Data Processing Agreement

Effective: March 2026 · Last updated: March 2026

Between Tru-Digital Services Ltd (Processor) and the Customer (Controller)

Agreement Summary

The Customer is the Controller and agrees to appoint Tru-Digital Services Ltd (trading as Tru-Digital Protection), 3rd Floor, 86-90 Paul Street, London, EC2A 4NE as the Processor to process Personal Data on the terms set out in this Agreement.

The Processor agrees to process the Personal Data within the UK on the terms set out in this Agreement, in accordance with the Controller's documented instructions.

1. Interpretation

The following definitions apply in this Agreement:

Agreed Purpose: The purposes for which Personal Data is processed, as set out in Clause 4.

The Agreement: This Data Processing Agreement, which forms part of the Services Agreement between the parties.

Business Day: A day other than Saturday, Sunday, or UK bank holiday when banks in London are open for business.

Data Protection Authority: The Information Commissioner's Office (ICO), established under section 114 of the Data Protection Act 2018.

Data Security Breach: A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data.

Personal Data: Has the meaning given in the UK GDPR and includes all personal data processed by the Processor on behalf of the Controller as detailed in Schedule 1.

Privacy and Data Protection Legislation: The UK GDPR (as retained under the European Union (Withdrawal) Act 2018), the Data Protection Act 2018, the Privacy and Electronic Communications (EC Directive) Regulations 2003, and all applicable laws relating to processing of personal data and privacy.

Services Agreement: The contract between the parties for the provision of DPO services, including the Quote, Terms and Conditions, and this Data Processing Agreement.

Term: The duration of the Services Agreement as set out in the Quote.

Terms Controller, Processor, Data Subject, Personal Data, Special Category Data and Processing have the meanings given in the UK GDPR.

2. Compliance with Data Protection Legislation

2.1 Mutual Compliance

Both parties shall comply with all applicable requirements of Privacy and Data Protection Legislation during the Term.

2.2 Controller Responsibilities

The Controller:

• Is responsible for ensuring it has a lawful basis for processing Personal Data
• Must ensure it has appropriate consents, notices, and fair processing information in place
• Warrants that it is entitled to transfer the Personal Data to the Processor for processing
• Remains responsible for compliance with data subject rights requests

2.3 Processor Responsibilities

The Processor shall:

• Process Personal Data only on documented instructions from the Controller (unless required by law)
• Assist the Controller in meeting its obligations under the UK GDPR
• Not transfer Personal Data outside the UK without prior written authorisation
• Notify the Controller immediately if any instruction appears to infringe Privacy and Data Protection Legislation

3. Processing Instructions

3.1 Scope of Processing

The Processor shall process Personal Data only:

• For the Agreed Purposes set out in Clause 4
• In accordance with the Controller's documented instructions
• As described in Schedule 2 (The Services)
• In accordance with the Services Agreement

3.2 Instruction Changes

The Controller may issue additional written instructions regarding processing. The Processor shall:

• Confirm acceptance of new instructions within 5 Business Days
• Notify the Controller if instructions appear to infringe applicable law
• Be entitled to charge reasonable additional fees for work beyond the original scope

4. Purpose of Processing

4.1 Framework

This Agreement sets out the framework for sharing Personal Data between the Controller and Processor to enable the Processor to deliver DPO services.

4.2 Agreed Purposes

The Processor processes Personal Data for the following purposes (the Agreed Purpose):

DPO Services

• Advising on data protection compliance and UK GDPR obligations
• Acting as the designated contact point with the ICO
• Monitoring compliance with data protection policies and procedures
• Conducting data protection audits and gap analyses

Data Subject Rights Management

• Supporting the handling of Subject Access Requests (SARs)
• Redacting documents to protect third-party rights
• Advising on Freedom of Information (FOI) requests
• Managing data subject complaints

Breach Management

• Investigating and documenting data security breaches
• Preparing breach notifications for the ICO and data subjects
• Advising on breach containment and remediation

Policy and Documentation

• Maintaining the Record of Processing Activities (ROPA)
• Developing and updating data protection policies
• Conducting Data Protection Impact Assessments (DPIAs)
• Maintaining the Single Central Register (SCR) where contracted

Training and Advisory

• Delivering data protection training to staff
• Providing ongoing advisory support via email, phone, and portal

4.3 No Incompatible Processing

The Processor shall not process Personal Data in a manner incompatible with the Agreed Purpose without prior written authorisation from the Controller.

