Privacy
Privacy summary for defence-file evidence and associated-person workflows.
DefenceFile handles compliance evidence, associated-person contact details, attestation responses, audit events, and board-pack export metadata. Customer-specific terms should be captured in the order form or DPA before production onboarding.
Data controller
The data controller for DefenceFile is the organisation operating the pilot instance under the terms of the signed customer agreement. Contact details for data protection enquiries should be provided in that agreement or by contacting the pilot desk.
Data processed
The workspace can process organisation profile data, source-file metadata, redacted evidence text, reviewer decisions, associated-person names and emails, attestation answers, audit events, and export metadata.
Product analytics can process public page paths, CTA identifiers, pilot-request qualification outcomes, first-touch UTM fields, hashed source identifiers, login roles, scope-save counts, evidence source categories, review decisions, board-pack export/share counts, and walkthrough step states.
The product is designed to avoid writing raw access codes, raw public bearer tokens, raw source IP addresses, full connection strings, or document contents into audit logs or product analytics properties.
Zero-login attestation tokens, adviser-share tokens, login sources, public-token attempt sources, and attestation submission audit references are stored as hashes or scoped metadata rather than raw bearer tokens.
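One way to apply those storage rules at the point where an audit or analytics event is written, as an added illustration that is not DefenceFile's own code (the field names, the keyed-hash pepper, the /24 and /48 source scoping, and the connection-string pattern are assumptions):

```python
import hashlib
import hmac
import ipaddress
import re

# Assumed server-side pepper; a real deployment would load this from a secret store.
AUDIT_HASH_KEY = b"example-pepper-not-for-production"

# Assumed field names: bearer-style values that must only be stored as keyed hashes.
TOKEN_FIELDS = {"attestation_token", "share_token", "access_code"}
# Raw source addresses are replaced by a coarse network scope.
SOURCE_FIELDS = {"source_ip"}
# Document contents and connection strings never reach the event at all.
DROPPED_FIELDS = {"document_text", "connection_string"}

# Anything that looks like scheme://user:password@host is treated as a connection string.
_CONN_STRING = re.compile(r"^[a-z]+://[^\s]*@", re.I)


def token_ref(raw: str) -> str:
    """Keyed SHA-256 reference for a token: correlates events without storing the token."""
    return hmac.new(AUDIT_HASH_KEY, raw.encode(), hashlib.sha256).hexdigest()[:32]


def source_scope(raw_ip: str) -> str:
    """Coarse network scope in place of the raw address (/24 for IPv4, /48 for IPv6)."""
    addr = ipaddress.ip_address(raw_ip)
    prefix = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False))


def sanitise_event(event: dict) -> dict:
    """Return the version of an event that is safe to persist as an audit row or analytics property."""
    out = {}
    for key, value in event.items():
        if key in DROPPED_FIELDS:
            continue
        if key in TOKEN_FIELDS:
            out[key + "_ref"] = token_ref(value)
        elif key in SOURCE_FIELDS:
            out[key.replace("_ip", "_scope")] = source_scope(value)
        elif isinstance(value, str) and _CONN_STRING.match(value):
            out[key] = "[redacted-connection-string]"
        else:
            out[key] = value
    return out


def leaks_raw_value(stored: dict, raw_values) -> bool:
    """Regression check: does any raw secret appear verbatim in what will be stored?"""
    blob = repr(stored)
    return any(v in blob for v in raw_values)
```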
Lawful basis
The customer controller should identify and document the Article 6 lawful basis for each processing purpose, such as legitimate interests in maintaining ECCTA failure-to-prevent-fraud readiness evidence or contractual necessity where the controller has agreed pilot terms.
Where evidence includes allegations, investigations, proceedings, or other criminal-offence data, ICO guidance says Article 10 adds a further requirement: the controller needs official authority or a DPA 2018 Schedule 1 condition in addition to the Article 6 basis.
Where associated-person contact details are processed for attestation purposes, the controller should document the legitimate-interest assessment, necessity, safeguards, and any Schedule 1 condition if criminal-offence data is involved.
Purpose
Data is processed to operate the ECCTA readiness workspace: scope screening, evidence intake, human review, associated-person attestations, alerts, audit trails, and adviser or board-pack exports.
Product analytics is used to understand acquisition, activation, and usage trends in the internal analytics dashboard; it does not set third-party analytics cookies or advertising identifiers.
Your rights
Under UK GDPR you have the right to access your personal data, to request correction or erasure, to restrict or object to processing, and to data portability where processing is based on consent or contract.
To exercise any of these rights, contact the data controller named in your customer agreement. You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.
DUAA changes are phased in between June 2025 and June 2026, and some ICO individual-rights guidance is under review. Signed customer privacy notices should reflect the controller's final complaints process and rights-handling procedure.
Retention
Pilot defaults in the runbook retain source evidence objects for the agreed pilot term plus 30 days unless the customer requests earlier deletion. Redacted evidence text, audit events, and export metadata follow workspace retention through the pilot term and any agreed legal hold.
Email delivery metadata defaults to 90 days unless needed for legal hold. Stale login and public-token attempt rows are cleaned up after `ATTEMPT_CLEANUP_RETENTION_DAYS` by default; active lockouts and investigation records should be preserved only when the controller needs them for abuse review or legal hold.
Backups default to 35 daily and 6 monthly copies unless contract terms require otherwise.
Final retention, deletion, legal-hold, DPIA, appropriate-policy-document, and support arrangements should be documented in the customer contract, DPA, or privacy notice where applicable.
External participant privacy
Associated-person attestation and adviser-share pages are token-scoped public surfaces. They use noindex/no-referrer guardrails, safe unavailable states, and rate-limit records that avoid raw token and raw source-address storage.
Tenant audit CSV exports may include recipient names, board-pack SHA context, actions, actors, and timestamps for review provenance, but they should not include raw attestation tokens or raw adviser-share bearer tokens.
Subprocessors
The DefenceFile pilot uses the following infrastructure providers to operate the service:
Railway — Application hosting and managed PostgreSQL database. Data processed: workspace data, evidence metadata, audit events, email outbox, product analytics. Data location: US West (AWS us-west-2).
Cloudflare — Content delivery network, DNS, DDoS protection, and R2 object storage for evidence files and board-pack artifacts. Data processed: encrypted evidence objects at rest, cached public page content. Data location: global edge network, with R2 storage in an auto-configured region.
Resend — Transactional email delivery for attestation reminders, adviser-share links, lifecycle emails, and alert notifications. Data processed: recipient email addresses, email subjects, and message bodies. Data location: US (Resend infrastructure).
Signed customer agreements should list the specific sub-processors, data locations, and transfer mechanisms applicable to that deployment in the DPA or order form. Public environment examples are not a sub-processor schedule.