Data Processing Agreement
Version 1.0 · Last updated: 5 April 2026
This Data Processing Agreement ("DPA") forms part of the agreement between Struktive ("Processor") and the customer using the Struktive platform ("Controller"). It governs the processing of personal data by Struktive on behalf of the Controller in accordance with Article 28 of the UK/EU General Data Protection Regulation ("GDPR").
To request a countersigned DPA for your organisation, email [email protected] with your company name and registered address. We aim to respond within 2 business days.
1. Definitions
In this DPA, the following terms have the meanings set out below. All other capitalised terms have the meanings given in the Struktive Terms of Service.
| Term | Meaning |
|---|---|
| Personal Data | Any information relating to an identified or identifiable natural person contained within the asset data files uploaded to the Struktive platform (e.g., hostnames that include personal identifiers, email addresses in asset owner fields). |
| Processing | Any operation performed on Personal Data, including collection, storage, retrieval, use, disclosure, or deletion. |
| Controller | The customer who determines the purposes and means of processing Personal Data by uploading data to the Struktive platform. |
| Processor | Struktive, which processes Personal Data on behalf of the Controller. |
| Sub-processor | Any third party engaged by Struktive to process Personal Data on behalf of the Controller. |
| Data Subject | The natural person to whom Personal Data relates. |
| Supervisory Authority | The relevant data protection authority in the Controller's jurisdiction (e.g., ICO in the UK, relevant national DPA in the EU). |
2. Subject matter and nature of processing
Struktive processes Personal Data solely to provide the normalisation, classification, and quality-scoring services described in the Struktive Terms of Service. The nature, purpose, and duration of processing are set out in the table below.
| Element | Detail |
|---|---|
| Subject matter | Asset inventory data uploaded by the Controller, which may incidentally contain Personal Data (e.g., hostnames, IP addresses, asset owner names, email addresses in custom fields). |
| Nature of processing | Parsing, normalisation, classification, quality scoring, deduplication, and export of asset records. No profiling, automated decision-making, or marketing processing is performed. |
| Purpose | To provide the Struktive data normalisation service as requested by the Controller. |
| Duration | For the term of the Controller's subscription or use of the service, plus the applicable retention period (90 days for the free tier; 12 months for the paid tier), after which data is automatically deleted. |
| Categories of data subjects | Employees, contractors, or other individuals whose personal identifiers may appear in asset inventory fields (e.g., asset owner, assigned user, hostname). |
| Types of Personal Data | Hostnames, IP addresses, asset owner names, email addresses, cost centre codes, and any other personal identifiers present in the uploaded CSV or Excel file. |
3. Processor obligations
Struktive, as Processor, undertakes to:
- 1. Process Personal Data only on documented instructions from the Controller (i.e., the act of uploading a file and requesting normalisation constitutes the instruction), unless required to do so by applicable law.
- 2. Ensure that persons authorised to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
- 3. Implement and maintain the technical and organisational security measures described in Section 5 of this DPA.
- 4. Not engage a Sub-processor without prior written authorisation from the Controller, except as set out in Section 6 of this DPA.
- 5. Assist the Controller in responding to requests from Data Subjects exercising their rights under GDPR, to the extent technically feasible.
- 6. Assist the Controller in ensuring compliance with GDPR Articles 32–36 (security, breach notification, DPIAs, prior consultation), taking into account the nature of processing and the information available to Struktive.
- 7. Delete or return all Personal Data to the Controller at the end of the service relationship, and delete existing copies, unless applicable law requires retention.
- 8. Make available to the Controller all information necessary to demonstrate compliance with the obligations in Article 28 GDPR, and allow for and contribute to audits and inspections conducted by the Controller or a mandated auditor, subject to reasonable notice and confidentiality obligations.
- 9. Notify the Controller without undue delay after becoming aware of a Personal Data breach, and provide the information required under Article 33(3) GDPR.
4. Controller obligations
The Controller warrants that it has a lawful basis for processing the Personal Data uploaded to the Struktive platform, and that it has provided all necessary notices to and obtained all necessary consents from Data Subjects as required by applicable data protection law. The Controller is responsible for ensuring that any Personal Data uploaded to Struktive is limited to what is necessary for the normalisation service (data minimisation principle under GDPR Article 5(1)(c)).