4.4 Single Points of Contact

Each party appoints a Single Point of Contact (SPoC):

Controller's SPoC: The authorised signatory identified in the Quote, or their designated representative as notified to the Processor in writing.

Processor's SPoC: Gareth Eynon, DPO

• Email: dpo@trudigital.co.uk
• Phone: 0204 621 2983

5. Personal Data Categories

5.1 Data Subjects

The Personal Data processed under this Agreement relates to:

Pupils and Students

• Current, former, and prospective pupils
• Children subject to safeguarding concerns
• Pupils with SEND support

Parents and Guardians

• Parents, guardians, and emergency contacts
• Individuals making SARs or complaints

Staff and Governors

• Teaching and support staff (current, former, prospective)
• Governors, trustees, and volunteers
• Agency staff and contractors

Third Parties

• External professionals (social workers, medical professionals)
• Complainants and correspondents
• Suppliers and service providers

5.2 Categories of Personal Data

The Personal Data processed may include:

Identifiers and Contact Details

• Names, addresses, telephone numbers, email addresses
• Date of birth, age, gender
• National Insurance numbers (staff), NHS numbers (pupils)
• Unique Pupil Numbers (UPN), staff ID numbers

Education and Training Data

• Attendance records, timetables, class lists
• Academic records, assessments, examination results
• SEND records, Education Health and Care Plans (EHCPs)
• Behaviour logs, exclusion records
• Free School Meal eligibility

Employment Data

• Employment contracts, job descriptions, performance reviews
• Salary, pension, and payroll information
• Disciplinary and grievance records
• Recruitment information (CVs, references)
• DBS certificates and safeguarding checks

Safeguarding Data

• Safeguarding and child protection records
• CPOMS entries, welfare concerns
• LADO referrals, social services involvement
• Incident logs and injury records

Financial Data

• Payment information (school meals, trips, clubs)
• Debt records, payment plans
• Bursary and financial support applications

Digital and Technical Data

• Email correspondence, documents, and files
• System logs, access records
• CCTV footage (metadata only)
• IT usage and internet history

5.3 Special Category Data

Processing may include Special Category Data concerning:

• Racial or ethnic origin
• Religious or philosophical beliefs
• Health (physical and mental health, medical conditions, medication)
• Sex life or sexual orientation (in safeguarding contexts)
• Biometric data (for identification purposes)

5.4 Criminal Offence Data

Where the Controller is processing data relating to criminal convictions and offences (e.g., DBS checks, safeguarding concerns), the Processor may process such data in accordance with the Agreed Purpose.

5.5 Volume and Relevance

The volume of Personal Data processed depends on:

• School/trust size and number of data subjects
• Service tier contracted (Advice, Comprehensive, or All Inclusive)
• Number of SARs, breaches, and advisory requests

The Processor shall only process Personal Data that is adequate, relevant, and not excessive in relation to the Agreed Purpose.

6. Fair and Lawful Processing

6.1 Lawful Basis

The Controller warrants that:

• It has identified appropriate lawful bases for all processing under the UK GDPR
• It has appropriate conditions for processing Special Category Data and criminal offence data
• All necessary consents, notices, and privacy information are in place
• It is entitled to transfer the Personal Data to the Processor

6.2 Fair Processing

The Controller shall ensure that data subjects are informed:

• That their Personal Data may be processed by a third-party DPO service provider
• Of the Processor's identity and contact details
• Of their rights under Privacy and Data Protection Legislation

The Processor shall include appropriate privacy information in all customer-facing communications.

7. Data Subject Rights

7.1 Rights Under UK GDPR

Data subjects have the following rights:

• The right to be informed
• The right of access
• The right to rectification
• The right to erasure
• The right to restrict processing
• The right to data portability
• The right to object
• Rights in relation to automated decision-making and profiling

7.2 Notification of Requests

The Processor shall notify the Controller within 48 hours of receiving:

• A request from a data subject to exercise their rights
• A complaint regarding processing of Personal Data
• A communication from the ICO or other regulatory authority

The Processor shall not respond directly to such requests without the Controller's written authorisation.

