Data Processing Agreement
Version: 1.1 · Effective: 29 April 2026 · Last updated: 8 May 2026
This Data Processing Agreement (“DPA”) is entered into by:
- Swipe360 Limited, company number 17207506, of 71-75 Shelton Street, Covent Garden, London, United Kingdom, WC2H 9JQ (“Processor”, “Swipe360”), and
- [Customer name] (“Controller”, “Customer”).
This DPA forms part of, and is subject to, the Swipe360 Terms of Service (“Agreement”) between the parties. It applies whenever Swipe360 processes Personal Data on behalf of the Customer.
1. Definitions
Terms used and not defined here have the meaning given in UK GDPR and the Data Protection Act 2018 (“Data Protection Laws”).
- Personal Data — any information relating to an identified or identifiable natural person, processed by Swipe360 on behalf of the Customer under the Agreement.
- Data Subject — the natural person whose Personal Data is processed (typically Customer’s staff).
- Sub-processor — any third party engaged by Swipe360 to process Personal Data on the Customer’s behalf.
- Processing — has the meaning given in UK GDPR Art. 4(2).
2. Roles
The Customer is the Controller. Swipe360 is the Processor, processing Personal Data only:
- on the Customer’s documented instructions, and
- as required to deliver the Service under the Agreement.
If Swipe360 is required by law to process beyond the Customer’s instructions, it will tell the Customer first (unless prohibited by that law).
3. Subject matter, duration, nature & purpose
| Item | Detail |
|---|---|
| Subject matter | Provision of cloud-based staff scheduling software |
| Duration | Term of the Agreement plus the deletion period under §10 |
| Nature | Storage, retrieval, transmission, deletion |
| Purpose | To enable the Customer to schedule staff, manage rotas, leave and absence |
| Categories of data | See Annex I |
| Categories of data subjects | Customer’s employees, contractors and bank/agency staff |
4. Customer instructions and warranties
The Customer warrants that:
- it has all necessary rights and lawful bases to share the Personal Data with Swipe360, and
- it has provided required notices to Data Subjects (e.g. employee privacy notice).
The Customer’s documented instructions are the Agreement, this DPA, and any further written instructions provided through Swipe360 support channels.
5. Confidentiality
Swipe360 ensures persons authorised to process Personal Data are bound by confidentiality (employment contract, contractor NDA, or statutory duty).
6. Security measures
Swipe360 implements appropriate technical and organisational measures to protect Personal Data against unauthorised or unlawful processing and against accidental loss, destruction or damage. Current measures are described in Annex II.
7. Sub-processors
The Customer authorises Swipe360 to engage the sub-processors listed in Annex III. Swipe360 will:
- impose data protection terms on each sub-processor that are no less protective than this DPA;
- remain liable to the Customer for sub-processor performance;
- give the Customer at least 30 days’ notice before adding or replacing a sub-processor;
- on reasonable objection, work in good faith with the Customer to resolve the objection. If it cannot be resolved, the Customer may terminate the affected portion of the Agreement.
8. International transfers
Personal Data is hosted in the United Kingdom. Where any sub-processor is located outside the UK or European Economic Area, transfers rely on:
- the UK International Data Transfer Addendum to the EU Standard Contractual Clauses, or
- an applicable adequacy decision, or
- another lawful transfer mechanism listed in Art. 46 UK GDPR.
9. Data subject rights & assistance
Swipe360 will:
- promptly notify the Customer (within 5 business days) of any Data Subject request received directly;
- provide reasonable assistance — at the Customer’s cost where assistance exceeds the Service’s standard self-serve features — to help the Customer respond to access, rectification, erasure, portability or objection requests;
- assist with data protection impact assessments and prior consultations with the ICO where reasonably required.
10. Return or deletion of data
On termination of the Agreement:
- the Customer may export their data through the in-product export feature for 30 days after termination;
- after 30 days, Swipe360 will permanently delete the Customer’s Personal Data from production systems, with backups overwritten in the normal 30-day rolling retention cycle;
- Swipe360 will retain anonymised, aggregated data and audit logs (no Personal Data identifiable) where required for tax, accounting or fraud prevention.
A written deletion confirmation will be provided on request.
