Data Processing Addendum
Last updated: June 2026 | Effective: June 2026
This Data Processing Addendum ("DPA") forms part of the agreement between you ("Controller") and DscvryAI / DISCOVERY AI LIMITED ("Processor") and governs the processing of personal data by Structurify on your behalf. By using the Service you accept this DPA. Enterprise customers may request a countersigned DPA by emailing privacy@structurify.ai.
1. Definitions
| Term | Meaning |
|---|---|
| Controller | You — the customer or organisation that determines the purposes and means of processing personal data submitted to Structurify. |
| Processor | DscvryAI / DISCOVERY AI LIMITED, operating Structurify, which processes personal data on behalf of the Controller. |
| Personal Data | Any information relating to an identified or identifiable natural person contained in documents or data submitted to the Service. |
| Processing | Any operation performed on Personal Data, including storage, extraction, structuring, and deletion. |
| Sub-processor | A third party engaged by the Processor to carry out processing activities on behalf of the Controller. |
| GDPR | EU General Data Protection Regulation 2016/679 and its UK equivalent (UK GDPR). |
2. Scope of Processing
| Field | Details |
|---|---|
| Subject matter | AI-powered document data extraction and structuring services. |
| Duration | For the duration of the Service agreement, plus any statutory retention period. |
| Nature and purpose | Processing documents uploaded by the Controller to extract structured data fields using AI models. |
| Type of Personal Data | As determined by the Controller — may include names, addresses, financial data, identification numbers, or other personal data contained in uploaded documents. |
| Categories of data subjects | Individuals whose personal data appears in documents submitted to the Service (e.g. invoice counterparties, medical patients, employees, customers). |
3. Processor Obligations
The Processor shall:
- Process Personal Data only on documented instructions from the Controller, including with regard to transfers to third countries, unless required to do so by applicable law.
- Ensure that persons authorised to process Personal Data are bound by appropriate confidentiality obligations.
- Implement appropriate technical and organisational security measures in accordance with GDPR Article 32.
- Not engage a Sub-processor without prior written authorisation from the Controller, except as set out in Section 5.
- Assist the Controller in responding to data subject rights requests (Articles 15–22 GDPR).
- Notify the Controller without undue delay (and within 72 hours where feasible) upon becoming aware of a Personal Data breach.
- Delete or return all Personal Data upon termination of the Service, at the Controller's choice, and delete existing copies unless retention is required by law.
- Provide all information necessary to demonstrate compliance with this DPA and allow for audits or inspections by the Controller or its auditors.
4. Controller Obligations
The Controller:
- Warrants that it has a lawful basis for processing Personal Data and for instructing the Processor to process it.
- Is responsible for ensuring data subjects have been informed of the processing in accordance with GDPR Articles 13 and 14.
- Must not submit special categories of personal data (Article 9 GDPR) or criminal conviction data (Article 10 GDPR) without first notifying the Processor and obtaining appropriate safeguards.
5. Approved Sub-processors
The Controller hereby authorises the Processor to engage the following Sub-processors. The Processor will notify the Controller of any intended changes and allow a reasonable objection period.
| Sub-processor | Country | Processing activity | Safeguard |
|---|---|---|---|
| Cloudflare, Inc. | United States | Edge infrastructure, storage (R2), database (D1), Workers compute, WAF/DDoS protection | Standard Contractual Clauses (SCCs) — EU Commission 2021/914 |
| Microsoft Corporation | United States | Authentication (Microsoft Entra External ID / Azure AD B2C) | Standard Contractual Clauses + Microsoft Data Processing Agreement |
| Anthropic, PBC | United States | AI document processing (Claude API — data not retained beyond request) | Standard Contractual Clauses; Anthropic does not train on API data |
6. International Data Transfers
Where Personal Data is transferred outside the European Economic Area or the UK, the Processor ensures that appropriate safeguards are in place:
- Standard Contractual Clauses (SCCs) — EU Commission Decision 2021/914, incorporated into Sub-processor agreements.
- UK International Data Transfer Addendum (IDTA) — Applied where transfers involve UK personal data.
- Adequacy decisions — Relied upon where applicable.
7. Security Measures
The Processor maintains the following technical and organisational measures:
- Encryption at rest: AES-256 via Cloudflare R2 and D1
- Encryption in transit: TLS 1.3
- Access control: Role-based access; Microsoft Entra authentication required
- Web Application Firewall: Cloudflare WAF with DDoS protection
- Audit logging: All privacy-sensitive operations are logged
- Data minimisation: Documents are processed and structured; raw content is not retained beyond operational needs
- No AI training: Document contents are not used to train AI models
8. Data Subject Rights
The Processor will assist the Controller in fulfilling data subject requests. Data subjects may also exercise certain rights directly through the Service:
- Export (portability): Users can export their data as JSON or CSV from the Privacy & Data settings.
- Deletion: Users can delete their account and all associated data from the Privacy & Data settings or by contacting privacy@structurify.ai. Deletion is completed within 30 days.
- Access: Contact dpo@structurify.ai to request a summary of personal data held.
9. Breach Notification
In the event of a Personal Data breach affecting data processed under this DPA, the Processor will:
- Notify the Controller without undue delay and, where feasible, within 72 hours of becoming aware.
- Provide a description of the nature of the breach, categories of data subjects affected, likely consequences, and measures taken or proposed to address the breach.
- Cooperate with the Controller in meeting any obligations to notify supervisory authorities or affected data subjects.
10. Term and Termination
This DPA remains in force for the duration of the Service agreement. Upon termination:
- The Controller may export their data within 30 days of termination using the Service export tools.
- The Processor will delete all Personal Data within 30 days of the termination date, unless retention is required by law.
- Deletion confirmation is available on request.
11. Governing Law
This DPA is governed by the laws of England and Wales. Any disputes shall be subject to the exclusive jurisdiction of the courts of England and Wales, except where applicable data protection law requires otherwise.
Request a Countersigned DPA
Enterprise customers and organisations that require a countersigned copy of this DPA for their compliance records may request one by emailing privacy@structurify.ai with the subject line "DPA Request — [Organisation Name]".
We aim to respond within 5 business days.
12. Contact
- Data protection enquiries: dpo@structurify.ai
- DPA requests: privacy@structurify.ai
- EU Representative: james.stevenson@dscvryai.com
Operated by: DscvryAI / DISCOVERY AI LIMITED, London, UK.