Article 28 UK GDPR
Data Processing Agreement
Holdfast Firm — between the Controller and Nexus SecTech Ltd
Section 1
Background
1.1 The Firm uses the Holdfast Firm service to monitor the vault connection status of its clients. In doing so, the Firm (as data controller) instructs Holdfast (as data processor) to process certain personal data on its behalf.
1.2 This Agreement sets out the terms on which Holdfast processes that personal data, as required by Article 28 of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
1.3 This Agreement supplements and does not replace Holdfast's standard Terms of Service, which continue to apply.
Section 2
Definitions
| Term | Meaning |
|---|---|
| Personal Data | As defined in UK GDPR Article 4(1) |
| Processing | As defined in UK GDPR Article 4(2) |
| Data Subject | The Firm's clients whose connection data is stored on the Firm's dashboard |
| Sub-processor | A third party engaged by Holdfast to assist in processing Personal Data |
| UK GDPR | The UK General Data Protection Regulation as retained in UK law by the European Union (Withdrawal) Act 2018 |
Section 3
Details of Processing
| Field | Detail |
|---|---|
| Subject matter | Monitoring of client vault connection status for digital estate planning purposes |
| Duration | For as long as the Firm maintains an active Holdfast Firm account |
| Nature of processing | Storage, retrieval, display, and deletion of client metadata |
| Purpose | Enabling the Firm to monitor which clients have connected vaults and their check-in status |
| Type of Personal Data | Client email address, connection status, check-in timestamps, delivery status, solicitor-assigned display label |
| Categories of Data Subjects | The Firm's clients who have accepted an invitation to connect their Holdfast vault |
Zero-knowledge limitation. Holdfast operates a zero-knowledge architecture. The Processor does not process, store, or have access to the contents of any client vault, client passphrases, or any credentials or sensitive personal information held within a vault. The Personal Data listed above is metadata only.
Section 4
Processor Obligations
Holdfast agrees to:
4.1 Process only on instruction. Process Personal Data only on the documented instructions of the Firm, as set out in this Agreement and the Holdfast Terms of Service, unless required to do so by applicable law.
4.2 Confidentiality. Ensure that all personnel authorised to process the Personal Data are subject to appropriate obligations of confidentiality.
4.3 Security. Implement and maintain appropriate technical and organisational measures to protect Personal Data against unauthorised or unlawful processing, accidental loss, destruction, or damage. Full details are set out in Schedule 2.
4.4 Sub-processors. Not engage any new sub-processor without giving the Firm at least 14 days' prior written notice and the opportunity to object. Current sub-processors are listed in Schedule 1.
4.5 Data Subject rights. Assist the Firm, insofar as reasonably practicable, in responding to requests from Data Subjects exercising their rights under UK GDPR (access, rectification, erasure, restriction, portability, objection).
4.6 Data breach notification. Notify the Firm without undue delay, and in any event within 72 hours of becoming aware, of any personal data breach affecting Personal Data processed under this Agreement. Notification will be sent to the email address registered to the Firm's account.
4.7 Data Protection Impact Assessments. Provide reasonable assistance to the Firm in carrying out data protection impact assessments where required by UK GDPR Article 35.
4.8 Deletion or return. Upon termination of the Firm's account, delete all Personal Data processed under this Agreement within 30 days, except where retention is required by applicable law. On request, Holdfast will confirm deletion in writing.
4.9 Audit. Make available to the Firm all information reasonably necessary to demonstrate compliance with this Agreement, and permit and contribute to audits and inspections conducted by the Firm or a mandated auditor, subject to reasonable notice and confidentiality obligations.
Section 5
Controller Obligations
The Firm agrees to:
5.1 Ensure it has a lawful basis under UK GDPR for instructing Holdfast to process Personal Data on its behalf.
5.2 Ensure that Data Subjects (clients) have been informed, in accordance with UK GDPR Articles 13 and 14, that their connection metadata is stored on the Firm's Holdfast dashboard and that the Firm will be added as a recipient of their vault upon delivery.
5.3 Ensure that any instructions given to Holdfast comply with applicable data protection law.
5.4 Notify Holdfast promptly if a Data Subject exercises their rights in a way that requires action by Holdfast.
Section 6
Sub-processors
6.1 The Firm provides general written authorisation for Holdfast to engage sub-processors as listed in Schedule 1.
6.2 Holdfast will ensure that sub-processors are bound by data protection obligations no less stringent than those set out in this Agreement.
