Data Processing Agreement

Effective Date: 15 July 2026

1. Purpose

This Data Processing Agreement ("DPA") governs the processing of personal data by Droblet Ltd. ("Processor") on behalf of enterprise clients ("Controller") in connection with the Droblet platform, in compliance with GDPR and UK GDPR.

2. Roles and Responsibilities

Data Controller

The enterprise client who determines the purposes and means of processing personal data.

Data Processor (Droblet Ltd.)

Processes personal data only on documented instructions from the Controller and solely for the purposes defined in the services agreement.

3. Processor Obligations

  • Process data only on documented instructions from the Controller
  • Ensure all authorised personnel are bound by confidentiality
  • Implement appropriate technical and organisational security measures
  • Assist the Controller in fulfilling data subject rights requests
  • Delete or return all personal data upon termination of services
  • Provide all information necessary to demonstrate compliance

4. Sub-processors

Droblet may engage sub-processors to assist in delivering services. A full list is maintained at Subprocessors. We will notify Controllers of any intended changes and allow objection before engagement.

5. Security Measures

Droblet implements technical and organisational measures including:

  • Encryption of personal data at rest using AES-256-GCM
  • Encryption of database connections in transit using TLS (sslmode=require)
  • Data hosted on UK-based servers (AWS London, eu-west-2)
  • Least-privilege access to personal data, recorded in audit logs

Droblet does not currently hold ISO 27001 or SOC 2 certification and has not yet completed a formal third-party penetration test.

6. Contact

Data Protection Contact: privacy@droblet.ai

Company: Droblet Ltd.