OSCABE Managed Remote Employees

Data Processing Agreement

Version 2026.05 | Effective 1 May 2026 | Next review 1 May 2027

This Data Processing Agreement ("DPA") forms part of the Terms of Service between OSCABE LTD (Company No. 15913493) ("Processor", "we") and the Client ("Controller", "you") when OSCABE processes personal data on the Controller's behalf in the course of providing the Platform services.

This DPA satisfies the requirements of Article 28(3) UK GDPR and Article 28(3) EU GDPR. The UK International Data Transfer Addendum to the EU Standard Contractual Clauses ("UK Addendum") is incorporated by reference where applicable.

1. Definitions

Capitalised terms not defined here have the meaning given in the UK GDPR. "Personal Data" means personal data the Controller uploads to, or instructs OSCABE to process via, the Platform.

2. Subject matter, duration, nature and purpose

| Item | Description |
| --- | --- |
| Subject matter | OSCABE's operation of the Platform on the Controller's instructions |
| Duration | The term of the Controller's account plus any post-termination retention period |
| Nature and purpose | Hosting, storage, transmission, retrieval, billing, communication routing |
| Types of personal data | Names, business email, IP addresses, profile data, messages, billing records, work records |
| Categories of data subjects | Controller's authorised users; Engineers introduced through the Platform; Controller's leads and contacts uploaded to messaging or CRM features |
| Special category data | None expected. The Controller must not upload special category data without informing OSCABE in advance |

3. Processing instructions

OSCABE will process Personal Data only on the documented instructions of the Controller. The Controller's instructions are deemed to comprise: (a) these DPA terms, (b) the Terms of Service, (c) configuration choices in the Platform UI, and (d) any written instruction expressly accepted by OSCABE.

If OSCABE believes an instruction infringes UK or EU data protection law it will inform the Controller without delay.

4. Confidentiality

OSCABE ensures that persons authorised to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

5. Security (Article 32)

OSCABE implements appropriate technical and organisational measures including:

  • TLS 1.2+ in transit, AES-256 at rest
  • Hashed passwords (bcrypt cost 12) and salted tokens
  • Role-based access control with least-privilege defaults
  • Multi-factor authentication on administrative accounts
  • Centralised audit logging and intrusion detection
  • Annual third-party penetration testing
  • Documented incident-response playbook with 24-hour internal triage
  • ISO 9001:2015 certified management system

A current security overview is available on request.

6. Sub-processors

The Controller provides general written authorisation for OSCABE to engage sub-processors. OSCABE will maintain a public list at /legal/subprocessors and will give the Controller at least fourteen (14) days' notice before adding or replacing a sub-processor. The Controller may object on reasonable data-protection grounds during that notice period; if the parties cannot resolve the objection, the Controller may terminate the affected service.

OSCABE will impose data-protection obligations on each sub-processor that are no less onerous than those in this DPA and remains liable to the Controller for sub-processor performance.

7. Data subject rights

OSCABE will assist the Controller, by appropriate technical and organisational measures, in fulfilling its obligations to respond to data subject requests (Articles 15-22). If a data subject contacts OSCABE directly, OSCABE will (a) confirm OSCABE acts as a processor for the Controller, (b) instruct the data subject to contact the Controller, and (c) inform the Controller promptly.

8. Assistance with Articles 32-36

OSCABE will assist the Controller in ensuring compliance with security, breach notification, data protection impact assessments and prior consultation, taking into account the nature of processing and the information available to OSCABE.

9. Personal data breach

OSCABE will notify the Controller without undue delay, and in any case within 36 hours, of becoming aware of a personal data breach affecting the Controller's Personal Data. The notification will include the information required by Art 33(3) UK GDPR.

10. International transfers

Where Personal Data is transferred to a third country or international organisation, OSCABE will rely on the UK International Data Transfer Agreement (IDTA) or the EU SCC Module 3 with the UK Addendum as applicable, and will complete and retain a Transfer Risk Assessment in line with the ICO's January 2026 guidance.

A list of countries where Personal Data may be processed appears in our Sub-processors list.

11. Audit

The Controller may, on at least thirty (30) days' written notice and no more than once per calendar year, request access to documentation reasonably necessary to demonstrate OSCABE's compliance with this DPA. OSCABE may satisfy this obligation by providing recent third-party audit reports (ISO, SOC 2 when available) and a completed CAIQ-Lite questionnaire.

12. Return or deletion

On termination, and at the Controller's option, OSCABE will return or delete all Personal Data within 90 days unless retention is required by UK or EU law. Backups containing Personal Data are over-written within 35 days.

13. Liability

The Controller's and OSCABE's liability under this DPA is subject to the limitations of liability in the Terms of Service. Nothing in this DPA limits a data subject's rights under UK or EU GDPR or a regulator's enforcement powers.

14. Order of precedence

If there is a conflict between this DPA and the Terms of Service, this DPA prevails on data protection matters.