Data Processing Agreement
tree·canopy — operated by Aurenia Group Limited
Effective date: 12 May 2026
Version: 1.0
Introduction
When you use tree·canopy to conduct surveys, you create and store data about your clients' sites and trees. That data belongs to you. Under UK GDPR and the Data Protection Act 2018, you are the data controller and Aurenia Group Limited is the data processor.
This Data Processing Agreement ("DPA") sets out how we will handle that processing relationship. It applies to all tree·canopy subscribers and forms part of the Terms of Service.
1. Definitions
In this DPA:
"Controller" means you, the tree·canopy subscriber, as the entity that determines the purposes and means of processing Personal Data.
"Processor" means Aurenia Group Limited, trading as tree·canopy (corporation number 726662166, incorporated under the Canada Business Corporations Act, registered office 3 Old Lochview Court, Fall River, NS B2T 1J1, Canada), which processes Personal Data on the Controller's behalf.
"Personal Data" has the meaning given to it in UK GDPR Article 4(1): any information relating to an identified or identifiable natural person.
"Processing" has the meaning given to it in UK GDPR Article 4(2).
"Data Subject" means a natural person whose Personal Data is processed under this DPA.
"UK GDPR" means the UK General Data Protection Regulation as it forms part of UK law by virtue of the European Union (Withdrawal) Act 2018, as amended.
"DPA 2018" means the Data Protection Act 2018.
"Sub-processor" means any third party appointed by the Processor to process Personal Data on behalf of the Controller.
"Security Incident" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data.
2. Details of processing
2.1 Subject matter
The Processor provides an arboricultural survey application that enables the Controller to capture, store, manage, and report on tree survey data.
2.2 Duration
Processing begins when the Controller creates an account and continues until the account is deleted and all data is purged in accordance with section 9.
2.3 Nature and purpose of processing
| Nature | Purpose |
|---|---|
| Storage | Persist survey records, tree data, and associated files |
| Retrieval and display | Serve data back to the Controller and their authorised users |
| Transformation | Convert voice recordings to structured BS 5837 field data; draft report narrative from structured data |
| Transmission | Sync data between the Controller's devices; deliver generated PDF reports |
| Deletion | Purge data on account termination or upon instruction |
2.4 Types of Personal Data processed
The following categories of Personal Data may be processed under this DPA:
- Survey personnel data: Names, email addresses, and professional role information for the Controller's surveyors
- Site-linked location data: GPS coordinates and addresses of survey sites and individual tree locations
- Voice recordings and transcripts: Audio captured during field surveys and the text extracted from it
- Photographs: Tree photos captured in the field, which may incidentally contain images of people or vehicle registration plates
- Client references: Any client name, address, or project reference the Controller enters into a survey record
- Report content: Completed BS 5837 reports, which may reference land owners, planning authorities, or commissioning clients by name
2.5 Categories of Data Subjects
- The Controller's employees and contractor surveyors
- The Controller's clients (insofar as referenced in survey records or reports)
- Members of the public who may appear incidentally in survey photographs
3. Processor obligations
The Processor agrees to:
3.1 Act only on instruction
Process Personal Data only on the documented instructions of the Controller, as expressed through the Controller's use of the service and these terms. The Processor will not process Personal Data for its own purposes, including AI model training, unless the Controller has given explicit opt-in consent.
If the Processor is required by law to process Personal Data beyond these instructions, it will notify the Controller before doing so (unless prohibited by law from giving that notice).
3.2 Confidentiality
Ensure that persons authorised to process Personal Data are bound by enforceable duties of confidentiality (contractual or statutory). Access to Personal Data is restricted to staff who need it to deliver or support the service.
3.3 Security
Implement technical and organisational measures appropriate to the risk, as set out in section 6.
3.4 Sub-processors
Engage Sub-processors only as set out in section 5, and hold them to data protection standards equivalent to those in this DPA.
3.5 Data Subject rights assistance
Assist the Controller in responding to Data Subject rights requests (access, rectification, erasure, restriction, portability, objection) within a timeframe that allows the Controller to meet its own statutory obligations. Where Data Subjects contact the Processor directly, the Processor will redirect them to the Controller within 5 business days.