5. Technical and organisational security measures
Struktive implements the following technical and organisational measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access:
| Measure | Implementation |
|---|---|
| Encryption in transit | All data transmitted between the Controller's browser and Struktive servers is encrypted using TLS 1.2 or higher. |
| Encryption at rest | Uploaded files and processed records are stored in encrypted cloud storage (AES-256). |
| Access control | Access to production systems is restricted to authorised personnel only, using multi-factor authentication. |
| Data minimisation | Raw uploaded files are deleted within 24 hours of job completion. Processed records are automatically purged after the applicable retention period. |
| Audit logging | All access and processing events are logged. Audit log IP addresses are anonymised after 90 days; log entries are deleted after 12 months. |
| Incident response | Struktive maintains an incident response procedure. Personal Data breaches are reported to the Controller within 72 hours of discovery. |
| Sub-processor security | Sub-processors are contractually required to implement equivalent security measures. |
| No AI training | Personal Data is never used to train machine learning models or shared with AI service providers for training purposes. |
6. Sub-processors
The Controller provides general authorisation for Struktive to engage the following Sub-processors. Struktive will notify the Controller of any intended changes to this list (additions or replacements) with at least 14 days' notice, giving the Controller the opportunity to object.
| Sub-processor | Location | Purpose |
|---|---|---|
| Manus Cloud Infrastructure | Singapore / US | Hosting, database, and file storage infrastructure |
| Amazon Web Services (S3) | US East | Encrypted file storage for uploaded CSV files and generated exports |
| Stripe Inc. | United States | Payment processing (billing data only — no asset data is shared) |
| Resend Inc. | United States | Transactional email delivery (email addresses only) |
7. International data transfers
Where Personal Data is transferred outside the UK or European Economic Area (EEA), Struktive ensures that such transfers are subject to appropriate safeguards in accordance with GDPR Chapter V. For transfers to the United States, Struktive relies on Standard Contractual Clauses (SCCs) approved by the European Commission (2021/914) and the UK International Data Transfer Agreement (IDTA) as applicable. A copy of the applicable SCCs is available on request by emailing [email protected].
8. Data subject rights
Where a Data Subject exercises their rights under GDPR (access, rectification, erasure, restriction, portability, or objection) directly with Struktive, Struktive will promptly notify the Controller and assist the Controller in responding within the applicable statutory timeframe. The Controller remains responsible for responding to Data Subject requests. Authenticated users may delete their account and associated job data directly via the Settings page. Anonymous users may request deletion by emailing [email protected] with their job ID; Struktive will confirm deletion within 5 business days.
9. Audit rights
The Controller may, upon reasonable written notice of at least 30 days and no more than once per calendar year, request an audit of Struktive's data processing activities covered by this DPA. Struktive may satisfy this obligation by providing a current third-party security audit report (e.g., SOC 2 Type II, ISO 27001 certificate) in lieu of a direct audit, where such a report covers the relevant processing activities. All audit activities are subject to confidentiality obligations and must not unreasonably interfere with Struktive's business operations.
10. Term and termination
This DPA remains in force for as long as Struktive processes Personal Data on behalf of the Controller. Upon termination of the service relationship, Struktive will delete all Personal Data within the applicable retention period (90 days for free-tier data; 12 months for paid-tier data), unless a longer retention period is required by applicable law. The Controller may request earlier deletion by emailing [email protected].
11. Governing law
This DPA is governed by the laws of England and Wales. For Controllers established in the EU, this DPA shall be interpreted in accordance with the EU GDPR (Regulation 2016/679). For Controllers established in the UK, this DPA shall be interpreted in accordance with the UK GDPR as incorporated into UK law by the Data Protection Act 2018.
12. Contact and countersigned DPA
To request a countersigned DPA for your organisation, or for any questions about this DPA, contact us at [email protected]. Please include your company name, registered address, and the name of your data protection contact. We aim to respond within 2 business days.
Note for enterprise procurement: If your organisation requires a DPA as a condition of procurement, please email us before or alongside your trial. We can typically turn around a countersigned DPA within 3–5 business days. For ISO 27001 or SOC 2 evidence requests, please include this in your email and we will provide available documentation.