Controller-processor contract between OpesQ and each tenant under UK GDPR Art. 28.
Last updated: 1 May 2026
“UK GDPR” means the UK General Data Protection Regulation as defined in the Data Protection Act 2018. “Controller”, “Processor”, “Personal Data”, “Process” and “Data Subject” have the meanings given in UK GDPR. “Tenant Data” means Personal Data Processed by OpesQ on behalf of the Tenant under this Agreement.
The Tenant is the Controller of the Tenant Data. OpesQ Ltd is the Processor. The Tenant determines the purposes and means of Processing; OpesQ acts only on the Tenant’s documented instructions as set out in this Agreement, the Terms of Service, and the Platform configuration.
OpesQ Processes Tenant Data to provide the Platform service. The Processing continues for the term of the subscription. Categories of Data Subject, personal data and processing purpose are set out in Annex 1.
OpesQ Processes Tenant Data only on the Tenant’s documented instructions, unless required to do so by law. Platform configuration settings (modules enabled, data fields populated) constitute documented instructions.
OpesQ ensures that persons authorised to Process Tenant Data are bound by confidentiality (contractually or statutorily).
OpesQ implements appropriate technical and organisational measures, including encryption in transit and at rest, access controls, audit logging, regular penetration testing and employee training. Details are available under NDA on request.
The Tenant gives OpesQ general written authorisation to engage sub-processors. The current list is published at opesq.com/sub-processors. OpesQ will give at least 30 days’ notice of any addition or replacement, during which period the Tenant may object on reasonable data-protection grounds. OpesQ remains liable for the acts and omissions of its sub-processors.
Taking into account the nature of the Processing, OpesQ assists the Tenant by appropriate technical and organisational measures to fulfil the Tenant’s obligations to respond to requests exercising Data Subject rights (access, rectification, erasure, restriction, portability, objection).
OpesQ assists the Tenant in meeting the Tenant’s obligations under Articles 32 to 36 UK GDPR (security, breach notification, data protection impact assessments, prior consultation).
OpesQ notifies the Tenant without undue delay (and in any event within 48 hours) on becoming aware of a Personal Data breach affecting Tenant Data. The notification includes the nature of the breach, categories and approximate numbers of Data Subjects and records concerned, likely consequences, and measures taken or proposed.
On termination, OpesQ returns or deletes all Tenant Data at the Tenant’s choice within 30 days of the effective termination date, unless UK or EU law requires storage. OpesQ confirms deletion on request.
OpesQ makes available to the Tenant all information necessary to demonstrate compliance with Art 28, and allows for and contributes to audits, including inspections, conducted by the Tenant or an auditor mandated by the Tenant. The parties agree that initial information requests are satisfied by the Platform’s published security documentation, SOC / ISO attestations where available, and third-party penetration test summaries.
Where a sub-processor is located outside the UK in a country without an adequacy decision, OpesQ relies on the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses, with appropriate supplementary measures. The Tenant authorises OpesQ to enter such transfer mechanisms on its behalf for sub-processors on the published list.
Categories of Data Subject: the Tenant’s employees, workers, contractors, job applicants, and their dependants or emergency contacts where provided.
Categories of Personal Data: name, contact details, employment records, pay and benefits data, training records, absence records, disciplinary records, right-to-work documents, driving licence data (where applicable), and such other HR data as the Tenant loads into the Platform.
Special categories: health data (sickness absence), ethnic origin (equality monitoring), where provided by the Tenant. Processed under Art 9(2)(b) employment-law obligation or Art 9(2)(h) occupational medicine, as applicable.
Purpose of Processing: to enable the Tenant to manage its workforce through the Platform.
Duration: the term of the subscription plus the return / deletion period in Clause 11.
For questions about this DPA, to request a signed PDF copy, or to exercise audit rights, please contact privacy@opesq.com.