This Data Processing Agreement ("DPA") forms part of the Terms of Service between Studio Blueprint Ltd ("Processor") and the consulting firm or individual using the Studio:Blueprint platform ("Controller"). It governs the processing of personal data by Studio Blueprint Ltd on behalf of the Controller in connection with the Studio:Blueprint service.
1. Definitions
"Personal Data", "Data Subject", "Processing", "Controller", and "Processor" have the meanings given in UK GDPR.
"Services" means the Studio:Blueprint platform as described in the Terms of Service.
"Sub-processor" means any third party appointed by Studio Blueprint Ltd to process Personal Data in connection with the Services.
2. Roles
The Controller determines the purposes and means of processing Personal Data uploaded to the Services. Studio Blueprint Ltd processes that Personal Data solely on the Controller's instructions and for the purpose of providing the Services.
3. Description of processing
- Nature of processing: Storage, extraction, AI analysis, classification, and retrieval of document content and client engagement data.
- Purpose: Providing the Studio:Blueprint consultancy operating system, including the Evidence Desk, Forge diagnostic engine, Roadmap, and Progress Room.
- Categories of Personal Data: Names and contact details of the Controller's clients and stakeholders; content of documents uploaded by the Controller which may contain Personal Data relating to third parties.
- Data subjects: The Controller's clients, their employees, and any individuals named in uploaded documents.
- Duration: For the duration of the subscription and the retention periods set out in the Privacy Policy.
3a. BYOK and controller-directed AI processing
Where the Controller has enabled Bring Your Own Key (BYOK), the Controller directs AI processing to their own chosen provider. The Controller accepts responsibility for ensuring their chosen provider's data processing terms are compatible with their obligations under UK GDPR, including any international transfer requirements applicable to that provider.
4. Controller's obligations
The Controller confirms that: (a) it has a lawful basis under UK GDPR for all Personal Data uploaded to the Services; (b) it has satisfied any professional confidentiality obligations before uploading client documents; (c) it will not upload Special Category Data (as defined in UK GDPR Article 9) without notifying Studio Blueprint Ltd.
5. Processor's obligations
Studio Blueprint Ltd will: (a) process Personal Data only on documented instructions from the Controller; (b) ensure persons authorised to process the data are bound by confidentiality; (c) implement appropriate technical and organisational security measures as described in Section 7; (d) assist the Controller in responding to Data Subject requests within 30 days of receiving a forwarded request; (e) notify the Controller without undue delay and within 72 hours of becoming aware of a Personal Data breach; (f) delete or return all Personal Data on termination of the subscription in accordance with the retention schedule in the Privacy Policy; (g) not access Controller data except for the purpose of providing the Services, resolving support requests at the Controller's explicit request, or as required by law. Any administrative access to Controller data for support purposes will be logged.
6. Sub-processors
Studio Blueprint Ltd uses the sub-processors listed at studioblueprint.uk/legal/subprocessors. Studio Blueprint Ltd will notify the Controller at least 30 days before adding or substituting any sub-processor by updating that page and notifying registered users by email. If the Controller objects to a new sub-processor on reasonable data protection grounds, either party may terminate the relevant Services on 30 days' written notice.
AI sub-processing: By default, document text and engagement data sent for AI analysis are routed via OpenRouter Inc to Anthropic PBC. Neither OpenRouter nor Anthropic uses API inputs for model training under commercial API terms. If the Controller enables Bring Your Own Key (BYOK) in Cockpit Settings, AI processing is routed directly through the Controller's chosen provider using the Controller's own API credentials. In this case, the Controller's chosen provider acts as a sub-processor under the Controller's own agreement with that provider, not under Studio Blueprint Ltd's sub-processor arrangements. Studio Blueprint Ltd stores the Controller's API key AES-256 encrypted and uses it solely to authenticate AI requests on the Controller's behalf.
Bug reporting: Bug reports submitted by users via the in-product reporting tool may be routed to Linear Orbit Inc. (USA) for issue tracking. Bug reports do not contain client Personal Data.
7. Security measures
Studio Blueprint Ltd implements the following measures:
- Encryption at rest: Cloudflare R2 server-side encryption (AES-256)
- Encryption in transit: TLS 1.2 or higher on all connections
- Access control: Document content accessible only to authenticated account holders
- Temporary storage: Raw uploaded documents deleted immediately after text extraction
- Key management: Encryption keys managed by Cloudflare's key management infrastructure
- Sub-processor security: Studio Blueprint Ltd contractually requires equivalent security standards from sub-processors
8. International transfers
Where Personal Data is transferred outside the UK or EEA, Studio Blueprint Ltd relies on Standard Contractual Clauses or the UK International Data Transfer Agreement as the transfer mechanism. Regional locations of sub-processors are listed at studioblueprint.uk/legal/subprocessors.
9. Audit rights
The Controller may request written confirmation of Studio Blueprint Ltd's compliance with this DPA once per calendar year. Studio Blueprint Ltd will respond within 30 days.
10. Governing law
This DPA is governed by the laws of England and Wales.
Contact: [email protected]
Last updated: 24 May 2026