Data Processing Agreement
Last updated: January 2025
This Data Processing Agreement (“DPA”) forms part of the Terms of Service between WorkerRecord Ltd (“Processor”) and the organisation subscribing to the Service (“Controller”). It is entered into automatically upon acceptance of the Terms of Service.
1. Definitions
In this DPA:
- “UK GDPR” means the UK General Data Protection Regulation as retained in UK law by the European Union (Withdrawal) Act 2018 and amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019.
- “Personal Data” means any information relating to an identified or identifiable natural person processed under this DPA.
- “Processing” has the meaning given in UK GDPR Article 4(2).
- “Sub-processor” means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
- “Data Subject” means the natural persons whose Personal Data is processed — principally the Controller's subcontractors.
2. Subject matter and duration
The Processor processes Personal Data on behalf of the Controller for the purposes of providing the WorkerRecord compliance document management service, as described in the Terms of Service. Processing continues for the duration of the subscription and for 30 days following termination, after which Personal Data is permanently deleted.
3. Nature and purpose of processing
The Processor processes Personal Data for the following purposes:
- Storing and displaying compliance documents submitted by the Controller's subcontractors
- Sending automated expiry and reminder notifications to the Controller's team members and subcontractors
- Generating compliance reports and audit trail records for the Controller
- Operating the upload portal that subcontractors use to submit documents
The Processor does not process Personal Data for any purpose other than providing the Service to the Controller.
4. Types of personal data
The Personal Data processed under this DPA includes:
- Subcontractor identity data: name, email address, mobile phone number
- Subcontractor document data: compliance certificates and documents, expiry dates, document review status and notes
- Subcontractor communication preferences: preferred notification channel and contact details
- Controller team member data: name, email address, mobile phone number (where provided for SMS/WhatsApp alerts), role
5. Categories of data subjects
- The Controller's subcontractors and their employees or representatives
- The Controller's employees and team members who access the Service
6. Processor obligations
The Processor shall:
- Process Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to third countries, unless required to do so by applicable law
- Ensure that persons authorised to process Personal Data have committed to confidentiality or are under an appropriate statutory obligation of confidentiality
- Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as set out in the Privacy Policy
- Notify the Controller without undue delay (and in any event within 72 hours where feasible) after becoming aware of a Personal Data breach affecting the Controller's data
- Delete or return all Personal Data to the Controller after the end of the provision of the Service, and delete existing copies unless applicable law requires storage
- Make available to the Controller all information necessary to demonstrate compliance with this DPA
- Not engage a Sub-processor without the Controller's prior specific or general written authorisation
7. Controller obligations
The Controller warrants and undertakes that:
- It has a lawful basis under UK GDPR for collecting and processing the Personal Data of its subcontractors
- It has provided, or will provide, appropriate privacy information to data subjects (its subcontractors) explaining that their compliance documents and personal data will be stored in WorkerRecord
- It will respond to any data subject requests received directly from its subcontractors in relation to Personal Data processed through the Service
- It will notify the Processor promptly of any data subject request it receives that requires the Processor's assistance to fulfil
8. Sub-processors
The Controller grants general authorisation for the Processor to engage the following Sub-processors, who are each subject to a data processing agreement with the Processor:
| Sub-processor | Purpose | Location |
|---|---|---|
| DigitalOcean LLC | Cloud server hosting | UK / EU |
| Amazon Web Services / DigitalOcean Spaces | Document file storage | UK (eu-west-2 / LON1) |
| Stripe, Inc. | Payment processing | UK / EU |
| Resend Inc. | Transactional email delivery | EU |
| Twilio Inc. | SMS and WhatsApp message delivery | US (Standard Contractual Clauses apply) |
The Processor will notify the Controller of any intended changes to the above list by updating this DPA and providing at least 14 days' notice before the change takes effect. The Controller may object to the change within that period by contacting privacy@workerrecord.co.uk.
9. Data subject rights
Taking into account the nature of the processing, the Processor will assist the Controller, by appropriate technical and organisational measures, in fulfilling its obligation to respond to requests for exercising data subjects' rights under UK GDPR. The Controller remains responsible for responding to data subjects. To request assistance, contact privacy@workerrecord.co.uk.
10. Security measures
The Processor implements the following security measures, among others:
- Encryption of Personal Data in transit (HTTPS/TLS 1.2+) and at rest
- Compliance documents stored on private cloud storage with no public access; all access through authenticated signed URLs
- Access controls ensuring each Controller's data is isolated from other Controllers
- Rate limiting, security headers, and regular security reviews
11. International transfers
Where Personal Data is transferred to Twilio Inc. (US), such transfers are subject to Standard Contractual Clauses (SCCs) under UK GDPR, as supplemented by the UK International Data Transfer Agreement (IDTA) where applicable. The Controller's acceptance of these Terms constitutes acceptance of such transfer mechanisms.
12. Audit rights
The Processor shall make available all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller. The Controller shall provide reasonable advance notice of any audit and bear its own costs.
13. Governing law
This DPA is governed by the law of England and Wales and subject to the exclusive jurisdiction of the courts of England and Wales.
14. Contact
For all data protection and DPA queries, contact: privacy@workerrecord.co.uk
WorkerRecord Ltd
[Registered address - set SITECERT_REGISTERED_ADDRESS in .env]
England, United Kingdom