
Data Processing Agreement

Version 1.0  ·  Last updated: 25 March 2026

Important: This Data Processing Agreement ("DPA") forms part of the Terms of Service between you (the "Controller") and Project Freelance Limited (trading as Kinvoy) (the "Processor"). By using the Kinvoy service you agree to this DPA. If you are entering into this DPA on behalf of a company or other legal entity, you represent that you have authority to bind that entity. If you require a countersigned copy for your own records, please contact [email protected].

1. Parties and definitions

This Data Processing Agreement is entered into between:

The Controller

The individual or organisation that has registered for a Kinvoy account and is identified in the account registration. The Controller determines the purposes and means of processing personal data entered into the Kinvoy service.

The Processor

Project Freelance Limited (trading as Kinvoy), a company registered in England and Wales under company number 8845897, whose registered office is at 48 Meadow Road, Barlaston, Stoke on Trent, Staffordshire, ST12 9EJ. ICO registration number: CSN1020962.

1.1 Definitions

In this DPA, the following terms have the meanings set out below. Terms not defined here have the meanings given in the UK GDPR.

Term | Meaning
UK GDPR | The UK General Data Protection Regulation as retained in UK law by the European Union (Withdrawal) Act 2018, together with the Data Protection Act 2018.
Personal Data | Any information relating to an identified or identifiable natural person as defined in Article 4(1) UK GDPR.
Processing | Any operation performed on Personal Data, as defined in Article 4(2) UK GDPR.
Data Subject | The identified or identifiable natural person to whom Personal Data relates.
Sub-processor | Any third party engaged by the Processor to carry out processing activities on behalf of the Controller.
Services | The Kinvoy evidence portal and all related features provided under the Terms of Service.
Security Incident | Any accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data.

2. Scope and nature of processing

The Processor processes Personal Data on behalf of the Controller solely for the purpose of providing the Services described in the Terms of Service. The full details of the processing activities — including the categories of Personal Data, categories of Data Subjects, and retention periods — are set out in Schedule A to this DPA.

The Processor shall not process Personal Data for any purpose other than those specified in Schedule A or as otherwise documented in writing by the Controller, except where required to do so by applicable law, in which case the Processor shall (to the extent permitted by law) inform the Controller before undertaking that processing.

3. Processor obligations

The Processor shall, in relation to any Personal Data processed in connection with the performance of its obligations under this DPA:

3.1 Lawful instructions

Process Personal Data only on documented instructions from the Controller, unless required to do so by applicable law. The Controller's use of the Services constitutes documented instructions for the purposes of this clause.

3.2 Confidentiality

Ensure that persons authorised to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

3.3 Security

Implement and maintain the technical and organisational security measures described in Schedule C, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.

3.4 Sub-processing

Not engage a Sub-processor without the prior written authorisation of the Controller. The Controller provides general written authorisation for the Processor to engage the Sub-processors listed in Schedule B. The Processor shall notify the Controller of any intended changes to that list at least 30 days in advance, giving the Controller the opportunity to object. Where the Controller objects on reasonable data protection grounds, the parties shall work in good faith to resolve the objection.

3.5 Data subject rights assistance

Assist the Controller, by appropriate technical and organisational measures and insofar as this is possible, in fulfilling the Controller's obligations to respond to requests from Data Subjects exercising their rights under Chapter III of the UK GDPR (including access, rectification, erasure, restriction, portability, and objection).

3.6 Compliance assistance

Assist the Controller in ensuring compliance with the obligations under Articles 32 to 36 of the UK GDPR (security, breach notification, data protection impact assessments, and prior consultation), taking into account the nature of processing and the information available to the Processor.

3.7 Deletion or return

At the choice of the Controller, delete or return all Personal Data to the Controller after the end of the provision of the Services relating to processing, and delete existing copies unless applicable law requires storage of the Personal Data. The Processor shall confirm deletion in writing within 30 days of the request.

