Data Processing Agreement

LatestDrawing.com Last updated: 11 July 2026

This Data Processing Agreement ("DPA") forms part of the Terms of Service between Forty Four Design Limited ("we", "us", the "Processor") and the customer studio ("you", the "Controller"). It applies where we process personal data on your behalf in providing LatestDrawing.com, and is intended to satisfy Article 28(3) UK GDPR (and, where applicable, EU GDPR).

1. Roles and scope

For personal data you add to the service about people other than yourself — project participants such as builders, clients, subcontractors, consultants and your own staff — you are the controller and we are the processor. (For your own account registration and billing data, we are the controller, as described in our Privacy Policy; that data is outside this DPA.)

2. Details of processing

  • Subject matter: provision of the LatestDrawing.com service.
  • Duration: the term of your agreement with us, plus the deletion period in clause 8.
  • Nature and purpose: storage, organisation, transmission and display of project documents and participant details in order to operate drawing registers and share documents with participants you authorise.
  • Categories of data subjects: your personnel; your clients; contractors, subcontractors, consultants and other project participants you invite or record.
  • Categories of personal data: names, email addresses, roles/job titles, organisation names, project activity records, and any personal data contained within documents you upload.
  • Special category data: the service is not designed for special category data and you agree not to submit it except where it incidentally appears within project documents.

3. Our obligations as processor

We will:

  1. process personal data only on your documented instructions (your use of the service's features constitutes instructions), unless required by law to do otherwise, in which case we will inform you unless prohibited;
  2. ensure persons authorised to process the data are bound by confidentiality;
  3. implement appropriate technical and organisational measures (Annex B);
  4. engage sub-processors only under clause 4;
  5. taking into account the nature of the processing, assist you with responding to data subject rights requests — if we receive a request directly from one of your data subjects, we will pass it to you without undue delay;
  6. assist you with your obligations under Articles 32–36 UK GDPR (security, breach notification, DPIAs), taking into account the information available to us;
  7. notify you without undue delay after becoming aware of a personal data breach affecting your data, providing sufficient information for you to meet your own notification obligations;
  8. delete or return personal data at the end of the agreement under clause 8; and
  9. make available information reasonably necessary to demonstrate compliance with this DPA, and allow audits under clause 7.

4. Sub-processors

You give general written authorisation for the sub-processors listed in Annex A. We will give at least 30 days' notice before adding or replacing a sub-processor (by email or in-app notice). If you reasonably object on data protection grounds and we cannot offer an alternative, you may terminate the affected services. We remain responsible for our sub-processors' performance.

5. International transfers

Data is transferred outside of the UK as required to use the services provided by our sub-processors. We engage the services of a limited number of sub-processors and have endeavoured to keep services as close to the UK as possible. Current transfer mechanisms per sub-processor are noted in Annex A.

6. Your obligations as controller

You warrant that you have a lawful basis for the personal data you submit, that you have provided any required privacy information to your data subjects (our Privacy Policy describes our role and may be referenced), and that your instructions to us comply with data protection law.

7. Audit

We will make available, on request and no more than once per year, our current security documentation and summaries of any third-party audits or certifications of our sub-processors. Where this is insufficient to demonstrate compliance, you may conduct (at your cost, on 30 days' notice, during business hours, subject to confidentiality) an audit limited to our processing of your data.

8. Deletion and return

You can export your project documents at any time during the agreement. All data associated with an account is immediately deleted from our database and is unrecoverable following a request to delete an account, except that data may persist in encrypted backups for up to 7 days before being overwritten, and we may retain data we are legally required to keep.

Following the cancellation of a subscription (not account deletion), we reserve the right to delete your personal data after 30 days, except that data may persist in encrypted backups for up to 7 days before being overwritten, and we may retain data we are legally required to keep.

9. Liability and order of precedence

Liability under this DPA is subject to the limitations in the Terms of Service. If this DPA conflicts with the Terms of Service on data protection matters, this DPA prevails.


Annex A — Approved sub-processors

Sub-processorServiceLocation of processingTransfer mechanism
Supabase, Inc.Database, authentication, file storageSwitzerland (AWS eu-central-2, Zurich)UK adequacy regulations for Switzerland (EU adequacy decision where EU GDPR applies)
Stripe, Inc. / Stripe Payments Europe LtdPayment processingEU/UK and United StatesUK Extension to EU–US Data Privacy Framework; SCCs with UK Addendum
Resend (Plus Five Five, Inc.)Transactional emailIreland (eu-west-1); company operations in the United StatesUK adequacy for EU processing; SCCs with UK Addendum for US access
Vercel, Inc.Application hostingUnited Kingdom (lhr1) with global CDN; company operations in the United StatesUK Extension to EU–US Data Privacy Framework; SCCs with UK Addendum

Annex B — Technical and organisational measures

  • Encryption of data in transit (TLS 1.2+) and at rest.
  • Passwords stored as salted cryptographic hashes; authentication managed via Supabase Auth.
  • Row-level access controls: documents are available for upload, edit and deletion only by authenticated members of the owning studio and participants they have authorised as ‘collaborators’
  • All documents are publicly accessible via share links and QR code scan pages
  • Role-based permissions within studios (owner/admin/member roles).
  • Production access restricted to authorised personnel on a need-to-know basis; administrative actions logged.
  • Regular encrypted backups; documented restore procedure.
  • Vulnerability management: dependencies monitored and patched; security fixes prioritised.
  • Breach response procedure with defined roles and notification steps.