Data Processing Addendum

This DPA is incorporated into and forms part of the AttendIQ Terms of Service.

Last updated: 30 May 2026
This Data Processing Addendum ("DPA") is between AttendIQ ("Processor") and the Customer ("Controller") and is incorporated into the AttendIQ Terms of Service. It satisfies the requirements of Article 28 of the UK GDPR. By accepting the Terms of Service, the Customer also accepts this DPA.

1. Definitions

Terms used but not defined here have the meanings given in the Terms of Service. "UK GDPR" means the UK General Data Protection Regulation as it forms part of UK law by virtue of the European Union (Withdrawal) Act 2018. "Personal Data", "Controller", "Processor", "Data Subject", "Processing", and "Supervisory Authority" have the meanings given in the UK GDPR.

2. Subject matter and details of processing

2.1 Subject matter

AttendIQ processes personal data on behalf of the Customer for the purpose of providing the platform described in the Terms of Service.

2.2 Duration

Processing continues for the duration of the Terms of Service and until all personal data is deleted or returned in accordance with clause 7 below.

2.3 Nature of processing

Storage, retrieval, transmission, display, and deletion of personal data via the AttendIQ platform and its supporting infrastructure.

2.4 Categories of data subjects

Workers, subcontractors, site visitors, and other individuals whose records are uploaded to or created within the platform by the Customer.

2.5 Categories of personal data

Name, contact details, date of birth, National Insurance number, employment details, qualification and card records, right to work documentation, attendance and clock-in records, photographic identity, and any other data the Customer uploads to the platform.

2.6 Special category data

Where the Customer uploads data falling under Article 9 UK GDPR (such as health surveillance records or drug and alcohol test results), the Customer is responsible for ensuring it has an appropriate lawful basis and condition for processing that data. AttendIQ stores such data with additional technical safeguards including column-level encryption.

3. Processor obligations

AttendIQ will:

  • Process personal data only on the documented instructions of the Customer (being the configuration and use of the platform), unless required to do so by law
  • Ensure that persons authorised to process the personal data are subject to appropriate confidentiality obligations
  • Implement the technical and organisational security measures described in clause 4
  • Not engage sub-processors without the Customer's general authorisation as set out in clause 5
  • Assist the Customer, taking into account the nature of processing, in fulfilling its obligations to respond to data subject rights requests
  • Assist the Customer in ensuring compliance with its obligations under Articles 32 to 36 UK GDPR (security, breach notification, DPIAs), taking into account the nature of processing and information available to AttendIQ
  • At the Customer's election, delete or return all personal data at the end of the service, and delete copies unless required by law to retain them
  • Make available to the Customer all information reasonably necessary to demonstrate compliance with this DPA, and permit and contribute to audits conducted by the Customer or an auditor mandated by the Customer, on reasonable written notice and subject to confidentiality obligations

4. Security measures

AttendIQ implements technical and organisational measures appropriate to the risk, including:

  • Encryption of data in transit (TLS 1.2+) and at rest (AES-256)
  • Column-level encryption for special category data
  • Access controls and role-based permissions
  • Multi-factor authentication for platform administrators
  • Data stored in the UK (Supabase, AWS eu-west-2)
  • Regular backups with tested recovery procedures
  • Staff access limited to what is necessary for their role

AttendIQ may update these measures from time to time provided the overall level of protection is not materially reduced.

5. Sub-processors

The Customer grants AttendIQ general authorisation to engage sub-processors. A current list of sub-processors is available at attendiq.co.uk/sub-processors.

AttendIQ will give at least 14 days' notice of any material change to its sub-processor arrangements (by updating the sub-processors page and notifying admin users by email). The Customer may object in writing within that period. If AttendIQ cannot accommodate a reasonable objection, the Customer may terminate the agreement without penalty.

AttendIQ imposes data protection obligations on sub-processors equivalent to those in this DPA.

6. Personal data breaches

AttendIQ will notify the Customer without undue delay (and in any event within 72 hours where feasible) after becoming aware of a personal data breach affecting Customer data. Notification will include: the nature of the breach, categories and approximate number of data subjects and records affected, likely consequences, and measures taken or proposed. Where information is not available at the time of initial notification, AttendIQ will provide it as soon as reasonably practicable.

7. Return and deletion

On termination of the Terms of Service, AttendIQ will, at the Customer's written request made within 30 days of termination, either return or securely delete all personal data processed on the Customer's behalf. After 30 days, AttendIQ may delete the data. Certain data may be retained for longer where required by applicable law, in which case AttendIQ will notify the Customer.

8. International transfers

AttendIQ stores all Customer personal data in the UK or EEA. Where any sub-processor is located outside the UK or EEA, AttendIQ ensures appropriate transfer safeguards are in place (such as standard contractual clauses or an adequacy decision).

9. Contact

Questions about this DPA should be directed to privacy@attendiq.co.uk.