1. Introduction
This Data Processing Agreement ("DPA") forms part of the Terms of Service between the customer ("Controller") and AllocBoard ("Processor"), based in the United Kingdom. This DPA is entered into pursuant to Article 28 of the UK General Data Protection Regulation (UK GDPR) and sets out the terms on which the Processor processes personal data on behalf of the Controller when providing the AllocBoard platform. Where the Controller is established in the European Economic Area, references to UK GDPR include the EU General Data Protection Regulation (EU GDPR) as applicable.
2. Definitions
- Personal Data: Any information relating to an identified or identifiable natural person, as defined in UK GDPR Article 4(1)
- Processing: Any operation performed on personal data, including collection, storage, alteration, retrieval, use, disclosure, and erasure
- Sub-processor: A third-party processor engaged by the Processor to process personal data on behalf of the Controller
- Data Subject: An identified or identifiable natural person whose personal data is processed
- Controller: The customer who determines the purposes and means of processing personal data
- Processor: AllocBoard, who processes personal data on behalf of the Controller
3. Scope and Purpose
The Processor processes personal data solely for the purpose of providing the AllocBoard staff allocation management platform to the Controller.
Data Subjects
Account holders (administrators and managers) and staff members recorded in the platform by the Controller.
Categories of Personal Data
Names, email addresses, salaries, staff type (research or admin), person-month allocation data, project assignments, and expense records.
Duration of Processing
Processing continues for the term of the service agreement between the Controller and the Processor. Upon termination, data is handled in accordance with Section 10 of this DPA.
4. Processor Obligations
The Processor shall:
- Process personal data only on documented instructions from the Controller, unless required by law
- Ensure that persons authorised to process the personal data have committed themselves to confidentiality
- Implement appropriate technical and organisational security measures, including AES-256-GCM field-level encryption, per-tenant encryption keys, Row-Level Security (RLS) on all tenant data tables, Supabase Vault for key management, and blind indexes (HMAC-based) for searching encrypted data without decryption
- Assist the Controller in responding to Data Subject Access Requests (DSARs) and Data Protection Impact Assessments (DPIAs)
- Make available to the Controller all information necessary to demonstrate compliance with this DPA
- Delete or return all personal data to the Controller on termination of the service agreement, in accordance with Section 10
- Immediately inform the Controller if, in the Processor's opinion, an instruction infringes UK GDPR or other data protection law
5. Sub-processors
The Processor uses the following sub-processors to provide the service. The Controller consents to the use of these sub-processors as of the date of this DPA.
| Sub-processor | Purpose | Data Processed | Location |
|---|---|---|---|
| Clerk | User authentication and session management | Email, name, profile picture (account holders only — staff members recorded in the system do not have Clerk accounts) | United States |
| Stripe | Payment processing | Email, payment details | United States |
| Supabase | Database hosting and infrastructure | All application data | London, UK (eu-west-2) |
| Anthropic | AI-powered risk assessments | Pseudonymised project data only | United States |
| Vercel | Application hosting and CDN | IP address, request metadata | Global (edge network) |
The Processor shall notify the Controller of any intended changes to sub-processors, giving the Controller reasonable opportunity to object. If the Controller objects on reasonable data protection grounds, the parties shall discuss the concern in good faith. If no resolution is reached, the Controller may terminate the affected service.
6. International Transfers
Where personal data is transferred outside the United Kingdom or European Economic Area, the Processor ensures appropriate safeguards are in place:
- Transfers to the United States (Clerk, Stripe, Anthropic, Vercel) are governed by the UK International Data Transfer Agreement (IDTA) and/or EU Standard Contractual Clauses (SCCs) as applicable
- The primary database (Supabase) is hosted in London, UK (eu-west-2) — no international transfer applies to core application data
- The Processor regularly reviews the data protection adequacy of all sub-processor jurisdictions
7. Data Subject Rights
The Processor shall assist the Controller in fulfilling its obligations to respond to Data Subject requests under UK GDPR Chapter III, including:
- Right of access (Article 15)
- Right to rectification (Article 16)
- Right to erasure (Article 17)
- Right to restriction of processing (Article 18)
- Right to data portability (Article 20)
- Right to object (Article 21)
AllocBoard provides built-in tools for data export and DSAR handling to assist Controllers in meeting these obligations.
8. Data Breach Notification
In the event of a personal data breach, the Processor shall:
- Notify the Controller without undue delay and in any event within 72 hours of becoming aware of the breach
- Provide the Controller with sufficient information to enable the Controller to meet its obligations under UK GDPR Articles 33 and 34
Breach notifications shall include:
- The nature of the personal data breach, including the categories and approximate number of data subjects and records concerned
- The likely consequences of the breach
- The measures taken or proposed to address the breach, including measures to mitigate possible adverse effects
9. Audit Rights
The Controller has the right to audit the Processor's compliance with this DPA. The Processor shall:
- Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in this DPA and UK GDPR Article 28
- Allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller
- Provide reasonable cooperation and access to relevant documentation
Audits shall be requested no more than once per 12-month period, with a minimum of 30 days' written notice. Audits shall be conducted during normal business hours and shall not unreasonably disrupt the Processor's operations. The Controller shall bear the cost of any third-party auditor engaged to conduct the audit.
10. Data Retention and Deletion
Upon termination of the service agreement, the following shall apply:
- Personal data is immediately anonymised upon account closure or termination
- Anonymised data is retained for 30 days before hard deletion
- Database backups containing personal data are retained for up to 7 days for disaster recovery, after which they are overwritten
- Payment and billing records are retained for 6 years after the end of the financial year in which the transaction took place, as required by HMRC
- Audit logs are retained for the period specified by the Controller's plan tier (1, 3, or 5 years) before deletion
The Controller may request confirmation of deletion. The Processor shall provide written confirmation that personal data has been deleted in accordance with this section.
11. Controller Obligations
The Controller warrants that:
- It has a lawful basis under UK GDPR (or EU GDPR where applicable) for all personal data entered into the platform, including staff names, emails, and salary information
- It has provided appropriate notice to data subjects whose personal data is processed through the platform
- All instructions given to the Processor for the processing of personal data comply with applicable data protection law
12. Liability
The liability of each party under this DPA is subject to the limitations and exclusions set out in the Terms of Service. Nothing in this DPA limits either party's liability for breaches of data protection law to the extent that such limitation is not permitted by applicable law.
13. Term and Termination
This DPA is effective from the date the Controller begins using the AllocBoard platform and shall remain in effect for as long as the Processor processes personal data on behalf of the Controller. This DPA automatically terminates when the service agreement between the parties ends, subject to the data retention obligations in Section 10.
14. Contact
For questions about this Data Processing Agreement, please contact us:
Email: [email protected]
The Controller may also contact the Information Commissioner's Office (ICO) for guidance on data protection matters.
Request a Signed DPA
If your institution requires a countersigned copy of this Data Processing Agreement, please contact us.
We aim to respond within 2 business days.