7.3 Assistance with Requests

The Processor shall provide reasonable assistance to the Controller in responding to data subject rights requests, including:

• Locating and retrieving relevant Personal Data
• Redacting third-party information from SAR disclosures
• Advising on exemptions and legal obligations
• Preparing draft response letters

Such assistance is included in Comprehensive and All Inclusive service tiers. Additional charges may apply for Advice tier customers.

7.4 Record Keeping

The Processor's SPoC shall maintain records of:

• All data subject rights requests relating to this Agreement
• Dates received, actions taken, and outcomes
• Correspondence with the Controller and data subject
• Advice provided and decisions made

8. Data Retention and Deletion

8.1 Retention Periods

The Processor shall retain Personal Data only for as long as necessary for the Agreed Purpose:

During Active Service Delivery:

Advisory and Support Materials

• Advice emails, queries, and correspondence: Retained for the Term plus 6 years (limitation period)
• Portal access logs and activity records: Retained for the Term plus 2 years
• Training materials and attendance records: Retained for the Term plus 2 years

SAR Working Files

• Copies of documents for redaction: Deleted within 90 days of SAR completion
• Redaction working files and notes: Deleted within 90 days of SAR completion
• SAR log entries (metadata only - no personal data): Retained for the Term plus 6 years

Breach Management

• Breach investigation files: Retained for the Term plus 6 years
• ICO correspondence and notifications: Retained for the Term plus 6 years

ROPA, Policies, and Documentation

• Live ROPA entries: Retained and updated for the duration of the Term
• Historical ROPA versions: Retained for the Term plus 6 years
• Custom policies created for the Controller: Retained for the Term (Controller owns the final versions)
• Policy templates (generic): Retained indefinitely as intellectual property

Single Central Register

• SCR data processed on behalf of Controller: Retained per Controller's instructions (typically updated continuously during Term)
• SCR working files: Deleted within 30 days of data synchronisation

Post-Termination:

• Working files and copies of Personal Data: Deleted within 90 days unless Controller instructs otherwise
• Archives and backup copies: Deleted within 180 days (to allow for backup rotation cycles)
• Contractual records (non-personal data): Retained for 6 years from termination

8.2 Deletion on Instruction

The Controller may instruct the Processor to delete Personal Data at any time. The Processor shall:

• Confirm receipt of the instruction within 2 Business Days
• Complete deletion within 30 days unless a longer period is agreed
• Provide written confirmation of deletion

8.3 Deletion Method

Deletion shall be permanent and irreversible using secure deletion methods appropriate to the storage medium:

• Electronic data: Secure overwriting or cryptographic erasure
• Physical documents: Confidential shredding or incineration
• Backup archives: Deletion at next backup rotation cycle (maximum 180 days)

8.4 Return of Data

If the Controller requests return of Personal Data instead of deletion:

• The Processor shall provide data in a structured, commonly used, machine-readable format (e.g., CSV, PDF)
• Transfer shall be via secure encrypted channel
• The Processor shall delete its copies within 30 days of successful transfer

9. Sub-Processors and Third Parties

9.1 Authorised Sub-Processors

The Controller authorises the Processor to engage the following sub-processors:

Infrastructure and Hosting

• Notion Labs Inc (USA/EU) - Knowledge base, ROPA, and documentation platform
• Google Ireland Limited (Ireland/UK) - Google Workspace (email, docs, storage)
• Microsoft Ireland Operations Limited (Ireland/UK) - Microsoft 365 services (if applicable)

Communication and Support

• Tally Forms (EU) - Contact form processing

Analytics and Monitoring (processes only pseudonymised/aggregated data)

• Cloudflare Inc (USA/EU) - Web hosting and security
• Google Analytics (configured for UK data residency where possible)

9.2 Sub-Processor Obligations

The Processor warrants that:

• All sub-processors are bound by written contracts imposing data protection obligations equivalent to this Agreement
• The Processor remains fully liable for any sub-processor's acts or omissions
• All sub-processors implement appropriate technical and organisational security measures

9.3 Changes to Sub-Processors

If the Processor intends to engage a new sub-processor or replace an existing one:

• The Processor shall notify the Controller at least 30 days in advance
• The Controller may object on reasonable data protection grounds within 14 days
• If the Controller objects, the parties shall discuss alternative arrangements
• If no resolution is reached, the Controller may terminate the affected service without penalty

