Data Processing Agreement
UK GDPR Article 28 terms for deny.sh customers who process personal data on the Service.
Draft version: 10 May 2026
The short version
This Data Processing Agreement (the "DPA") sets out the terms under which Treehouse in Valhalla Ltd processes personal data on behalf of customers of the deny.sh Service. It is designed to satisfy Article 28 of the UK General Data Protection Regulation (UK GDPR) and the corresponding obligations of the EU GDPR where applicable. The DPA forms part of the Terms of Service and is incorporated by reference for all customers who process personal data through the Service.
1. Definitions
Capitalised terms have the meanings given in the Terms of Service. In addition:
- "Applicable Data Protection Law" means the UK GDPR, the Data Protection Act 2018, the EU GDPR (where applicable), and any other data protection or privacy law applicable to the processing of Personal Data under this DPA.
- "Controller", "Processor", "Sub-Processor", "Data Subject", "Personal Data", "Personal Data Breach", "Processing", and "Supervisory Authority" have the meanings given in Applicable Data Protection Law.
- "Customer" means the User identified as the account holder for the Service. The Customer acts as Controller of any Personal Data processed through the Service unless the parties expressly agree otherwise in writing.
- "deny.sh", "we", "us", or "our" means Treehouse in Valhalla Ltd, a company registered in England and Wales (Company No. 15770209), trading as deny.sh, acting as Processor under this DPA.
- "Customer Personal Data" means any Personal Data that the Customer (or its end users) submits to or processes through the Service.
- "Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for international transfers approved by the European Commission under Article 46(2)(c) EU GDPR and, for transfers from the UK, those clauses as modified by the International Data Transfer Addendum to the EU SCCs (the "UK Addendum") issued by the Information Commissioner's Office. References in this DPA and Annex 2 to the UK Addendum are to that instrument.
2. Scope and roles
This DPA applies whenever Customer Personal Data is processed by us in connection with the Service.
- The Customer is the Controller of Customer Personal Data, except where the Customer is itself a processor acting on behalf of a third-party controller, in which case the Customer represents that it has authority to enter into this DPA on the third party's behalf.
- deny.sh is the Processor, and processes Customer Personal Data only on documented instructions from the Customer as set out in this DPA, the Terms of Service, and Annex 1.
- Each party shall comply with its respective obligations under Applicable Data Protection Law. Nothing in this DPA relieves the Customer of its responsibilities as Controller, including the lawful basis for processing, the provision of privacy notices to Data Subjects, and responding to Data Subject requests.
Annex 1 to this DPA sets out the subject matter, nature, purpose, duration, types of Personal Data, and categories of Data Subjects processed under this DPA.
3. Customer instructions
We will process Customer Personal Data only on the documented instructions of the Customer, including with regard to transfers to a third country, unless required to do so by Applicable Data Protection Law to which we are subject. Where we are required to process Customer Personal Data on a different basis, we will inform the Customer of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.
The Customer's instructions are set out in this DPA, the Terms of Service, the Service documentation, and any further written instructions issued by the Customer through the Customer's account or through written communication to hello@deny.sh. We will inform the Customer if, in our opinion, an instruction infringes Applicable Data Protection Law.
4. Confidentiality
We ensure that all personnel authorised to process Customer Personal Data are bound by appropriate written confidentiality obligations or are under a statutory obligation of confidentiality. Personnel access to Customer Personal Data is granted on a need-to-know basis and is restricted to what is required to provide and support the Service.
5. Security of processing
We implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, in accordance with Article 32 UK GDPR. These measures include:
- Encryption in transit: all traffic between client and Service is protected by TLS 1.2 or higher.
- Client-side encryption: vault payloads, dead man's switch payloads, and browser-tool data are encrypted in the Customer's browser before transmission. We never receive plaintext content for these features.
- Authentication: API keys are stored as cryptographic hashes, never in plaintext. Account credentials use scrypt password hashing.
- Access control: production systems are accessible only to authorised personnel via key-based authentication. Access is logged and reviewed.
- Network protection: traffic is filtered by Cloudflare's WAF and DDoS protection. Origin servers are firewalled (UFW) and protected against brute-force attacks (fail2ban).
