Data Processing Agreement

“UK GDPR” means the UK General Data Protection Regulation as it forms part of UK law. “Personal Data”, “Data Subject”, “Processing”, “Controller” and “Processor” have the meanings given to them in the UK GDPR.

Sageon processes personal data on your instructions for the purpose of providing the Sageon Business service for as long as your subscription is active, plus a 90-day recovery window before deletion.

Hosting, storage, organisation, retrieval, display and transmission of personal data you upload or generate inside Sageon Business — including project, programme, portfolio, RAID, HR, CRM and financial records — and the operation of the Sage AI advisor on that data when invoked by your users.

• Employee data: name, contact details, job role, employment dates, salary, leave records, performance notes
• Customer / contact data: name, company, email, phone, opportunity notes
• User account data: name, email, organisation, role, audit logs
• Any other personal data you choose to upload into project notes, RAID items, documents, etc.

• Your employees and contractors
• Your customers, suppliers and other business contacts
• Your users of Sageon Business

• Process personal data only on your documented instructions (your use of the service is your instruction).
• Ensure persons authorised to process the data are bound by confidentiality.
• Implement appropriate technical and organisational measures (see Section 8).
• Engage subprocessors only as permitted in Section 7.
• Assist you in responding to data subject requests and DPIAs, where reasonably possible.
• Notify you without undue delay (and within 72 hours where feasible) of a personal data breach affecting your data.
• Delete or return personal data at the end of the service in line with Section 9.
• Make available the information necessary to demonstrate compliance with this DPA.

You provide a general authorisation for Sageon to engage the subprocessors listed at /subprocessors. We will notify you of any intended changes by updating that page, giving you the opportunity to object on reasonable grounds.

We remain liable to you for the acts and omissions of our subprocessors as if they were our own.

• Encryption in transit (TLS 1.2+) and at rest (AES-256 via Supabase / Postgres).
• Row-level security: each organisation's data is logically isolated by tenant ID at the database level.
• Authentication via Supabase Auth with hashed password storage; optional SSO on enterprise plans.
• Role-based access control (5 system roles + custom roles).
• Audit logs of admin actions retained for 12 months.
• Daily encrypted database backups, 30-day retention.
• Principle of least privilege for Sageon personnel; production access limited to the director and named engineers.

Full detail at /security.

On termination, your data remains available for 90 days for export or recovery, then is permanently deleted from production systems. Encrypted backups expire on a rolling 30-day basis thereafter, so all data is gone within ~120 days.

You can request earlier deletion in writing to hello@sageon.co.uk.

Some subprocessors (Anthropic, Vercel, Stripe) may process data in the US. Where personal data leaves the UK, transfers are governed by the UK International Data Transfer Addendum to the EU Standard Contractual Clauses (or the IDTA), as published by the ICO.

You may request, no more than once per year and with 30 days' written notice, a copy of our latest security documentation and answers to a reasonable security questionnaire. On-site audits are not offered as standard but may be agreed for Enterprise customers under separate terms.

Liability under this DPA is subject to the limitations in our Terms of Service.

This DPA is governed by the laws of England and Wales.

By using Sageon Business to process personal data, you accept this DPA on behalf of the Controller. No signature is required. If you need a counter-signed copy for your records, email hello@sageon.co.uk.