UK GDPR Data Processing Addendum
Effective Date: 10 February 2026
Last Updated: 10 February 2026
This Data Processing Addendum ("DPA") supplements the DiscoverWorthy Privacy Policy and Terms of Service for users located in the United Kingdom. It addresses the requirements of the UK General Data Protection Regulation (UK GDPR) as retained under the Data Protection Act 2018.
1. Definitions
- "UK GDPR" means the retained EU GDPR as it forms part of UK law by virtue of the European Union (Withdrawal) Act 2018, read with the Data Protection Act 2018.
- "Controller" means DiscoverWorthy, which determines the purposes and means of processing personal data.
- "Processor" means a third party that processes personal data on behalf of the Controller.
- "Data Subject" means an identified or identifiable UK resident whose personal data is processed.
- "ICO" means the UK Information Commissioner's Office.
- "SCCs" means Standard Contractual Clauses approved for international data transfers.
2. Controller and Processor Roles
2.1. DiscoverWorthy as Controller
DiscoverWorthy acts as the data controller for personal data collected through the Platform from UK data subjects. We determine the purposes and means of processing.
2.2. Sub-Processors
We engage the following sub-processors:
| Sub-Processor | Role | Data Processed | Location |
|---|---|---|---|
| Azure OpenAI (Microsoft) | AI content generation | Blog content, customer names, conversation transcripts, brand voice data | United States |
| Azure DALL-E 3 (Microsoft) | Image generation | Blog titles, keywords | United States |
| Stripe, Inc. | Payment processing | Payment methods, billing data | United States |
| Google LLC | Search Console, Business Profile | OAuth tokens, search data | United States |
| Twilio, Inc. | SMS delivery | Phone numbers | United States |
| Brave Software, Inc. | SERP keyword tracking | Keywords, locale | United States |
| Azure Communication Services (Microsoft) | Email delivery | Email addresses, message content | United States |
| Azure SQL Database (Microsoft) | Data storage | All personal data (encrypted via TDE) | Australia East |
2.3. Sub-Processor Changes
We will notify you of any changes to our sub-processors by updating this DPA. You may object to a new sub-processor by contacting us within 30 days of notification.
3. Legal Bases for Processing
| Legal Basis | Article | Processing Activities |
|---|---|---|
| Performance of contract | 6(1)(b) | Account creation, subscription management, AI content generation, blog publishing, billing |
| Legitimate interests | 6(1)(f) | Analytics (usage patterns for service improvement), security monitoring, fraud prevention |
| Consent | 6(1)(a) | Customer story collection and publication, referral collection, marketing emails |
| Legal obligation | 6(1)(c) | Tax record retention, fraud prevention, responding to legal requests |
3.1. Legitimate Interest Assessment
For processing based on legitimate interests, we have conducted balancing tests considering:
- The necessity of the processing for our legitimate business purposes
- The impact on data subjects' rights and freedoms
- Appropriate safeguards to mitigate any impact
4. Data Subject Rights
UK data subjects have the following rights under the UK GDPR:
4.1. Right of Access (Article 15)
You may request a copy of all personal data we hold about you. We will respond within one month. For complex requests, this may be extended by two additional months with notice.
4.2. Right to Rectification (Article 16)
You may request correction of inaccurate personal data or completion of incomplete data.
4.3. Right to Erasure (Article 17)
You may request deletion of your personal data where:
- It is no longer necessary for the purposes collected
- You withdraw consent (where consent was the legal basis)
- You object to processing and there are no overriding legitimate grounds
- Data has been unlawfully processed
Exceptions: We may retain data where required for legal compliance, establishment or defence of legal claims, or archiving in the public interest.
4.4. Right to Restriction of Processing (Article 18)
You may request restriction of processing where you contest accuracy, processing is unlawful, we no longer need the data but you require it for legal claims, or you have objected to processing pending verification.
