Data Processing Agreement
This Data Processing Agreement (“DPA”) forms part of the Cheqpoint Terms of Service and governs how Cheqpoint Ltd processes personal data on your behalf as a data processor under the UK GDPR and EU GDPR.
Last updated: January 2026 · Effective: January 2026
1. Parties
Data Controller: The organisation or individual that signs up for Cheqpoint (“Customer” or “you”).
Data Processor: Cheqpoint Ltd, a company registered in England and Wales.
2. Subject Matter
Cheqpoint processes personal data on behalf of the Customer to provide the human-in-the-loop approval platform described in the Terms of Service. This includes storing approval requests, decisions, audit logs, and account data.
3. Categories of Data Processed
| Category | Description | Retention |
|---|---|---|
| Account data | Name, email address, hashed password, workspace name | Until account deletion + 30 days |
| Approval request data | AI action payloads, approval decisions, decision notes, timestamps | Per plan: Trial 14d, Starter 30d, Growth 90d, Business 1yr, Enterprise custom |
| Audit logs | All decision events, user actions, system events with actor and timestamp | Permanent (immutable by policy) |
| Integration credentials | Webhook URLs, API keys (encrypted at rest), Slack/Discord/Teams tokens | Until disconnected + 7 days |
| Usage analytics | Approval counts, response times, agent activity (aggregated) | 24 months |
| Session data | HMAC-signed session tokens, IP addresses for rate limiting | 7 days (session expiry) |
4. Data Subject Rights
Cheqpoint assists Customers in fulfilling data subject requests under Articles 15–22 of the GDPR:
- Right of access: export your data from Settings → Danger Zone
- Right to erasure: account and request data deleted on request (audit logs retained for compliance)
- Right to rectification: update profile and workspace data via the dashboard
- Right to portability: CSV export available for approval history
- Right to restriction: contact privacy@cheqpoint.io
5. Technical & Organisational Measures
- AES-256 encryption at rest
- TLS 1.3 in transit
- HMAC-SHA256 signed sessions
- Password hashing with bcrypt (cost factor 10)
- Account lockout after 10 failed attempts
- Immutable audit logs
- Role-based access control (RBAC)
- Multi-tenant data isolation by workspaceId
- SOC 2 Type II controls (in progress)
- Regular dependency security updates
6. Sub-processors
Cheqpoint engages the following sub-processors. We maintain DPAs with each. Customers will be notified 30 days before any new sub-processor is added.
Slack Technologies (Salesforce)
Purpose: Outbound Slack notifications (optional, customer-configured)
Location: US
7. International Data Transfers
Where data is transferred outside the UK or EEA, Cheqpoint relies on:
- UK International Data Transfer Agreements (IDTAs)
- EU Standard Contractual Clauses (SCCs) where applicable
- Adequacy decisions where available
Questions about this DPA?
Contact our Data Protection Officer at privacy@cheqpoint.io.