GDPR Policy

Data Processing Agreement (DPA)

1 Formation, Duration, and Termination

This DPA enters into force on the Effective Date of the underlying service agreement between the Controller and the Processor.

The DPA remains in effect for the duration of the service agreement.

Upon termination of the service agreement, this DPA automatically terminates.

2 Subject Matter and Purpose

Processor will process Personal Data only on documented instructions from the Controller, including transfers to third countries, unless required by law.

The purpose of processing includes providing services via the Q-hub platform, maintaining application functionality, and performing analytics as described in the service agreement.

The Processor shall have no control over the purposes of processing and the means used, except as directed by the Controller in documented instructions.

3 Data Processing Details

Categories of Data Subjects: Employees, clients, users of the Q-hub platform.

Categories of Data: Names, contact details, IP addresses, compliance data, and sensitive data uploaded by clients.

Processing Activities: Data storage, retrieval, transmission, and deletion as per the Controller’s instructions.

4 Obligations of the Processor

Compliance: The Processor shall comply with GDPR and ensure confidentiality, integrity, and availability of Personal Data.

Security Measures: Implement measures in line with ISO 27001, NCSC, and/or NIST standards, including encryption and access control.

Sub-Processors: The Processor shall not engage Sub-Processors without the prior written consent of the Controller.

The Processor shall ensure that Sub-Processors adhere to the Controller’s instructions, maintain confidentiality, and implement robust security measures to protect Personal Data.

Data Subject Requests: Processor shall assist the Controller in responding to requests under GDPR Articles 15-22 (e.g., access, rectification, erasure).

Data Breaches: Notify the Controller of any Personal Data breach within 48 hours and provide continuous updates throughout the resolution process.

5 Obligations of the Controller

Ensure lawful processing of Personal Data shared with the Processor.

Provide clear instructions for processing activities.

Audit Processor compliance periodically.

6 Data Retention and Return

Upon termination of services, Processor shall:

Return all Personal Data to the Controller.

Permanently delete Personal Data unless otherwise required by law.

Data retention periods align with the Processor’s internal policies and are documented in agreements with the Controller.

7 International Transfers

Personal Data shall not be transferred outside the EEA without:

Standard Contractual Clauses (SCCs) or equivalent safeguards.

Explicit written consent from the Controller.

8 Audit Rights

The Controller may audit the Processor's processing operations annually or as needed, ensuring compliance with this DPA and GDPR obligations.

Processor will cooperate fully and ensure Sub-Processors provide similar access for audits.

The cost of audits shall be borne by the Controller, unless non-compliance is identified, in which case the Processor shall bear the costs.

Recommendations for improvement must be implemented by the Processor within a reasonable timeframe specified by the Controller.

9 Confidentiality

Processor shall maintain strict confidentiality of all Personal Data.

Confidentiality obligations extend to all personnel and Sub-Processors engaged by the Processor, enforced through binding agreements. These obligations shall remain in effect after the termination of this DPA.

10 Security Measures

Processor implements technical and organisational measures, including:

Encryption: Protecting data at rest and in transit.

Access Control: Multi-factor authentication (MFA).

Monitoring: Real-time threat detection and response.

Incident Management: Procedures aligned with NCSC guidance.

Regular Testing: Periodic penetration testing and vulnerability assessments.

Security measures will be reviewed annually to ensure adequacy against evolving risks.

11 Breach Notification

Processor will notify the Controller within 48 hours of detecting a data breach.

Notifications will include the breach's nature, scope, and potential impact on Data Subjects.

The Processor will provide continuous updates on mitigation efforts and further developments.

Costs incurred by the Controller for breach management or audits shall be reimbursed by the Processor if the breach or non-compliance results from its failure to meet the obligations under this DPA.

12 Sub-Processors

Current Sub-Processors are listed in the service agreement or communicated in advance.

Controller has the right to object to new Sub-Processors.

13 Liability and Indemnification

Processor is liable for breaches caused by non-compliance with this DPA or GDPR.

Processor indemnifies the Controller for fines or claims arising directly from its failures.

14 Final Provisions

Amendments to this DPA must be in writing and signed by both parties.

Governing Law: This DPA is governed by the laws of England and Wales.