9.4 International Transfers

The Processor shall not transfer Personal Data outside the UK without:

• Prior written authorisation from the Controller
• Appropriate safeguards in place (Standard Contractual Clauses, adequacy decision, or approved certification)
• Conducting a transfer risk assessment

For sub-processors listed in 9.1 with international elements, the Processor warrants that appropriate safeguards are in place via:

• Hosting within UK/EU data centres where technically feasible
• Standard Contractual Clauses between the sub-processor and its parent company
• UK GDPR-compliant data processing agreements

10. Security and Confidentiality

10.1 Security Obligations

The Processor shall implement appropriate technical and organisational measures to:

• Prevent unauthorised or unlawful processing of Personal Data
• Prevent accidental loss, destruction, or damage to Personal Data
• Ensure a level of security appropriate to the risk

10.2 Security Measures

The specific measures implemented by the Processor are detailed in Schedule 3.

Key measures include:

• Encryption of data in transit (TLS 1.2+) and at rest (AES-256)
• Multi-factor authentication for all system access
• Role-based access controls and least privilege principles
• Regular security updates and patch management
• Secure backup and disaster recovery procedures
• Regular security reviews and updates
• Staff security awareness training

10.3 Confidentiality

The Processor shall ensure that all personnel authorised to process Personal Data:

• Are subject to binding confidentiality obligations
• Receive appropriate training on data protection and security
• Process Personal Data only as necessary for the Agreed Purpose

10.4 Changes to Security Measures

The Processor shall notify the Controller of any material changes to security measures within 14 days.

11. Data Security Breaches

11.1 Immediate Notification

The Processor shall notify the Controller immediately and in any event within 12 hours of becoming aware of a Data Security Breach affecting the Controller's Personal Data.

Notification shall be by telephone (followed by email) to the Controller's SPoC and shall include:

• Nature of the breach (what happened, when, how discovered)
• Categories and approximate volume of data affected
• Likely consequences and severity assessment
• Immediate containment measures taken
• Processor's preliminary recommendation on ICO notification

11.2 Investigation and Assistance

The Processor shall:

• Conduct a full investigation into the breach
• Provide ongoing updates to the Controller every 24 hours until resolved
• Assist the Controller with ICO breach reporting (Article 33 notification)
• Assist with data subject notifications where required (Article 34)
• Provide all information reasonably requested by the Controller or ICO
• Cooperate fully with any ICO or law enforcement investigation

11.3 Remediation

The Processor shall:

• Take immediate measures to contain and mitigate the breach
• Implement remedial actions to prevent recurrence
• Provide a written post-incident report within 14 days
• Review and update security measures as necessary

11.4 Breach Records

The Processor shall maintain a register of all Data Security Breaches, documenting:

• Facts of each breach
• Effects and consequences
• Remedial actions taken
• Evidence supporting decisions on ICO notification

12. Audits and Inspections

12.1 Audit Rights

The Controller (or its authorised auditor) may audit or inspect the Processor's compliance with this Agreement:

• On reasonable written notice (minimum 14 days)
• During Business Hours
• No more than once per year (unless following a Data Security Breach)

12.2 Information and Access

The Processor shall:

• Provide all information reasonably necessary to demonstrate compliance
• Allow access to relevant facilities, systems, and documentation
• Make personnel available for interview
• Cooperate fully with audit activities

12.3 Audit Costs

The Controller shall bear its own costs of audit. If an audit reveals material non-compliance by the Processor, the Processor shall reimburse reasonable audit costs.

12.4 ICO Audits

The Processor shall notify the Controller immediately if the ICO requests to audit the Processor's handling of the Controller's Personal Data.

13. Data Protection Impact Assessments

Where the Controller is required to conduct a Data Protection Impact Assessment (DPIA), the Processor shall:

• Provide reasonable assistance and information
• Advise on the necessity and scope of the DPIA
• Support completion of the DPIA template
• Assist with prior consultation with the ICO if required

DPIA support is included in Comprehensive and All Inclusive tiers. Additional charges may apply for Advice tier customers.