4.5. Right to Data Portability (Article 20)
You may request your data in a structured, commonly used, machine-readable format where processing is based on consent or contract and carried out by automated means.
4.6. Right to Object (Article 21)
You may object to processing based on legitimate interests. We will cease processing unless we demonstrate compelling legitimate grounds that override your rights.
4.7. Rights Related to Automated Decision-Making (Article 22)
Our AI content generation involves automated processing but does not make decisions that produce legal effects or similarly significant effects on individuals. The AI generates content suggestions that are reviewed and approved by human users before publication.
4.8. How to Exercise Your Rights
Submit requests to dpo@discoverworthy.com. We will:
- Verify your identity before processing the request
- Respond within one month (extendable by two months for complex requests)
- Provide information free of charge (reasonable fees may apply for repetitive or excessive requests)
5. International Data Transfers
5.1. Transfer Mechanisms
All our major sub-processors are based in the United States. For transfers of UK personal data to the US, we rely on:
| Mechanism | Applicable To |
|---|---|
| UK International Data Transfer Agreement (IDTA) | Transfers to US-based processors |
| UK Addendum to EU SCCs | Where processors use EU SCCs |
| Processor-specific safeguards | Microsoft (DPA), Stripe (DPA), Google (DPA) |
5.2. Supplementary Measures
In addition to transfer mechanisms, we implement:
- Encryption in transit (TLS 1.2+) for all data transfers
- Encryption at rest (Azure SQL TDE, AES-256)
- Strict access controls with role-based permissions
- Regular security assessments of sub-processors
6. Data Breach Notification
6.1. Notification to the ICO
In the event of a personal data breach likely to result in a risk to data subjects' rights, we will notify the ICO within 72 hours of becoming aware of the breach.
6.2. Notification to Data Subjects
Where a breach is likely to result in a high risk to data subjects, we will notify affected individuals without undue delay, providing:
- Description of the breach
- Contact details for our data protection point of contact
- Likely consequences of the breach
- Measures taken to address and mitigate the breach
7. Data Protection Impact Assessment
We have conducted a Data Protection Impact Assessment (DPIA) for high-risk processing activities, particularly:
- AI content generation with customer personal data (names, companies, conversation transcripts sent to Azure OpenAI without anonymization)
- Automated processing of customer stories and referrals
- Analytics tracking of UK users
The DPIA is available to the ICO upon request.
8. Records of Processing Activities
We maintain records of processing activities as required by Article 30, including:
- Categories of data subjects and personal data
- Purposes of processing
- Categories of recipients
- International transfers and safeguards
- Retention periods
- Security measures
9. Security Measures
9.1. Technical Measures
- Encryption at rest (Azure SQL Transparent Data Encryption)
- Encryption in transit (HTTPS/TLS 1.2+)
- httpOnly, Secure session cookies with SameSite=Lax
- Rate limiting on authentication and API endpoints
- Parameterized SQL queries (SQL injection prevention)
- Input validation and output encoding
9.2. Organizational Measures
- Access controls based on role and necessity
- Regular review of access permissions
- Incident response procedures
- Data protection awareness
10. Data Retention
| Data Category | Retention Period | Legal Basis |
|---|---|---|
| Account data | Until deletion + 30 days | Contract |
| Billing records | 7 years | Legal obligation |
| Blog content | Until deleted by user | Contract |
| Analytics | 24 months, then aggregated | Legitimate interest |
| Customer stories | Until deleted by org owner | Consent |
| Conversation transcripts | Life of associated content | Consent |
| Session tokens | 30 days | Contract |
11. Complaints
You have the right to lodge a complaint with the ICO:
- Website: ico.org.uk
- Helpline: 0303 123 1113
- Address: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
We encourage you to contact us first at dpo@discoverworthy.com so we can try to resolve your concern.
12. Contact
For all data protection matters:
- Email: dpo@discoverworthy.com
- Address: 140 Keller Road, ESSENDON NORTH, VIC 3041