3.6 Security Incident notification
Notify the Controller without undue delay, and in any event within 72 hours of becoming aware of a Security Incident affecting the Controller's Personal Data. Notification will include:
- The nature of the Security Incident
- The categories and approximate number of Data Subjects affected
- The categories and approximate volume of records affected
- Likely consequences of the Security Incident
- Measures taken or proposed to address it
Initial notification may be made before all information is available; the Processor will provide updates as further details emerge.
3.7 Data protection impact assessments
Where the processing is likely to result in a high risk to Data Subjects, provide reasonable assistance to the Controller in conducting data protection impact assessments and, where required, in consulting the Information Commissioner's Office.
3.8 Deletion and return
On termination of the service, or on written request from the Controller, delete or return all Personal Data as specified in section 9. The Processor will certify completion of deletion on request.
3.9 Audit
Make available to the Controller, on reasonable written request (no more than once per 12-month period), information necessary to demonstrate compliance with this DPA. The Processor may satisfy this obligation by providing relevant audit reports, certifications, or summaries in lieu of direct on-site access.
4. Controller obligations
The Controller agrees to:
- Comply with UK GDPR and DPA 2018 in its capacity as controller
- Ensure it has a lawful basis for processing Personal Data and for instructing the Processor
- Ensure that any relevant notices to Data Subjects accurately describe how the Processor will process data on the Controller's behalf
- Not instruct the Processor to process Personal Data in any way that would cause the Processor to breach applicable data protection law
- Promptly notify the Processor of any Data Subject requests it needs the Processor's assistance to fulfil
5. Sub-processors
5.1 Current sub-processors
The Controller grants general written authorisation for the Processor to engage the following Sub-processors. Each is bound by data processing agreements consistent with UK GDPR Article 28.
| Sub-processor | Registered country | Processing activity | Data location | Transfer safeguard |
|---|---|---|---|---|
| Supabase Inc. | United States | Database (Postgres) and file storage | EU (Frankfurt) | Standard contractual clauses |
| Vercel Inc. | United States | Web hosting, edge functions, API gateway | US (edge globally) | UK IDTA / SCCs |
| Google LLC | United States | Voice-to-structured-data (Gemini Flash) | US (transient) | UK IDTA / SCCs |
| Anthropic PBC | United States | Report narrative drafting (Claude Haiku) | US (transient) | UK IDTA / SCCs |
| INRIA (Pl@ntNet) | France | Species identification API | France (EU) | EU adequacy — no transfer |
| RevenueCat Inc. | United States | Subscription management | US | UK IDTA / SCCs |
| Stripe Inc. | Ireland / United States | Enterprise payment processing | Ireland / US | EU adequacy (Ireland); UK IDTA (US entity) |
| Zoho Corporation | United States | Transactional email (SMTP) | US | UK IDTA / SCCs |
Note on AI sub-processors: Google LLC and Anthropic PBC process voice recordings and report drafts transiently to return structured outputs. Neither provider retains Controller data beyond the processing request under our current agreements, and neither uses Controller data for general model training.
Note on Supabase: All structured survey data and file storage are held in Supabase's EU (Frankfurt) region. Data does not leave the EU for storage purposes.
5.2 Changes to sub-processors
The Processor will notify the Controller of any intended change to the sub-processor list (addition or replacement) by email at least 14 days before the change takes effect.
If the Controller reasonably objects to a new or replacement Sub-processor, the Controller must notify the Processor in writing within 14 days of receiving notice, specifying the grounds of objection. The Processor will work in good faith to address the objection. If the parties cannot agree, the Controller may terminate the service on 30 days' written notice without penalty.
