Data Processing Addendum

Last updated: 06 May 2026

This Data Processing Addendum ("DPA") forms part of the agreement between Public Notice Systems Ltd ("gazetted", "we", the "Processor") and the Customer (the "Controller") whose representative has accepted our Terms & Conditions or executed a separate written contract referencing this DPA. It governs the processing of personal data by gazetted on behalf of the Customer in connection with the statutory notice placement service. It supplements our Privacy Policy, which describes processing where gazetted is itself the Controller (e.g. account management).

If you are a UK council, NHS body, or other public-sector buyer evaluating gazetted, this page is the public draft of our DPA. We are happy to execute a copy on Customer paper or accept your council's standard data processing schedule provided the substantive terms are equivalent. Email notices@gazetted.co.uk to begin execution.

1. Parties and definitions

Processor: Public Notice Systems Ltd, trading as gazetted, a company registered in England and Wales (company number 17066508) with registered office at 4 Solon Road, London, SW2 5UY, registered with the UK Information Commissioner's Office under registration number ZC110158.

Controller: the Customer who places statutory notices through the gazetted platform under our Terms & Conditions or under a separately executed agreement.

Personal Data, Processing, Data Subject, Special Categories of Personal Data, Personal Data Breach have the meanings given in the UK GDPR.

Sub-processor means any third party engaged by gazetted to process Personal Data on the Controller's behalf in connection with the Service.

UK GDPR means Regulation (EU) 2016/679 as it forms part of the law of England and Wales by virtue of the European Union (Withdrawal) Act 2018, read with the Data Protection Act 2018.

2. Subject matter, duration, nature and purpose of processing

Subject matter: processing of Personal Data submitted by the Controller (or its end-users) to the gazetted platform for the purpose of placing UK statutory notices in newspapers and the London Gazette.

Duration: for the duration of the agreement between the parties, plus the statutory retention period set out in our Terms & Conditions and Privacy Policy (currently 7 years for order records), after which Personal Data is deleted in accordance with section 10 below.

Nature and purpose of processing: generation, formatting, proofing, transmission, and certification of statutory notices; communication with the Controller and end-users about orders; transmission to newspaper publishers and the London Gazette; payment processing through Stripe; transactional email through Resend; error monitoring; AI-assisted proof verification.

3. Type of personal data and categories of data subjects

Type of Personal Data processed:

  • Identification data: full name, business name, role/title
  • Contact data: email address, postal address, telephone number
  • Account data: username (email), hashed password, session tokens
  • Order data: applicant names, addresses, company details; deceased person details (probate notices); planning applicant details (planning notices); estate agent / executor details
  • Payment data: card transaction references and amounts (full card data is processed by Stripe, never stored on gazetted infrastructure)
  • Technical data: IP address, browser metadata, request logs
  • Free-text fields submitted by the Controller in the course of placing a notice

Categories of Data Subjects:

  • Controller's employees and authorised users (account holders)
  • Applicants named in the notice (e.g. probate applicants, planning applicants)
  • Deceased persons (probate notices, where Personal Data of deceased individuals is in scope under section 171 Data Protection Act 2018 only)
  • Third parties incidentally named in free-text notice content (e.g. previous owners on a probate notice)

No Special Categories of Personal Data are processed in the ordinary course of the Service. Probate notices may contain information from which health or death information could be inferred; the Controller is responsible for ensuring an appropriate Article 9 condition where this engages Article 9 UK GDPR.

4. Controller and processor obligations (Article 28(3) sub-paragraphs a–h)

The Processor shall:

(a) Process Personal Data only on documented instructions from the Controller, including transfers of Personal Data to a third country, unless required to do so by UK or member state law to which the Processor is subject; in such case the Processor shall inform the Controller of that legal requirement before processing, unless the law prohibits such information on important grounds of public interest. The Controller's documented instructions are set out in (i) our Terms & Conditions, (ii) the configuration choices the Controller makes in the platform (e.g. which newspaper, which publication date), and (iii) any subsequent written instructions sent to notices@gazetted.co.uk.

(b) Ensure that persons authorised to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. All gazetted personnel are bound by written confidentiality obligations in their employment or contractor agreements.

(c) Take all measures required pursuant to Article 32 UK GDPR, as set out in section 6 of this DPA.

(d) Respect the conditions referred to in paragraphs 2 and 4 of Article 28 for engaging another processor (sub-processor), as set out in section 5 of this DPA.

