Data Processing Agreement

You are the controller of personal data about your staff. DbsDue Ltd is the processor and will only process that data on your documented instructions, which are reflected in the features you choose to use within the app.

The processing concerns DBS renewal tracking for your workforce. It lasts for as long as your subscription is active, plus a 90-day deletion window after termination.

• Data subjects: your employees, contractors and volunteers.
• Personal data: name, job role, DBS certificate number, issue date, renewal date, and optional notes you add.
• No special category data, ID documents or check contents are processed.

• Process data only on your documented instructions.
• Ensure persons authorised to process data are bound by confidentiality.
• Implement appropriate technical and organisational security measures.
• Assist you in responding to data subject requests and DPIAs.
• Notify you without undue delay of any personal data breach.
• Delete or return all personal data at the end of the agreement.
• Make available all information necessary to demonstrate compliance.

You give general authorisation for DbsDue to engage the following sub-processors:

• Supabase (Ireland) — database and authentication.
• Cloudflare (UK/EU) — content delivery and edge compute.
• Stripe (Ireland) — payment processing.
• Resend (EU) — transactional email delivery.

We will give you at least 30 days notice before adding or replacing a sub-processor and you may object on reasonable data protection grounds.

Any transfer of personal data outside the UK is covered by the UK International Data Transfer Addendum to the EU Standard Contractual Clauses.

On reasonable written notice and no more than once per year, you may request a summary of our most recent security audit. Where you require an on-site audit, we will agree scope and timing in good faith.

By using DbsDue you accept this DPA on behalf of your organisation. If you require a signed counterpart, email dpo@dbsdue.co.uk.