DATA PROCESSING AGREEMENT (DPA)
This Data Processing Agreement (“DPA”) forms part of the agreement between Deploi Technologies Limited (“Deploi”) and the Customer governing the provision of the Deploi platform and services (“Agreement”).
This DPA applies where Deploi processes Personal Data in connection with the Services.
1. Definitions
Terms used in this DPA have the meaning given in UK GDPR unless defined below.
Controller means the entity determining the purposes and means of processing Personal Data.
Processor means the entity processing Personal Data on behalf of a Controller.
Personal Data, Processing, Data Subject, Personal Data Breach, and Supervisory Authority have the meanings given in UK GDPR.
Services means the Deploi platform, background screening, compliance passport, monitoring, and related services.
Customer Data means Personal Data provided by or on behalf of Customer.
Compliance Passport Data means Personal Data maintained by Deploi as part of its independent compliance passport infrastructure.
2. Roles of the Parties
The parties acknowledge that Deploi operates a hybrid model.
2.1 Customer as Controller
Customer acts as Controller for:
employment screening decisions
hiring or engagement decisions
internal HR and compliance use
access to reports
employer audit requirements
2.2 Deploi as Processor
Deploi acts as Processor when processing Personal Data solely on behalf of Customer for:
performing background checks
generating reports
employment verification
ongoing monitoring requested by Customer
2.3 Deploi as Independent Controller
Deploi acts as independent Controller for:
maintaining compliance passports
portability of candidate records
fraud prevention
platform security
regulatory compliance
service integrity and audit
lawful record retention
aggregated analytics
safeguarding and monitoring infrastructure
This independent Controller role is essential to enable candidate portability and cross-employer compliance.
Customer acknowledges and agrees that Compliance Passport Data is not Customer property.
3. Processing Details
The subject matter, duration, categories of data, and purposes of processing are set out in Appendix 1 – Processing Particulars.
4. Processor Obligations
Where Deploi acts as Processor, Deploi shall:
4.1 process Personal Data only on documented instructions from Customer;
4.2 ensure personnel are subject to confidentiality obligations;
4.3 implement appropriate technical and organisational security measures;
4.4 assist Customer with:
data subject rights requests
breach notification
DPIAs
regulatory cooperation
4.5 notify Customer without undue delay of a Personal Data Breach;
4.6 delete or return Customer Personal Data at termination, unless retention is required by law or necessary for Deploi’s independent Controller obligations.
5. Security Measures
Deploi maintains industry-standard security controls including:
encryption in transit and at rest
access controls and authentication
audit logging
secure infrastructure hosting
vulnerability monitoring
role-based access
incident response procedures
Detailed security documentation is available on request.
6. Sub-Processors
Customer authorises Deploi to use sub-processors.
Current categories include:
identity verification providers
background screening databases
hosting providers
compliance data sources
infrastructure providers
Deploi:
performs due diligence
enters GDPR-compliant contracts
remains liable for sub-processor performance
A current sub-processor list is available on request.
Customer may object to new sub-processors on reasonable data protection grounds.
7. International Transfers
Where Personal Data is transferred outside the UK:
adequacy decisions are relied upon where available
Standard Contractual Clauses or IDTA are used where required
supplementary safeguards are implemented
8. Data Subject Rights
Deploi will assist Customer in responding to:
access requests
rectification
erasure
restriction
portability
objection
Where requests relate to Compliance Passport Data, Deploi may respond as independent Controller.
9. Retention
Customer Data is retained only as necessary to perform Services.
Compliance Passport Data may be retained longer where necessary for:
legal compliance
safeguarding
audit integrity
regulatory requirements
fraud prevention
passport portability
Retention schedules are available on request.
10. Audits
Customer may request reasonable audit information.
Audits must:
be proportionate
not disrupt operations
protect other customers
use confidentiality safeguards
Security certifications or third-party audit reports may satisfy audit rights.
11. Breach Notification
Deploi will notify Customer without undue delay after becoming aware of a breach affecting Customer Data.
Notification will include:
nature of breach
categories affected
likely consequences
mitigation steps
12. Liability
Liability under this DPA follows the liability limits in the main Agreement.
Nothing limits liability where prohibited by law.
13. Survival
This DPA survives termination of the Agreement as long as Deploi processes Personal Data.
Appendix 1 – Processing Particulars
Categories of Data Subjects
candidates
employees
contractors
referees
former employees
compliance subjects
Types of Personal Data
identity data
employment history
vetting records
right-to-work documentation
criminal record checks
financial verification
qualifications
references
contact details
compliance monitoring data
Sensitive Data
May include:
criminal record data
biometric verification
health disclosures
regulatory screening
Processed only where lawful.
Purpose of Processing
employment vetting
compliance verification
identity authentication
safeguarding
regulatory reporting
ongoing monitoring
compliance passport maintenance
Duration
Processing continues for:
employment lifecycle
regulatory retention periods
passport continuity
lawful compliance obligations