Skip to main content

Data Processing Agreement (DPA)

This Data Processing Agreement ("DPA") forms part of the Terms of Service between Future Mill Limited ("Processor") and the customer entity using Badger HR ("Controller").

1. Purpose

This DPA sets out how personal data is processed when the Controller uses Badger HR and reflects the requirements of the UK GDPR and, where applicable, the EU GDPR.

2. Roles

  • The Controller determines the purposes and means of processing personal data.
  • The Processor processes personal data only on the Controller's documented instructions.

3. Scope of Processing

The Processor will process personal data solely to provide, maintain, and support the Badger HR service.

Categories of personal data may include:
- Employee identification and contact details
- Employment, role, and organisational information
- HR documents, records, and policy acknowledgements

Categories of data subjects include:
- Employees
- Workers
- Contractors

4. Processor Obligations

The Processor agrees to:

  • Process personal data only on documented instructions from the Controller
  • Ensure that personnel authorised to process personal data are subject to confidentiality obligations
  • Implement appropriate technical and organisational measures to protect personal data
  • Assist the Controller, where applicable, with responding to data subject rights requests
  • Assist the Controller with security, breach notification, and data protection impact assessments
  • Delete or return personal data upon termination of the Service, as set out in the Terms of Service

5. Subprocessors

The Controller authorises the use of subprocessors necessary to deliver the Service.

The Processor:
- Maintains a list of subprocessors
- Ensures subprocessors are subject to appropriate data protection obligations
- Remains responsible for the performance of its subprocessors

6. International Data Transfers

Where personal data is transferred outside the UK or EU, the Processor will ensure appropriate safeguards are in place, including the use of standard contractual clauses and any required UK addenda.

7. Security Measures

The Processor implements technical and organisational measures designed to protect personal data, including but not limited to:

  • Encryption of data in transit
  • Logical access controls
  • Monitoring and maintenance of systems

Security measures may be updated over time to reflect evolving best practices.

8. Personal Data Breaches

The Processor will notify the Controller without undue delay after becoming aware of a personal data breach affecting the Service and will provide reasonable assistance in investigating and mitigating the breach.

9. Audits and Compliance

The Processor will make available information reasonably necessary to demonstrate compliance with this DPA.

Audits may be conducted on reasonable notice and subject to confidentiality, security, and proportionality requirements.

10. Termination

Upon termination of the Service:
- Personal data will be made available for export for a limited period
- Thereafter, personal data will be securely deleted unless retention is required by law

11. Governing Law

This DPA is governed by the laws of England and Wales.

12. Contact

Questions relating to this DPA can be directed to:

Email: hello@badgerhr.com