- Patch management: operating system and dependency updates are applied on a regular cadence, with security updates prioritised.
- Logging and monitoring: production systems generate access and application logs. Anomalies are alerted to the operations team.
- Backup and recovery: persistent data stores are backed up daily, with backups retained for 30 days. Recovery procedures are tested periodically.
- Resilience: the Service is designed to recover quickly from infrastructure failure. Managed-vault data on Business and Enterprise plans is replicated within the customer's selected region.
- Personnel training: personnel with access to production systems receive security and data-protection training appropriate to their role.
A current summary of technical and organisational measures is published at /security-posture and forms part of the security commitments under this DPA.
6. Sub-processors
6.1 General authorisation
The Customer provides general authorisation for us to engage sub-processors to support the provision of the Service. Annex 2 lists the current sub-processors at the date of this DPA. Each sub-processor is bound by a written contract that imposes data-protection obligations no less protective than those set out in this DPA, in accordance with Article 28(4) UK GDPR.
6.2 Notice of changes
We will give the Customer at least 30 days' prior notice of any intended addition or replacement of a sub-processor by updating Annex 2 and notifying the Customer by email (where the Customer has provided an email address for this purpose) and by an entry on the deny.sh changelog. The Customer may, on reasonable grounds related to data protection, object to the change in writing within 30 days of notice. The parties will work in good faith to resolve any objection. If no resolution is possible, the Customer may terminate the affected portion of the Service in accordance with the Terms of Service.
6.3 Liability for sub-processors
We remain fully liable to the Customer for the performance of any sub-processor's obligations under this DPA.
7. Assistance with Data Subject requests
Taking into account the nature of the processing, we will assist the Customer by appropriate technical and organisational measures, insofar as this is possible, in fulfilling the Customer's obligation to respond to requests for the exercise of Data Subject rights under Chapter III UK GDPR (rights of access, rectification, erasure, restriction, portability, objection, and rights in relation to automated decision-making).
Where Data Subjects contact us directly with requests relating to Customer Personal Data, we will, without undue delay, refer them to the Customer and notify the Customer of the request. We do not respond to such requests on the Customer's behalf unless instructed to do so in writing.
For account-level Personal Data that we process as Controller (for example, the Customer's billing email address), we respond to Data Subject requests directly under our Privacy Policy.
8. Assistance with Controller obligations
Taking into account the nature of processing and the information available to us, we will assist the Customer in ensuring compliance with the Customer's obligations under Articles 32 to 36 UK GDPR, in particular:
- The security of processing (Article 32) by maintaining the measures described in section 5 and at /security-posture.
- Personal Data Breach notification (Articles 33 and 34) as set out in section 9 below.
- Data Protection Impact Assessments (Article 35) by providing the information about the Service that the Customer reasonably requires to perform a DPIA.
- Prior consultation with the Supervisory Authority (Article 36) by providing reasonable cooperation where the Customer is required to consult with a Supervisory Authority.
9. Personal Data Breach notification
We will notify the Customer in writing without undue delay, and in any event within 72 hours, after becoming aware of a Personal Data Breach affecting Customer Personal Data. Because the Customer's own 72-hour period for notifying the Supervisory Authority under Article 33(1) UK GDPR runs from the time the Customer becomes aware of the breach, initial notice will not be held back pending completion of our investigation. Our notification will include, to the extent then known:
- The nature of the breach, including the categories and approximate number of Data Subjects and records concerned
- The likely consequences of the breach
- The measures taken or proposed to address the breach and to mitigate its effects
- A point of contact for further information
Where it is not possible to provide all of the information at once, we will provide it in phases without undue further delay. We will cooperate reasonably with the Customer in the Customer's investigation, mitigation, and notification of the breach to Supervisory Authorities and Data Subjects, where required by Applicable Data Protection Law.
Notice of a Personal Data Breach is not an admission of fault or liability.
10. Deletion and return of data
At the choice of the Customer, we will delete or return all Customer Personal Data after the end of the provision of the Service, and delete existing copies, unless retention is required by Applicable Data Protection Law.