14. Termination

14.1 Effect of Termination

On termination or expiry of the Services Agreement:

• The Processor shall cease all processing of Personal Data
• The Processor shall (at the Controller's election) return or delete all Personal Data within 90 days
• The obligation to delete extends to all copies, backups, and archives
• The Processor shall provide written certification of deletion

14.2 Retention Post-Termination

The Processor may retain Personal Data only where:

• Required by law (e.g., accounting records, litigation holds)
• Necessary for establishment, exercise, or defence of legal claims
• The Controller provides written instruction to retain

Any retained data remains subject to confidentiality obligations and this Agreement.

14.3 Handover

The Processor shall cooperate with any successor DPO or the Controller to ensure orderly transition, including:

• Transferring live case files (SARs, breaches, complaints)
• Providing copies of ROPA, policies, and documentation
• Briefing on ongoing matters and ICO correspondence

15. Liability and Indemnity

15.1 Processor Liability

The Processor shall indemnify the Controller against:

• Fines or penalties imposed by the ICO arising from the Processor's breach of this Agreement
• Compensation awarded to data subjects due to the Processor's breach
• Reasonable legal costs incurred defending claims arising from the Processor's breach

15.2 Limitations

The indemnity at 15.1 does not apply where the loss arises from:

• The Controller's instructions or acts/omissions
• The Controller's failure to implement the Processor's recommendations
• Force majeure or circumstances beyond the Processor's reasonable control

15.3 Liability Cap

Notwithstanding Clause 15.1, the Processor's total aggregate liability under this Agreement is subject to the limitation of liability provisions in the Services Agreement Terms and Conditions.

This cap does not apply to:

• Liability that cannot be limited by law
• Fraud or fraudulent misrepresentation
• Breach of confidentiality
• Death or personal injury caused by negligence

16. General Provisions

16.1 Relationship to Services Agreement

This Data Processing Agreement forms part of and is incorporated into the Services Agreement. In the event of conflict between this DPA and the Terms and Conditions, this DPA shall prevail in relation to data processing matters.

16.2 Changes to Law

If changes to Privacy and Data Protection Legislation require amendments to this Agreement:

• Either party may propose amendments on reasonable notice
• The parties shall negotiate in good faith to implement necessary changes
• The Processor may implement urgent changes to remain compliant, notifying the Controller within 7 days

16.3 Severability

If any provision is held invalid or unenforceable, it shall be modified to the minimum extent necessary to make it valid and enforceable. The remainder of the Agreement shall remain in full force.

16.4 Entire Agreement

This Agreement (together with the Services Agreement) constitutes the entire agreement between the parties relating to processing of Personal Data.

16.5 Governing Law and Jurisdiction

This Agreement is governed by the law of England and Wales. The parties submit to the exclusive jurisdiction of the courts of England and Wales.

Signatures

This Agreement is executed on the date of the Services Agreement.

Signed on behalf of Tru-Digital Services Ltd (Processor):

Signature: ________________________________

Name: Gareth Eynon

Position: Director and Data Protection Officer

Date: ______________________

Signed on behalf of [Customer Name] (Controller):

Signature: ________________________________

Name: ________________________________

Position: ________________________________

Organisation: ________________________________

Date: ______________________

Schedule 1: Data Processing Details

Controller

An educational establishment (school, academy, or multi-academy trust) subject to UK GDPR and the Data Protection Act 2018, using Tru-Digital Protection's DPO services.

Processor

Tru-Digital Services Ltd (trading as Tru-Digital Protection)

• Address: 3rd Floor, 86-90 Paul Street, London, EC2A 4NE
• ICO Registration: ZB887707
• Company Number: 16210598

A specialist data protection consultancy providing DPO services to UK educational institutions.

Data Subjects

As detailed in Clause 5.1:

• Pupils and students (current, former, prospective)
• Parents, guardians, and family members
• Staff: teaching staff, support staff, leadership, governors, trustees
• Volunteers, contractors, and agency workers
• External professionals (social workers, therapists, medical staff)
• Complainants and correspondents
• Suppliers and service providers

Categories of Personal Data

As detailed in Clause 5.2:

• Identifiers and contact details
• Education and training data
• Employment data
• Safeguarding data
• Financial data
• Digital and technical data

Special Category Data

As detailed in Clause 5.3:

