Template document. The text below is the standard Data Processing Agreement we offer customers. It is published here for procurement review. Final wording of any executed agreement should be reviewed by your legal counsel and may be tailored (sub-processor scope, audit cadence, liability cap) on Enterprise contracts. Nothing on this page is legal advice.

Data Processing Agreement

Required under UK GDPR Article 28 when you share personal data with us. This page is the canonical text — bookmark it, share with your DPO, then request a countersigned PDF when you're ready to sign.

Version 1.1 · Effective 28 May 2026 · UK GDPR Art. 28 aligned

Plain-English summary

Three roles apply under data-protection law:

  • You are the Controller. You decide why the data is collected and how it's used. Your workers are your data subjects.
  • We are the Processor. We hold, process and protect the data on your instructions — never for our own purposes.
  • Our sub-processors (Stripe, Twilio, Vercel, Fly.io, Anthropic etc.) operate under back-to-back contracts mirroring this DPA. Full list in Schedule B below.

We will: process only on your documented instructions, encrypt everything in transit and at rest, notify you within 24 hours of any personal-data breach, return or delete your data at the end of the contract, and give you reasonable audit rights. We will not: train AI models on your data, sell or share with third parties for advertising, or use your data after the contract ends.

The agreement

1. Parties

This Data Processing Agreement (this “DPA”) is entered into between Vygard Ltd, a company registered in England and Wales (“Processor”, “we”, “us”) and the entity executing the underlying Service Agreement for the Vygard service (the “Controller”, “you”). Each a “Party”, together the “Parties”.

2. Background

We provide the Vygard safety-monitoring service (the “Service”) to you under the terms of a Service Agreement (the “Agreement”). The Service necessarily involves the Processing of Personal Data relating to your workers and administrators. This DPA forms part of the Agreement and governs that Processing under UK GDPR Article 28 and, where applicable, EU GDPR Article 28.

3. Definitions

Capitalised terms not defined here have the meaning given in UK GDPR. Specifically:

  • Controller, Processor, Sub-processor, Personal Data, Processing, Data Subject, Personal Data Breach: as defined in Article 4 UK GDPR.
  • UK GDPR: the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 amending the General Data Protection Regulation (EU) 2016/679 as it forms part of the law of England and Wales, Scotland and Northern Ireland.
  • EU GDPR: Regulation (EU) 2016/679 (the General Data Protection Regulation).
  • UK IDTA: the United Kingdom International Data Transfer Agreement issued by the Information Commissioner.
  • EU SCCs: the Standard Contractual Clauses approved by the European Commission in Decision (EU) 2021/914.
  • Schedule: a schedule to this DPA, identified by letter.

4. Subject matter, nature, purpose, duration

The subject matter of the Processing is the operation of the Service for the Controller. The nature, purpose, types of Personal Data and categories of Data Subjects are set out in Schedule A. This DPA is co-terminous with the Agreement and continues for the term of the Agreement plus any wind-down period specified in clause 11.

5. Processor obligations

The Processor will:

  1. Process only on documented instructions. The Agreement, the Service's configurable settings, and any written instructions you give us via the in-product control panel constitute your documented instructions. We will notify you if we believe an instruction infringes data-protection law.
  2. Ensure confidentiality. Every person we authorise to access Personal Data is bound by written confidentiality obligations or a statutory duty of confidence.
  3. Implement appropriate security. We implement and maintain the technical and organisational measures set out in Schedule C to ensure a level of security appropriate to the risk, in accordance with Article 32 UK GDPR.
  4. Engage Sub-processors only under written contracts imposing data-protection terms equivalent to this DPA. Our current Sub-processors are listed in Schedule B. You authorise us to engage them. Process for changes is in clause 6.
  5. Assist with Data Subject rights. Taking into account the nature of the Processing, we will assist you by appropriate technical and organisational measures, insofar as possible, in fulfilling your obligation to respond to Data Subject requests under UK GDPR Chapter III.
  6. Assist with security, breach and DPIA obligations. We will help you comply with Articles 32 to 36 UK GDPR, taking into account the nature of the Processing and the information available to us.
  7. Notify you of Personal Data Breaches within 24 hours of becoming aware of them, providing all information then known. Further detail is supplied as it emerges.
  8. Return or delete Personal Data at the end of the Agreement in accordance with clause 11.
  9. Make available all information necessary to demonstrate compliance with Article 28 UK GDPR, and allow for and contribute to audits, including inspections, conducted by you or an auditor mandated by you, subject to clause 8.

