable natural person to whom Personal Data relates.
Sub-Processor | Any third party engaged by Formulize to process Personal Data on behalf of the Controller.
Security Incident | A breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data.

3. Details of Processing

3.1 Processing overview

Element | Detail
Subject matter | Processing of personal data created, input, or generated on the Formulize Platform by the Controller or its authorised users in connection with their use of the Program, including account registration, professional qualification verification, engineering calculation activity, project management, support communications, and security event logging.
Duration | For the duration of the Controller's active account and for such further period as is required by law or by the EULA retention provisions. Soft-deleted account data is retained for 30 days to permit restoration, then permanently purged. Policy acceptance records are retained in anonymised form for legal compliance purposes (UK GDPR Art 17(3)(e)).
Nature of processing | Collection and storage of account and profile data at registration; execution of engineering calculations on input parameters submitted by the Controller; persistent storage of calculation inputs and outputs for audit and retrieval; storage and management of saved calculation forms and project containers; recording of professional qualification declarations; logging of authentication and security events; recording of support communications; delivery of transactional email notifications via authorised Sub-Processors; recording of legal document acceptance; and secure deletion or anonymisation of all Personal Data on account termination or upon request.
Purpose | To provide the Platform and associated services to the Controller as described in the EULA, including: authentication and account management; professional compliance verification; delivery of engineering calculation functionality; storage and retrieval of the Controller's saved work; support and issue resolution; platform security and fraud prevention; and regulatory compliance record-keeping.

3.2 Categories of personal data processed

Category | Data items | Purpose
Account & identity data | First name, last name, email address, organisation name, engineering discipline, optional profile avatar image, account creation timestamp, email opt-out preference. | Account authentication, personalisation, and communication.
Professional declaration data | Profession type, professional body, membership or registration number, country of practice, years qualified. For US/Canada practitioners: state or province, licence type, NCEES ID. For students: university name and degree programme. Declaration confirmation status and timestamps. | Verification that the Controller is a qualified professional as required under the EULA. Regulatory compliance.
Calculation activity data | Calculation type and version, numerical engineering input parameters, computed output results, success or failure status, error messages where applicable, and timestamp of each calculation run. | Delivery of the engineering calculation service; provision of a personal calculation history and audit trail for the Controller.
Saved form & document data | Saved calculation form data and form metadata (including element identifiers, project or reference numbers, and page numbers); personnel references entered by the Controller in calculation documentation (e.g. names of preparing, checking, and approving engineers); timestamps. | Persistent storage and retrieval of the Controller's saved engineering work product.
Project metadata | Project title (may contain client or site names), job number, creation and update timestamps. | Organisation and grouping of saved calculation work into named projects.
Support communications | Contact messages (subject and message body); admin replies and user follow-up messages. Problem or bug reports including description, calculation inputs at the time of the reported issue, and admin response. | Customer support, issue resolution, and platform quality improvement.
Authentication & security event data | IP address (IPv4 or IPv6) at time of login attempt, browser user agent string, login success or failure status, failure reason where applicable, two-factor authentication status, timestamp. | Account security, detection of unauthorised access, and fraud prevention.
Legal acceptance records | Document type and version accepted, timestamp of acceptance, IP address and browser user agent at time of acceptance. IP address and user agent are cleared on account deletion; version and timestamp are retained under UK GDPR Art 17(3)(e). | Demonstrable record of informed consent and legal document acceptance for regulatory compliance.
Administrative audit records | Record of administrative actions taken on user accounts, including action type, affected entity, administering user identifier, and timestamp. | Internal accountability, access control auditing, and security oversight.

3.3 Categories of data subjects

Category | Description
The Controller (authorised users) | The individual engineers and professionals who hold Formulize accounts under the Controller's organisation. Their account, professional declaration, calculation activity, and security data are processed to provide the Platform.
Third parties referenced in User Content | Individuals whose personal data the Controller chooses to include in saved forms or projects — for example, named checking or approving engineers in calculation documentation, or clients and project stakeholders referenced in project titles or job numbers. Formulize does not require or specify that User Content contains personal data about third parties; the Controller determines what, if any, such data is included.

