Data Processing Agreement

For B2B customers · UK GDPR Article 28

Overview

When your organisation uses SiteSinc, you are the data controller and SiteSinc acts as your data processor for personal data uploaded to the platform, including Project Assistant (AI chat) processing.

Our Data Processing Agreement (DPA) sets out processor obligations under UK GDPR Article 28, including security measures, subprocessor controls, international transfer safeguards, breach notification, and assistance with data subject rights.

Key processor commitments

Process personal data only on your documented instructions
Ensure confidentiality of personnel with data access
Implement appropriate technical and organisational security measures
Engage subprocessors only under GDPR-compliant contracts (see our subprocessor register)
Assist with data subject access, erasure, and portability requests
Notify you of personal data breaches within 72 hours
Delete or return data within 30 days of account termination

AI processing

Project Assistant sends chat messages and retrieved project context to our AI subprocessors OpenAI (embeddings) and xAI (response generation) in the United States. Transfers are protected by UK IDTA / Standard Contractual Clauses. Mailbox content indexed for AI search has sender details and inline email addresses redacted.

Request a signed DPA

Enterprise customers and organisations requiring a countersigned agreement should contact our Data Protection Officer. We will provide the full DPA template for review and execution.

Email: dpo@sitesinc.co.uk