6. Sub-processors

We will give you at least 30 days' advance notice of any intended addition or replacement of a Sub-processor by publishing the change to this page (Schedule B below) and emailing the notification contact you provide. If you reasonably object on data-protection grounds, you may terminate the affected portion of the Service without penalty within the 30-day notice window.

To subscribe to Sub-processor change notifications, email legal@vygard.com.

7. International transfers

Personal Data is hosted in the United Kingdom by default. Where a Sub-processor is located outside the United Kingdom (or, for EU customers, the European Economic Area), transfers are made under the appropriate transfer mechanism listed in Schedule B (UK International Data Transfer Agreement and / or EU Standard Contractual Clauses). Onward transfers by Sub-processors are governed by their own contractual arrangements that mirror this DPA.

8. Audit

You may audit our compliance with this DPA once per year with at least 30 days' written notice, by reviewing our up-to-date third-party security audits (ISO 27001 / SOC 2 when available), penetration test executive summaries, and responses to your supplied security questionnaire (SIG Lite, SIG Core or CAIQ). On-site audits may be substituted where these documents do not adequately answer a specific risk, at your cost and during business hours, subject to reasonable confidentiality terms. We will respond to audit requests within 5 working days.

9. Data Subject requests

You are responsible for responding to requests from Data Subjects exercising their rights under UK GDPR Chapter III. We provide tooling within the Service to fulfil access, rectification, restriction, erasure, portability and objection requests for Personal Data we hold on your behalf. If a Data Subject contacts us directly, we will redirect them to you within 2 working days unless prohibited by law.

10. Personal Data Breach

We will notify your nominated security contact within 24 hours of becoming aware of a Personal Data Breach affecting your Personal Data, providing at minimum: the nature of the breach, categories and approximate number of Data Subjects and records concerned, the likely consequences, and the measures taken or proposed. We will provide further information as it becomes available and cooperate with you on regulator and Data Subject notifications.

11. Return or deletion

On termination or expiry of the Agreement, at your written instruction within 30 days, we will either:

  • Return all Personal Data to you in a portable format (JSON or CSV per category, ZIP archive), then delete; or
  • Delete all Personal Data, except where retention is required by Union or Member State law.

Backups containing Personal Data are overwritten on their normal rotation cycle and fully purged within 35 days of termination. Audit logs retained under regulatory obligation (typically 7 years for safety incidents) are minimised to remove direct identifiers where possible.

12. Liability

The Parties' respective liability under this DPA is subject to the limitations and exclusions of liability set out in the Agreement. Where the Agreement does not contain such terms (e.g. click-through subscriptions), each Party's aggregate liability under this DPA is capped at 12 months' subscription fees paid under the Agreement.

13. Order of precedence

In case of conflict between this DPA and the Agreement, this DPA prevails for matters relating to the Processing of Personal Data.

14. Governing law

This DPA is governed by the laws of England and Wales. The courts of England and Wales have exclusive jurisdiction over any dispute arising from or in connection with this DPA.

15. Signature

You accept this DPA either by signing a countersigned PDF (available on request) or by clicking “I agree to the DPA” when prompted during onboarding. Either method binds your organisation.