3.8 Information and audit

Make available to the Controller all information necessary to demonstrate compliance with the obligations in Article 28 UK GDPR, and allow for and contribute to audits and inspections conducted by the Controller or an auditor mandated by the Controller, subject to the terms of Section 10.

4. Controller obligations

The Controller represents, warrants, and undertakes that:

4.1 Lawful basis

It has, and will maintain throughout the term, a valid lawful basis under the UK GDPR for each processing activity it instructs the Processor to carry out, including obtaining any necessary consents from Data Subjects.

4.2 Accuracy

All Personal Data provided to the Processor is accurate and up to date to the best of the Controller's knowledge, and the Controller will promptly update or correct any inaccurate Personal Data.

4.3 Sensitive data

Where the Controller uploads or enters special category data (as defined in Article 9 UK GDPR) — including health information, religious beliefs, or biometric data — it has identified and documented an appropriate condition under Article 9(2) UK GDPR for that processing.

4.4 Instructions

Its instructions to the Processor will at all times comply with applicable data protection law, and it will not instruct the Processor to process Personal Data in a way that would cause the Processor to breach applicable law.

5. Sub-processors

The Processor currently uses the Sub-processors listed in Schedule B. Each Sub-processor is engaged under a written contract that imposes data protection obligations equivalent to those in this DPA. The Processor remains fully liable to the Controller for the performance of each Sub-processor's obligations.

The Processor will publish an updated version of Schedule B on this page whenever a Sub-processor is added or removed. The Controller may subscribe to notifications of changes by emailing [email protected].

6. Security measures

The Processor has implemented the technical and organisational measures described in Schedule C. These measures are reviewed at least annually and updated in response to changes in the threat landscape, technology, and the nature of the processing.

The Processor shall not materially reduce the overall level of security during the term of this DPA. Where the Processor proposes to make a material change to its security measures that could adversely affect the Controller's data, it shall give the Controller at least 30 days' prior written notice.

7. Data subject rights

7.1 Requests received by the Processor

Where the Processor receives a request directly from a Data Subject exercising their rights under the UK GDPR, the Processor shall promptly forward that request to the Controller and shall not respond to the Data Subject directly unless instructed to do so by the Controller or required by applicable law.

7.2 Assistance

The Processor shall provide reasonable assistance to the Controller in responding to Data Subject requests within the timescales required by the UK GDPR (generally one calendar month). This includes providing data exports, confirming what data is held, and carrying out erasure or restriction as instructed.

7.3 Self-service tools

The Processor makes available within the Kinvoy portal a self-service account deletion function that permanently erases all Personal Data held by the Processor on behalf of the Controller. Use of this function constitutes a documented instruction from the Controller to delete all associated Personal Data.

8. Personal data breaches

8.1 Notification

The Processor shall notify the Controller without undue delay, and in any event within 72 hours of becoming aware of a Security Incident affecting Personal Data processed under this DPA. The notification shall include, to the extent available at the time:

  • A description of the nature of the Security Incident, including the categories and approximate number of Data Subjects and Personal Data records concerned.
  • The name and contact details of the Processor's data protection contact.
  • A description of the likely consequences of the Security Incident.
  • A description of the measures taken or proposed to address the Security Incident, including measures to mitigate its possible adverse effects.

8.2 Staged notification

Where all required information is not available within 72 hours, the Processor may provide the information in phases, provided that the initial notification is made within the 72-hour window and subsequent information is provided without further undue delay.

8.3 Controller's responsibility

The Controller is solely responsible for determining whether to notify the Information Commissioner's Office (ICO) and/or affected Data Subjects, and for making any such notifications. The Processor shall provide reasonable assistance to the Controller in preparing those notifications.

9. International transfers

The Processor shall not transfer Personal Data outside the United Kingdom or the European Economic Area without the prior written consent of the Controller, except where:

9.1 Adequacy decisions

The transfer is to a country or territory that has received an adequacy decision from the UK Secretary of State under Article 45 UK GDPR, or from the European Commission under Article 45 EU GDPR where that decision has been incorporated into UK law.

