Data Processing Agreement
On this page
This Data Processing Agreement ("DPA") forms part of the Terms of Service between you (the business using Pro-cess) and Pro-cess Business Solutions Ltd, company number 17111409, registered office 15 Gattison Lane, Doncaster, DN11 0NG. It applies automatically to your account whenever we process personal data on your behalf, and it governs that processing under UK data protection law. You do not need to sign anything separately; a countersigned copy is available on request at [email protected].
1. Roles and scope #
For personal data you put into Pro-cess about your own customers and contacts, you are the controller and we are the processor. You decide what data to collect and why; we process it on your documented instructions to provide the Platform.
This DPA covers all such processing. Where a conflict arises on data-protection matters, this DPA prevails over the rest of the Terms.
2. Definitions #
"UK GDPR", "controller", "processor", "personal data", "special category data", "processing", "data subject" and "personal data breach" have the meanings given in the UK GDPR and the Data Protection Act 2018. "Sub-processor" means any third party we engage to process personal data on your behalf. Other capitalised terms have the meaning given in the Terms.
3. Details of processing #
- Subject matter: providing the Pro-cess Platform and its features to you.
- Duration: for as long as your account is active, plus the retention and deletion periods in section 12 and our Privacy Policy.
- Nature and purpose: storing, organising, displaying, transmitting, backing up and otherwise handling your customer and business data so you can run bookings, quotes, invoices, communications, records and the other features you use.
- Types of personal data: names, contact details, addresses and postcodes, appointment and service history, notes, and, where you choose to collect it (for example on consultation or intake forms), special category data such as health information.
- Categories of data subjects: your customers, contacts, leads, and, where applicable, contractors and other individuals whose data you record.
4. Processing on your instructions #
We process personal data only on your documented instructions, which are given by your use of the Platform's features, your account settings, and the Terms and this DPA, unless we are required to do otherwise by law (in which case we will tell you, unless the law forbids it). If we believe an instruction breaches data protection law, we will tell you.
You confirm you have a lawful basis for the personal data you process using the Platform, and, for any special category data, a valid Article 9 condition (such as explicit consent).
5. Confidentiality #
We ensure that anyone we authorise to process your personal data is bound by an appropriate duty of confidentiality and only accesses the data as needed to provide and support the Platform.
6. Security #
We implement appropriate technical and organisational measures to protect personal data, meeting UK GDPR Article 32, taking account of the state of the art, the costs, and the risks to individuals. Those measures are described in our Security overview, which forms the security schedule to this DPA, and include encryption in transit, encryption at rest of sensitive data (including integration tokens and special-category intake responses), tenant isolation, access control, and regular backups.
7. Sub-processors #
You give us general authorisation to engage the sub-processors listed on our Sub-processors page, which forms part of this DPA. We impose data-protection obligations on each sub-processor that are equivalent to those in this DPA, and we remain responsible to you for their performance.
We will give at least 30 days' notice before adding or replacing a sub-processor. If you have a reasonable data-protection objection, tell us at [email protected] within that period; if we cannot resolve it, you may terminate the affected part of the service.
8. Assisting with data subject requests #
The Platform lets you access, correct, export and delete your customers' data directly. Taking that into account, we will assist you by appropriate technical and organisational measures, so far as possible, to respond to requests from data subjects exercising their rights. If a data subject contacts us directly about data you control, we will refer them to you and let you know.
9. Personal data breaches #
We will notify you without undue delay after becoming aware of a personal data breach affecting your data, and give you the information you reasonably need to meet your own notification duties under UK GDPR Articles 33 and 34. Notification of a breach is not an admission of fault.
10. Impact assessments #
Taking into account the nature of the processing and the information available to us, we will give you reasonable assistance with data protection impact assessments and any prior consultation with the ICO under UK GDPR Articles 35 and 36.
11. International transfers #
We will not transfer your personal data outside the UK except as described in our Privacy Policy and the Sub-processors page, and where a lawful transfer mechanism applies (UK adequacy regulations, the UK International Data Transfer Agreement or the UK Addendum to the EU Standard Contractual Clauses, or the UK Extension to the EU-US Data Privacy Framework where the recipient is certified).
12. Return and deletion #
You can export your data from the Platform at any time. On termination we give you a reasonable window to export, then delete or return the personal data as you choose, except where we must keep it by law (for example financial records for HMRC, which are retained and anonymised). Backups are deleted on the cycle described in our Privacy Policy.
13. Audits and information #
We will make available the information reasonably needed to demonstrate our compliance with this DPA, and allow for and contribute to audits, including inspections, conducted by you or an auditor you appoint. In the first instance we will satisfy audit requests by providing our security documentation and answering reasonable questions; an on-site audit may be arranged where reasonably necessary, on reasonable notice, no more than once a year unless required by a regulator or following a breach, and subject to confidentiality and to not compromising other customers' security.
14. Liability #
Each party's liability under or in connection with this DPA is subject to the limitations and exclusions of liability in the Terms.
15. General #
This DPA takes effect for as long as we process personal data on your behalf and survives termination for as long as necessary. It is governed by the law of England and Wales. Questions about it go to [email protected].