Data Processing Agreement
Standard data processing terms for business customers who process personal data through Pubs Management.
1. Scope and Applicability
This Data Processing Agreement ("DPA") forms part of the Terms of Service between TekSpert Ltd ("Processor", "we") and the Customer ("Controller", "you") and governs the processing of Personal Data by the Processor on behalf of the Controller through the Pubs Management platform.
This DPA applies where the Controller determines the purposes and means of processing Personal Data (principally employee data) and the Processor processes that data on the Controller's instructions through the Platform.
2. Definitions
Terms used in this DPA have the meanings given in the UK GDPR and Data Protection Act 2018, unless otherwise defined in this DPA or the Terms of Service.
"Applicable Data Protection Law" means the UK GDPR, the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations 2003 (PECR), as amended from time to time.
"Personal Data Breach" has the meaning given in Article 4(12) of the UK GDPR.
"Sub-Processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
3. Processing Instructions
3.1. The Processor shall process Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to a third country, unless required to do so by law.
3.2. The subject matter, duration, nature, purpose, and categories of Personal Data and data subjects are set out in Annex 1 of this DPA (incorporated by reference in the Terms of Service).
3.3. The Controller warrants that it has a lawful basis for the processing and has provided all necessary fair processing notices to data subjects.
4. Confidentiality
The Processor shall ensure that all persons authorised to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
5. Security Measures
The Processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including as appropriate:
- Encryption of Personal Data in transit (TLS 1.2+) and at rest
- Measures to ensure ongoing confidentiality, integrity, availability, and resilience of processing systems
- Ability to restore availability and access to Personal Data in a timely manner following an incident
- Regular testing, assessment, and evaluation of security measures
- Role-based access controls with least-privilege principles
- Regular backups and disaster recovery procedures
6. Sub-Processors
6.1. The Controller provides general authorisation for the Processor to engage Sub-Processors, subject to the requirements of this section.
6.2. The Processor shall maintain a current list of Sub-Processors and shall notify the Controller of any intended changes to Sub-Processors at least 14 days before the change, giving the Controller the opportunity to object.
6.3. Where a Sub-Processor is engaged, the Processor shall impose data protection obligations no less protective than those in this DPA on the Sub-Processor by way of a written contract.
6.4. The Processor remains fully liable to the Controller for the performance of the Sub-Processor's obligations.
7. International Transfers
The Processor shall not transfer Personal Data outside the United Kingdom without the Controller's prior written consent and unless appropriate safeguards are in place (such as UK GDPR-approved standard contractual clauses or adequacy decisions by the UK Secretary of State).
8. Data Subject Requests
8.1. The Processor shall promptly notify the Controller if it receives a request from a data subject to exercise their rights under Applicable Data Protection Law.
8.2. The Processor shall provide reasonable assistance to the Controller in responding to data subject requests, taking into account the nature of the processing.
9. Data Breach Notification
9.1. The Processor shall notify the Controller without undue delay, and in any event within 48 hours, after becoming aware of a Personal Data Breach.
9.2. The notification shall include: (a) description of the nature of the breach; (b) categories and approximate number of data subjects and records affected; (c) likely consequences; (d) measures taken or proposed to address the breach and mitigate its effects.
9.3. The Processor shall cooperate with the Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of the breach.
10. Audit Rights
10.1. The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations in this DPA and Applicable Data Protection Law.
10.2. The Processor shall allow for and contribute to audits, including inspections, conducted by the Controller or a mandated auditor, subject to reasonable notice (not less than 30 days) and during normal business hours.
10.3. The Controller shall bear the costs of any audit unless the audit reveals material non-compliance by the Processor.
11. Term and Termination
This DPA shall remain in effect for the duration of the Terms of Service. Upon termination of the Terms of Service, the provisions of this DPA shall continue to apply to any Personal Data retained by the Processor until such data is deleted or returned.
12. Deletion and Return of Data
12.1. Upon termination of the Terms of Service, the Processor shall, at the Controller's choice: (a) return all Personal Data to the Controller in a structured, commonly used, and machine-readable format; or (b) delete all Personal Data and certify deletion in writing.
12.2. The Processor shall make data available for export for a period of 30 days following termination. After this period, the Processor shall delete all remaining copies unless retention is required by law.
13. Contact
For questions about this DPA, please contact us at privacy@pubsmanagement.com.
TekSpert Ltd, Company No. 16711813, VAT No. 505 2175 24.