Bespoke Champions League Ltd · Company No. 16778449 · Last updated: January 2026
DRAFT - PENDING LEGAL REVIEW. This document has not been reviewed by legal counsel and must not be executed as-is.
This Data Processing Addendum ("DPA") forms part of the Terms of Service between Bespoke Champions League Ltd ("Bespea", "Processor", "we") and the Customer ("Controller", "you") governing the processing of Personal Data in compliance with UK GDPR and Data Protection Act 2018.
Effective Date: Upon acceptance of Terms of Service.
Applicable To: Enterprise customers, Studios processing employee data, or any Customer acting as a Controller under UK GDPR.
"Personal Data" means information relating to an identified or identifiable natural person as defined in UK GDPR Article 4(1).
"Processing" means any operation performed on Personal Data as defined in UK GDPR Article 4(2).
"Controller" means the entity that determines the purposes and means of Processing (typically the Customer).
"Processor" means Bespea, which processes Personal Data on behalf of the Controller.
"Sub-Processor" means third-party service providers engaged by Bespea to process Personal Data.
"Data Subject" means an individual whose Personal Data is processed.
"Supervisory Authority" means the Information Commissioner's Office (ICO) in the UK.
Bespea processes Personal Data as a Processor on behalf of the Controller for the following purposes: platform service delivery (project management, escrow, certification); AI matching and recommendation services; BRIGALSS scoring and blockchain certification; audit trail generation (Decision Passports); and security and fraud prevention.
The Controller: determines the purposes and means of Processing; ensures lawful bases for Processing under UK GDPR Article 6; obtains necessary consents from Data Subjects; provides Data Subject disclosures per UK GDPR Articles 13-14; and ensures data accuracy and minimal collection.
Employees of the Controller; Clients of the Controller; Artisans engaged by the Controller; End-users of Controller's projects.
Bespea will process Personal Data only in accordance with documented instructions from the Controller, including: Terms of Service and this DPA; written instructions provided via support@bespea.com; and configuration settings within the Platform. Bespea will NOT: process Personal Data for purposes other than those instructed; transfer Personal Data outside UK/EU without Controller consent (except to approved Sub-Processors); retain Personal Data beyond agreed retention periods; or share Personal Data with third parties without lawful basis. If Bespea believes an instruction violates UK GDPR or other data protection laws, Bespea will promptly inform the Controller and may refuse to comply.
Information security policy, acceptable use policy, and incident response plan. Annual data protection and security training for all personnel. Background screening for personnel with data access. Non-disclosure agreements for employees and contractors. Immutable hash-chain audit logs for all data access.
Security measures are reviewed at least annually and updated as necessary to address evolving threats.
The Controller provides general authorization for Bespea to engage Sub-Processors necessary for service delivery. Bespea will notify the Controller of any intended changes at least 30 days in advance. The Controller may object within 14 days.
| Sub-Processor | Purpose | Location | Safeguards |
|---|---|---|---|
| AWS | Cloud hosting, database, storage | UK/EU regions | DPA, ISO 27001, SOC 2 |
| Stripe | Payment processing, escrow | Global | DPA, PCI DSS Level 1 |
| SumSub | KYC/AML verification | EU | DPA, UK GDPR compliant |
| OpenAI | AI processing (text analysis) | US | DPA, SCCs, anonymization |
| Sentry | Error monitoring | EU | DPA, UK GDPR compliant |
| Cloudflare | CDN, DDoS protection | Global | DPA, ISO 27001 |
All Sub-Processors are bound by data processing agreements equivalent to this DPA, implement appropriate security measures, comply with UK GDPR obligations, and permit audits.
Bespea will assist the Controller in responding to Data Subject requests, including: Right of Access (Art. 15) - provide copies of Personal Data; Right to Rectification (Art. 16) - correct inaccurate data; Right to Erasure (Art. 17) - delete Personal Data (subject to legal retention obligations); Right to Restrict Processing (Art. 18) - limit processing during disputes; Right to Data Portability (Art. 20) - export data in machine-readable format (JSON/CSV); Right to Object (Art. 21) - stop processing based on legitimate interests. Requests received by Bespea will be forwarded to the Controller within 2 business days. The Controller is responsible for verifying identity and responding within 30 days per UK GDPR Article 12(3).
Bespea will notify the Controller of any Personal Data Breach within 72 hours of becoming aware, via email to the registered account, including: nature of the breach; categories and approximate number of affected Data Subjects and records; likely consequences; and measures taken or proposed to address the breach. Bespea will cooperate with the Controller to investigate and remediate, provide forensic logs and evidence, and assist with Supervisory Authority and Data Subject notifications. The Controller is responsible for notifying the ICO within 72 hours if the breach poses a risk to Data Subjects' rights and freedoms.
If the Controller's processing is likely to result in high risk to Data Subjects (per UK GDPR Article 35), Bespea will assist in conducting a Data Protection Impact Assessment by providing: technical documentation on processing operations; security measures implemented; Sub-Processor details; and data flow diagrams.
The Controller may audit Bespea's compliance with this DPA once per year (or more frequently if required by a Supervisory Authority), upon at least 30 days' written notice, during business hours (9am-5pm GMT, Monday-Friday). Audits may include review of security policies, inspection of access controls and logs, Sub-Processor documentation, and data retention procedures.
The Controller bears the cost of audits. Bespea may charge £150/hour for staff time exceeding 8 hours per year.
Bespea maintains the following certifications (provided annually): ISO 27001 (Information Security Management) [PLANNED]; SOC 2 Type II (Security, Availability, Confidentiality) [IN PROGRESS].
Personal Data may be transferred to Sub-Processors outside the UK/EU using the following safeguards: Standard Contractual Clauses (SCCs) - EU Commission-approved clauses (Module 2: Controller-to-Processor); Adequacy Decisions - transfers to countries with UK adequacy decisions; UK GDPR Article 46 - other approved transfer mechanisms. Bespea will notify the Controller of any new international transfers not disclosed in Section 6 at least 30 days in advance.
Upon termination, Bespea will delete or anonymize Personal Data within 90 days (except legally required audit records) and provide certification of deletion upon request (£149 fee). Audit logs (ProjectEvent, KernelHashChainEvent, DecisionPassport tables) are retained indefinitely. Personal identifiers are pseudonymized after 7 years.
Bespea is liable only for damages caused by Processing that does not comply with UK GDPR obligations or that acts outside or contrary to lawful instructions. Liability is subject to limitation clauses in the Terms of Service (£10,000 cap, £1,000 for AI-specific claims). Each party indemnifies the other for fines, damages, and costs arising from the indemnifying party's breach of UK GDPR obligations.
This DPA remains in effect for the duration of the Terms of Service and any Processing of Personal Data thereafter. Sections 5 (Security), 8 (Breach Notification), 12 (Data Deletion), and 13 (Liability) survive termination.
Material changes to this DPA will be notified at least 30 days in advance. Continued use after changes constitutes acceptance.
This DPA is governed by the laws of England and Wales. Disputes will be resolved in the courts of England and Wales.
Data Protection Contact: dpo@bespea.com
Security Incidents: security@bespea.com
General Inquiries: support@bespea.com
Version: v1.0 (DRAFT). January 22, 2026 - Initial draft pending legal review