Data Processing Agreement
Last updated: June 3, 2026
1. Controller Identity
Virtus Nemeton Limited (“Controller”, “we”, “us”)
Company Number: 17181232
Registered in England and Wales
Data Protection Contact: dpo@virtusnemeton.co.uk
This Data Processing Agreement (“DPA”) supplements our Privacy Policy and Terms of Service. It describes how personal data is processed when you use the Virtus Nemeton platform, and the sub-processors we engage to deliver our services.
2. Sub-Processors
We engage the following sub-processors to deliver the platform. All sub-processors are bound by data processing agreements with us and are required to process data only as we instruct.
| Sub-Processor | Purpose | Data Location | Agreement |
|---|---|---|---|
| Supabase Inc | Database, authentication, file storage | EU West (London, eu-west-2) | Policy → |
| Vercel Inc | Application hosting and deployment | EU West (Frankfurt / London) | Policy → |
| Resend Inc | Transactional and newsletter email delivery | United States (SCCs apply) | Policy → |
| Anthropic PBC | AI content generation (newsletter drafts, research) | United States (SCCs apply) | Policy → |
| SAP SE | ERP integration for maintenance workflows (enterprise customers only) | EU10 Frankfurt / EU20 Netherlands | Policy → |
Where sub-processors are located outside the UK/EEA, we rely on Standard Contractual Clauses (SCCs) as the transfer mechanism under UK GDPR Article 46(2)(c).
3. Data Categories Processed
- Account data: Name, email address, profile picture URL
- Authentication data: Hashed passwords, session tokens (managed by Supabase Auth)
- Professional data: LinkedIn profile information, OAuth access tokens
- Content data: Newsletter drafts, LinkedIn post drafts, calendar schedules
- Consultation data: Workflow descriptions, pain points, budget ranges submitted through the consultation wizard (may be pseudonymous)
- Usage data: API request logs, agent session logs
- Maintenance data (enterprise): SAP work order IDs, equipment IDs, contractor field log submissions
4. Retention Periods
- Account data: Until account deletion or erasure request
- Content drafts and posts: Until account deletion
- Consultation submissions: 2 years from submission date
- Agent session logs: 90 days rolling
- FieldLog submissions: 7 years for audit trail compliance
- LinkedIn OAuth tokens: Until token expiry, account deletion, or explicit disconnection
5. Your Rights Under UK GDPR
You have the following rights regarding your personal data:
- Right of access (Article 15): Request a copy of all data we hold about you
- Right to rectification (Article 16): Correct inaccurate data via your account settings
- Right to erasure (Article 17): Delete your account and all associated data via DELETE /api/user/data or your account settings
- Right to data portability (Article 20): Export all your data as JSON via GET /api/user/export or your account settings
- Right to object (Article 21): Object to processing based on legitimate interests
- Right to restriction (Article 18): Request restriction of processing in certain circumstances
To exercise any right, contact dpo@virtusnemeton.co.uk. We will respond within 30 days. You also have the right to lodge a complaint with the Information Commissioner's Office (ICO).
6. Security Measures
We implement appropriate technical and organisational measures including: TLS 1.3 in transit, AES-256 at rest (Supabase managed), Row Level Security (RLS) on all user-facing database tables, httpOnly session cookies, CSRF protection, input validation via Zod schemas, and rate limiting on sensitive endpoints. We conduct periodic security reviews and maintain an incident response plan. Data breaches affecting UK residents are reported to the ICO within 72 hours.
7. Contact
Data Protection Officer: dpo@virtusnemeton.co.uk
General enquiries: hello@virtusnemeton.co.uk
Virtus Nemeton Limited, Company No 17181232, England and Wales