9.2 Standard contractual clauses

The transfer is subject to appropriate safeguards under Article 46 UK GDPR, including the UK International Data Transfer Agreement (IDTA) or the EU Standard Contractual Clauses with the UK Addendum, as applicable.

Details of any international transfers carried out by Sub-processors are set out in Schedule B. The Controller provides general authorisation for those transfers on the basis of the safeguards described in that Schedule.

10. Audit and inspection

The Processor shall, upon reasonable written notice of at least 30 days, make available to the Controller (or an independent auditor appointed by the Controller and approved by the Processor, such approval not to be unreasonably withheld) all information reasonably necessary to demonstrate compliance with this DPA.

Audits shall be conducted during normal business hours, shall not unreasonably disrupt the Processor's operations, and shall be limited to once per calendar year unless the Controller has reasonable grounds to believe a Security Incident has occurred. The Controller shall bear the costs of any audit unless the audit reveals a material breach of this DPA by the Processor.

The Processor may satisfy its audit obligations by providing the Controller with a current ISO 27001 certificate, SOC 2 Type II report, or equivalent independent third-party certification, where available.

11. Termination and return of data

Upon termination or expiry of the Terms of Service, or upon written request from the Controller, the Processor shall:

11.1 Return or deletion

At the Controller's written election, either (a) return all Personal Data to the Controller in a portable, machine-readable format (CSV or JSON) within 30 days, or (b) securely delete all Personal Data and confirm deletion in writing within 30 days.

11.2 Backup retention

The Processor may retain encrypted backup copies of Personal Data for up to 90 days after the deletion date, solely for disaster recovery purposes. Those copies shall be deleted at the end of the 90-day period and shall not be used for any other purpose.

11.3 Legal retention obligations

Notwithstanding clauses 11.1 and 11.2, the Processor may retain Personal Data to the extent required by applicable law (for example, financial records required by HMRC), and shall notify the Controller of any such retention obligation.

12. Liability

Each party's liability under this DPA is subject to the limitations and exclusions set out in the Terms of Service. Nothing in this DPA limits either party's liability for death or personal injury caused by negligence, fraud or fraudulent misrepresentation, or any other liability that cannot be excluded or limited by law.

Where a Data Subject suffers damage as a result of a breach of the UK GDPR, and both the Controller and the Processor are responsible for that damage, each shall be held liable for the entire damage in order to ensure effective compensation of the Data Subject. The Processor shall be exempt from liability if it proves that it is not in any way responsible for the event giving rise to the damage.

13. Governing law

This DPA and any dispute or claim arising out of or in connection with it (including non-contractual disputes or claims) shall be governed by and construed in accordance with the laws of England and Wales. The parties irrevocably submit to the exclusive jurisdiction of the courts of England and Wales.

Schedule A — Processing details

Field | Detail
Subject matter | Provision of the Kinvoy evidence portal — a secure digital service for managing next-of-kin responsibilities following bereavement.
Duration | For the term of the Controller's subscription to the Services, plus any post-termination retention period described in clause 11.
Nature of processing | Collection, storage, organisation, retrieval, disclosure by transmission, erasure, and destruction of Personal Data via the Kinvoy web application and associated infrastructure.
Purpose of processing | To enable the Controller to record, organise, and manage estate administration tasks, documents, deadlines, financial transactions, and communications relating to the estate of a deceased person.
Categories of Personal Data | Identity data (name, date of birth, National Insurance number) of the deceased; identity and contact data of the Controller and collaborators; estate financial data; uploaded documents; activity logs; billing data.
Special category data | Health information (cause of death, medical records) and religious or philosophical beliefs (funeral preferences) may be uploaded by the Controller as part of estate documents. The Controller is responsible for identifying the lawful basis for processing such data.
Categories of Data Subjects | Deceased persons; next of kin (Controllers); estate collaborators (solicitors, accountants, family members); beneficiaries named in documents.
Retention period | Personal Data is retained for the duration of the active subscription. Following cancellation or deletion, data is deleted within 30 days (with encrypted backups retained for a further 90 days for disaster recovery). See clause 11.

