Draft — pending legal review. This is a working draft, not yet legal advice. It will be finalised by our solicitors before launch.

Data Processing Agreement

ButtonUp Research is a trading name of Belt and Braces Ltd. Last updated 16 June 2026 · Version 2026-06-16.

This Data Processing Agreement ("DPA") forms part of, and is subject to, the Terms of Service between you ("Customer", the controller) and Belt and Braces Ltd trading as ButtonUp Research ("ButtonUp", "we", the processor). It applies where we process personal data on the Customer's behalf in providing the Service ("Customer Personal Data"). Terms not defined here have the meaning given in the Terms or in UK data-protection law.

1. Roles and scope

The Customer is the controller and ButtonUp is the processor of Customer Personal Data. Each party will comply with its obligations under UK GDPR and the Data Protection Act 2018 ("Data Protection Law"). Where the EU GDPR applies to the processing, references in this DPA to UK GDPR are read as references to the EU GDPR and to the corresponding provisions.

This DPA does not apply to personal data for which ButtonUp is itself the controller (e.g. account and website data), which is covered by our Privacy Policy.

2. Processing instructions

We process Customer Personal Data only on the Customer's documented instructions, which are: the Terms, this DPA, the Customer's configuration and use of the Service, and any further written instructions the Customer gives. We will tell the Customer if, in our opinion, an instruction infringes Data Protection Law (though we are not obliged to give legal advice), and may suspend processing of the affected instruction.

The subject matter, duration, nature, purpose, types of personal data and categories of data subjects are set out in Annex 1.

3. Customer obligations

The Customer warrants that: it is and will remain the controller (or has authority from the controller); there is a valid lawful basis (and, for special-category data, a valid condition) for the processing; the necessary privacy notices have been given and consents obtained; and its instructions are lawful.

4. Confidentiality

We ensure that persons authorised to process Customer Personal Data are bound by appropriate confidentiality obligations.

5. Security

We implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as described in Annex 2 (and we may update them provided protection is not materially reduced).

6. Sub-processors

The Customer gives general authorisation for us to engage the sub-processors listed at our sub-processors page. We impose data-protection obligations on each sub-processor that are no less protective than this DPA, and we remain liable for their performance. We will give reasonable notice of any intended addition or replacement of a sub-processor, and the Customer may object on reasonable data-protection grounds; if we cannot resolve the objection, the Customer may terminate the affected Service.

7. Data subject rights

Taking into account the nature of the processing, we will assist the Customer by appropriate technical and organisational measures (and through Service features such as export and erasure) to respond to data subjects exercising their rights. If we receive a request directly from a data subject, we will forward it to the Customer and not respond except on the Customer's instruction or as required by law.

8. Personal data breach

We will notify the Customer without undue delay after becoming aware of a personal data breach affecting Customer Personal Data, provide the information reasonably available to us, and reasonably assist the Customer with its own breach obligations.

9. DPIAs and prior consultation

We will provide reasonable assistance to the Customer with data protection impact assessments and any prior consultation with a supervisory authority, taking into account the nature of the processing and the information available to us.

10. International transfers

Customer Personal Data is hosted in the UK / EU, except where Annex 1 or the sub-processors page shows processing outside that region (for example, AI processing in the USA). Where we transfer Customer Personal Data outside the UK/EEA, we put in place an appropriate transfer mechanism (e.g. the UK International Data Transfer Agreement / Addendum or the EU Standard Contractual Clauses) and apply supplementary measures, including the pseudonymisation of direct identifiers described in our Privacy Policy and in Annex 2.

11. Deletion or return

On termination of the Service, and at the Customer's choice, we will delete or return Customer Personal Data and delete existing copies, unless Data Protection Law requires us to retain it. The Service also provides self-service export and erasure during the term.

12. Audit

We will make available to the Customer information reasonably necessary to demonstrate compliance with this DPA, and allow for and contribute to audits, including inspections, conducted by the Customer or an auditor it mandates — on reasonable prior notice, no more than once a year (unless required by a supervisory authority or following a breach), subject to confidentiality, and where possible satisfied by our existing documentation or third-party reports.

13. Liability

Each party's liability under or in connection with this DPA is subject to the exclusions and limitations of liability in the Terms, and any caps apply in the aggregate across the Terms and this DPA.

14. General

If there is a conflict, this DPA prevails over the Terms on data-protection matters, and an applicable transfer mechanism (SCCs / IDTA) prevails over this DPA on transfer matters. This DPA is governed by the law of England and Wales. It takes effect when the Customer accepts the Terms and continues for as long as we process Customer Personal Data.


Annex 1 — Details of processing

  • Subject matter: provision of the ButtonUp Research Service to the Customer.
  • Duration: the term of the Terms, plus any retention period set out in the Terms / Privacy Policy.
  • Nature and purpose: hosting and storage; recruitment, outreach (email) and scheduling; collection of survey and interview responses; AI-assisted drafting and analysis; reporting and export — all to provide the Service.
  • Types of personal data: identifiers and contact details of the Customer's research participants (e.g. names, email addresses, phone numbers); screener and survey responses; interview transcripts, notes and uploaded files, which may contain any data the Customer chooses to include, including special-category data; and the Customer's own users (name, email, role).
  • Categories of data subjects: the Customer's research participants, and the Customer's personnel/authorised users.

Annex 2 — Technical and organisational security measures

  • Encryption in transit (TLS) and at rest (database and file storage).
  • Field-level encryption of sensitive participant identifiers (names, emails, phones).
  • Pseudonymisation / minimisation of direct identifiers before content is sent to the AI sub-processor.
  • Access control: role-based access (Admin / Researcher / Viewer), per-workspace tenant isolation enforced at the data layer, optional two-factor authentication, least-privilege internal access.
  • Audit logging of access to participant records and of communications and erasures.
  • Hosting in the EU region.
  • Rate limiting on public endpoints.
  • Secret scanning in the development pipeline.
  • Resilience: managed, backed-up database.
  • Data subject rights tooling: right-to-erasure and subject-access tooling (clauses 7 and 11).
  • Incident response: breach detection and notification process (clause 8).

Annex 3 — Sub-processors

The current list of sub-processors, with their purpose and location, is maintained at our sub-processors page and forms part of this Annex.