Data Processing Agreement
Version dpa-2026-05-30 · Last updated: 30/05/2026
This Data Processing Agreement ("DPA") forms part of the Terms of Service between the customer ("Controller") and Compliance Track ("Processor") and applies whenever the Processor processes personal data on behalf of the Controller in the course of providing the service. It is intended to satisfy the requirements of Article 28 of the UK GDPR.
1. Subject matter and duration
The subject matter is the processing of personal data uploaded by the Controller into Compliance Track for the purpose of managing right to work and sponsor compliance records. This DPA applies for the duration of the Controller's account and any post-termination period required for return or deletion of data.
2. Nature and purpose of processing
The Processor stores, organises, retrieves, transmits, and (where requested) deletes personal data on the Controller's instructions, in order to provide reminders, audit-ready records, document storage, and reporting features.
3. Types of personal data
Names, contact details, job titles, employment dates, passport numbers, visa types and dates, right to work check records, share codes, sponsorship references, certificates of sponsorship, salaries, work locations, and any documents the Controller chooses to upload (which may include images of identity documents and visa decision notices).
4. Categories of data subjects
Current, former, and prospective employees of the Controller, including sponsored workers and non-sponsored staff added for rota planning.
5. Processor obligations
The Processor shall:
- Process personal data only on the Controller's documented instructions, which are set out in the Terms of Service, this DPA, and the configuration choices made by the Controller within the service. The Processor will inform the Controller if, in its opinion, an instruction infringes UK GDPR.
- Ensure that personnel authorised to process the data are subject to confidentiality obligations.
- Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including encryption in transit and at rest, role-based access control, row-level security in the database, multi-factor authentication for administrative access, logging, and regular review.
- Engage subprocessors only under written terms that impose obligations equivalent to this DPA, and maintain a current list of subprocessors. The Controller has a general authorisation to use the subprocessors listed in the Privacy Policy. The Processor will give the Controller reasonable notice of any new or replacement subprocessor and an opportunity to object on reasonable grounds.
- Assist the Controller, taking into account the nature of processing, in responding to requests from data subjects exercising their rights under UK GDPR.
- Assist the Controller in meeting its obligations under Articles 32 to 36 UK GDPR, including security, breach notification, data protection impact assessments, and prior consultation with the ICO.
- Notify the Controller without undue delay after becoming aware of a personal data breach affecting the Controller's data.
- On termination of the service, and at the Controller's choice, delete or return all personal data to the Controller, and delete existing copies unless retention is required by law.
- Make available to the Controller all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller, on reasonable notice and subject to confidentiality.
6. International transfers
Where the Processor transfers personal data outside the UK to a subprocessor, the transfer will be subject to the UK International Data Transfer Agreement, the UK Addendum to the EU Standard Contractual Clauses, or another transfer mechanism recognised as adequate under UK GDPR.
7. Liability and precedence
Liability under this DPA is subject to the limits set out in the Terms of Service. If there is any conflict between this DPA and the Terms of Service in relation to processing of personal data, this DPA prevails.