The Customer may exercise this right by:
- Submitting a request via the deny.sh account interface (where available), or
- Sending a written request to hello@deny.sh identifying the account and the data to be deleted or returned.
We will action a deletion or return request within 30 days of receipt. Confirmation of deletion (a "Deletion Certificate") is available on request. Routine retention timelines for specific data categories are set out in our Privacy Policy and apply where the Customer has not exercised this right.
Where retention is required by law (for example, billing records under tax law), the data will be retained for the legally required period, securely segregated where practicable, and processed only to the extent necessary to comply with that obligation.
11. Audits and information rights
We will make available to the Customer all information necessary to demonstrate compliance with this DPA and Article 28 UK GDPR. This includes:
- Our public security posture documentation at /security-posture
- Our public sub-processor list (Annex 2 below)
- On reasonable written request and subject to confidentiality, summaries of independent security assessments where available
Where the information made available is not, in the Customer's reasonable opinion, sufficient to demonstrate compliance, the Customer may, at its own cost and on at least 30 days' prior written notice, request an audit of our processing activities relevant to this DPA. Audits will:
- Be conducted no more than once in any 12-month period, except where required by a Supervisory Authority or following a confirmed Personal Data Breach
- Be carried out during normal business hours and in a manner that does not unreasonably interfere with the operation of the Service
- Be conducted by the Customer or by an independent auditor mutually agreed by the parties (acting reasonably) who is bound by appropriate confidentiality obligations
- Exclude information relating to other customers, our security configuration where disclosure would create material risk, and information subject to legal privilege or third-party confidentiality
The Customer will provide a copy of any audit report to us and treat the audit findings as our confidential information.
12. International transfers
Customer Personal Data is primarily processed in the United Kingdom. Where Customer Personal Data is transferred to a country outside the UK or EEA that is not the subject of an adequacy decision, the transfer will be made under one of the following safeguards:
- The EU SCCs as modified by the UK Addendum, where the transfer originates from the UK
- The European Commission's Standard Contractual Clauses, where the transfer originates from the EEA
- The EU-US Data Privacy Framework, where the transfer originates from the EEA, or its UK Extension (the UK-US data bridge), where the transfer originates from the UK, in each case where the recipient is certified under the relevant framework and, for UK transfers, has opted in to the UK Extension
- Any other lawful transfer mechanism agreed by the parties in writing
Annex 2 identifies the location of each sub-processor and the transfer mechanism that applies. By entering into this DPA, the Customer authorises the international transfers described in Annex 2 on the basis of the safeguards listed above.
13. Liability
Each party's liability arising under or in connection with this DPA is subject to the limitations and exclusions of liability set out in the Terms of Service, except to the extent that liability cannot be limited or excluded under Applicable Data Protection Law.
Nothing in this DPA limits a Data Subject's rights against either party under Article 82 UK GDPR.
14. Term and survival
This DPA takes effect on the date the Customer first processes Customer Personal Data through the Service, or on the date a fully executed counterpart is signed by both parties, whichever is earlier. It remains in force for as long as we process Customer Personal Data.
Sections that by their nature should survive termination, including section 10 (deletion and return), section 11 (audits), section 13 (liability), and any obligation of confidentiality, will survive termination of this DPA.
15. Order of precedence
If there is any conflict between this DPA and the Terms of Service, this DPA prevails for matters relating to the processing of Customer Personal Data. Where the Customer has executed a separate written data processing agreement with us, that separate agreement prevails over this DPA in the event of conflict.
16. Governing law and jurisdiction
This DPA is governed by and construed in accordance with the laws of England and Wales. Disputes arising under or in connection with this DPA are subject to the exclusive jurisdiction of the courts of England and Wales, save that either party may seek injunctive relief in any court of competent jurisdiction.
17. Changes to this DPA
We may update this DPA from time to time to reflect changes in Applicable Data Protection Law, our processing activities, or our sub-processor arrangements. Material changes will be notified by email (where the Customer has provided an email address for this purpose) and by an entry on the deny.sh changelog at least 30 days in advance, except where a shorter period is required by law. Continued use of the Service after the effective date of an updated DPA constitutes acceptance of the changes.
