DATA PROCESSING AGREEMENT

This Data Processing Agreement (“DPA”) forms part of the Agreement between:

(1) The Customer (Controller)

and

(2) Evalu-8 Software Ltd (Processor)

1. Definitions and Interpretation

1.1 The following definitions apply:

  •  Agreement: The licence or services agreement between the parties
  • Commencement Date: The start date of the Agreement
  • Data Protection Legislation: The Data Protection Act 2018, UK GDPR, and any applicable UK data protection laws
  • Personal Data: Personal data processed by the Processor on behalf of the Customer
  • Security Breach: Any unauthorised or unlawful loss, access, disclosure, alteration or destruction of Personal Data
  • Services: The services provided under the Agreement
  • Sub-Processor: Any third party engaged by the Processor to process Personal Data

2. Commencement and Term

2.1 This DPA shall commence on the Commencement Date of using the service and continue for the duration of the Agreement.

2.2 In the event of conflict between this DPA and the EULA, this DPA shall prevail.

3. Data Processing

3.1 Compliance

Both parties shall comply with Data Protection Legislation.

3.2 Roles

The Customer is the Controller and Evalu-8 Software Ltd is the Processor.

3.3 Instructions

The Processor shall process Personal Data only on documented instructions from the Customer.

The Agreement, this DPA, and the Customer’s use of the Services (including configuration and operation of the platform) shall constitute the Customer’s complete and documented instructions to the Processor.

The Processor may process Personal Data as necessary to provide the Services, maintain and improve the Services, and comply with applicable law.

3.4 Controller Responsibilities

The Customer is responsible for ensuring lawful processing, including appropriate legal bases and notices.

3.5 Sub-processors

The Processor may engage Sub-processors where necessary to provide the Services. The Processor shall ensure that any Sub-Processor:

  • is subject to data protection obligations no less protective than those set out in this DPA; and

  • processes Personal Data only on the Processor’s documented instructions.
    The Processor shall remain responsible for the acts and omissions of its Sub-processors.

3.6 International Transfers

The Processor shall not transfer Personal Data outside the United Kingdom or EEA unless:

(a) required to provide the Services; or 

(b) instructed by the Customer;

and in all cases, appropriate safeguards shall be in place in accordance with Data Protection Legislation.

3.7 Security

The Processor shall implement appropriate technical and organisational measures including:

    • Encryption in transit and at rest

    • Access controls and authentication

    • Secure storage and segregation of data

    • Backup and recovery procedures

3.8 Data Subject Rights

The Processor shall assist the Customer with:

  • Access requests

  • Rectification or erasure

  • Restriction of processing

  • Data portability

3.9 Personal Data Breach

In the event of a Security Breach, the Processor shall:

  • Notify the Customer without undue delay

  • Provide reasonable details of the breach

  • Take steps to mitigate and resolve the issue

3.10 Confidentiality

The Processor shall ensure that all personnel authorised to process Personal Data are subject to appropriate confidentiality obligations.

3.11 Assistance

The Processor shall assist the Customer, taking into account the nature of processing, with:

    • Personal data breach notifications

    • Data protection impact assessments

    • Regulatory consultations where required

3.12 Records and Audit

The Processor shall:

  • Maintain records of processing activities as required by Data Protection Legislation

  • Make available information reasonably necessary to demonstrate compliance

Any audit rights shall be subject to reasonable notice and appropriate confidentiality obligations.

 

3.13 Liability

Liability of the parties under this Data Processing Agreement shall be governed by, and subject to, the limitations and exclusions of liability set out in the Agreement.

4. Termination

4.1 This DPA terminates automatically upon termination or expiry of the Agreement.

4.2 On termination, the Processor shall delete or return Personal Data in accordance with the Customer’s instructions or failing that as per the EULA agreement, unless required by law to retain it.

5. General

5.1 Notices may be given by email or post.
5.2 This DPA is governed by the laws of England and Wales.
5.3 The courts of England and Wales shall have exclusive jurisdiction.

Schedule – Processing Details

1. Scope

Processing is limited to what is necessary to provide the Evalu-8 HR & EHS platform and related services.

2. Purpose

Personal Data is processed by the Processor solely for the purpose of providing the Services under the Agreement.

This includes, where applicable:

  • enabling the Customer to configure, use and administer the platform and its available modules and features;

  • supporting the Customer’s internal business operations, compliance activities and record keeping;

  • facilitating system functionality, data storage, retrieval, reporting and workflows as determined by the Customer;

  • providing hosting, maintenance, support, security and technical services; and

  • any other processing activities reasonably necessary to deliver the Services in accordance with the Customer’s instructions.

The scope of processing will vary depending on the modules, features and configurations selected and used by the Customer.

3. Nature of Processing

  • Collection and storage of data

  • Access by authorised users

  • Updates, logs and reporting

  • Secure deletion or return

4. Duration

For the duration of the Agreement and any required retention period.

 

5. Types of Personal Data (not exhaustive)

    • Names, contact details, job roles

    • System usage and audit logs

    • Health & safety records

    • Technical data (IP address, device information)

    • Name, address, date of birth, health condition, disability condition, telephone number, email address, images, biometric data etc, plus other types of PII provided by you for you to fully utilise our software

6. Categories of Data Subjects

  • Employees

  • Contractors

  • Authorised users of the system

  •  Staff (including volunteers, agents, contractors and temporary workers), You can categorise your data within our software with regards to special categories

 




Copyright Evalu-8 Software Ltd 2026

Software

HR Management Software

EHS Software

Info

FAQs

About Us

Blog

Certifications

More

Careers

Partnerships

Privacy and Data

Contact Us

Data Processing Agreement

Evalu-8 Software Ltd

Earl Business Centre

Oldham

OL8 2PF

0161 5289466