Safety Case FlowSafety Case Flow
Request Demo

Data Processing Agreement

Last updated: April 25, 2025

This Data Processing Agreement ("DPA") forms part of the Terms of Service between Safety Case Flow Ltd ("Processor") and the customer ("Controller") and applies to the processing of personal data by the Processor on behalf of the Controller.

1. Definitions

The terms "Controller", "Processor", "Data Subject", "Personal Data", "Processing", "Appropriate Technical and Organisational Measures", and "Supervisory Authority" shall have the meanings given to them in applicable data protection laws, including the UK GDPR and the Data Protection Act 2018.

2. Processing of Personal Data

The Processor shall process Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to a third country or an international organisation, unless required to do so by law; in such a case, the Processor shall inform the Controller of that legal requirement before processing, unless the law prohibits such information on important grounds of public interest.

2.1 Details of Processing

The details of the Processing operations are as follows:

  • Subject Matter: The provision of building safety compliance software and services by the Processor to the Controller.
  • Duration: The Processing will continue for the duration of the agreement between the Controller and the Processor for the provision of the services.
  • Nature and Purpose: The Processing is necessary for the provision of the services, which include creating and managing Safety Case Reports, storing Golden Thread information, and providing support for building safety compliance.
  • Types of Personal Data: The Personal Data processed may include names, email addresses, telephone numbers, job titles, and other contact information of the Controller's employees, contractors, and residents of buildings managed by the Controller.
  • Categories of Data Subjects: The Data Subjects may include employees and contractors of the Controller, as well as residents of buildings managed by the Controller.

3. Confidentiality

The Processor shall ensure that persons authorised to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

4. Security

The Processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including:

  • The pseudonymisation and encryption of Personal Data where appropriate;
  • The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
  • The ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident;
  • A process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

5. Sub-processing

The Processor shall not engage another processor (a "Sub-processor") without prior specific or general written authorisation of the Controller. In the case of general written authorisation, the Processor shall inform the Controller of any intended changes concerning the addition or replacement of Sub-processors, thereby giving the Controller the opportunity to object to such changes.

Where the Processor engages a Sub-processor for carrying out specific processing activities on behalf of the Controller, the same data protection obligations as set out in this DPA shall be imposed on that Sub-processor by way of a contract, providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of applicable data protection laws.

6. Data Subject Rights

The Processor shall assist the Controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Controller's obligation to respond to requests for exercising the Data Subject's rights under applicable data protection laws.

7. Data Protection Impact Assessment

The Processor shall assist the Controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the UK GDPR, taking into account the nature of processing and the information available to the Processor.

8. Return or Deletion of Personal Data

At the choice of the Controller, the Processor shall delete or return all the Personal Data to the Controller after the end of the provision of services relating to processing, and delete existing copies unless applicable law requires storage of the Personal Data.

9. Audit Rights

The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in this DPA and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller.

10. Data Transfers

The Processor shall not transfer Personal Data to a third country or an international organisation unless it has provided appropriate safeguards, and on condition that enforceable Data Subject rights and effective legal remedies for Data Subjects are available.

11. Contact

For questions about this DPA, please contact us through our Contact page.

Back to Home