• Racial or ethnic origin
• Religious or philosophical beliefs
• Health information
• Sex life or sexual orientation (safeguarding contexts)
• Biometric data (identification purposes)

Criminal Offence Data

As detailed in Clause 5.4:

• DBS certificate details
• Criminal conviction information (staff screening)
• Safeguarding concerns relating to criminal matters
• Police involvement records

Processing Operations

As detailed in Clause 4.2 and Schedule 2:

Collection and Receipt

• Receiving data via secure email, portal upload, or system access
• Accessing Controller's systems (MIS, CPOMS, shared drives) with authorisation
• Recording data in the Processor's systems (ROPA, case management)

Storage and Organisation

• Storing data in secure cloud platforms (Notion, Google Workspace, Microsoft 365)
• Organising data into case files, ROPA entries, policy libraries
• Maintaining structured records and audit trails

Use and Analysis

• Reviewing documents for SAR redaction
• Analysing data flows for ROPA and DPIA purposes
• Investigating data breaches
• Assessing compliance risks
• Preparing reports and recommendations

Disclosure and Sharing

• Returning redacted SAR documents to the Controller
• Sharing breach reports with the ICO (on Controller's instruction)
• Providing audit evidence to the Controller or ICO
• Transferring data to successor DPO at termination

Updating and Correction

• Updating ROPA entries based on Controller's changes
• Correcting errors in case files
• Versioning and updating policy documents

Protection and Restriction

• Applying encryption to data in transit and at rest
• Implementing access controls and authentication
• Redacting third-party information from disclosures
• Restricting access to "need to know" personnel

Deletion and Destruction

• Securely deleting working files per retention schedule
• Removing data from backups
• Destroying physical documents via confidential shredding
• Providing certification of deletion

Duration of Processing

For the Term of the Services Agreement, plus retention periods as specified in Clause 8.

Schedule 2: The Services and Data Handling

This schedule describes how Personal Data is processed to deliver each service tier.

All Service Tiers: Common Processing

Advisory and Compliance Support

• Data received: Email queries, documents for review, policy drafts, incident descriptions
• Processing: Analysis, legal research, advice formulation, response drafting
• Data stored: Correspondence archived in shared workspace
• Retention: For the Term plus 6 years

ICO Liaison

• Data received: Breach reports, ICO correspondence, audit requests
• Processing: Review, response drafting, submission to ICO
• Data stored: ICO correspondence file in secure document store
• Retention: For the Term plus 6 years (regulatory requirement)

Knowledge Base Access

• Data received: None (public resource)
• Processing: User analytics only (pseudonymised)
• Data stored: Access logs
• Retention: 2 years

DPIA Lite Support

• Data received: Processing descriptions, risk information
• Processing: Risk assessment, DPIA template completion, advice
• Data stored: Completed DPIA in shared workspace
• Retention: For the Term plus 6 years

Comprehensive and All Inclusive Tiers: Additional Processing

Subject Access Request Redaction

• Data received: Documents for disclosure (emails, pupil records, CPOMS entries, staff files)
• Processing: Review for third-party data, applying exemptions, redaction of identifiers, preparation of disclosure bundles
• Data stored: Working files in secure project folder during active SAR
• Retention: Deleted within 90 days of SAR completion. SAR log (metadata only) retained for Term plus 6 years.
• Volume: 5 SARs per year (Comprehensive), unlimited (All Inclusive)

Breach Management and Documentation

• Data received: Breach incident details, affected data subjects, system logs, investigation evidence
• Processing: Investigation, severity assessment, ICO notification preparation, remediation advice, documentation
• Data stored: Breach investigation file in secure document store
• Retention: For the Term plus 6 years

Policy Development and Management

• Data received: Current policies, organisational structure, processing activities
• Processing: Drafting/updating policies customised to Controller's context
• Data stored: Policy library in shared workspace
• Retention: Live policies maintained during Term. Historical versions retained for Term plus 2 years.

Record of Processing Activities (ROPA)

• Data received: Processing activity descriptions, system information, data flows, legal bases
• Processing: Documenting activities in structured ROPA format, annual review and update
• Data stored: ROPA database in shared workspace
• Retention: Live ROPA maintained during Term. Historical entries retained for Term plus 6 years.

