Data Processing Addendum (UK GDPR)
Last updated: November 8, 2025
This Data Processing Addendum forms part of the subscription agreement for controller-processor arrangements under UK GDPR.
Parties
(1) Customer, the "Controller"; and
(2) Aubis Ltd, the "Processor".
1. Subject Matter and Duration
Processor will process Personal Data on behalf of Controller to provide the Aubis services. The DPA lasts for the term of the Agreement and until deletion or return of Personal Data.
2. Nature and Purpose of Processing
- Hosting and storage of uploaded documents and metadata
- Indexing and search
- Generation of timelines and exports
- Security, logging, and support
3. Types of Personal Data and Data Subjects
Data Subjects: parents/carers, children, invited collaborators
Data types: names, emails, uploaded EHCP-related documents and metadata, usage logs
4. Processor Obligations
Processor shall:
- Process Personal Data only on documented instructions from Controller
- Keep Personal Data confidential and ensure staff are under confidentiality duties
- Implement appropriate technical and organisational security measures
- Assist Controller with data subject requests and DPIAs
- Notify Controller without undue delay after becoming aware of a Personal Data Breach
- Delete or return all Personal Data at end of services
- Make available information necessary to demonstrate compliance and allow audits
5. Sub-processors
Controller authorises use of sub-processors for infrastructure, email and payments. Processor will impose data-protection terms on sub-processors and remain responsible for their performance. Processor will maintain a current list of sub-processors and provide notice of changes.
6. International Transfers
Where Personal Data is transferred outside the UK, Processor will implement appropriate safeguards (e.g., UK IDTA / SCCs).
7. Security
Processor will maintain encryption in transit and at rest, access controls, vulnerability management, and audit logging. Summary security information is available on request.
8. Personal Data Breach
Processor will notify Controller without undue delay after becoming aware of a breach, provide details as known, take reasonable steps to mitigate, and cooperate with Controller's notifications if required.
9. Assistance and Cooperation
Processor will assist Controller in meeting obligations under the UK GDPR, taking into account the nature of processing.
10. Deletion and Return
At termination, Controller may request deletion or return of Personal Data. Processor will securely delete within 30 days unless law requires retention.
Contact
Data Protection: nikki@aubis.co.uk