Data Processing Agreement
Aegis Care Shield Ltd (“Processor”)
Office 5678, 58 Peregrine Road, Hainault, Essex, IG6 3SZ
And:
The Customer organisation named in the SafeRecruit account (“Controller”)
This Data Processing Agreement (“DPA”) forms part of the Terms of Service and takes effect on the date the Customer activates a SafeRecruit account.
1. Definitions
“UK GDPR” means the UK General Data Protection Regulation as retained in UK law by the European Union (Withdrawal) Act 2018, together with the Data Protection Act 2018.
“Personal Data”, “Processing”, “Data Subject”, “Data Controller”, “Data Processor”, and “Supervisory Authority” have the meanings given in UK GDPR.
“Sub-processor” means any third party appointed by the Processor to process Personal Data under this DPA.
2. Scope and Purpose of Processing
2.1 The Processor processes Personal Data on behalf of the Controller solely for the purpose of providing the SafeRecruit platform and associated services as described in the Terms of Service.
2.2 The categories of data subjects are: the Controller’s employees, workers, and contractors whose records are managed through SafeRecruit.
2.3 The categories of personal data processed include: names and contact details, employment information, identity documents, DBS certificate references and status, right to work records, professional qualifications and registrations, expiry dates for compliance documents, e-signatures, and any other data the Controller uploads to the platform.
2.4 Special category data processed may include: criminal conviction data (DBS records) and health information (where uploaded by the Controller).
2.5 Processing shall continue for the duration of the Terms of Service and for 90 days following termination, after which all Personal Data shall be deleted in accordance with clause 9.
3. Processor Obligations
The Processor shall:
- Process Personal Data only on documented instructions from the Controller, unless required to do so by law
- Ensure that all personnel authorised to process Personal Data are bound by appropriate confidentiality obligations
- Implement and maintain appropriate technical and organisational security measures in accordance with clause 5
- Not engage any Sub-processor without prior written authorisation from the Controller, subject to clause 6
- Assist the Controller in responding to data subject rights requests in accordance with clause 7
- Assist the Controller in meeting its obligations under Articles 32–36 of UK GDPR insofar as possible given the nature of the processing
- Delete or return all Personal Data on termination in accordance with clause 9
- Make available to the Controller all information reasonably necessary to demonstrate compliance with this DPA
4. Controller Obligations
The Controller shall:
- Ensure it has a valid lawful basis for all Personal Data it uploads to SafeRecruit
- Provide clear and complete instructions to the Processor regarding the processing of Personal Data
- Ensure it has provided appropriate privacy notices to data subjects whose data is processed through SafeRecruit
- Obtain any necessary consents before uploading Personal Data relating to its staff
5. Security
The Processor maintains the following technical and organisational measures:
- Encryption of all data in transit using TLS
- Access controls and authentication requirements for all platform users
- Dedicated database isolation per customer organisation
- Regular automated backups with secure storage
- Error monitoring and incident response capability
- Restriction of access to Personal Data to authorised personnel only
The Processor will notify the Controller without undue delay, and in any event within 48 hours, upon becoming aware of a Personal Data breach affecting the Controller’s data.
6. Sub-processors
6.1 The Controller provides general written authorisation for the Processor to engage the following Sub-processors:
| Sub-processor | Purpose | Location |
|---|---|---|
| Ionos | Server hosting and data storage | EU (Germany) |
| Stripe | Payment processing | USA |
| Brevo | Transactional email delivery | EU (France) |
| Twilio | SMS notifications | USA |
| Sentry | Error monitoring | EU (Germany) |
6.2 The Processor shall ensure each Sub-processor is bound by data protection obligations no less protective than those in this DPA.
6.3 The Processor shall notify the Controller of any intended changes to Sub-processors by email at least 14 days in advance. The Controller may object on reasonable grounds within that period. If the parties cannot resolve the objection, either party may terminate with 30 days’ notice.
6.4 For Sub-processors located outside the UK or EU, the Processor relies on Standard Contractual Clauses or UK International Data Transfer Agreements as the transfer mechanism.
7. Data Subject Rights
The Processor shall, upon receiving a request relating to a data subject whose Personal Data is processed under this DPA: forward the request to the Controller without undue delay, provide reasonable technical assistance to enable the Controller to respond within the required timeframe, and not respond directly to the data subject without the Controller’s authorisation unless required by law.
8. Audit Rights
8.1 The Processor shall make available to the Controller all information reasonably necessary to demonstrate compliance with this DPA.
8.2 The Controller may conduct an audit of the Processor’s data processing activities upon giving at least 30 days’ written notice. Audits shall be conducted during business hours, at the Controller’s cost, and shall not unreasonably disrupt the Processor’s operations. No more than one audit per calendar year unless there is specific cause for concern.
9. Deletion and Return of Data
9.1 On termination of the Terms of Service, the Controller has 90 days to export its data from the platform using the available export tools.
9.2 After the 90-day period, the Processor shall permanently and irreversibly delete all Personal Data belonging to the Controller, including all copies held by Sub-processors, unless retention is required by law.
9.3 The Processor shall provide written confirmation of deletion upon request.
10. Governing Law
This DPA is governed by the laws of England and Wales.
11. Order of Precedence
In the event of any conflict between this DPA and the Terms of Service, this DPA shall take precedence in respect of the processing of Personal Data.
Aegis Care Shield Ltd — Office 5678, 58 Peregrine Road, Hainault, Essex, IG6 3SZ — support@aegiscareshield.com