Data Processing Agreement

This DPA forms part of the contract between EasyQMS (processor) and the customer (controller) and is entered into in accordance with Article 28 of the UK GDPR.

Last updated: Thursday 4th June 2026

This document is a working template. Specifics marked [REVIEW] must be confirmed by EasyQMS leadership and legal counsel before being relied upon contractually.

1. Subject matter and duration

EasyQMS processes personal data on behalf of the customer for the duration of the subscription and any agreed post-termination data-export window.

2. Nature and purpose

To provide the EasyQMS compliance platform and any sub-services ordered by the customer.

3. Types of data and data subjects

  • Customer's employees, engineers, contractors and managers (account holders).
  • End beneficiaries where applicable — e.g. property occupiers, passengers, site visitors.
  • Categories: identifiers, contact data, employment and competency records, evidence (photos, signatures, GPS), and any data the customer chooses to upload.

4. Processor obligations

  • Process personal data only on the customer's documented instructions.
  • Ensure persons authorised to process are under confidentiality.
  • Implement the technical and organisational measures in our Information Security Statement.
  • Engage sub-processors only as listed in Sub-processors, with 30 days' prior notice of changes.
  • Assist the customer with data subject requests, DPIAs and consultations with the ICO.
  • Notify the customer of any personal data breach without undue delay and in any case within 72 hours of awareness.
  • On termination, return or delete personal data at the customer's choice within [REVIEW: e.g. 30 days].

5. International transfers

Where transfers occur outside the UK, the UK International Data Transfer Agreement (or the UK Addendum to the EU SCCs) applies and is incorporated by reference.

6. Audit

The customer may audit our compliance with this DPA once per year on 30 days' written notice, or where required by a regulator. We may satisfy audit obligations through current third-party reports ([REVIEW: e.g. ISO 27001, SOC 2]).

7. Liability

Liability for breaches of this DPA is governed by the limitation of liability clause in the main agreement.

Contact

Questions about this policy? Email privacy@easyqms.co.uk.