4. Processor Obligations

4.1 Processing on instructions only

Formulize shall process Personal Data only on documented instructions from the Controller. Formulize shall promptly notify the Controller if an instruction would infringe Applicable Data Protection Law, in which case Formulize is not obliged to follow that instruction until the Controller confirms it in writing having taken legal advice.

4.2 Confidentiality

Formulize shall ensure that persons authorised to process Personal Data are bound by appropriate obligations of confidentiality and have received adequate data protection training. Access is restricted to personnel who require it to fulfil Formulize's obligations.

4.3 Security

Formulize shall implement and maintain the technical and organisational security measures in Appendix A. Formulize shall take into account the state of the art, implementation costs, and the nature, scope, context, and purposes of processing.

4.4 Sub-processors

The Controller provides general authorisation for Formulize to engage Sub-Processors, subject to:

  1. Formulize maintaining and making available an up-to-date sub-processor list (Appendix B);
  2. Formulize imposing data protection obligations on each Sub-Processor equivalent to those in this DPA;
  3. Formulize notifying the Controller at least 30 days before adding a new Sub-Processor that will process Personal Data. If the Controller reasonably objects on data protection grounds, the parties shall work in good faith to resolve the concern; and
  4. Formulize remaining fully liable for Sub-Processors' acts and omissions to the same extent as if Formulize had performed the processing directly.

4.5 Data Subject Rights

Formulize shall provide reasonable assistance to the Controller in fulfilling its obligations to respond to Data Subject rights requests (access, rectification, erasure, restriction, portability, objection). Where a Data Subject submits a request directly to Formulize, Formulize shall forward it to the Controller without undue delay.

4.6 Assistance with Controller obligations

Formulize shall provide reasonable assistance in ensuring compliance with the Controller's obligations under UK GDPR Articles 32–36, including in relation to security, Security Incident notifications, data protection impact assessments, and prior ICO consultation.

4.7 Security Incident notification

48-hour notification obligation: Formulize shall notify the Controller without undue delay and in any event within 48 hours of becoming aware of a Security Incident involving Personal Data processed under this DPA. Notification shall include: nature of the incident, categories and approximate number of Data Subjects affected, categories and volume of Personal Data affected, likely consequences, and measures taken or proposed.

The Controller is responsible for notifying the ICO within 72 hours under UK GDPR Article 33. Formulize's 48-hour notification is designed to give the Controller sufficient time to meet that obligation.

4.8 Deletion and return of data

On termination of the EULA, or on written request, Formulize shall, at the Controller's election:

  1. securely delete all Personal Data (other than as required by applicable law); or
  2. return all Personal Data in a commonly used machine-readable format.

Formulize shall certify in writing that deletion has been completed, unless prohibited by applicable law.

4.9 Audit rights

Formulize shall permit audits and inspections conducted by the Controller or an independent auditor, subject to:

  1. not less than 30 days' written notice;
  2. audit during normal business hours, minimising disruption;
  3. maximum once per calendar year (unless a Security Incident has occurred); and
  4. appropriate confidentiality obligations.

The Controller bears audit costs unless the audit reveals material non-compliance by Formulize.

5. Controller Obligations

The Controller warrants and undertakes that:

  1. it has a lawful basis for processing and sharing with Formulize all Personal Data submitted to the Platform;
  2. it has made all necessary disclosures to, and obtained all necessary consents from, the Data Subjects whose Personal Data is processed under this DPA;
  3. it will not instruct Formulize to process Personal Data in a manner that would cause Formulize to breach Applicable Data Protection Law; and
  4. it will comply with its own obligations as a data controller under Applicable Data Protection Law, including maintaining a Record of Processing Activities that includes the processing described in this DPA.

