Last updated: 3 April 2026
Data Processing Agreement
This Data Processing Agreement ("DPA") forms part of the agreement between the Customer ("Controller") and Bid Refinery Ltd ("Processor") for the use of the Bid Refinery platform. This DPA applies where we process personal data on your behalf in accordance with the UK GDPR and the Data Protection Act 2018.
1. Roles and Responsibilities
- Controller. The Customer determines the purposes and means of processing personal data uploaded to the Service. The Customer is responsible for ensuring a lawful basis for processing.
- Processor. Bid Refinery Ltd processes personal data solely on the documented instructions of the Controller for the purpose of providing the Service.
2. Processing Purposes
We process data exclusively to provide the Service, including:
- Tender document analysis and requirement extraction.
- AI-powered response generation using library content.
- Compliance and coverage analysis.
- Quality assurance and claim verification.
- Document export and formatting.
- User authentication and access control.
3. Categories of Data Processed
| Category | Description |
|---|---|
| Tender Documents | PDFs, DOCX files, and text content uploaded for bid analysis, which may contain personal data of the Controller's clients or employees. |
| Company Library Content | Capability statements, case studies, CVs, and reference materials that may contain personal data. |
| User Account Data | Names, email addresses, organisation membership, and roles of individuals using the platform. |
| Generated Responses | AI-generated bid responses, compliance matrices, and analysis outputs derived from uploaded content. |
4. Security Measures
We implement the following technical and organisational measures to protect processed data:
- Row-Level Security (RLS). Database-level policies enforce strict data isolation between organisations. No cross-tenant data access is possible.
- Encryption. All data is encrypted at rest (AES-256) and in transit (TLS 1.2+).
- Audit Logging. Comprehensive logging of all significant actions, including data access, modifications, and exports.
- Signed URLs. Time-limited, authenticated download links for all file exports, preventing unauthorised access to exported documents.
- CSRF Protection. Double-submit cookie pattern on all state-changing routes to prevent cross-site request forgery.
- Access Controls. Role-based access control with organisation-level permissions and membership management.
- Rate Limiting. Request rate limiting and idempotency keys to prevent abuse and duplicate processing.
5. Sub-Processors
The following sub-processors are authorised to process data on our behalf:
| Sub-Processor | Purpose | Location |
|---|---|---|
| Supabase Inc. | Database hosting, authentication, and file storage | EU / US |
| Stripe Inc. | Payment processing and subscription management | US |
| Anthropic PBC | AI processing (Claude) for tender analysis and response generation | US |
We will notify the Controller at least 30 days before adding or replacing a sub-processor. The Controller may object to a new sub-processor by notifying us in writing within 14 days. If we cannot reasonably accommodate the objection, either party may terminate the affected services.
6. Data Breach Notification
- We will notify the Controller of any confirmed personal data breach without undue delay and in any event within 72 hours of becoming aware of the breach.
- Notification will include: the nature of the breach, the categories and approximate number of data subjects affected, the likely consequences, and the measures taken or proposed to address the breach.
- We will cooperate with the Controller and provide all information necessary for the Controller to fulfil its own notification obligations to supervisory authorities and affected data subjects.
7. Data Subject Rights
We will assist the Controller in responding to data subject requests (access, rectification, erasure, portability, restriction, and objection) by providing the necessary technical and organisational measures. Requests should be directed to the Controller, who may instruct us to action them. We will respond to Controller instructions within 10 business days.
8. Data Retention and Deletion
- Upon termination or expiry of the agreement, we will delete or return all personal data within 30 days, at the Controller's election.
- The Controller may request data export at any time during the term of the agreement.
- Enterprise customers may configure custom data retention periods. The default retention period for tender project data is 90 days after project completion.
9. Audits and Compliance
We will make available to the Controller all information necessary to demonstrate compliance with this DPA. The Controller (or an independent auditor appointed by the Controller) may conduct audits with 30 days' written notice, no more than once per calendar year, during normal business hours and subject to reasonable confidentiality obligations.
10. International Transfers
Where personal data is transferred outside the UK, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the ICO and, where applicable, supplementary measures such as encryption and pseudonymisation. We do not transfer personal data to any country without an adequate level of protection unless appropriate safeguards are in place.
11. Term and Termination
This DPA remains in effect for the duration of the Controller's use of the Service. Obligations relating to data security, confidentiality, and deletion survive termination.
12. Contact
For questions about this DPA or to request a signed copy, contact us at dpa@bidrefinery.com.
For general privacy enquiries, contact our Data Protection Officer at privacy@bidrefinery.com.