Data Processing Agreement
Last updated: 23 May 2026 | UK GDPR Article 28 Compliant | DPO Ready
This Data Processing Agreement (DPA) forms part of the NEXDOC Service Agreement and governs the processing of personal data in accordance with UK GDPR and the Data Protection Act 2018.
1. Parties
Data Processor: Tomasz Waloch trading as NEXDOC, Nottingham, United Kingdom (help@nexdoc.co.uk)
Data Controller: The Client — the mortgage broker who has entered into a Service Agreement with NEXDOC.
2. Subject Matter
NEXDOC processes personal data on behalf of the Client for the purpose of automating the preliminary organisation of mortgage-related documents submitted by the Client's end-customers.
3. Nature and Purpose of Processing
- Receiving documents from the Client's Gmail account
- Classifying document type using AI (Claude by Anthropic)
- Checking document legibility and date validity
- Saving documents to the Client's Google Drive
- Logging processing events in the Client's Google Sheets (Audit Log)
4. Categories of Personal Data
- Full names of end-customers
- Financial records (payslips, P60, bank statements, SA302)
- Identity documents (passport, driving licence, BRP)
- Contact details (email address)
- Address information (utility bills, council tax)
5. Data Architecture — Zero Retention
Key data protection guarantee: End-customer documents are never permanently stored on NEXDOC servers. All data is processed in server memory only and automatically deleted within 15 minutes. Documents land exclusively on the Client's own Google Drive.
6. Sub-Processors
| Sub-Processor | Role | Server Location |
|---|---|---|
| Anthropic Inc. | AI document classification (no training on client data per API ToS) | USA (SCCs applied) |
| Google LLC | Gmail, Drive, Sheets — Client's own ecosystem | EU — Belgium (EEA) |
| Hetzner Online GmbH | Server infrastructure | Germany (EEA) |
| Telegram FZ-LLC | Operational notifications only — no PII | UK / UAE (optional) |
7. Processor Obligations
NEXDOC (as Data Processor) commits to:
- Processing personal data only on documented instructions from the Client
- Ensuring all authorised persons are bound by confidentiality
- Implementing appropriate technical and organisational security measures
- Notifying the Client of any data breach within 24 hours
- Assisting the Client in responding to data subject rights requests
- Deleting all Client data within 14 days of service termination
- Providing all information necessary to demonstrate UK GDPR compliance
8. Security Measures
- All data in transit encrypted via HTTPS / TLS 1.3
- API keys stored in encrypted n8n Credentials vault (inaccessible even to NEXDOC admin)
- Server access via SSH key only (ed25519), root login disabled, fail2ban active
- Complete Audit Log maintained in Client's own Google Sheets
- Server located in Germany — EEA jurisdiction
9. Client Rights
- Full ownership and control of all data at all times
- Right to audit NEXDOC compliance (Audit Log available at all times)
- Right to revoke Google OAuth2 access at any time via Google account settings
- Right to receive a copy of the full Audit Log upon termination
10. Governing Law
This DPA is governed by the law of England and Wales and complies with UK GDPR Article 28.
11. Contact
For data protection enquiries: help@nexdoc.co.uk
📱 WhatsApp: +44 7383 571285 (message preferred, reply within 1–2h Mon–Fri)
To request a signed DPA for your organisation, please contact us directly.