Annex 1: Details of processing
Subject matter and nature of processing
Provision of the deny.sh Service, including deniable encryption API operations, browser-based encryption tools, encrypted vault storage, dead man's switch delivery, inheritance features, and related account and billing operations.
Purpose of processing
To provide the Service requested by the Customer in accordance with the Terms of Service, to authenticate API requests, to meter usage, to deliver dead man's switch and inheritance payloads to designated recipients on the Customer's behalf, and to comply with our legal obligations.
Duration of processing
For the duration of the Customer's account, plus any period required to comply with the Customer's deletion or return instructions and any legally mandated retention period.
Categories of Data Subjects
- The Customer (where the Customer is a natural person) and the Customer's authorised personnel
- Recipients of dead man's switch payloads or inheritance disbursements designated by the Customer
- End users of any Customer-built application that integrates with the Service via the API, where the Customer has elected to process their Personal Data through the Service
Categories of Customer Personal Data
- Account data: email address, account identifier, hashed API key, optional display name, subscription tier, billing reference
- Usage metadata: API request counts, timestamps, response codes, rate-limit state, IP address (for abuse prevention and rate limiting)
- Recipient data for dead man's switch and inheritance: recipient email addresses, optional recipient names, delivery schedule, check-in history
- Encrypted payloads: vault payloads, dead man's switch payloads, and inheritance payloads, all of which are encrypted in the Customer's browser before transmission and which we cannot read
- Server access logs: IP address, request path, status code, timestamp, user agent (rotated and deleted daily)
- Support correspondence: any Personal Data the Customer or a Data Subject voluntarily includes in communications with us
Special categories of Personal Data
The Customer should not deliberately submit special categories of Personal Data (Article 9 UK GDPR) or Personal Data relating to criminal convictions and offences (Article 10 UK GDPR) other than within the client-side-encrypted payloads described above. Where such data is contained only within client-side-encrypted payloads, we store and transmit ciphertext that we cannot decrypt and cannot identify as special category data. Storing that ciphertext is still Processing of Customer Personal Data under this DPA, and the Customer remains responsible as Controller for its lawfulness, including satisfying an Article 9(2) condition where one is required and safeguarding the keys needed to decrypt it.
Annex 2: Approved sub-processors
The following sub-processors are authorised at the date of this DPA. The Customer is notified of any addition or replacement in accordance with section 6.2.
| Sub-processor | Service provided | Location of processing | Transfer mechanism |
|---|---|---|---|
| Cloudflare, Inc. | Network edge, WAF, DDoS protection, TLS termination | Global edge (UK and EU PoPs prioritised); some metadata may transit US infrastructure | EU-US Data Privacy Framework with UK Extension (UK-US data bridge); Cloudflare standard data-processing terms |
| Amazon Web Services, Inc. | Managed-vault hosting for Business and Enterprise plans | eu-west-2 (London) by default; optional secondary regions on Business and Enterprise plans | EU-US Data Privacy Framework with UK Extension (UK-US data bridge); AWS Data Processing Addendum (incorporating the EU SCCs and UK Addendum) |
| Stripe, Inc. | Payment processing for paid subscriptions | United States and other jurisdictions per Stripe's published list | EU-US Data Privacy Framework with UK Extension (UK-US data bridge); Stripe SCCs and UK Addendum |
| Resend, Inc. | Transactional email (account communications, dead man's switch and inheritance notifications) | United States | EU-US Data Privacy Framework with UK Extension (UK-US data bridge) |
| DigitalOcean, LLC | Application origin hosting (compute and storage for the deny.sh API and website) | London (LON1) region | Within UK; no extra-UK transfer mechanism required for primary processing |
Web fonts (DM Sans, Space Mono, both under the SIL Open Font License) and all static assets are self-hosted from the application origin and do not introduce a third-party processor.
18. Signatures
This DPA is incorporated by reference into the Terms of Service and takes effect on acceptance of those terms. Customers requiring an executed counterpart for procurement records may request one by emailing hello@deny.sh. The signed counterpart will reflect the terms of this published DPA as of the date of signature.
Treehouse in Valhalla Ltd
Company No. 15770209
Registered in England and Wales
Email: hello@deny.sh