DPA

Data Processing Addendum summary.

Production customers should use a signed DPA that reflects their deployment, subprocessors, retention terms, and support model. This page records the product baseline.

Processing role and categories

DefenceFile is designed for customer-controlled ECCTA readiness data. Data categories may include business contact data, associated-person data, evidence metadata, redacted evidence text, reviewer notes, attestation answers, audit events, and export metadata.

Product analytics categories may include public route paths, CTA identifiers, pilot-request qualification outcomes, first-touch UTM fields, hashed source identifiers, tenant-scoped app-moment event names, role labels, workflow counts, review decisions, board-pack export/share status, and walkthrough step states.

External participant data includes associated-person attestation responses, adviser share recipient names, public access/download audit events, and hashed public-token attempt records.

If the customer uses the workspace for allegations, investigations, proceedings, or other criminal-offence data, the signed DPA or controller records should identify the Article 6 basis and the Article 10 official-authority route or DPA 2018 Schedule 1 condition.

Security measures

Baseline measures include private tenant-scoped storage, hash-based provenance, HMAC token handling, rate limiting for public links, noindex/no-referrer token pages, browser security headers, audit events, readiness checks, and deployment secret requirements.

Product analytics source data is hashed, sensitive property keys are dropped, email and IPv4-looking strings in event properties are redacted, and the internal analytics dashboard is gated by the `analytics:view` permission.
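As an added illustration of the analytics hygiene described above (not DefenceFile's own code), the following Python sketch drops sensitive property keys, redacts email and IPv4-looking strings, and hashes the source identifier before an event leaves the tenant boundary. The key list, salt, field name `source_id`, and the sample event are all constructed assumptions.

```python
import hashlib
import re

# Assumed key list and salt; a real deployment would use its own values.
SENSITIVE_KEYS = {"email", "name", "phone", "token", "password", "note"}
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HASH_SALT = b"example-salt"  # placeholder secret, not a production value


def hash_source_identifier(value: str) -> str:
    """Salted SHA-256 so the raw source identifier never reaches analytics."""
    return hashlib.sha256(HASH_SALT + value.encode("utf-8")).hexdigest()


def redact_string(value: str) -> str:
    """Replace anything that looks like an email address or an IPv4 address."""
    value = EMAIL_RE.sub("[email redacted]", value)
    return IPV4_RE.sub("[ip redacted]", value)


def sanitize_event_properties(props: dict) -> dict:
    """Drop sensitive keys, redact PII-looking strings, hash the source id.

    Nested dicts are sanitised recursively; non-string scalars pass through.
    """
    clean = {}
    for key, value in props.items():
        if key.lower() in SENSITIVE_KEYS:
            continue  # dropped entirely, never redacted in place
        if key == "source_id":
            clean[key] = hash_source_identifier(str(value))
        elif isinstance(value, dict):
            clean[key] = sanitize_event_properties(value)
        elif isinstance(value, str):
            clean[key] = redact_string(value)
        else:
            clean[key] = value
    return clean


# Constructed sample event containing each kind of property the filter handles.
SAMPLE_EVENT = {
    "event": "board_pack_exported",
    "email": "reviewer@example.com",                     # dropped
    "source_id": "tenant-42",                            # hashed
    "route": "/app/evidence?from=10.0.0.7",              # IPv4 redacted
    "note": "call ops@example.com",                      # dropped
    "detail": {"message": "sent to ops@example.com from 192.168.1.10"},
}


def sanitized_sample() -> dict:
    """Run the filter over the constructed sample event."""
    return sanitize_event_properties(SAMPLE_EVENT)
```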

Audit CSV exports are tenant-scoped and formula-safe, with adviser share and attestation provenance recorded without raw public bearer tokens.

Deletion and return

Customer-specific deletion, return, backup, legal-hold, and support timelines should be agreed before production onboarding. Pilot defaults include source evidence for the agreed pilot term plus 30 days, email delivery metadata for 90 days, stale attempt rows after `ATTEMPT_CLEANUP_RETENTION_DAYS`, and 35 daily plus 6 monthly backups unless signed terms say otherwise.

Public-token attempt rows should be pruned after the configured retention period unless an active abuse investigation or legal hold requires preservation under the controller's instructions.

Where Schedule 1 conditions require an appropriate policy document or extra records, those controller documents should reconcile the product retention defaults with the controller's retention and deletion policy.

Subprocessors and transfers

Infrastructure, database, object-storage, and email providers should be listed by name in the signed customer DPA. Runtime environment names and local examples are not a final subprocessor schedule. DefenceFile should not imply unverified certifications or transfer safeguards on this public page.

DUAA changes are phased in and ICO guidance continues to be updated; signed customer documents should control any revised privacy notice, complaints-process, transfer, and non-essential-cookie posture.