11. Personal data breach
If Swipe360 becomes aware of a Personal Data breach affecting the Customer’s data, it will:
- notify the Customer without undue delay and in any event within 72 hours;
- provide details of the nature, scope, likely consequences and mitigation;
- cooperate in the Customer’s notification obligations to the ICO and to Data Subjects.
12. Audits
The Customer (or a mutually agreed independent auditor under NDA) may audit Swipe360’s compliance with this DPA once per 12-month period, on at least 30 days’ written notice, during normal business hours, and at the Customer’s cost. Swipe360 may instead provide a recent independent assurance report (e.g. SOC 2, ISO 27001, penetration test summary) where one exists.
13. Liability
Liability under this DPA is subject to the liability cap in the Agreement, except for liability that cannot be excluded by law.
14. Conflict
If this DPA conflicts with the Agreement on data protection matters, this DPA prevails.
15. Term
This DPA is effective from the Effective Date of the Agreement and continues until all Personal Data has been deleted under §10.
Annex I — Personal Data processed
Categories of Data Subjects
- Customer’s employees, contractors, agency and bank staff
- Customer’s administrators (managers, deputies, HQ staff)
Categories of Personal Data
- Identification: name, work email, phone (optional)
- Employment: role, department, contract type, contracted hours/days, shift preferences, availability, start date
- Operational: shift assignments, leave requests, sick episodes, swap requests, clock-in/out timestamps and (optional) geolocation, audit log of changes
- Sensitive (limited): gender (only where Customer enables gender-based staffing rules)
- Authentication: hashed password, login timestamps, failed login counters
Data NOT processed (Customer must not enter this through the Service): home address, date of birth, NI number, bank account, ethnicity, health records beyond sick-day flag.
Frequency: continuous, for the duration of the Agreement.
Annex II — Technical and organisational measures
| Area | Measure |
|---|---|
| Encryption in transit | TLS 1.2+ on all endpoints |
| Encryption at rest | AES-256 disk encryption on database and file storage |
| Authentication | Email + password (bcrypt-hashed); account lockout after multiple failed attempts; password complexity (minimum length, letter + number); breach-check against compromised-password lists via k-anonymity API |
| Access control | Role-based — site managers see only their site; HQ users see only their company; super admin (Swipe360 staff) only with documented support ticket |
| Audit logging | Every create/update/delete on personal data written to immutable audit log; retained 7 years |
| Network | Database in private VPC subnet, not publicly addressable; API behind a managed edge / CDN layer |
| Backups | Automated daily database snapshots, 30-day retention, encrypted |
| Vulnerability management | Dependabot + Snyk on dependencies; automated container patching weekly |
| Personnel | Background-checked staff; documented offboarding to revoke access |
| Sub-processor controls | Written DPAs in place with each sub-processor; SCCs/IDTA for transfers outside UK/EEA |
| Incident response | 72-hour breach notification commitment; documented runbook |
Annex III — Approved sub-processors
Swipe360 engages sub-processors in the following categories to deliver the Service. Categories, locations and transfer mechanisms are listed below; the named list of approved sub-processors (with legal entity, registered address and current service URL for each) is provided as a separate addendum to this Annex.
| Category | Service provided | Location of processing | Transfer mechanism |
|---|---|---|---|
| Cloud infrastructure provider | Hosting, database, file storage, CI/CD | UK primary; data residency contractually pinned to United Kingdom | UK domestic |
| Transactional email provider | Account, password, notification and announcement email delivery | EU / US | UK IDTA + SCCs |
| Payment processor | Subscription billing (PCI DSS Level 1) | EU + US | UK IDTA + SCCs |
| Optional AI assistant provider (only if “Sai” AI help is enabled) | AI-generated help responses, under a zero-retention contract | US | UK IDTA + SCCs |
| DNS and content delivery provider | DNS resolution, edge routing | UK / Global | UK IDTA + SCCs |
The named list addendum to this Annex (identifying each specific sub-processor) is available on request by emailing support@swipe360.co.uk and is supplied as an attachment at the time of contract execution. Customers will receive at least 30 days’ notice of changes by email and may object on reasonable grounds under §7 of this DPA.
Questions about this DPA? Email support@swipe360.co.uk.