(e) Taking into account the nature of the processing, assist the Controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Controller's obligation to respond to requests for exercising the data subject's rights laid down in Chapter III UK GDPR. Where a data subject submits a rights request directly to gazetted, we will forward it to the Controller within 5 working days. Where the Controller forwards a data subject rights request to gazetted, we will assist the Controller's response without undue delay and at no additional cost.

(f) Assist the Controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 UK GDPR taking into account the nature of processing and the information available to the Processor. This includes assistance with security, breach notification, data protection impact assessments, and prior consultation with the ICO.

(g) At the choice of the Controller, delete or return all Personal Data to the Controller after the end of the provision of services relating to processing, and delete existing copies unless UK or member state law requires storage of the Personal Data. See section 10.

(h) Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 UK GDPR and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller. See section 7.

5. Sub-processors

The Processor uses the following sub-processors. The Controller authorises the use of these sub-processors at the date of this DPA. The Processor will give the Controller at least 30 days' prior notice of any addition or replacement of a sub-processor by updating the table below and emailing registered Controller contacts. The Controller may object on reasonable data-protection grounds within that 30-day window; if the parties cannot agree on a resolution, the Controller may terminate the affected service and receive a pro-rata refund.

| Sub-processor | Legal entity | Processing purpose | Personal data categories | Location | UK transfer mechanism |
|---|---|---|---|---|---|
| Vercel | Vercel Inc., 340 S Lemon Ave #4133, Walnut, CA 91789, USA | Application hosting, edge functions, static asset delivery, blob storage for proof PDFs | All categories (transient request/response data); proof-of-publication PDFs persisted to blob storage | USA (primary), EU regions for edge cache | UK IDTA + Vercel DPA |
| Supabase | Supabase Inc., 970 Toa Payoh North #07-04, Singapore 318992 (with EU data centre operator) | Postgres database hosting (canonical data store via PrismaPg adapter) | All persisted Personal Data including account, order, audit-log records | Ireland (AWS eu-west-1) | UK IDTA + Supabase DPA; data does not leave the UK/EEA |
| Stripe | Stripe Payments UK, Limited, 7th Floor, The Bower Warehouse, 211 Old Street, London EC1V 9NR, UK | Card payment processing, invoice generation, payment method storage | Cardholder name, card data (held by Stripe, not gazetted), billing address, payment metadata | UK / Ireland (primary), USA (Stripe Inc. fallback) | UK Stripe entity is UK-based; international transfers covered by Stripe's UK IDTA |
| Resend | Resend, Inc., 2261 Market Street #5039, San Francisco, CA 94114, USA | Transactional email delivery (order confirmations, proofs, certificates, account emails) | Recipient email, recipient name, email body content (which may include order details and notice text) | USA (primary), EU regions available | UK IDTA + Resend DPA |
| Qmuli (AdFast / AdLib / AdSync) | Qmuli Limited, UK-registered (delivery integration partner for UK newspaper publishers) | Artwork delivery to newspaper publishers via the AdFast PDF upload channel; publication ID lookup via AdLib | Notice text (including names, addresses, applicant details), URN, newspaper-targeting metadata | UK | Sub-processor is UK-based; no international transfer |
| OpenAI | OpenAI, L.L.C., 3180 18th Street, San Francisco, CA 94110, USA | AI-assisted proof-of-publication verification (GPT-4o vision compares received proof against original notice text) and inbound proof-reply classification | Proof-of-publication PDF/image (which contains published notice text); original notice text from the order; no account or payment data | USA | UK IDTA + OpenAI DPA; OpenAI API content is not used for training under the API data-usage policy |
| Sentry | Functional Software, Inc., d/b/a Sentry, 132 Hawthorne Street, San Francisco, CA 94107, USA | Error monitoring and exception tracking | IP address, request URL, user agent, technical context captured at error time; gazetted's Sentry SDK is configured to scrub email addresses and request bodies before transmission | USA (primary), EU region available | UK IDTA + Sentry DPA |

The Processor does not engage any sub-processor outside this list without prior notice as set out above.

