Data Processing Agreement

Effective 1 March 2026

This Data Processing Agreement (“DPA”) is between Eugene Merwe-Chartier trading as Registrum (“Processor”) and you, the customer (“Controller”). It supplements our Terms of Service and applies where you use the Registrum API to process personal data as defined under UK GDPR.

1. Subject matter and scope

Registrum provides an API that retrieves UK company data from Companies House and returns it in structured JSON format. In the course of providing this service, Registrum may process personal data relating to company directors, officers, and persons with significant control (PSC) that appears on the public Companies House register. This data is sourced under the Open Government Licence v3.0 and is already publicly available.

2. Nature and purpose of processing

  • Retrieving and caching company records from the Companies House API
  • Parsing iXBRL financial filings to extract structured financial data
  • Traversing director appointment records to build network maps
  • Returning this data to you via the Registrum API

The purpose is to enable you (the Controller) to integrate UK corporate data into your own products and services.

3. Types of personal data

The data may include:

  • Director names and appointment dates
  • PSC names, nationality, and country of residence
  • Registered addresses (where applicable to individuals)

This data is sourced directly from the public Companies House register. Registrum does not enrich, augment, or combine it with data from other sources.

4. Processor obligations

Registrum agrees to:

  • Process personal data only on your documented instructions
  • Ensure all personnel with access to the data are bound by confidentiality
  • Implement appropriate technical and organisational security measures
  • Not engage sub-processors without informing you in advance
  • Assist you in responding to data subject rights requests where feasible
  • Delete or return personal data upon termination of the service
  • Make available information necessary to demonstrate compliance with UK GDPR

5. Sub-processors

Registrum uses the following sub-processors:

Sub-processor   Purpose                            Location
Supabase        Database (API keys, usage logs)    EU (Ireland)
Railway         API hosting                        EU (Frankfurt)
Vercel          Website hosting                    Global CDN
Stripe          Payment processing                 EU / US
Resend          Transactional email                EU

6. Security measures

  • All API keys stored as bcrypt hashes — never in plaintext
  • All data in transit encrypted via TLS 1.2+
  • Access to production infrastructure restricted to authorised personnel
  • Usage logs retained for 12 months then deleted

7. Data breaches

In the event of a personal data breach affecting your data, Registrum will notify you without undue delay (and within 72 hours where feasible) with sufficient information to allow you to comply with your own notification obligations under UK GDPR.

8. Governing law

This DPA is governed by the laws of England and Wales and subject to the jurisdiction of the courts of England and Wales.

Contact

DPA queries: support@registrum.co.uk