Book a Demo
Book a Demo

planbot - Data
Processing Addendum

Data Processing Addendum (DPA) between Ammonite Wealth Ltd (Processor) and the Customer (Controller)

Effective date: 10 September 2025

 

1. Scope and Roles

  • The Customer is the data controller.

  • Ammonite Wealth Ltd (“Processor”) operates Planbot as a data processor.

  • This DPA governs the processing of personal data entered into Planbot to generate documents and reports on behalf of the Controller.

  • For the purposes of Article 28 GDPR, this DPA constitutes the documented instructions of the Controller to the Processor. Additional documented instructions may be given by the Controller in writing, including via email or in-product configuration, provided they are consistent with this DPA.

 

2. Nature and Purpose of Processing

  • The Processor handles personal data temporarily in-memory to generate outputs (reports, documents) using Planbot’s AI and other processing services.

  • Client personal data is processed transiently in memory to generate outputs. The Processor does not persistently store client personal data on its own servers. Limited data may be stored temporarily in the user’s browser via Redis cache and Redux session storage (persisted cache), which is under the Controller’s control. The Processor does not have access to, or control over, data stored in the user’s browser. Such data is cleared automatically on logout, session reset, or account closure.

  • Processing is limited to the purposes of providing Planbot services, including AI-based generation, transcription, storage of templates, and related functionality.

 

3. Categories of Data Subjects and Data

  • Data subjects: clients of the Controller (data subjects whose information is input by the Controller’s staff).

  • Data: names, contact details, financial information, other information entered as free text / transcription / uploaded documents.

 

4. Duration

    • Processing occurs only for the duration of the Controller’s active use of Planbot. Personal data is discarded once outputs are delivered, except for temporary in-browser session storage as described in Section 2.

 

5. Processor Obligations

    • The Processor shall:

(a) process personal data only on documented instructions from the Controller, including with regard to transfers of personal data to a third country or an international organisation, unless required to do so by applicable law, in which case the Processor shall inform the Controller of that legal requirement unless prohibited by law;

(b) immediately inform the Controller if, in the Processor’s opinion, an instruction infringes GDPR, UK GDPR, or other applicable data protection law;

(c) ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;

(d) implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk in accordance with Article 32 GDPR, including as appropriate:

  • encryption of data in transit (TLS 1.2 or higher);

  • logical access controls and authentication;

  • audit logging and monitoring;

  • incident response and breach management procedures;

  • regular security testing and review;

(e) assist the Controller, taking into account the nature of the processing, by appropriate technical and organisational measures, insofar as possible, in fulfilling the Controller’s obligation to respond to requests for exercising data subject rights under Chapter III GDPR;

(f) assist the Controller in ensuring compliance with its obligations pursuant to Articles 32 to 36 GDPR, including security of processing, personal data breach notification, data protection impact assessments, and prior consultation with the supervisory authority;

(g) notify the Controller without undue delay after becoming aware of a personal data breach and provide all information reasonably required to enable the Controller to comply with its obligations under Articles 33 and 34 GDPR;

(h) make available to the Controller all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller, on reasonable notice.

 

6. Sub-Processors

6.1 The Controller provides general written authorisation for the Processor to engage sub-processors for the provision of the Planbot services.

6.2 Current Sub-processors:

Sub-Processor Purpose Location Safeguards
OpenAI, LLC AI text generation (language models) United States

UK Addendum to EU Standard Contractual Clauses (SCCs) under OpenAI API DPA; data encrypted in transit; opted out of model training
Deepgram, Inc. Speech-to-text transcription United States

UK Addendum to EU SCCs under Deepgram DPA; data encrypted in transit and at rest; opted out of model training
Google Cloud (europe-west2) Hosting and storage of user templates London, United Kingdom Data stays in UK; encrypted at rest and in transit
 

We contractually prohibit these subprocessors from using any data to train their models.

  • The Processor shall notify the Controller of any intended new sub-processors. The Controller may object within 14 days. If no objection is made, the new sub-processor is approved.

  • The Processor remains liable for sub-processors’ acts and omissions.

 

7. International Transfers

  • Where personal data is transferred outside the UK or EEA, including to OpenAI and Deepgram in the United States, such transfers are governed by Module Two (Controller to Processor) of the EU Standard Contractual Clauses, as supplemented by the UK Addendum to the EU SCCs.

  • The Processor confirms that it has conducted and maintains appropriate transfer risk assessments and that such providers process personal data solely for the purpose of providing their services and do not use customer data to train their models. Data is encrypted in transit and during processing.

 

8. End of Processing / Data Deletion or Return

  • At the end of the provision of services, or upon termination of the Controller’s account, the Processor shall, at the Controller’s choice, either:

    • securely delete all personal data processed on behalf of the Controller; or

    • return all personal data to the Controller, in a mutually agreed format.

  • This obligation does not apply to data retained temporarily in the user’s browser cache during active sessions. Any data retained in the user’s browser cache is cleared automatically upon logout or session reset.

  • Any data retained due to legal obligations or regulatory requirements shall be clearly communicated to the Controller.

  • Upon deletion of personal data in accordance with this section, the Processor shall, upon request, provide written certification to the Controller that such deletion has been completed.

 

9. Liability

Each party’s total liability under this DPA shall be limited to the liability cap in the main Terms of Business.

 

10. Notification of Changes

The Processor will notify the Controller at least 30 days in advance of any intended addition or replacement of sub-processors or other material changes to processing arrangements.

 

11. Governing Law

This DPA is governed by the laws of England and Wales and subject to the exclusive jurisdiction of the English courts.