DATA PROCESSING AGREEMENT

This Data Processing Agreement (“DPA”) forms part of the Agreement between:

(1) The Customer (Controller)

and

(2) Evalu-8 Software Ltd (Processor)

1. Definitions and Interpretation

1.1 The following definitions apply:

  • Agreement: The licence or services agreement between the parties
  • Commencement Date: The start date of the Agreement
  • Data Protection Legislation: The Data Protection Act 2018, UK GDPR, and any applicable UK data protection laws
  • Personal Data: Personal data processed by the Processor on behalf of the Customer
  • Security Breach: Any unauthorised or unlawful loss, access, disclosure, alteration or destruction of Personal Data
  • Services: The services provided under the Agreement
  • Special Category Data: Has the meaning given in Article 9 of the UK GDPR and includes data revealing health information, disability information, biometric data and other sensitive personal data processed by the Customer through the Services.
  • Sub-Processor: Any third party engaged by the Processor to process Personal Data

2. Commencement and Term

2.1 This DPA shall commence on the Commencement Date and continue for the duration of the Agreement.

2.2 In the event of conflict between this DPA and the EULA, this DPA shall prevail.


3. Data Processing

3.1 Compliance

Both parties shall comply with Data Protection Legislation.

3.2 Roles

The Customer is the Controller and Evalu-8 Software Ltd is the Processor.

3.3 Instructions

The Processor shall process Personal Data only on documented instructions from the Customer.

The Agreement, this DPA, and the Customer’s use of the Services (including configuration and operation of the platform) shall constitute the Customer’s complete and documented instructions to the Processor.

The Processor may process Personal Data as necessary to provide the Services, maintain and improve the Services, and comply with applicable law.

3.4 Controller Responsibilities

The Customer is responsible for ensuring lawful processing, including appropriate legal bases and notices.

3.5 Sub-processors

The Processor may engage Sub-processors where necessary to provide the Services.

The Processor shall ensure that any Sub-Processor:

  • is subject to data protection obligations no less protective than those set out in this DPA; and
  • processes Personal Data only on the Processor’s documented instructions.

The Processor shall remain responsible for the acts and omissions of its Sub-processors.

3.6 International Transfers

The Processor shall not transfer Personal Data outside the United Kingdom or EEA unless:

(a) required to provide the Services; or
(b) instructed by the Customer;

and in all cases, appropriate safeguards shall be in place in accordance with Data Protection Legislation.

3.7 Security

The Processor shall implement and maintain appropriate technical and organisational measures designed to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data.

Such measures shall include, where appropriate:

  • encryption of Personal Data in transit using TLS or equivalent.
  • encryption of Personal Data at rest.
  • role-based access controls and least privilege access principles.
  • multi-factor authentication for privileged or administrative access where applicable.
  • logical segregation of customer data.
  • regular security patching and vulnerability management procedures.
  • malware protection and monitoring systems.
  • secure backup and disaster recovery procedures.
  • logging and monitoring of access to systems processing Personal Data.
  • staff security and confidentiality training.
  • processes for regularly testing and evaluating the effectiveness of security measures.

3.8 Data Subject Rights

The Processor shall assist the Customer with:

  • Access requests
  • Rectification or erasure
  • Restriction of processing
  • Data portability

3.9 Personal Data Breach

In the event of a Security Breach, the Processor shall:

  • Notify the Customer of the Security Breach without undue delay and, where feasible, within 72 hours of becoming aware of it.
  • Provide reasonable details of the breach.
  • Take steps to mitigate and resolve the issue.

3.10 Confidentiality

The Processor shall ensure that persons authorised to process Personal Data:

  • are subject to confidentiality obligations.
  • receive appropriate data protection and security training.
  • only access Personal Data where necessary for performance of their duties.
  • are subject to employee screening.

3.11 Assistance

The Processor shall assist the Customer, taking into account the nature of processing, with:

  • Personal data breach notifications
  • Data protection impact assessments
  • Regulatory consultations where required

3.12 Records and Compliance Information

The Processor shall maintain records of processing activities as required by applicable Data Protection Legislation.

Upon reasonable written request, the Processor shall make available information reasonably necessary to demonstrate compliance with its obligations under this DPA.

The Customer acknowledges that the Services are provided in a shared-hosting and multi-tenant environment. Accordingly, the Processor shall not be required to disclose confidential information relating to other customers, internal security information, penetration test results, or permit on-site inspections or audits by the Customer unless required by applicable law or a competent regulatory authority.

Where reasonably required to demonstrate compliance, the Processor may satisfy information requests by providing:

  • security summaries or compliance documentation.
  • responses to reasonable security questionnaires.

3.13 Liability

Liability of the parties under this Data Processing Agreement shall be governed by, and subject to, the limitations and exclusions of liability set out in the Agreement.

4. Termination

4.1 This DPA terminates automatically upon termination or expiry of the Agreement.

4.2 On termination, the Processor shall delete or return Personal Data in accordance with the Customer’s instructions or, failing that, in accordance with the EULA, unless required by law to retain it.

5. General

5.1 Notices may be given by email or post.

5.2 This DPA is governed by the laws of England and Wales.

5.3 The courts of England and Wales shall have exclusive jurisdiction.

Schedule – Processing Details

  1. Scope

Processing is limited to what is necessary to provide the Evalu-8 HR & EHS platform and related services.

  2. Purpose

Personal Data is processed by the Processor solely for the purpose of providing the Services under the Agreement.

This includes, where applicable:

  • enabling the Customer to configure, use and administer the platform and its available modules and features;
  • supporting the Customer’s internal business operations, compliance activities and record keeping;
  • facilitating system functionality, data storage, retrieval, reporting and workflows as determined by the Customer;
  • providing hosting, maintenance, support, security and technical services; and
  • any other processing activities reasonably necessary to deliver the Services in accordance with the Customer’s instructions.

The scope of processing will vary depending on the modules, features and configurations selected and used by the Customer.

  3. Nature of Processing

  • Collection and storage of data
  • Access by authorised users
  • Updates, logs and reporting
  • Secure deletion or return

  4. Duration

For the duration of the Agreement and any required retention period.

  5. Types of Personal Data (not exhaustive)

  • Names, contact details, job roles
  • System usage and audit logs
  • Health & safety records
  • Technical data (IP address, device information)

Name, address, date of birth, health condition, disability condition, telephone number, email address, images, biometric data, etc., and any other categories of Personal Data uploaded, stored or otherwise processed by the Customer through use of the Services.

  6. Categories of Data Subjects

  • Employees
  • Contractors
  • Authorised users of the system
  • Staff (including volunteers, agents, contractors and temporary workers)

You can categorise your data within our software with regard to special categories. For example, special category data may include (not exhaustive):

    • occupational health information.
    • disability information.
    • accident or incident records.
    • biometric data where enabled by the Customer.
    • other sensitive employment-related information uploaded by the Customer.

Copyright Evalu-8 Software Ltd 2026

Evalu-8 Software Ltd

Earl Business Centre

Oldham

OL8 2PF

0161 5289466