Data Processing Agreement
This page summarises CyConex data processing terms for customers who use the platform to process personal data on behalf of their organisation.
Last updated: 21 June 2026
1. When a DPA applies
When a customer organisation uses CyConex to upload evidence, run assessments, or otherwise process personal data within the platform, CyConex generally acts as a data processor on behalf of the customer, who remains the data controller for that content.
A formal Data Processing Agreement ("DPA") sets out the obligations of both parties under UK GDPR and the Data Protection Act 2018.
2. Scope of processing
Under the DPA, CyConex processes personal data only:
- On documented instructions from the customer.
- For the purpose of providing the CyConex assurance platform and related support.
- In accordance with applicable data protection law.
3. Key processor commitments
CyConex commits to:
- Processing personal data only on customer instructions, except where required by law.
- Ensuring personnel with access to personal data are subject to confidentiality obligations.
- Implementing appropriate technical and organisational security measures.
- Assisting customers with data subject rights requests where feasible.
- Notifying customers of personal data breaches without undue delay where required.
- Deleting or returning personal data at the end of the service relationship, subject to legal retention requirements.
- Making available information necessary to demonstrate compliance with processor obligations.
4. Sub-processors
CyConex uses sub-processors to host and operate the platform, including UK-based cloud infrastructure providers and service providers supporting email delivery, monitoring, and authentication. We maintain controls over sub-processors through contractual terms and security assessments.
Customers will be informed of material sub-processor changes in accordance with the DPA or commercial agreement.
5. UK data residency
CyConex production services are hosted in UK Azure regions. Customer platform data is stored and processed within the United Kingdom unless otherwise agreed in writing. Further detail is available on our Security & trust page.
6. International transfers
If personal data is transferred outside the UK, CyConex will ensure appropriate safeguards are in place, such as the UK International Data Transfer Agreement or an adequacy regulation, consistent with UK GDPR requirements.
7. Obtaining a DPA
Organisations requiring a signed DPA for procurement, GovAssure, or enterprise onboarding should contact us at admin@cyconex.com. We provide our standard DPA on request and can discuss customer-specific requirements where appropriate.
Use of the CyConex platform to process personal data should not commence until applicable contractual and data protection arrangements are in place.