6. International Transfers

Primary data storage in the UK: Formulize stores and processes all Personal Data in its primary database within the United Kingdom. Transactional email delivery and bot-protection verification involve authorised Sub-Processors outside the UK, as described in Appendix B, with appropriate transfer safeguards in place for each.

If Formulize engages a Sub-Processor that processes Personal Data outside the UK, appropriate transfer safeguards will be implemented under UK GDPR Chapter V (UK IDTA, UK Addendum to SCCs, or adequacy decision) before any transfer occurs. The current position of each Sub-Processor is set out in Appendix B.

7. Liability

Each party's liability under this DPA is subject to the limitations and exclusions in the EULA, except that nothing in this DPA or the EULA limits either party's liability:

  • to Data Subjects for breach of Applicable Data Protection Law; or
  • to the ICO or other supervisory authority for regulatory fines, penalties, or enforcement action.

8. Term and Termination

This DPA takes effect on the Effective Date and continues for the duration of the EULA. It terminates automatically on termination or expiry of the EULA. Obligations of confidentiality, data deletion, and audit rights survive termination.

9. Governing Law

This DPA is governed by the laws of England and Wales. The courts of England and Wales have exclusive jurisdiction over any dispute arising under this DPA.

Appendix A — Technical and Organisational Security Measures

Category | Measures implemented
Encryption in transit | All data transmitted between users and the Platform is encrypted in transit using current industry-standard transport security. Connections over unencrypted channels are rejected.
Encryption at rest | Personal Data stored on the Platform is protected by encryption at rest using industry-standard cryptographic algorithms. Encryption keys are managed separately from data and access to them is restricted to authorised personnel.
Access controls | Access to production systems and Personal Data is restricted to authorised personnel on a need-to-know basis. The production environment is network-isolated and protected by appropriate perimeter controls. Multi-factor authentication is required for all production system access.
Password security | User passwords are stored as salted cryptographic hashes using an industry-standard algorithm appropriate for password storage. Plain-text passwords are never stored or transmitted. Two-factor authentication is available to all users and mandatory for platform administrators.
Bot and abuse protection | Automated abuse prevention (bot detection and CAPTCHA verification) is applied to authentication-related forms to prevent automated credential-stuffing and account-creation abuse.
Backup and recovery | Regular automated backups are taken and encrypted; backups are stored at a geographically separate location within the UK to support disaster recovery.
Vulnerability management | Security patches are applied to operating systems, application frameworks, and third-party dependencies on a regular basis. Dependencies are reviewed for known vulnerabilities prior to deployment.
Physical security | Platform hosted at a UK-based ISO 27001 certified data centre.
Incident response | Formulize maintains an internal Security Incident response procedure. Incidents are logged, assessed, and escalated in accordance with Section 4.7 above.
Audit logging | Authentication events, administrative actions, and material changes to user data are logged for security and accountability purposes, and retained in accordance with the retention schedule in the Privacy Notice.

Appendix B — Authorised Sub-Processors

The following Sub-Processors are authorised to process Personal Data under this DPA as at the Effective Date:

Sub-processor | Purpose | Location | Transfer safeguard
DigitalOcean LLC | Cloud hosting, primary data storage, and automated backups | United Kingdom | UK data centre — no international transfer. DigitalOcean DPA in place.
Mailjet SAS | Transactional email delivery for account and platform communications. Processes recipient email address and name only. | European Union | UK Adequacy Decision for EU transfers. Mailjet DPA in place.
Cloudflare Inc. | Bot protection and CAPTCHA verification on authentication forms. Processes form interaction signals and IP address for bot-detection purposes only; no user-submitted form data is shared with Cloudflare. | United States | UK IDTA with Cloudflare Inc. in place.

Sub-processor updates: Formulize will update this Appendix and provide 30 days' notice to Controllers before adding any new Sub-Processor that will process Personal Data.