Training Delivery

• Data received: Staff names, roles, email addresses, attendance records
• Processing: Training delivery, attendance tracking, certificate generation
• Data stored: Training register in shared workspace
• Retention: For the Term plus 2 years

All Inclusive Tier: Additional Processing

Single Central Register Maintenance

• Data received: Staff personal details, DBS certificates, qualification evidence, right-to-work documents, references
• Processing: Recording in SCR format, monitoring compliance, flagging expiry dates
• Data stored: SCR database (Notion or Google Sheets) in shared workspace
• Retention: Live SCR maintained during Term. Historical entries retained per Controller's retention schedule (typically 6 years post-employment).
• Note: The Processor acts as joint controller for SCR maintenance or processor depending on the arrangement agreed.

On-Site Training

• Data received: Same as remote training, plus visitor logs, site access records
• Processing: Same as remote training
• Data stored: Same as remote training
• Retention: Same as remote training

Data Transfer Methods

Secure Channels:

• Encrypted email (TLS 1.2+ in transit)
• Shared Notion workspace (encrypted at rest and in transit)
• Google Drive / Microsoft OneDrive with link expiry and password protection
• Direct system access (MIS, CPOMS) via VPN or SSO where provided

Prohibited Methods:

• Unencrypted email for Special Category or criminal offence data
• Personal email accounts or consumer file-sharing services
• Physical post (unless encrypted USB or with Controller's explicit agreement)

Sub-Processor Use for Services

As detailed in Clause 9, authorised sub-processors are used as follows:

• Notion Labs Inc: ROPA, policy library, shared workspace, case management
• Google Workspace: Email, document collaboration, secure storage
• Cloudflare: Web hosting and DDoS protection for knowledge base (no Personal Data processed)

Schedule 3: Technical and Organisational Security Measures

The Processor implements the following measures to protect Personal Data:

1. Access Control

User Authentication

• Multi-factor authentication (MFA) mandatory for all user accounts
• Unique user accounts - no shared credentials
• Password requirements: minimum 12 characters, complexity rules enforced
• Password managers required for all staff
• Biometric authentication (fingerprint/face ID) enabled where supported

Access Management

• Role-based access control (RBAC) - least privilege principle
• Access rights reviewed quarterly
• Immediate revocation on termination of employment
• Separate access controls for each customer workspace
• Audit logging of all access to Personal Data

Device Management

• Endpoint protection on all devices (antivirus, anti-malware)
• Full-disk encryption on all laptops and workstations (FileVault, BitLocker)
• Automatic screen lock after 5 minutes inactivity
• Remote wipe capability for lost/stolen devices
• Mobile device management (MDM) for company devices

2. Data Encryption

Encryption in Transit

• TLS 1.2 or higher for all data transmission
• HTTPS enforced for all web services
• VPN required for remote access to systems
• Email encryption (TLS) mandatory; S/MIME or PGP for highly sensitive data

Encryption at Rest

• AES-256 encryption for all stored data
• Cloud storage providers with encryption at rest (Google, Notion, Microsoft)
• Encrypted backups
• Hardware security modules (HSM) for key management where applicable

Key Management

• Encryption keys stored separately from encrypted data
• Key rotation annually or on security incident
• Access to encryption keys restricted to authorised personnel only

3. Network Security

Perimeter Security

• Next-generation firewall with intrusion detection/prevention (IDS/IPS)
• DDoS protection via Cloudflare
• Network segmentation and VLANs
• Regular firewall rule audits

Monitoring and Detection

• 24/7 security monitoring via cloud provider tools
• Automated alerts for suspicious activity
• Log aggregation and analysis (SIEM)
• Annual penetration testing by third-party security firm
• Vulnerability scanning (quarterly)

Wi-Fi Security

• WPA3 encryption for wireless networks
• Separate guest network with no access to corporate resources
• MAC address filtering where practical

4. Physical Security

Office Premises

• Secure building access (key fob/card access)
• Visitor log and escort policy
• CCTV monitoring of entry points
• Alarm system armed when premises unoccupied

Workstation Security

• Clean desk policy - no Personal Data left visible
• Lockable cabinets for physical documents
• Secure disposal bins for confidential waste
• Privacy screens on monitors in shared spaces

Data Centre Security (Sub-Processors)

• ISO 27001 certified data centres (Google, Microsoft, Notion)
• 24/7 physical security and monitoring
• Redundant power and cooling
• Geographic redundancy and disaster recovery

