Data Processing Agreement (DPA)
Version 1.0 · Effective from: 26 April 2026 · UK GDPR Article 28 compliant
ℹ️ This DPA forms part of the WorkHive Terms of Service. By using the WorkHive service, the Controller (you) and the Processor (us) agree to these terms. A counter-signed copy is available on request to legal@workhive.co.uk.
1. Parties
| Party | Identity |
| --- | --- |
| Controller ("you", "Customer") | The organisation using WorkHive, as identified at signup. |
| Processor ("we", "us", "WorkHive") | SJC Distributions Limited, a company incorporated in England and Wales. Registered office: [registered address on file]. Trading as "WorkHive". |
2. Definitions
Words have the meaning given by UK GDPR (the General Data Protection Regulation as retained in UK law) and the Data Protection Act 2018:
- UK GDPR — Regulation (EU) 2016/679 as it has effect in UK law by virtue of section 3 of the European Union (Withdrawal) Act 2018.
- Personal Data — any data relating to an identified or identifiable natural person processed under this DPA.
- Sub-processor — any entity engaged by us to process personal data on behalf of the Controller.
- Data Subject — the individual to whom the personal data relates (typically the Controller's staff).
3. Subject matter, duration, nature and purpose
Subject matter: personal data of the Controller's staff and applicants, processed via the WorkHive workforce-management software.
Duration: for the term of the WorkHive service contract, plus a maximum 30-day data export period after termination.
Nature: hosting, storing, retrieving, transmitting, displaying, encrypting, backing up, audit-logging and (for orgs that enable HR Helper) AI-summarising the personal data.
Purpose: delivering the WorkHive workforce-management service as set out in the Terms of Service.
4. Categories of data subjects and personal data
| Category | Examples |
| --- | --- |
| Identity | Name, email, phone, date of birth, gender |
| Address | Home address, postcode |
| Employment | Role, start/end date, contracted hours, hourly rate, employee number |
| HMRC / financial | NI number (encrypted), tax code, bank details (encrypted) |
| Right to Work | Document copies, share codes, expiry dates |
| Operational | Shift data, clock-in times, GPS at clock-in/out, holiday balance, sickness episodes |
| Sensitive (Special Category) | Health data within sickness records, ethnicity if voluntarily disclosed |
| Communications | Messages within team chat (Controller's choice to enable) |
5. Obligations of the Processor (us)
We:
- process Personal Data only on documented instructions from the Controller, including transfers, unless required by UK or EU law (in which case we will inform the Controller before processing, unless prohibited by law on important grounds of public interest);
- ensure all our personnel authorised to process Personal Data are bound by confidentiality obligations and have received UK GDPR training;
- implement appropriate technical and organisational measures (see Schedule A);
- only engage Sub-processors with the Controller's general written authorisation, and update the public Sub-processor list with at least 30 days' notice of new ones;
- assist the Controller in responding to Data Subject requests (access, rectification, erasure, restriction, portability, objection) within reasonable timeframes;
- assist the Controller in complying with their obligations under UK GDPR Articles 32–36 (security, breach, DPIA, prior consultation);
- at the Controller's choice, delete or return all Personal Data after the end of the service contract, and delete existing copies unless UK or EU law requires storage (e.g. PAYE retention);
- make available all information necessary to demonstrate compliance, and allow audits (including inspections) on reasonable notice and at the Controller's expense.
6. Obligations of the Controller (you)
You:
- establish a lawful basis for processing (typically contract performance, legal obligation under HMRC PAYE / Right to Work / pension auto-enrolment);
- provide a Privacy Notice to your staff at the start of employment;
- have authority to upload the personal data you upload, and to instruct us to process it;
- set retention rules consistent with UK law;
- do not upload Special Category data outside of the legitimate workforce purposes (e.g. sickness records);
- configure access controls (roles, sites) appropriately for your organisation;
- secure your own user credentials and devices; promptly remove access for staff who leave.
7. Sub-processors
The Controller authorises us to engage the Sub-processors listed at /sub-processors.html. We notify the Controller of new Sub-processors at least 30 days before they begin processing, giving the Controller a right to object reasonably.
We have a written contract with each Sub-processor that imposes data protection obligations no less protective than those in this DPA.
8. International transfers
Your data is hosted in the UK (Supabase London). The only routine international transfer is to Anthropic (US) for AI inference, and only when the Controller enables HR Helper. That transfer is governed by Standard Contractual Clauses (SCCs) under the UK International Data Transfer Agreement.
9. Security
Schedule A sets out technical and organisational measures. Highlights:
- AES-256 encryption at rest, TLS 1.3 in transit
- Field-level encryption (pgsodium) on bank details and NI numbers
- Row Level Security on every table
- Mandatory 2FA for Manager/HR/Owner roles
- Daily encrypted backups + Point-in-Time Recovery
- Append-only audit log
- Annual independent penetration testing
- Cyber Essentials certified
10. Personal data breaches
We notify the Controller without undue delay (and within 72 hours where feasible) of any Personal Data breach affecting their data. Notification will include the information required under UK GDPR Article 33(3). Our full Breach Response Plan is at /breach-response.html.
11. Liability
Each party's liability under this DPA is governed by the WorkHive Terms of Service, except that nothing in this DPA limits liability for breach of UK GDPR (Article 82).
12. Governing law and jurisdiction
This DPA is governed by the laws of England and Wales. Disputes are subject to the exclusive jurisdiction of the English courts.
13. Contact
Data Protection Officer / lead contact: privacy@workhive.co.uk
Security incidents: security@workhive.co.uk
ICO complaints: ico.org.uk · 0303 123 1113
Schedule A — Technical & Organisational Measures
- Pseudonymisation & encryption — AES-256 at rest; TLS 1.3 in transit; field-level encryption (pgsodium) on bank details and NI numbers using a separate key in Supabase Vault.
- Confidentiality, integrity, availability and resilience — Row Level Security on every table; append-only audit log; daily encrypted backups; PITR; weekly off-site backup; Better Stack uptime monitoring with auto-alerts.
- Restoration — Documented restore procedure tested monthly; restore-from-PITR capability to any second within the last 7 days.
- Regular testing & evaluation — Quarterly internal review; annual external penetration test (CREST-certified); weekly OWASP ZAP automated scan; ongoing dependency vulnerability monitoring.
- Access management — Mandatory 2FA for Manager/HR/Owner roles; password policy 12+ chars + breach-checked; session timeouts; immediate revocation on staff leaving.
- Monitoring & logging — Supabase + Netlify platform logs; immutable audit log on all sensitive actions; impossible-travel detection.
- Personnel — Confidentiality obligations in employment contracts; UK GDPR training; documented onboarding/offboarding access procedures.
- Sub-processor management — DPA with each; public list at /sub-processors.html; 30-day notice of changes.
Acceptance
By using the WorkHive service, you (the Controller) accept this DPA. A counter-signed copy can be requested from legal@workhive.co.uk for your records.