Data Processing Agreement

This Data Processing Agreement ("DPA") is entered into between the customer that operates an Altix tenant (the "Controller") and the operator of Altix ("Processor", "we", "us"). It governs the processing of Personal Data on behalf of the Controller in connection with the Altix service.

By creating an Altix account and using the service to process Personal Data, the Controller accepts this DPA.

"UK GDPR" means the UK General Data Protection Regulation. "Personal Data", "Processing", "Data Subject", and "Sub-processor" have the meanings given to them in UK GDPR.

The Processor processes Personal Data only for the purpose of providing the Altix service to the Controller, for the duration of the underlying subscription, until termination and completion of the deletion process described in section 11.

Categories of Data Subjects:

• The Controller's workers and prospective workers.
• The Controller's team members (owners, managers, accountants).
• Workers' nominated next of kin.

Categories of Personal Data:

• Identity data: name, DOB, nationality, photo, photo of ID document.
• Contact data: email, phone, address, next of kin.
• Tax and financial data: NI number, UTR, sort code, account number.
• Right-to-work data: government share code.
• Employment-credential data: CSCS, certifications, expiry dates.
• Site assignment and induction records.
• Account and audit-log data for team members.

The Processor will only process Personal Data on documented instructions from the Controller, which are set out in the Terms of Service, this DPA, and the Controller's use of the service's features. The Processor will inform the Controller if, in its opinion, an instruction infringes UK GDPR.

The Processor ensures that personnel authorised to process Personal Data are bound by confidentiality obligations.

The Processor implements the following technical and organisational measures:

• TLS 1.2+ for all data in transit, with HSTS preloaded.
• Application-layer AES-256-GCM encryption of high-sensitivity identifiers (NI number, UTR, bank details, share code).
• Tenant isolation enforced at the database layer on every table that holds Personal Data.
• At-rest encryption for the database and storage bucket.
• Signed, short-lived URLs for all document downloads; no public-bucket exposure.
• Append-only audit log of consequential write actions, retained for 24 months.
• Unique credentials and least-privilege access for personnel.
• Regular dependency upgrades and security review of the codebase.

The Controller authorises the Processor to engage the Sub-processors listed at /legal/sub-processors. The Processor will give the Controller at least 30 days' prior written notice (by email to the firm owner) before engaging or replacing a Sub-processor. The Controller may object on documented data-protection grounds, in which case they may terminate the underlying subscription and receive a pro rata refund of any unused prepaid fees.

Taking into account the nature of the Processing, the Processor will assist the Controller by appropriate technical and organisational measures, insofar as possible, to fulfil obligations to respond to data subject rights requests. The self-service export and deletion features in the application are made available to Controllers for this purpose.

The Processor will notify the Controller without undue delay (and within 72 hours of becoming aware) of any Personal Data Breach affecting the Controller's data, providing available information to assist the Controller's own ICO notification obligations. The Processor follows the runbook published at /legal/breach-runbook.

On termination, the Controller may export their data through the in-app export within 30 days. After 30 days the Processor will delete the Controller's tenant Personal Data, subject to any backups which roll off according to the Sub-processor's standard retention.

The Processor will make available to the Controller all information necessary to demonstrate compliance with this DPA and will allow for, and contribute to, audits — including inspections — conducted by the Controller or another auditor mandated by the Controller. Subject to reasonable notice, confidentiality, and frequency limits.

Where Personal Data is transferred outside the UK to a Sub-processor, the transfer is covered by the UK International Data Transfer Addendum to the EU SCCs and supplementary measures (encryption in transit, application-layer encryption of sensitive identifiers).

Liability under this DPA is subject to the limitations set out in the Terms of Service. This DPA is governed by the laws of England and Wales.