Schedule B — Approved sub-processors

The following Sub-processors are approved as at the date of this DPA. The Processor will update this schedule and notify the Controller of any changes with at least 30 days' notice.

Sub-processor | Country | Purpose | Safeguard
PingCAP / TiDB Cloud | USA / EU | Primary relational database — stores all structured Personal Data including user accounts, estate records, tasks, and financial transactions. | EU Standard Contractual Clauses (UK Addendum)
Amazon Web Services (AWS S3) | USA / EU | Object storage — stores documents (PDFs, images, Word files) uploaded by Controllers. | EU Standard Contractual Clauses (UK Addendum); AWS Data Processing Addendum
Stripe, Inc. | USA | Payment processing — processes subscription payments. Stripe stores billing name, email, and card metadata. Stripe does not receive estate or deceased person data. | EU Standard Contractual Clauses (UK Addendum); Stripe Data Processing Agreement
Resend, Inc. | USA | Transactional email delivery — sends welcome emails, trial reminders, invite links, and system notifications. Email addresses and names are transmitted. | EU Standard Contractual Clauses (UK Addendum)
Manus AI | USA | AI assistant infrastructure — provides the LLM and voice transcription features within the portal. Prompts and transcription requests may contain estate-related data. | Data Processing Agreement with Manus AI

Schedule C — Technical and organisational security measures

The Processor has implemented the following technical and organisational measures in accordance with Article 32 UK GDPR. These measures are reviewed and updated at least annually.

Access control

  • All user access to the portal requires authentication via Manus OAuth (OpenID Connect).
  • Role-based access control (RBAC) with distinct user and admin roles.
  • Estate-level access control: collaborators can only access estates to which they have been explicitly invited.
  • Administrative access to production systems is restricted to named individuals and requires multi-factor authentication.

Data in transit

  • All data transmitted between the user's browser and the Kinvoy servers is encrypted using TLS 1.2 or higher.
  • HTTP Strict Transport Security (HSTS) is enforced with a minimum max-age of one year.
  • All API endpoints are served exclusively over HTTPS.

Data at rest

  • Database data is encrypted at rest using AES-256 encryption provided by the database host (TiDB Cloud).
  • Document files stored in AWS S3 are encrypted at rest using AES-256 (SSE-S3).
  • Session tokens are signed using HS256 JWT with a secret key stored as an environment variable, not in source code.

Application security

  • HTTP security headers are set on all responses: Content-Security-Policy, X-Frame-Options (DENY), X-Content-Type-Options (nosniff), Referrer-Policy, and Cross-Origin-Resource-Policy.
  • Rate limiting is applied to all API endpoints (120 requests/minute general; 20 requests/minute for authentication; 30 requests/minute for AI features).
  • All user-supplied input is validated server-side using Zod schema validation before processing.
  • SQL queries are parameterised via Drizzle ORM; raw SQL is not used.
  • File uploads are validated for MIME type and size before storage.

Organisational measures

  • All personnel with access to Personal Data are subject to confidentiality obligations.
  • A data breach response procedure is in place, with a 72-hour notification commitment to Controllers.
  • This DPA and the Privacy Policy are reviewed at least annually and updated to reflect changes in processing activities.
  • Dependency vulnerabilities are monitored via automated tooling and patched on a risk-based schedule.

Business continuity

  • Database backups are taken daily and retained for 30 days.
  • Document files in S3 are replicated across multiple availability zones.
  • Encrypted backup copies of Personal Data are retained for up to 90 days following deletion requests for disaster recovery purposes only.

Prepared by: Project Freelance Limited (trading as Kinvoy)  ·  Company no.: 8845897  ·  Version: 1.0  ·  Last reviewed: 25 March 2026

For a countersigned copy of this DPA, or to raise a query, contact: [email protected]