For professional customers

Data Processing Agreement

Last updated 1 May 2026

This Data Processing Agreement (“DPA”) forms part of the agreement between applywell (“applywell”, “Processor”) and you (“Customer”, “Controller”) when you subscribe to an applywell professional plan and upload personal data on behalf of your clients. It governs how applywell processes that personal data under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

1. Definitions

“Personal Data”, “Controller”, “Processor”, “Data Subject”, and “Processing” have the meanings given in the UK GDPR.

2. Roles

Customer is the Controller of any personal data it (or its clients) uploads to applywell — typically client names, email addresses, postcodes, project details and architectural drawings that may contain personal data. applywell acts as Processor on the Customer's documented instructions.

3. Subject matter and duration

applywell processes personal data only to provide the applywell service to the Customer for the duration of the Customer's subscription. The nature of processing is storage, AI-assisted analysis (using sub-processors listed below), and presentation of results to authorised users invited by the Customer.

4. Categories of data subjects and personal data

  • The Customer's clients and the architect's collaborators (named users invited to a case).
  • Names, email addresses, UK postcodes, site addresses, project descriptions, uploaded drawings and supporting documents.
  • No special-category data (Article 9) is required for the service; the Customer should not upload it.

5. applywell's obligations as Processor

  1. Process personal data only on the Customer's documented instructions, including transfers outside the UK (none currently applicable; see §8).
  2. Ensure persons authorised to process personal data are bound by confidentiality.
  3. Take all measures required under Article 32 (security of processing) — see §7 below.
  4. Engage sub-processors only with the Customer's general written authorisation (see §6) and impose equivalent data-protection obligations on them.
  5. Assist the Customer in responding to data-subject rights requests (access, rectification, erasure, portability, restriction, objection, automated decision-making).
  6. Notify the Customer of any personal-data breach without undue delay after becoming aware.
  7. At the Customer's choice, delete or return all personal data after the end of the service (delete by default; export is available on request).
  8. Make available all information necessary to demonstrate compliance with this DPA, and allow for audits in line with §10.

6. Sub-processors (general authorisation)

The Customer authorises applywell to use the following sub-processors:

  • Supabase, Inc. — database, authentication, file storage. Region: EU (eu-north-1).
  • Vercel, Inc. — application hosting and edge network.
  • Anthropic PBC — AI inference (Claude). Inputs are not used to train Anthropic models.
  • Stripe Payments Europe Limited — payment processing (the Customer's billing data only, not the Customer's end-clients).
  • Cloudflare, Inc. — DNS and edge security.
  • Resend (Resend.com) — transactional email delivery.

applywell will give the Customer at least 30 days' written notice of any new sub-processor or replacement, during which the Customer may object on reasonable data-protection grounds.

7. Security measures

  • Data encrypted in transit (TLS 1.2+) and at rest (database + object storage).
  • Authentication via single-use email links; no plaintext password storage.
  • Row-level access control in the database; least-privilege service keys.
  • Logical separation between customer accounts.
  • Regular dependency updates and review of sub-processor security posture.
  • Incident response with breach notification to Customers and, where required, the ICO.

8. International transfers

Personal data is stored in the EEA (Supabase eu-north-1). Transfers to sub-processors based outside the UK/EEA (Anthropic, Vercel, Cloudflare, Stripe, Resend, where applicable) take place under the UK's International Data Transfer Addendum to the EU SCCs (or equivalent adequacy mechanism in force at the time).

9. Data-subject requests

applywell will, taking into account the nature of processing, provide reasonable assistance to the Customer in fulfilling data-subject rights requests. The Customer remains responsible for responding to data subjects.

10. Audits

The Customer may, on 30 days' written notice and no more than once per 12-month period, request information necessary to demonstrate compliance with this DPA. On-site audits are at the Customer's cost and require mutual agreement on scope and timing; SOC-2 / ISO-27001 reports from sub-processors will be shared in lieu of an on-site audit where available.

11. Liability and term

The liability cap and governing-law provisions of the main Terms of Service apply to this DPA. This DPA terminates automatically when the underlying subscription ends.

12. Contact

Data-protection queries and breach notifications: hello@applywell.co.uk. You can also contact the UK Information Commissioner's Office.

By subscribing to an applywell professional plan and uploading data on behalf of clients, you accept this DPA on behalf of the Controller. If you require a counter-signed PDF version for your records, email hello@applywell.co.uk.