6.3 Holdfast remains fully liable to the Firm for the performance of any sub-processor's obligations under this Agreement.
Section 7
International Transfers
7.1 Holdfast stores Personal Data within the UK and EU. No Personal Data is transferred to countries outside the UK or EEA without appropriate safeguards in place.
7.2 Where a sub-processor processes Personal Data outside the UK/EEA, Holdfast will ensure that an adequate transfer mechanism is in place, such as a UK International Data Transfer Agreement or EU Standard Contractual Clauses as applicable.
Section 8
Term and Termination
8.1 This Agreement remains in force for as long as Holdfast processes Personal Data on behalf of the Firm.
8.2 Either party may terminate this Agreement on written notice if the other party materially breaches its obligations and fails to remedy that breach within 30 days of written notice.
8.3 Termination of this Agreement does not affect any rights or liabilities that have accrued prior to termination.
Section 9
Liability
9.1 Each party's liability under this Agreement is subject to the limitations set out in Holdfast's standard Terms of Service.
9.2 Nothing in this Agreement limits either party's liability for death or personal injury caused by negligence, fraud or fraudulent misrepresentation, or any other liability that cannot be limited by law.
Section 10
Governing Law
10.1 This Agreement is governed by the laws of England and Wales. Any dispute arising under this Agreement shall be subject to the exclusive jurisdiction of the courts of England and Wales.
Section 11
Contact and Notices
All notices and communications under this Agreement should be sent to:
Holdfast / Nexus SecTech Ltd
Email: hello@nexus-sec.tech
Subject line: DPA — [Firm Name]
To request a countersigned version of this Agreement, email the address above with your firm name, registered address, and the name and title of the signatory.
Execution
Signatures
Where the parties wish to execute this Agreement as a standalone signed document, both parties should sign below. This is optional — the Agreement takes effect automatically upon creation of a Holdfast Firm account.
The Processor
Nexus SecTech Ltd
Company No. 17126982
Authorised signatory
Name and title
Date
The Controller (The Firm)
Firm name
Authorised signatory
Name and title
Date
Schedule 1
Approved Sub-processors
| Sub-processor | Purpose | Data location | Privacy policy |
|---|---|---|---|
| Supabase Inc. | Database hosting — stores encrypted vault ciphertext and account metadata | EU (West EU region) | supabase.com/privacy |
| Vercel Inc. | Application hosting and serverless infrastructure | EU/UK CDN edge | vercel.com/legal/privacy-policy |
| Resend Inc. | Transactional email — check-in reminders, delivery notifications, client invitations | EU | resend.com/legal/privacy-policy |
| Stripe Inc. | Payment processing — subscription billing only | UK/EU | stripe.com/gb/privacy |
| Google LLC (Google Workspace) | Waitlist lead capture — stores email addresses submitted via the Holdfast waitlist form (Google Sheets). EU data residency configured. Google's Data Processing Amendment is in force. | EU (Google Workspace region) | workspace.google.com/terms/dpa |
Holdfast will provide at least 14 days' written notice before adding or replacing any sub-processor. The Firm may object in writing within that period. If no resolution can be reached, either party may terminate the Firm account without penalty.
Schedule 2
Technical and Organisational Security Measures
Technical measures
- All data in transit encrypted via TLS 1.2 or higher
- All data at rest encrypted at the database layer (AES-256)
- Vault contents encrypted client-side with AES-256-GCM prior to transmission — Holdfast never holds plaintext vault data
- Authentication via Supabase Auth with JWT-based session tokens; sessions expire and require re-authentication
- All API endpoints require authenticated sessions; no unauthenticated data access is possible
- Environment secrets (API keys, Stripe keys, email keys) stored in Vercel environment variables — never committed to source code or version history
Organisational measures
- Access to production systems limited to authorised personnel only
- Dependencies and infrastructure reviewed regularly for security updates
- Incident response process in place; personal data breaches notified within 72 hours as required by UK GDPR Article 33
- Data minimisation by architecture — only metadata is processed; vault contents are inaccessible to Holdfast by design
This document is published by Nexus SecTech Ltd and is effective for all Holdfast Firm accounts. To request a countersigned copy or discuss amendments, contact hello@nexus-sec.tech. Last updated April 2026.