5. Backup and Disaster Recovery

Backup Procedures

• Automated daily backups of all data
• 3-2-1 backup strategy: 3 copies, 2 different media, 1 offsite
• Encrypted backups stored in geographically separate location
• Backup integrity testing monthly
• Restoration testing quarterly

Disaster Recovery

• Business Continuity Plan reviewed annually
• Recovery Time Objective (RTO): 24 hours
• Recovery Point Objective (RPO): 24 hours (maximum 1 day of data loss)
• Cloud-based systems provide inherent redundancy
• Documented disaster recovery procedures

Incident Response

• Incident response plan with defined roles and procedures
• On-call rota for security incidents
• Forensic preservation capability
• Post-incident review and lessons learned process

6. Secure Disposal

Electronic Data

• Secure deletion using DoD 5220.22-M standard (7-pass overwrite) or cryptographic erasure
• Destruction certificates for decommissioned hardware
• Data sanitisation before device disposal or reuse

Physical Documents

• Cross-cut shredding (P-4 or higher) for confidential documents
• Locked confidential waste bins
• Certified destruction service for high-volume disposal
• Destruction certificates retained for audit

7. Personnel Security

Recruitment and Vetting

• Enhanced DBS checks for all staff (Processor is Registered Body)
• Employment reference checks
• Identity verification
• Right to work verification

Training and Awareness

• Data protection and security training on induction
• Annual refresher training mandatory
• Phishing simulation exercises quarterly
• Security awareness bulletins
• Specialist training for staff handling sensitive data

Confidentiality

• Confidentiality clauses in all employment contracts
• Non-disclosure agreements (NDAs) for contractors
• Code of conduct requiring confidentiality
• Disciplinary process for breaches

Supervision and Monitoring

• Regular supervision and performance reviews
• Monitoring of system access logs
• Investigation of anomalous behaviour
• Clear escalation procedures for concerns

8. Vendor Management

Sub-Processor Due Diligence

• Security assessment before engagement
• Review of sub-processor's security certifications (ISO 27001, SOC 2)
• Data processing agreements with equivalent security obligations
• Annual review of sub-processor security

Vendor Contracts

• Security and confidentiality requirements in all contracts
• Right to audit sub-processors
• Breach notification obligations
• Liability and indemnity provisions

9. Software and Patch Management

Software Updates

• Automatic updates enabled for operating systems and applications
• Critical security patches applied within 48 hours
• Routine patches applied within 14 days
• Legacy systems isolated or decommissioned

Application Security

• Only approved software permitted (whitelisting)
• Software licenses current and compliant
• Vulnerability assessments before deploying new software
• Secure software development lifecycle (SDLC) for custom applications

Anti-Malware

• Enterprise-grade anti-malware on all endpoints
• Real-time scanning and automatic updates
• Regular full system scans
• Quarantine and remediation procedures

10. Audit and Compliance

Internal Audits

• Quarterly internal security audits
• Annual compliance audit against UK GDPR
• ISO 27001 gap analysis (working towards certification)
• Action plans for identified issues

Logging and Monitoring

• Comprehensive audit logs for all data access
• Logs retained for minimum 2 years
• Log review procedures
• Tamper-proof log storage

Documentation

• Security policies and procedures documented and current
• Security incidents logged and investigated
• Risk register maintained and reviewed quarterly
• Data protection policies published and accessible

11. Testing and Assurance

Security Reviews

• Regular security posture reviews
• Remediation of identified vulnerabilities
• Monitoring of security advisories and threat intelligence

Vulnerability Management

• Continuous monitoring of security updates
• Risk-based prioritisation of remediation
• Prompt patching of critical vulnerabilities

Security Certifications

• ICO registration current (ZB887707)
• Regular self-assessment against NCSC guidance
• Compliance with industry best practices

12. Changes and Notifications

The Processor shall notify the Controller within 14 days of:

• Material changes to security measures
• Security incidents or near-misses
• Changes to sub-processors
• New security certifications or audit results

The Processor shall consult with the Controller before materially weakening any security measure.

END OF DATA PROCESSING AGREEMENT

Document Reference: TDP-DPA-v1.0

Effective Date: January 2026

Next Review: January 2027