Data Processing Agreement
LatestDrawing.com Last updated: 11 July 2026
This Data Processing Agreement ("DPA") forms part of the Terms of Service between Forty Four Design Limited ("we", "us", the "Processor") and the customer studio ("you", the "Controller"). It applies where we process personal data on your behalf in providing LatestDrawing.com, and is intended to satisfy Article 28(3) UK GDPR (and, where applicable, EU GDPR).
1. Roles and scope
For personal data you add to the service about people other than yourself — project participants such as builders, clients, subcontractors, consultants and your own staff — you are the controller and we are the processor. (For your own account registration and billing data, we are the controller, as described in our Privacy Policy; that data is outside this DPA.)
2. Details of processing
- Subject matter: provision of the LatestDrawing.com service.
- Duration: the term of your agreement with us, plus the deletion period in clause 8.
- Nature and purpose: storage, organisation, transmission and display of project documents and participant details in order to operate drawing registers and share documents with participants you authorise.
- Categories of data subjects: your personnel; your clients; contractors, subcontractors, consultants and other project participants you invite or record.
- Categories of personal data: names, email addresses, roles/job titles, organisation names, project activity records, and any personal data contained within documents you upload.
- Special category data: the service is not designed for special category data and you agree not to submit it except where it incidentally appears within project documents.
3. Our obligations as processor
We will:
- process personal data only on your documented instructions (your use of the service's features constitutes instructions), unless required by law to do otherwise, in which case we will inform you unless prohibited;
- ensure persons authorised to process the data are bound by confidentiality;
- implement appropriate technical and organisational measures (Annex B);
- engage sub-processors only under clause 4;
- taking into account the nature of the processing, assist you with responding to data subject rights requests — if we receive a request directly from one of your data subjects, we will pass it to you without undue delay;
- assist you with your obligations under Articles 32–36 UK GDPR (security, breach notification, DPIAs), taking into account the information available to us;
- notify you without undue delay after becoming aware of a personal data breach affecting your data, providing sufficient information for you to meet your own notification obligations;
- delete or return personal data at the end of the agreement under clause 8; and
- make available information reasonably necessary to demonstrate compliance with this DPA, and allow audits under clause 7.
4. Sub-processors
You give general written authorisation for the sub-processors listed in Annex A. We will give at least 30 days' notice before adding or replacing a sub-processor (by email or in-app notice). If you reasonably object on data protection grounds and we cannot offer an alternative, you may terminate the affected services. We remain responsible for our sub-processors' performance.
5. International transfers
Data is transferred outside of the UK as required to use the services provided by our sub-processors. We engage the services of a limited number of sub-processors and have endeavoured to keep services as close to the UK as possible. Current transfer mechanisms per sub-processor are noted in Annex A.
6. Your obligations as controller
You warrant that you have a lawful basis for the personal data you submit, that you have provided any required privacy information to your data subjects (our Privacy Policy describes our role and may be referenced), and that your instructions to us comply with data protection law.
7. Audit
We will make available, on request and no more than once per year, our current security documentation and summaries of any third-party audits or certifications of our sub-processors. Where this is insufficient to demonstrate compliance, you may conduct (at your cost, on 30 days' notice, during business hours, subject to confidentiality) an audit limited to our processing of your data.
8. Deletion and return
You can export your project documents at any time during the agreement. All data associated with an account is immediately deleted from our database and is unrecoverable following a request to delete an account, except that data may persist in encrypted backups for up to 7 days before being overwritten, and we may retain data we are legally required to keep.
Following the cancellation of a subscription (not account deletion), we reserve the right to delete your personal data after 30 days, except that data may persist in encrypted backups for up to 7 days before being overwritten, and we may retain data we are legally required to keep.
9. Liability and order of precedence
Liability under this DPA is subject to the limitations in the Terms of Service. If this DPA conflicts with the Terms of Service on data protection matters, this DPA prevails.
Annex A — Approved sub-processors
| Sub-processor | Service | Location of processing | Transfer mechanism |
|---|---|---|---|
| Supabase, Inc. | Database, authentication, file storage | Switzerland (AWS eu-central-2, Zurich) | UK adequacy regulations for Switzerland (EU adequacy decision where EU GDPR applies) |
| Stripe, Inc. / Stripe Payments Europe Ltd | Payment processing | EU/UK and United States | UK Extension to EU–US Data Privacy Framework; SCCs with UK Addendum |
| Resend (Plus Five Five, Inc.) | Transactional email | Ireland (eu-west-1); company operations in the United States | UK adequacy for EU processing; SCCs with UK Addendum for US access |
| Vercel, Inc. | Application hosting | United Kingdom (lhr1) with global CDN; company operations in the United States | UK Extension to EU–US Data Privacy Framework; SCCs with UK Addendum |
Annex B — Technical and organisational measures
- Encryption of data in transit (TLS 1.2+) and at rest.
- Passwords stored as salted cryptographic hashes; authentication managed via Supabase Auth.
- Row-level access controls: documents are available for upload, edit and deletion only by authenticated members of the owning studio and participants they have authorised as ‘collaborators’
- All documents are publicly accessible via share links and QR code scan pages
- Role-based permissions within studios (owner/admin/member roles).
- Production access restricted to authorised personnel on a need-to-know basis; administrative actions logged.
- Regular encrypted backups; documented restore procedure.
- Vulnerability management: dependencies monitored and patched; security fixes prioritised.
- Breach response procedure with defined roles and notification steps.