Data Processing Addendum (DPA)
Last updated: [DATE]
This Addendum forms part of the Terms of Service between Daramac Ltd ("TradeZebra", "Processor") and the electrician or business using TradeZebra ("Customer", "Controller"). It applies where TradeZebra processes personal data on the Customer's behalf — principally the personal data of the Customer's own clients and the occupants of properties (names, contact details, addresses, and details that appear in jobs and certificates).
It is written to meet Article 28 UK GDPR.
1. Roles
The Customer is the controller of the personal data it enters about its clients and properties. TradeZebra is the processor of that data. (Separately, TradeZebra is a controller for the Customer's own account and business data — see the Privacy Policy; that is not covered by this Addendum.)
2. TradeZebra's obligations as processor
TradeZebra will:
- process the personal data only on the Customer's documented instructions (which include using it to provide the features of TradeZebra), unless required by law to do otherwise;
- ensure people authorised to process it are under a duty of confidentiality;
- apply appropriate technical and organisational security measures (Annex 2);
- engage sub-processors only under §3;
- assist the Customer, taking account of the nature of processing, to respond to data-subject rights requests and to meet its security, breach-notification and impact-assessment duties;
- notify the Customer without undue delay on becoming aware of a personal data breach affecting the Customer's data;
- at the Customer's choice, delete or return the personal data at the end of the service, and delete existing copies unless law requires retention; and
- make available information needed to demonstrate compliance, and allow and contribute to audits as required by Article 28(3)(h).
3. Sub-processors
The Customer gives general authorisation for TradeZebra to engage the sub-processors listed in Annex 1 to provide the service. TradeZebra will impose data-protection terms on each sub-processor equivalent to those in this Addendum, and remains responsible for their performance. TradeZebra will give the Customer reasonable notice of any intended addition or replacement of a sub-processor, and the Customer may object on reasonable data-protection grounds.
4. International transfers
Some sub-processors — in particular the AI provider used for certificate extraction — process data outside the UK. TradeZebra will ensure a valid transfer mechanism is in place (UK IDTA, the UK Addendum to the EU SCCs, or reliance on a UK adequacy decision) so the data keeps an equivalent level of protection.
5. Data-subject requests
If a data subject contacts TradeZebra directly about data the Customer controls, TradeZebra will not respond substantively (except to confirm the request should go to the Customer) and will pass the request to the Customer promptly.
6. Liability and duration
This Addendum runs for as long as TradeZebra processes the Customer's personal data. Liability under it is subject to the limits in the Terms of Service, except where the law does not allow that.
Annex 1 — Sub-processors
(Keep in exact step with the Privacy Policy subprocessor table. Confirm the final production list.)
| Sub-processor | Function | Location |
|---|---|---|
| Supabase | Database, authentication, file/photo storage | [CONFIRM] |
| PowerSync | Offline sync (data cached on device and synced) | [CONFIRM] |
| Stripe | Payment processing incl. Stripe Terminal | [CONFIRM] |
| OpenRouter | AI models for certificate extraction from photos | Outside UK — safeguards per §4 |
[HOSTING PROVIDER] | Website/app hosting | [CONFIRM] |
[EMAIL PROVIDER] | Transactional email | [CONFIRM] |
Not currently engaged (add when the corresponding feature launches): accounting integrations (Xero/QuickBooks); any location-tracking infrastructure.
Annex 2 — Security measures
Indicative measures — [confirm against the real deployment before review]:
- Encryption of data in transit (TLS) and at rest, including the on-device local database used for offline working.
- Row-Level Security enforcing per-organisation data isolation.
- Access controls, least-privilege, and authentication for staff access.
- Logging, monitoring and backup.
- A defined process for detecting, handling and notifying personal data breaches.
Annex 3 — Subject matter and details of processing
- Subject matter: provision of the TradeZebra job-management and certificate application.
- Duration: the term of the Customer's use, plus retention per the Privacy Policy.
- Nature and purpose: storing and organising job records; producing quotes, invoices and certificates; AI-assisted extraction of circuit data from photos; taking payments.
- Types of personal data: names, contact details, property addresses, job descriptions, site/board photographs, and the personal data contained in certificates.
- Categories of data subject: the Customer's clients, and occupants or contacts at the properties where work is carried out.