6. Technical and organisational security measures
The Processor maintains the following measures, appropriate to the risk presented by the processing:
6.1 Access control
- Role-based access control with row-level security at the database level (Supabase RLS)
- Authentication required for all data access (Supabase Auth)
- Principle of least privilege applied to internal staff access
- Multi-factor authentication required for all staff with production access
6.2 Data in transit
- All data transmitted over TLS 1.2 or higher
- HSTS enforced on all web endpoints
6.3 Data at rest
- Database encrypted at rest (Supabase managed encryption)
- File storage encrypted at rest
6.4 Data isolation
- Survey data is isolated by organisation in the database using Row Level Security
- No cross-customer data access is architecturally possible at the application layer
6.5 Sub-processor security
- Sub-processors are selected for their security certifications (SOC 2, ISO 27001 where applicable)
- DPAs with all sub-processors reviewed before onboarding
6.6 Incident response
- Security Incident detection via monitoring and alerting
- Incident response procedure with defined escalation paths
- 72-hour notification obligation to Controller (see 3.6)
6.7 Personnel
- All personnel with access to Personal Data are subject to confidentiality obligations
- Data protection awareness training conducted on onboarding and annually
6.8 Vulnerability management
- Security review conducted against OWASP standards before each major release
- Dependency vulnerability scanning in CI/CD pipeline
7. International transfers
Where Personal Data is transferred to a country outside the UK that does not benefit from UK adequacy regulations, the Processor relies on:
- UK International Data Transfer Agreement (IDTA) — entered into with the relevant Sub-processor; or
- EU Standard Contractual Clauses (SCCs) with UK Addendum — where the Sub-processor holds EU SCCs, the Processor applies the UK Addendum per the ICO template.
The Controller acknowledges and authorises the international transfers described in the sub-processor table in section 5.1, subject to the safeguards listed therein.
8. Data Subject rights
The Processor will:
- Redirect to the Controller, within 5 business days, any Data Subject request the Processor receives directly
- Assist the Controller in fulfilling access, portability, erasure, restriction, and rectification requests, to the extent the Processor has the technical capability to do so
- Not independently respond to Data Subject requests that should properly be directed to the Controller (except where legally required to do so)
The Controller remains responsible for responding to Data Subjects within the statutory timeframes (one calendar month under UK GDPR, with a possible two-month extension for complex requests).
9. Return and deletion of data
On termination of the Controller's account:
- The Controller has 30 days to export all survey data via the in-app export tools (CSV, JSON) and to download any generated PDF reports.
- After 30 days, the Processor will begin permanent deletion of the Controller's Personal Data from live systems. Deletion from live systems will complete within 90 days of the account deletion date.
- Residual copies in encrypted backup systems will be purged within 180 days of the account deletion date.
- On request, the Processor will provide written confirmation that deletion is complete.
Data that the Processor is required to retain by law (e.g., financial records) will be retained only for as long as legally required, isolated from operational systems, and deleted at the earliest legally permissible date.
10. Liability
Each party's liability under this DPA is governed by the limitation of liability provisions in the Terms of Service. Where a party is responsible for a regulatory fine or third-party claim that would not have arisen but for that party's breach of this DPA, that party is responsible for the resulting liability.
11. Term and termination
This DPA applies for as long as the Processor processes Personal Data on behalf of the Controller. It terminates automatically on complete deletion of the Controller's Personal Data as described in section 9.
12. Governing law
This DPA is governed by the laws of the Province of Nova Scotia and the federal laws of Canada applicable therein. Disputes arising under it are subject to the exclusive jurisdiction of the courts of Nova Scotia, Canada. Nothing in this clause removes any mandatory data protection rights a UK-based Controller has under UK GDPR.
13. Order of precedence
In the event of conflict between this DPA and the Terms of Service, this DPA takes precedence with respect to data protection obligations. In all other matters, the Terms of Service govern.
14. Contact
For data protection enquiries under this DPA:
Email: privacy@treecanopy.app
Post: Data Protection, Aurenia Group Limited, 3 Old Lochview Court, Fall River, NS B2T 1J1, Canada
For Enterprise customers requiring a countersigned copy of this DPA or a DPA on your own template, contact hello@treecanopy.app.
Aurenia Group Limited — incorporated in Canada (CBCA) — corporation number 726662166
This DPA forms part of the tree·canopy Terms of Service (effective 12 May 2026).