6. Security measures (Article 32)

The Processor implements the following technical and organisational measures, taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of processing:

  • Encryption in transit: all connections to the gazetted platform and between the platform and sub-processors are encrypted using TLS 1.2 or higher.
  • Encryption at rest: the production database (Supabase Postgres on AWS eu-west-1) is encrypted at rest using AES-256 by the underlying infrastructure provider. Vercel Blob storage is encrypted at rest by the underlying provider.
  • Access controls: application access is gated by NextAuth v5 credential authentication with hashed passwords (bcrypt). Role-based access control restricts access to portal, admin, and council surfaces. Database access is restricted to the application service principal and authorised gazetted personnel. Production secrets are managed in Vercel environment variables scoped per environment.
  • Audit logging: order state transitions and admin-initiated actions are recorded in an append-only audit log table. Authentication events are logged.
  • Network security: the platform is deployed on Vercel with managed DDoS protection, automatic TLS certificate renewal, and HTTP security headers (HSTS, CSP, X-Frame-Options).
  • Software supply chain: dependencies are managed via npm with package-lock.json; security advisories are reviewed.
  • Backups: the production database is backed up by Supabase on a continuous-backup schedule with point-in-time recovery.
  • Personnel: all personnel with access to Personal Data are bound by written confidentiality obligations and use multi-factor authentication for production access.

Certifications not currently held: the Processor does NOT currently hold ISO 27001, SOC 2, or Cyber Essentials certifications. Cyber Essentials certification is targeted for Q3 2026 alongside the WCAG 2.1 AA independent audit. The Processor will update this DPA when those certifications are awarded. The Processor relies on its sub-processors' SOC 2 / ISO 27001 reports where available (Vercel, Supabase, Stripe, Resend, OpenAI, Sentry all maintain SOC 2 Type II); copies are available to the Controller on reasonable request.

7. Audit rights

The Processor shall make available to the Controller all information necessary to demonstrate compliance with Article 28 UK GDPR. The Controller (or an independent auditor mandated by the Controller, bound by confidentiality) may, on at least 30 days' prior written notice and no more than once per twelve-month period (or more frequently in the event of a Personal Data Breach), audit the Processor's compliance with this DPA. Audits shall be conducted during business hours and shall not unreasonably interfere with the Processor's operations. The Processor may satisfy the audit obligation by providing the Controller with copies of its sub-processors' SOC 2 Type II / ISO 27001 reports and a written attestation of compliance with this DPA. Each party shall bear its own costs in connection with an audit, save where the audit reveals material non-compliance with this DPA, in which case the Processor shall reimburse the Controller's reasonable audit costs.

8. International transfers

Some sub-processors process Personal Data outside the UK (see section 5). For each such transfer, the Processor relies on the UK International Data Transfer Agreement ("UK IDTA") issued by the Information Commissioner under section 119A of the Data Protection Act 2018, or on the EU Standard Contractual Clauses with the UK Addendum, as set out in each sub-processor's published DPA. Where a sub-processor's DPA does not provide an adequate transfer mechanism, the Processor will not engage that sub-processor for processing of Controller Personal Data.

9. Personal data breach notification

The Processor shall notify the Controller without undue delay, and in any event within 72 hours of becoming aware of a Personal Data Breach affecting the Controller's Personal Data. The notification shall include, to the extent the information is then available: (a) the nature of the breach including the categories and approximate number of data subjects and records concerned; (b) the likely consequences of the breach; (c) the measures taken or proposed to address the breach and mitigate its possible adverse effects; and (d) the contact point at the Processor for further information. The Processor shall provide reasonable assistance to the Controller in fulfilling the Controller's own obligations under Articles 33 and 34 UK GDPR.

10. Return or deletion of personal data on termination

On termination of the agreement, at the Controller's choice, the Processor shall delete or return all Personal Data to the Controller and delete existing copies, unless UK or member state law requires storage. The Processor's standard retention is 7 years from order completion for statutory record-keeping (Companies Act 2006 / HMRC requirements / probate-notice creditor-claim window). Personal Data persisted to backups will be deleted in line with the relevant sub-processor's backup-retention schedule, after which it shall not be restored except where required to recover from a disaster.

11. Liability

The liability of each party under this DPA is governed by the limitation of liability provisions in the Terms & Conditions (section 8). For the avoidance of doubt, nothing in this DPA limits liability for any matter for which liability cannot be excluded or limited under applicable law.

12. Governing law

This DPA is governed by the laws of England and Wales. The courts of England and Wales have exclusive jurisdiction over any dispute arising out of or in connection with this DPA.

13. Contact and execution

For DPA execution, sub-processor objections, audit requests, data subject rights requests forwarded by the Controller, or any other matter under this DPA, contact: notices@gazetted.co.uk.

The Processor is willing to execute this DPA on its own paper (this document, signed by both parties) or to accept the Controller's standard DPA / data-processing schedule provided the substantive terms are equivalent.

Signed for and on behalf of Public Notice Systems Ltd: Otto Clarke, Director.

Signed for and on behalf of the Controller: [Controller signature block].