Signed on behalf of the Processor:
Vygard Ltd · Director · 28 May 2026

Schedule A

Description of processing

Purposes

  • Operating the Vygard service as described in the Service Agreement
  • Authenticating workers and admin users (phone-based OTP, password, biometric unlock)
  • Recording worker shift start / end, clock-on / clock-off events
  • Receiving and storing worker location pings while clocked on (lat / lng / timestamp / accuracy)
  • Receiving health-vitals samples from paired wearable devices (heart rate, HRV, motion, fall events)
  • Detecting and escalating safety incidents (man-down, SOS, no-check-in, geofence breach)
  • Notifying nominated emergency contacts and recipients during escalation cascades
  • Generating compliance reports for the Controller (RIDDOR, LOLER, FISA daily checks, etc.)
  • Providing the Controller's administrators with operational dashboards and analytics
  • Sending transactional notifications (welfare pings, shift reminders, training expiry)
  • Processing payments via the Sub-processor Stripe for the Controller's subscription

Types of Personal Data

Category | Examples
Worker identification | Name, work phone, role, employee ID, site assignment
Authentication credentials | Hashed password (scrypt), hashed refresh tokens (SHA-256), device IDs
Location data | GPS coordinates, accuracy radius, timestamp; only while clocked on
Health-related data (special category) | Heart rate, HRV, motion / fall events, SpO2 (only if the wearable is paired and the worker has consented)
Incident records | Triggered alerts, escalation timeline, ack/resolve timestamps, optional voice notes
Photographic evidence | PPE check-in selfies, hazard report photos (only if the workflow requires them)
Administrator records | Admin user email, name, role, last-seen-at timestamp
Audit metadata | Action type, actor, timestamp, IP address, user-agent string

Categories of Data Subjects

  • Workers (the Controller's employees, contractors or volunteers)
  • Administrators (the Controller's authorised supervisors / dispatchers / managers)
  • Family members or nominated emergency contacts (limited to phone number + name)
  • Workers' buddies in the same or neighbouring tenants (in mutual-aid configurations)

Duration

For the term of the Agreement, plus the wind-down period in clause 11. Indicative retention by data type is published in our Security Overview page and tightened on Enterprise tiers.

Schedule B

Sub-processors

Current as of 28 May 2026. Changes notified 30 days in advance per clause 6.

Sub-processor | Role | Location | Transfer mechanism | DPA
Vercel Inc. | Admin web app + marketing site hosting (Next.js) | London (lhr1) primary; US fallback only for static asset CDN | UK IDTA + EU SCCs (Module 2: Controller-to-Processor) | View
Fly.io Inc. | API hosting (Fastify) + Postgres database (lwp-api, lwp-db) | London (lhr) only — pinned by deployment config | UK IDTA + EU SCCs (Module 2) | View
Upstash Inc. | Redis queue for escalation timing (BullMQ-backed) | Dublin (eu-west-1) | EU SCCs + UK IDTA addendum (Module 2) | View
Stripe Payments UK Ltd. | Subscription billing + payment card processing | UK / EU / US — Stripe is the controller for cardholder data | EU SCCs + UK IDTA addendum (Module 1) | View
Twilio Ireland Ltd. | SMS OTPs + invite links, WhatsApp Business messaging, voice fallback for SOS escalation | EU (Dublin) + UK; US for delivery telemetry only | EU SCCs + UK IDTA addendum (Module 2) | View
Resend Inc. | Transactional email (master admin invites, billing notices, signup confirmations) | US — encrypted in transit + at rest | EU SCCs + UK IDTA addendum (Module 2) | View
Anthropic PBC | AI Virtual Watcher anomaly detection + nearest-responder ranking (claude-opus-4-7 via API) | US — standard API endpoint; tenant data is not used for model training (default org setting) | EU SCCs + UK IDTA addendum (Module 2). Per-tenant token cap enforced server-side. | View

Network operators (mobile carriers carrying SMS / voice) are not treated as Sub-processors as they Process only opaque transit data on their own initiative; this aligns with ICO guidance.

Schedule C

Technical and organisational measures

The measures below are reviewed annually and updated as the threat model evolves. Material additions are noted in the change log at the bottom of this page.

