Data Processing Agreement
Last updated: 2026-05-27 — UK GDPR Article 28
1. Parties
Controller: the customer who subscribes to StaffClock.
Processor: StaffClock, operated by Chavannes Ltd (Company No. 17198260), registered in England and Wales.
This agreement is entered into automatically when the Controller creates an account and uses the service.
2. Subject matter and scope of processing
The Processor processes personal data on behalf of the Controller solely to provide the service. The Processor does not access or use the data for any purpose other than delivering the service and complying with law.
3. Categories of data subjects
The Controller and the end users on whose behalf the Controller uses the service.
4. Lawful basis for processing
The Controller's account data is processed under Article 6(1)(b) UK GDPR (performance of a contract). Security and abuse-prevention processing relies on Article 6(1)(f) UK GDPR (legitimate interests).
5. Sub-processors
The Processor engages the following sub-processors. All international transfers are covered by Standard Contractual Clauses (SCCs) or an equivalent UK transfer mechanism. This table is kept identical to Privacy Notice §5.
| Sub-processor | Purpose | Country | Transfer safeguard |
|---|---|---|---|
The Processor will notify the Controller of intended changes to sub-processors with reasonable notice, giving the Controller the opportunity to object.
6. Data retention
- Account data: deleted synchronously when the Controller deletes their account via /delete-account.
- Security audit log: retained for 365 days, then permanently deleted by an automated purge job — the same period stated in the Privacy Notice.
- Payment records: retained by the payment processor per their own policy and applicable financial regulations.
7. Security measures
- Encryption in transit: all data transmitted over TLS 1.2 or higher.
- Encryption at rest: the managed database encrypts data at rest.
- Access control: no routine human access to personal data; administrative access is limited and protected by strong authentication.
- Incident response: in the event of a personal data breach, the Processor will notify the Controller without undue delay and, where required, report to the ICO within 72 hours.
8. Data subject rights
The Processor will assist the Controller in responding to data subject rights requests (access, rectification, erasure, restriction, portability, objection) within 7 days of receiving the request.
Requests may be submitted at /account/dsar-request or to privacy@staffclock.co.uk. Account holders may exercise erasure directly at /delete-account.
9. Governing law
This agreement is governed by the laws of England and Wales, subject to UK GDPR and the Data Protection Act 2018. The Processor is registered with the ICO under reference ZC142025.
© 2026 StaffClock — Chavannes Ltd (Company No. 17198260) · Registered in England and Wales · Registered office: Unit A, 82 James Carter Road, Mildenhall, IP28 7DE