Data Processing Agreement
Under Article 28 of the UK General Data Protection Regulation (UK GDPR), organisations that use DocsCheck to process personal data on behalf of their clients are required to have a written Data Processing Agreement (DPA) in place with Zayn Productions Ltd.
This page sets out the terms of that agreement. By using DocsCheck to process personal data, you agree to these terms. If your organisation requires a countersigned DPA document for internal compliance records, please contact us at privacy@docscheck.co.uk.
1. Parties
Data Controller: The organisation subscribing to DocsCheck (you).
Data Processor: Zayn Productions Ltd, 1 Alvin Street, Gloucester, England, GL1 3EJ (Company No. 16892199).
2. Subject matter and duration
This DPA governs the processing of personal data by Zayn Productions Ltd on behalf of the Data Controller in connection with the provision of the DocsCheck platform. The agreement remains in force for the duration of the DocsCheck subscription and for 90 days following termination.
3. Nature and purpose of processing
Zayn Productions Ltd processes personal data to provide the DocsCheck platform services, including:
- Storing and managing uploaded immigration documents
- Processing questionnaire responses submitted by clients
- Running AI analysis on documents and case data
- Sending automated communications to clients (reminders, invitations)
- Generating representation letters and case outputs
- Maintaining audit logs and case records
4. Types of personal data
- Identity data (names, dates of birth, nationality, passport numbers)
- Contact data (email addresses, phone numbers, postal addresses)
- Immigration documents (passports, financial records, employment evidence, biometric residence permits)
- Questionnaire responses (employment history, financial circumstances, family details)
- Special category data where uploaded by the Data Controller (health information, criminal convictions — as may be relevant to asylum or human rights applications)
5. Categories of data subjects
- Immigration applicants managed by the Data Controller
- Sponsors and family members referenced in immigration applications
- Staff and administrators of the Data Controller's organisation
6. Obligations of the processor
Zayn Productions Ltd agrees to:
- Process personal data only on documented instructions from the Data Controller
- Ensure that persons authorised to process data are bound by confidentiality obligations
- Implement appropriate technical and organisational security measures (see Security page)
- Not engage sub-processors without prior general or specific authorisation from the Data Controller
- Assist the Data Controller in responding to data subject rights requests
- Assist the Data Controller in meeting obligations relating to security, breach notification, and DPIAs
- Delete or return all personal data at the end of the service provision
- Provide all information necessary to demonstrate compliance with Article 28
7. Sub-processors
The Data Controller provides general authorisation for Zayn Productions Ltd to use the following sub-processors. Zayn Productions Ltd will notify the Data Controller of any intended changes via email to the registered account address, with at least 14 days' notice.
| Sub-processor | Purpose | Location | Safeguard |
|---|---|---|---|
| OpenAI | AI document analysis, letter generation | USA | Standard Contractual Clauses |
| Google Cloud Storage | Document and file storage | EU/UK | EU adequacy / SCCs |
| Neon (PostgreSQL) | Database hosting | EU | EU hosting |
| Brevo | Email delivery | EU | EU hosting |
| ElevenLabs | Voice agent (Firm plan) | USA | Standard Contractual Clauses |
| Replit | Application hosting | USA | Standard Contractual Clauses |
8. Security measures
Zayn Productions Ltd implements the following technical and organisational measures:
- Two-factor authentication for staff and administrator accounts
- Multi-tenant data isolation at the database query level
- HTTPS/TLS encryption for all data in transit
- Server-side encryption for data at rest (Google Cloud Storage)
- Bcrypt password hashing (cost factor 12)
- Login audit logging with IP and user agent
- Automatic account lockout on repeated failed authentication
- Daily automated health monitoring
9. Data breach notification
Zayn Productions Ltd will notify the Data Controller without undue delay and in any event within 72 hours of becoming aware of a personal data breach that is likely to result in a risk to the rights and freedoms of natural persons. Notification will be sent to the registered account email address and will include all information required under Article 33(3) UK GDPR to the extent available at the time.
10. Data subject rights
Zayn Productions Ltd will, insofar as possible given the nature of the processing, assist the Data Controller in fulfilling its obligations to respond to data subject rights requests. Data Controllers may submit requests to privacy@docscheck.co.uk.
11. Deletion of data
Upon termination of the subscription, Zayn Productions Ltd will retain personal data for 90 days to allow the Data Controller to export their data. After this period, all personal data will be deleted from active systems. Backups will be purged within a further 30 days. The Data Controller may request immediate deletion at any time.
12. Governing law
This DPA is governed by the laws of England and Wales.
Need a countersigned DPA?
If your organisation's compliance processes require a formal countersigned DPA document, we can provide one on request. Contact us at privacy@docscheck.co.uk.
Request a signed DPA →