1. Definitions
In this DPA:
- "Controller", "You", "Your" means the entity that has agreed to the Terms of Service and uses the Service to process Customer Data.
- "Processor", "We", "Us", "Our" means whatcleaner.
- "Customer Data" means personal data relating to the Controller's customers that is processed through the Service.
- "Data Protection Laws" means UK GDPR, the Data Protection Act 2018, and any applicable data protection legislation.
- "Sub-processor" means any third party engaged by the Processor to process Customer Data.
- "Personal Data Breach" means a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Customer Data.
2. Scope and Purpose of Processing
2.1. This DPA applies to the processing of Customer Data by the Processor on behalf of the Controller in connection with the provision of the Service.
2.2. Subject Matter: Provision of cleaning business management software services.
2.3. Duration: The term of this DPA shall correspond to the duration of the Controller's use of the Service.
2.4. Nature and Purpose: Processing Customer Data to provide booking management, customer relationship management, payment tracking, and related business management functionality.
2.5. Types of Personal Data:
- Customer names and contact details
- Service addresses and property information
- Booking and service history
- Payment records and transaction data
- Notes and service preferences
2.6. Categories of Data Subjects: The Controller's business customers and contacts.
3. Controller Obligations
The Controller warrants and undertakes that:
3.1. It has a valid legal basis under Data Protection Laws for the collection and processing of Customer Data.
3.2. It has provided appropriate privacy notices to data subjects regarding the processing of their personal data.
3.3. It has obtained any necessary consents where required by Data Protection Laws.
3.4. It shall comply with all applicable Data Protection Laws in relation to its use of the Service.
3.5. Its instructions for processing Customer Data shall comply with Data Protection Laws.
3.6. It is solely responsible for the accuracy, quality, and legality of Customer Data.
4. Processor Obligations
The Processor shall:
4.1. Process Customer Data only on documented instructions from the Controller, unless required by law.
4.2. Ensure that persons authorised to process Customer Data are subject to confidentiality obligations.
4.3. Implement appropriate technical and organisational security measures as set out in Section 6.
4.4. Respect the conditions for engaging Sub-processors as set out in Section 7.
4.5. Assist the Controller in responding to data subject requests as set out in Section 8.
4.6. Assist the Controller in ensuring compliance with security, breach notification, and impact assessment obligations.
4.7. Delete or return Customer Data upon termination as set out in Section 10.
4.8. Make available information necessary to demonstrate compliance with this DPA upon reasonable request.
5. Processing Instructions
5.1. The Controller instructs the Processor to process Customer Data for the purposes of providing the Service as described in the Terms of Service.
5.2. The Processor shall immediately inform the Controller if, in the Processor's opinion, an instruction infringes Data Protection Laws.
5.3. Additional instructions outside the scope of this DPA require prior written agreement and may incur additional fees.
6. Security Measures
6.1. The Processor implements and maintains the following technical and organisational measures to protect Customer Data:
| Category | Measures Implemented |
|---|---|
| Encryption | TLS 1.2+ for data in transit; AES-256 encryption at rest for sensitive data |
| Access Control | Role-based access control; principle of least privilege; unique user accounts |
| Authentication | Strong password requirements; bcrypt hashing; session management |
| Infrastructure | Secure cloud hosting (UK/EU); network firewalls; DDoS protection |
| Monitoring | Security event logging; intrusion detection; automated alerts |
| Personnel | Confidentiality agreements; security awareness; limited access |
| Business Continuity | Regular backups; disaster recovery procedures; data redundancy |
6.2. The Processor shall regularly test, assess, and evaluate the effectiveness of these measures.
7. Sub-processors
7.1. The Controller provides general authorisation for the Processor to engage Sub-processors subject to this Section.
7.2. Current Sub-processors:
| Sub-processor | Purpose | Location | Safeguards |
|---|---|---|---|
| MongoDB Atlas | Database hosting | UK/EU | UK adequacy |
| DigitalOcean | Application hosting | UK/EU | UK adequacy |
| Stripe | Payment processing | UK/EU/US | SCCs |
| MailerSend | Email delivery | EU | UK adequacy |
| Sentry | Error monitoring | US | SCCs (technical data only) |
7.3. The Processor shall inform the Controller of any intended changes to Sub-processors, giving the Controller the opportunity to object.
7.4. The Processor shall ensure Sub-processors are bound by data protection obligations no less protective than this DPA.
7.5. The Processor remains liable for the acts and omissions of its Sub-processors.
8. Data Subject Rights
8.1. Taking into account the nature of the processing, the Processor shall assist the Controller in responding to requests from data subjects exercising their rights under Data Protection Laws.
8.2. The Processor shall promptly notify the Controller of any data subject request received directly, unless prohibited by law.
8.3. The Processor shall not respond to data subject requests except on documented instructions from the Controller or as required by law.
9. Personal Data Breach Notification
9.1. The Processor shall notify the Controller without undue delay (and in any event within 72 hours) upon becoming aware of a Personal Data Breach affecting Customer Data.
9.2. Such notification shall include:
- Description of the nature of the breach
- Categories and approximate number of data subjects affected
- Categories and approximate number of records affected
- Likely consequences of the breach
- Measures taken or proposed to address the breach
9.3. The Processor shall cooperate with the Controller in investigating and remediating any Personal Data Breach.
10. Data Return and Deletion
10.1. Upon termination of the Service:
- The Controller may export Customer Data through the Service's export functionality prior to termination.
- The Processor shall delete Customer Data within 30 days of account termination.
- Backup copies shall be deleted within 90 days.
10.2. The Processor may retain Customer Data to the extent required by applicable law, in which case the Processor shall ensure continued confidentiality and limit processing to such legal purposes.
11. Audits and Compliance
11.1. The Processor shall make available to the Controller all information necessary to demonstrate compliance with this DPA.
11.2. The Processor shall allow for and contribute to audits conducted by the Controller or an auditor mandated by the Controller, subject to:
- Reasonable advance notice (minimum 30 days)
- During normal business hours
- Confidentiality obligations
- Not more than once per year unless required by regulatory authority
11.3. The Controller shall bear its own costs for such audits.
12. Liability
12.1. The liability of each party under this DPA is subject to the limitations set out in the Terms of Service.
12.2. The Controller shall indemnify the Processor against any claims, damages, or expenses arising from the Controller's breach of Data Protection Laws or this DPA.
13. Term and Termination
13.1. This DPA shall remain in effect for the duration of the Controller's use of the Service.
13.2. Provisions of this DPA that by their nature should survive termination shall remain in effect.
14. Governing Law
14.1. This DPA shall be governed by the laws of England and Wales.
14.2. Any disputes shall be subject to the exclusive jurisdiction of the courts of England and Wales.