Data Processing Addendum

Last updated: 09 June 2026

This Data Processing Addendum ("DPA") forms part of the agreement between ComplySync ("Processor") and the customer ("Controller") and applies to the processing of personal data carried out by ComplySync on behalf of the Controller in connection with the provision of the ComplySync platform.

1. Definitions

In this DPA, "Data Protection Laws" means the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and any successor legislation. "Personal Data", "Processing", "Data Subject", "Controller" and "Processor" have the meanings given in Data Protection Laws.

2. Scope of Processing

ComplySync processes personal data solely to provide the compliance document management services described in the Terms and Conditions. The categories of personal data processed include:

  • Names and contact details of subcontractors, workers and employees
  • Email addresses and phone numbers
  • CSCS card numbers and accreditation references
  • Uploaded compliance documents (insurance certificates, RAMS, qualifications)
  • Expiry dates and compliance status records
  • Audit log data (timestamps, IP addresses, actions taken)

Data subjects include the Controller's subcontractors, workers, employees and authorised portal users.

3. Controller Obligations

The Controller shall ensure it has a lawful basis for sharing personal data with ComplySync and that data subjects have been appropriately informed. The Controller is responsible for the accuracy and relevance of personal data provided.

4. Processor Obligations

ComplySync shall:

  • Process personal data only on documented instructions from the Controller, unless required by law
  • Ensure persons authorised to process personal data have committed themselves to confidentiality
  • Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk
  • Not engage another processor without prior written authorisation of the Controller
  • Assist the Controller in fulfilling its obligations to respond to Data Subject requests
  • Delete or return all personal data to the Controller at the end of the service, at the Controller's choice
  • Make available to the Controller all information necessary to demonstrate compliance with this DPA

5. Security Measures

ComplySync implements the following security measures:

  • Encryption of data in transit (TLS/HTTPS)
  • Secure session management with CSRF protection
  • Role-based access controls for portal users
  • Rate limiting on authentication endpoints
  • Comprehensive audit logging of all data access and modifications
  • Regular security reviews and updates

6. Sub-processors

ComplySync uses the following sub-processors:

  • Hosting provider (for infrastructure and data storage)
  • Email delivery service (for sending notifications and reminders)

The Controller will be notified of any changes to sub-processors and may object within 14 days.

7. Data Breach Notification

ComplySync shall notify the Controller without undue delay upon becoming aware of a personal data breach. The notification shall include the nature of the breach, categories of data subjects affected, likely consequences, and measures taken to address the breach.

8. International Transfers

Personal data processed under this DPA is stored and processed within the United Kingdom. ComplySync shall not transfer personal data outside the UK without the prior written consent of the Controller and appropriate safeguards being in place.

9. Data Retention

Personal data is retained for the duration of the service agreement. Upon termination, the Controller may request export or deletion of all data. ComplySync will complete deletion within 30 days of request, subject to any legal retention requirements.

10. Audit Rights

The Controller may, on reasonable notice, audit ComplySync's compliance with this DPA. ComplySync shall cooperate with such audits and provide access to relevant records and facilities.

11. Contact

For any queries regarding this DPA or data processing, please contact:

ComplySync
Email: info@complysync.co.uk
Phone: 07700 900123
Website: complysync.co.uk

© 2026 ComplySync