This Data Processing Agreement ("DPA") forms part of the Beamprobe Terms of Service. It applies whenever the customer ("Controller") uses Beamprobe ("Processor") to process personal data on the Controller's behalf under UK GDPR Article 28 and, where applicable, EU GDPR Article 28. By using a paid Beamprobe plan, the Controller accepts this DPA. A countersigned copy is available on request at [email protected].
1. Parties
- Controller: the customer entity identified in the Beamprobe account.
- Processor: Beamprobe, operated by Sandra Walczak (a sole trader based in Rochdale, England).
2. Subject matter, duration, nature, and purpose
The Processor provides a virtual data room platform for the secure storage and external sharing of confidential documents. Personal data is processed only as required to provide that service, for the duration of the Controller's subscription plus any documented retention window.
3. Types of personal data and categories of data subjects
- Account users: name, email address, hashed password, IP address, device user agent, login timestamps, billing identifiers.
- Document viewers (third-party recipients of shared links): email address (when collected via email gate), IP address, user agent, NDA acceptance metadata, page-by-page view timings.
- Document contents: as supplied by the Controller. Beamprobe does not inspect or scan document contents beyond what is required for storage, indexing for search, and processing into per-page renders.
4. Obligations of the Processor
Beamprobe shall:
- Process personal data only on documented instructions from the Controller, including the instructions implicit in normal use of the service.
- Ensure that personnel authorised to process personal data are bound by appropriate confidentiality obligations.
- Implement and maintain the technical and organisational measures described in Schedule A.
- Engage sub-processors only as listed in Schedule B and notify the Controller in advance of any intended change.
- Assist the Controller, taking into account the nature of the processing, in fulfilling its obligations under Articles 15 to 22 (data subject rights) and Articles 32 to 36 (security, breach notification, impact assessments).
- At the Controller's choice, delete or return all personal data after the end of the provision of services, and delete existing copies unless storage is required by law.
- Make available to the Controller all information necessary to demonstrate compliance with this DPA, and allow for and contribute to audits.
5. International transfers
Beamprobe stores customer documents and account data in the European Union or the United Kingdom by default. Where any sub-processor processes data outside the UK or EEA, the transfer is governed by the UK International Data Transfer Addendum to the EU Standard Contractual Clauses (or equivalent UK GDPR transfer mechanism in force at the time).
6. Security incidents
Beamprobe will notify the Controller without undue delay and in any event within 72 hours of becoming aware of a personal data breach affecting the Controller's personal data. The notification will include, to the extent known, the nature of the breach, categories and approximate number of data subjects and records concerned, likely consequences, and measures taken or proposed.
7. Data subject requests
If Beamprobe receives a request directly from a data subject, it will redirect the request to the Controller and notify the Controller within 5 working days unless prohibited by law.
8. Audit rights
The Controller may, on reasonable written notice (at least 30 days), audit Beamprobe's compliance with this DPA no more than once per 12 months unless required by a regulator or following a notified breach. Beamprobe will provide existing third-party audit reports in lieu of an on-site audit where these are available and relevant.
9. Liability and indemnity
The Parties' liability under this DPA is subject to the limitations and exclusions set out in the Beamprobe Terms of Service. Nothing in this DPA limits either Party's liability where such limitation is not permitted by law.
10. Term, termination, and return of data
This DPA remains in force for as long as Beamprobe processes personal data on behalf of the Controller. On termination, Beamprobe will retain data only for the documented retention window required to allow the Controller to export, then delete or anonymise it.
11. Order of precedence
To the extent of any conflict, this DPA prevails over the Terms of Service in matters relating to the processing of personal data under UK GDPR / EU GDPR.
Schedule A - Technical and organisational measures (Article 32)
- Encryption at rest: AES-256 envelope encryption applied to every document before it reaches storage. The wrapping key is held by the Beamprobe application, not by the storage provider.
- Encryption in transit: TLS 1.2+ enforced for all client connections. HSTS preload, modern ciphers only.
- Access control: per-user accounts, role-based access, password hashing (Argon2), session token rotation on privilege change, mandatory 2FA available on Business and Enterprise plans.
- Audit logging: all owner actions, link creations, NDA acceptances, and document views recorded with timestamp, IP, and user agent. Tamper-evident export available.
- Network segmentation: application servers run behind a reverse proxy on a private network. Database and storage are not reachable from the public internet.
- Backups: encrypted nightly database backups retained for the documented retention window, restorable to point-in-time within retention.
- Vulnerability management: dependency scanning on each deploy, security patches applied within documented SLA based on severity.
- Personnel: all personnel with production access sign confidentiality agreements and complete data-protection training.
- Pseudonymisation: IP addresses associated with analytics are hashed where used for aggregated reporting; bot traffic is filtered.
Schedule B - Sub-processors
| Sub-processor | Purpose | Location |
|---|---|---|
| Cloudflare R2 | Document object storage (encrypted ciphertext only) | EU jurisdiction by default; UK on request |
| Hetzner Online GmbH | Application servers and database hosting | European Union (Germany / Finland) |
| Resend | Transactional email delivery | European Union |
| Stripe Payments Europe Ltd | Subscription billing | Ireland (EU) |
Material changes to this sub-processor list will be communicated by email to billing contacts at least 14 days in advance. Controllers may object to any new sub-processor within the notice period; if the objection cannot be resolved, the Controller may terminate the affected service.
How to sign or request a countersigned copy
For most paid plans, accepting the Beamprobe Terms of Service incorporates this DPA by reference and is sufficient. If you require a countersigned PDF for procurement or audit, email [email protected] with your account email and registered company details.
Beamprobe (Sandra Walczak, sole trader). ICO registration in progress; reference number will be added on completion. Last review 14 May 2026.