Data Processing Agreement
Last updated 16 July 2026 · version 2026-07-16.
Current operational version. This DPA governs Aven's processing of personal data on behalf of a client (the“Controller”) when Aven handles its working-file data, including through connected engineering sources and AI-assisted evidence features. An authorised company representative executes this version electronically in the Aven dashboard before the first connector redirect or AI-assisted processing. Aven records the signer’s account, name, role, exact attestation, document version and acceptance time as an immutable company record.
1. Roles
The Controller is the client company. The Processor is Aven HQ, an early-stage project operated by an individual based in the UK (not yet incorporated as a company; contact hello@avenhq.com). Aven processes personal data only on the Controller’s documented instructions (this DPA and the service).
2. Subject-matter, duration, nature & purpose
Subject-matter: assembling AIF-aligned R&D evidence from the Controller’s engineering history. Duration: for the term of the engagement plus deletion. Nature & purpose: read-only ingestion of commit, pull-request, ticket and selected document metadata and text; redaction; storage; evidence capture; and presentation in an evidence pack for accountant review, with expert review where purchased. Aven never files claims or gives tax advice.
3. Types of personal data & data subjects
Personal data: contributor identities present in version-control, tracker and selected document history; names, usernames and email addresses in metadata or text; Controller account details; staff and payroll evidence supplied by the Controller; and recorded interview or testimony responses. Data subjects include the Controller’s engineers, staff and authorised users. No special-category data is sought. Source code is never stored.
4. Processor obligations
- Process only on documented instructions; no purpose beyond the service.
- Ensure persons authorised to process are bound by confidentiality.
- Implement appropriate technical & organisational security (clause 6).
- Assist the Controller with data-subject requests and with DPIAs / breach duties.
- Delete or return all personal data at the end of the engagement (clause 8).
- Make available information to demonstrate compliance and allow audits (clause 9).
5. Sub-processors
The Controller authorises the sub-processors Aven uses to run the service, currently: Supabase (database, auth, storage; EU/London region), Vercel (hosting), Stripe (payments), Resend (transactional email), PostHog (EU-region analytics), and Anthropic (AI processing through its API behind deterministic and human review gates). Anthropic API requests may contain the following, depending on the feature: project names, project summaries and redacted evidence excerpts to tailor interview questions; the project name and recorded interview questions and responses to draft an optional follow-up; or the question and the user’s unsaved draft testimony when that user selects “Tidy my draft”. Internal narrative-drafting requests may contain the project name, redacted evidence excerpts, recorded testimony and draft narrative sections; critique requests may also contain the current narrative text. Guided-session assistant requests are separately minimised to generic workflow intent and categorical card availability. Aven remains responsible for its sub-processors and will give notice of changes, allowing objection.
6. Security
- Read-only integration scopes; no write access to client systems.
- Stored OAuth tokens are encrypted before database storage using AES-256-GCM, with the key held separately as a restricted deployment secret; tokens are never logged.
- Ingestion-time redaction of secrets and obvious PII; source code never stored.
- Row-level security isolating each company’s data; least-privilege access.
- Encryption in transit; access limited to authorised personnel.
7. Personal-data breach
Aven will notify the Controller without undue delay after becoming aware of a personal-data breach affecting the Controller’s data, with the information needed for the Controller’s own notifications.
8. Deletion & return
Disconnecting a tool immediately erases Aven’s local OAuth credentials and re-ingestable connector cache. On termination or request, Aven deletes (or returns, then deletes) personal data processed for the Controller, save where retention is legally required. Audit records and evidence incorporated into controlled or released work follow the applicable engagement and legal retention obligations.
9. Audit & international transfers
Aven makes available information reasonably necessary to demonstrate compliance and submits to audits on reasonable notice. Core application records are hosted in the UK/EU. Some service providers, including Anthropic, may process a request outside the UK/EEA. Any such transfer must use an appropriate contractual safeguard. Anthropic’s published standard API policy describes deletion of inputs and outputs within 30 days, subject to stated exceptions. Aven verifies the terms and configuration that apply to this service through its legal and supplier review. This DPA does not promise a shorter provider retention period or a model-training exclusion. See Anthropic’s retention information.
10. Liability & governing law
Liability is as set out in the main services agreement. This DPA is governed by the law of England and Wales. Where it conflicts with the services agreement on data protection, this DPA prevails.
Electronic dashboard acceptance records the company’s execution of this operational version. This document is not legal advice. Aven maintains a separate legal and supplier review gate for real-client processing, including the sub-processor and international transfer terms.