Access control

  • Role-based access (worker / supervisor / admin / super-admin)
  • JWT-based authentication, 30-day expiry, refresh-token rotation with theft detection
  • Biometric unlock on iOS via Apple Keychain
  • Worker passwords stored as scrypt(salt, 64-byte) — never plaintext
  • Refresh tokens stored as SHA-256 hash only
  • Constant-time comparisons on all secret verification paths

Encryption

  • TLS 1.2+ enforced on all external endpoints (Vercel + Fly.io)
  • Database encryption at rest via Fly.io managed Postgres (AES-256)
  • Backups encrypted with provider-managed keys; customer-managed keys (AWS KMS) on Enterprise
  • Push notification payloads opaque — no PII in notification body

Data minimisation

  • Worker location ingested only while clocked-on
  • Raw GPS retained 90 days, then aggregated to site-level visit counts
  • Health-vitals samples (HR, HRV, motion) summarised to one-hour buckets after 14 days
  • Voice/audio captured on SOS only after explicit consent toggle
  • PPE selfies stored encrypted, 90-day retention, accessible only on incident review

Multi-tenant isolation

  • Every row in every table carries tenant_id (customer_id)
  • Enforced at API guard layer before queries reach the database
  • Cross-tenant queries rejected at the application boundary
  • Externally pen-tested annually for tenant-isolation bypass

Audit + logging

  • Every master-admin action written to append-only master_admin_audit table
  • Worker-side actions (clock-on, SOS, check-in) carry server-side timestamp + IP
  • Stripe webhook events recorded for billing dispute defence
  • Retention: 90 days (Starter), 365 days (Pro), indefinite WORM (Enterprise)

Operational security

  • All super-admin actions require a separate HMAC-signed session (24-hour TTL)
  • Production credentials stored in Vercel / Fly secrets, never in code
  • Quarterly access reviews for all employee accounts
  • Background checks on all employees with production access (BS 7858)
  • Mandatory MFA on all internal SaaS (GitHub, Vercel, Fly, Stripe)

Incident response

  • 24/7 on-call rotation; pager-duty equivalent
  • Personal-data breach notification to Controller within 24 hours of discovery
  • Postmortem published within 5 working days of resolution for any P1 incident
  • Annual tabletop exercise against the response plan

Business continuity

  • Postgres point-in-time recovery, 7-day window
  • Daily encrypted backups retained 35 days, cross-region
  • Tested restore quarterly — last successful restore documented in our internal log
  • RPO ≤ 1 hour, RTO ≤ 4 hours for the API; Vercel CDN provides static-content failover

Schedule D

International transfer mechanism details

Where Personal Data is transferred outside the United Kingdom (or the EEA for EU customers), the following transfer tools apply, in this order of preference:

  1. Adequacy decision. Where the recipient country benefits from a UK or EU adequacy decision (e.g. the EU–US Data Privacy Framework for participating Sub-processors), transfers are made on the basis of that adequacy decision.
  2. UK IDTA. For UK transfers to non-adequate countries, we execute the UK International Data Transfer Agreement (Module 2: Controller-to-Processor) directly with the Sub-processor, or rely on the UK Addendum to the EU SCCs.
  3. EU SCCs. For transfers from the EEA, we rely on the Commission's Standard Contractual Clauses (Decision (EU) 2021/914), using the relevant Module per the role of each party.
  4. Transfer Impact Assessment. A documented Transfer Impact Assessment is held for each non-adequacy transfer route, with supplementary measures (encryption with customer-held keys where feasible, pseudonymisation in transit) applied where required. Available on request as part of the security questionnaire process.

Change log

Version | Date | Notes
1.0 | 28 May 2026 | First public version. Aligns with UK GDPR Article 28, UK IDTA, and EU SCCs (Decision 2021/914).

Ready to sign or have legal questions?

legal@vygard.com — countersigned PDF turnaround within 1 working day. Or book a 30-min call with our DPO if you need bespoke wording for Enterprise.