Data Processing Agreement

Last updated: May 2026

This document sets out Deepheem's data processing commitments and applies to all users of the platform. Business plan customers who require a formally executed, countersigned DPA document may contact us at support@deepheem.com.

1. Scope and purpose

This Data Processing Agreement ("DPA") describes how Deepheem ("we", "us", "the Processor") processes personal data on behalf of users and customers ("you", "the Controller") in connection with the Deepheem platform and services.

This DPA forms part of and should be read alongside our Privacy Policy and Terms of Service. In the event of any conflict between this DPA and those documents, this DPA takes precedence in respect of data processing matters.

This DPA applies where you use Deepheem to process personal data about third parties — for example, running an investigation that involves the names, contact details, or activities of identified individuals as part of your professional work in legal, business intelligence, or journalism contexts.

2. Roles of the parties

  • You (the Controller) determine the purposes and means of processing personal data submitted through the platform — for example, the subjects of your investigations and the nature of your research.
  • Deepheem (the Processor) processes that personal data solely on your instructions, as set out in these terms, to deliver the investigation outputs you have requested.

In relation to your own account data (name, email, billing), Deepheem acts as a data Controller in its own right. This is covered separately in our Privacy Policy.

3. Nature of processing

Subject matter: AI-assisted investigation and research services
Duration: For the duration of your subscription, plus the retention period specified in section 7
Nature: Collection, storage, structuring, retrieval, use, transmission to AI sub-processors, and deletion
Purpose: To generate structured investigation reports, source classifications, evidence status assessments, and evidence summaries based on your brief
Data types: Names, organisations, publicly available facts, activities, and any other personal data included in your investigation brief
Data subjects: Individuals and entities referred to in your investigation briefs

4. Deepheem's obligations as Processor

Deepheem will, in respect of personal data processed on your behalf:

  • Process personal data only on your documented instructions (i.e. the briefs and parameters you submit), except where required to do so by law
  • Ensure that all personnel with access to personal data are subject to appropriate confidentiality obligations
  • Implement and maintain the technical and organisational security measures described in our Security page
  • Not use investigation brief data to train AI models
  • Notify you without undue delay if we become aware of a personal data breach affecting data processed on your behalf
  • Assist you, where reasonably possible, in responding to requests from data subjects exercising their rights under UK GDPR
  • Delete or return investigation data upon termination of your account, at your request, subject to our legal retention obligations
  • Make available information reasonably necessary to demonstrate compliance with this DPA

5. Your obligations as Controller

By using Deepheem to process personal data about third parties, you confirm that:

  • You have a lawful basis under UK GDPR (or applicable law in your jurisdiction) to process the personal data you submit through the platform
  • You are using the platform for a legitimate professional purpose (legal research, business intelligence, journalism, fact-checking, or similar)
  • You will not use Deepheem to process special category data (health, biometric, racial or ethnic origin, etc.) unless you have explicit legal authority and appropriate safeguards in place
  • You will not use investigation outputs to harass, stalk, surveil, or harm any individual
  • You will independently verify investigation outputs before relying on them for legal, editorial, or business decisions

6. Sub-processors

We use the following sub-processors to deliver the platform. By using Deepheem, you authorise us to engage these sub-processors. We remain responsible for their compliance with this DPA.

Sub-processor | Purpose | Location
Supabase | Database, authentication, file storage | EU (Europe)
Vercel | Application hosting and edge delivery | USA / Global CDN
Anthropic | AI investigation processing (Claude language model) | USA
Tavily | Web search and source retrieval for investigation processing | USA
Stripe | Payment processing and subscription management | USA / Ireland (EU)
Resend | Transactional email delivery | USA

We will notify you of any intended changes to this sub-processor list by updating this page. Where a new sub-processor may materially affect your data protection rights, we will provide at least 14 days' prior notice where practicable.

7. International data transfers

Several of our sub-processors are based in the United States. We take the following steps to ensure adequate protection for data transferred outside the UK:

  • We rely on Standard Contractual Clauses (SCCs) as adopted or recognised under UK law (UK Addendum to the EU SCCs, as issued by the ICO) where applicable
  • We select sub-processors who maintain recognised security certifications (SOC 2 Type II, ISO 27001, PCI DSS) and who have made contractual commitments regarding data protection
  • We conduct reasonable due diligence on sub-processor data protection practices before engagement

8. Data retention and deletion

  • Investigation data (briefs, questions, reports) is retained for the duration of your active account and for up to 90 days following account closure, after which it is deleted
  • You may delete individual investigations at any time from your dashboard
  • You may request full account and data deletion by contacting support@deepheem.com
  • We may retain certain data beyond this period where required by law (e.g. financial records for tax purposes)

9. Data subject rights

Where we act as Processor, you (the Controller) are primarily responsible for handling data subject rights requests from third parties whose data appears in your investigations. We will assist you in meeting those requests where it is technically feasible for us to do so.

For rights requests relating to your own account data (where we act as Controller), contact us at support@deepheem.com. You have the right to access, rectify, erase, restrict, or port your data, and to object to certain processing. We will respond within 30 days.

10. Security measures

The technical and organisational measures we apply to protect personal data are described in full on our Security page. These include TLS encryption in transit, AES-256 encryption at rest, bcrypt password hashing, row-level database security, and multi-factor authentication support.

11. Breach notification

In the event of a personal data breach affecting data processed on your behalf, Deepheem will notify you without undue delay and in any event within 72 hours of becoming aware of the breach (to the extent practicable). We will include in our notification the nature of the breach, the categories and approximate number of data subjects and records affected, likely consequences, and the measures taken or proposed to address it.

12. Governing law

This DPA is governed by the laws of England and Wales. It incorporates the requirements of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. Any disputes arising under this DPA will be subject to the exclusive jurisdiction of the courts of England and Wales.

13. Contact and executed DPA requests

For general data protection queries, contact us at support@deepheem.com.

Business plan customers who require a formally executed, countersigned DPA document for their own compliance records may request one by emailing support@deepheem.com with the subject line "DPA Request". We will respond within 5 business days.